opensolaris_vps

Overview

Your OpenSolaris VPS (2009.06 release) is accessible only through SSH. All network services are disabled by default with the exception of SSH. The server comes with minimal software and changes (see Defaults for more information).

Image Packaging System

OpenSolaris no longer uses the old Solaris-based packaging (e.g. pkgadd or pkgrm…). In the new packaging architecture, all the latest software is on a remote repository (called a “publisher” in IPS). You can also peek at the available software using the browser.

IPS package management is done through the single pkg command:

  • pkg help: shows a usage guide
  • pkg list: shows packages that are installed
  • pkg search string: searches for packages with the given string (or filename) in them
  • pkg install package: installs the specified package
  • pkg uninstall package: removes the specified package

Installing a package also installs all its dependency packages. Uninstalling will only remove the specified package, unless the -r option is also specified. You can also pass the -n option to do a quick “dry run” of most of these commands.

Note 1: The default publisher is /release. You can also use /contrib or another publisher with extra software that is not found in /release.

root@mask:~# pkg publisher
PUBLISHER                             TYPE     STATUS   URI
opensolaris.org          (preferred)  origin   online   http://pkg.opensolaris.org/release/
root@mask:~# 

SMF

You should also be familiar with Solaris 10's SMF framework, which is in OpenSolaris as well. SMF is a framework for managing the services that run on your OpenSolaris server. To get started you only need to know two commands: svcs and svcadm. Running just “svcs -a” will show all the services that are either enabled or disabled.

root@fans:/# svcs ftp
STATE          STIME    FMRI
online         11:20:48 svc:/network/ftp:default
root@fans:/#

That command shows FTP is running. To disable FTP on your server, run:

root@fans:/# svcadm disable ftp
root@fans:/# svcs ftp
STATE          STIME    FMRI
disabled       11:43:56 svc:/network/ftp:default
root@fans:/#

Installing Software

Since these are plain vanilla OpenSolaris builds, some packages are missing. Here is a short list of items we recommend installing to customize your environment:

  • pkg install SUNWman (man pages)
  • pkg install SUNWwget (wget)
  • pkg install SUNWgtar (GNU tar)
  • pkg install SUNWbind (nslookup, dig, and friends)

OpenSolaris Web Stack 1.5

In addition to specific packages as mentioned above, IPS also has “grouped” packages. Installing these packages installs all the components in that group. To install the latest stable versions of the common web infrastructure software (apache, mysql, php), run: pkg install amp. You can also see the official Getting Started Guide to Webstack.

The configuration directories are:

  • /etc/php/5.2
  • /etc/apache2/2.2
  • /etc/mysql/5.1

All logs and data files should reside under /var (the “variable data” location):

  • /var/php/5.2
  • /var/mysql/data (links to /var/mysql/5.1/data)
  • /var/apache2/2.2

The binaries and libs for the above software reside in:

  • /usr/apache2/2.2
  • /usr/mysql (links to /usr/mysql/5.1)
  • /usr/php (links to /usr/php/5.2)

The web site data should be put in /usr/apache2/2.2/htdocs. The web server by default runs as the webservd user and group. You can also use Lighttpd or Nginx web servers instead of Apache (see below).

The following shows the SMF service names associated with apache and mysql:

root@mask:~# svcs mysql
STATE          STIME    FMRI
disabled       Sep_02   svc:/application/database/mysql:version_51
root@mask:~# svcs apache22
STATE          STIME    FMRI
disabled       Sep_02   svc:/network/http:apache22
root@mask:~# 

Known Issues

NOTE 1

The gd.so module included with PHP is broken as of September 2009 in our OpenSolaris VPS server. Apache will fail to start because of this! You need to either disable PHP's gd.so module OR additional software needs to be installed. This is due to bug 9231.

To disable gd.so module, edit /etc/php/5.2/conf.d/gd.ini and place ; before the extension=gd.so line.

If you require the gd.so module in PHP, you need to install the X11 packages. To do so, run: pkg install SUNWxwplt. Please do this only if the gd.so module is required. The X11 packages install lots of additional software and services that are not needed and use up extra disk space.

Note: As a hack, you can copy the entire /usr/X11 contents from another OpenSolaris install to your OpenSolaris VPS. Contact us for additional information.

NOTE 2

Apache 2.2 is broken as of September 2009 in our OpenSolaris VPS server. Apache may hang and will stop responding to HTTP requests. If you are seeing this, you need to make some minor changes until we get an official fix from Sun/OpenSolaris.

Lighttpd

To use Lighttpd, simply install the Lighttpd binaries: pkg install SUNWlighttpd14. The associated SMF service is:

root@mask:~# svcs lighttpd14
STATE          STIME    FMRI
online         Sep_04   svc:/network/http:lighttpd14
root@mask:~# 

The file system locations for the software: /usr/lighttpd/1.4, /etc/lighttpd/1.4, /var/lighttpd/1.4

To get PHP to work with lighttpd, enable the mod_fastcgi module in /etc/lighttpd/1.4/lighttpd.conf and ensure the following fastcgi configuration is set up in lighttpd.conf:

fastcgi.server             = ( ".php" =>
                             ( "localhost" =>
                               (
                                 "socket" => "/tmp/php-fastcgi.socket",
                                 "bin-path" => "/usr/php/bin/php-cgi"
                               )
                             )
                          )

Nginx

Nginx requires some additional steps, since it is not yet part of the default OpenSolaris release. You can easily install Nginx since it is available on another IPS repository. We start by adding a new webstack repository that contains Nginx:

root@mask:~# pkg set-publisher -O http://pkg.opensolaris.org/webstack/ webstack
root@mask:~# pkg publisher              
PUBLISHER                             TYPE     STATUS   URI
opensolaris.org          (preferred)  origin   online   http://pkg.opensolaris.org/release/
webstack                              origin   online   http://pkg.opensolaris.org/webstack/

Then, install nginx as usual:

root@mask:~# pkg search nginx
INDEX      ACTION    VALUE                     PACKAGE
basename   dir       opt/webstack-source/nginx pkg:/nginx-source@0.6.35-1
basename   dir       var/nginx                 pkg:/nginx@0.6.35-1
basename   dir       etc/nginx                 pkg:/nginx@0.6.35-1
basename   file      usr/nginx/sbin/nginx      pkg:/nginx@0.6.35-1
description set       nginx                     pkg:/nginx-source@0.6.35-1
description set       nginx                     pkg:/nginx@0.6.35-1
pkg.summary set       nginx                     pkg:/nginx-source@0.6.35-1
pkg.summary set       nginx                     pkg:/nginx@0.6.35-1
root@mask:~# pkg install nginx
...

Set up the SMF service for nginx:

root@mask:~# svccfg import /var/svc/manifest/network/http-nginx.xml
root@mask:~# svcadm enable nginx
root@mask:~# svcs nginx
STATE          STIME    FMRI
online         Aug_01   svc:/network/http:nginx
root@mask:~# 

MySQL

Installing the amp package above will also install MySQL 5.1. The file system locations for the software: /usr/mysql, /var/mysql/data, /etc/mysql/my.cnf. To start mysql, just do:

root@wolf:/# svcadm enable mysql
root@wolf:/#

This will install MySQL and set up the initial user tables in /var/mysql/data. You do not have to do anything else. There is no default password set. You should change the mysql passwords as soon as you install it.

Java

Using IPS, you can easily install the latest version of JDK. The general syntax to install the JDK is: pkg install SUNWj<version>dev

root@pana:~# pkg install SUNWj6dev
DOWNLOAD                                    PKGS       FILES     XFER (MB)
Completed                                    2/2     970/970   65.30/65.30 

PHASE                                        ACTIONS
Install Phase                              1231/1231 
root@pana:~# 

This installs the JDK in /usr/java.

Python

To install Python 2.6: pkg install SUNWPython26

IPS is written in the Python programming language, which is one of the reasons Python is already included in your OS, though it is the 2.4 version:

root@pana:~# /usr/bin/python -V
Python 2.4.4
root@pana:~# 

Compiling

You can use the GCC compiler to compile software. To do this, the GCC development cluster (gmake/autoconf/libtool…) needs to be installed: pkg install gcc-dev.

Sun Studio Express

These steps are for using Sun Studio Express in OpenSolaris. It is the recommended compiler on the OpenSolaris platform, as it has been optimized for OpenSolaris. Install the compilers and additional required packages:

  • pkg install sunstudioexpress
  • pkg install SUNWggrp
  • pkg install SUNWbtool

Then, add the following contents to the end of /home/admin/.profile file (we recommend compiling as the admin user, until ready to install software).

DMAKE_MODE=parallel
DMAKE_MAX_JOBS=4
CFLAGS="-fast"
CXXFLAGS="-fast"
export DMAKE_MAX_JOBS DMAKE_MODE CFLAGS CXXFLAGS
export PATH="/opt/SunStudioExpress/bin:$PATH"

Be sure to now source the new .profile or log out and in again to get the new environment in the admin account. That should do it.

Note: Instead of running make, you can run: dmake. This will make your compile a lot faster!

Mail (outgoing)

Sendmail is the default mail software in OpenSolaris.

You can configure sendmail to either be a daemon listening for incoming mail or have it just be a client that can send out mail (the most secure). The latter is required if you have a web site or application that needs to send mail to users. You can use these steps to set up a secure sendmail client:

  • pkg install SUNWsndm
  • svcadm enable sendmail

Running netstat -an | grep LISTEN should now show sendmail ports 25 and 587 listening on localhost.

Note: Some Unix operations (crontab/mail/mailx) also use sendmail client to send out mail.
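
The netstat check above can be scripted so that any listener bound to a non-loopback address stands out. This is an added example, not part of the original page; the function name non_local_listeners, the port allow list and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable from outside the server.
# Input is Solaris-style `netstat -an` text, where the local address is
# written as <ip>.<port> (for example 127.0.0.1.25 or *.22).

# non_local_listeners "ALLOWED PORTS" < netstat-output
# Prints "address port" for every LISTEN socket that is not bound to
# loopback and whose port is not in the space-separated allow list.
non_local_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /LISTEN/ {
            la = $1
            port = la; sub(/.*\./, "", port)       # text after the last dot
            addr = la; sub(/\.[^.]*$/, "", addr)   # text before the last dot
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            if (port in ok) next                         # expected exposure
            print addr, port
        }'
}

# Constructed sample output (not captured from a real server).
sample_netstat() {
    cat <<'EOF'
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
127.0.0.1.587              *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
192.0.2.10.22        198.51.100.7.51515   64240      0 49232      0 ESTABLISHED
EOF
}

# SSH (22) is the only service expected to be exposed on this VPS.
sample_netstat | non_local_listeners "22"
# On the server itself: netstat -an | non_local_listeners "22"
```

An empty result means only loopback listeners and the allowed ports are present; each printed line is a listener to investigate or disable with svcadm.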

Networking

You have full access to the networking stack in the OpenSolaris environment. You can manage firewalls (ipfilter) and listen on the wire for network traffic (snoop). Please look at the ipfilter howto for more information on how to use it.

Defaults

As we've mentioned earlier, the OpenSolaris VPS servers from Entic.net are bare minimum installs. We do this on purpose - we want to provide the hardware and the base OS, the rest is up to you to customize and make your own.

There are, however, some minor changes which we feel are a must and have been done on your server:

svcadm disable rpc/bind
svcadm disable autofs
svcadm disable svc:/network/security/ktkt_warn:default
useradd -s /bin/bash -m admin
useradd -s /usr/bin/pfsh -d / suser
usermod -K type=role root
usermod -P "Primary Administrator" -R root admin
usermod -P "Primary Administrator" -R root suser

We disable rpc/bind because RPC services are usually not required (even though the default rpc/bind service has an SMF property of config/local_only=true, we still disable it as an added security measure). We also disable a couple of services which we find running after the install (shown above).

We then create two users: admin and suser (more on suser below). We also make root an RBAC role, ensuring all direct root logins are disabled.

Both of these accounts are then given the “Primary Administrator” profile. This lets you run commands as root using “pfexec”, e.g. pfexec pkg install SUNWj6dev to install Java. In addition, since root is now a role, we also assign the root role to both the admin and suser users.

suser: suser is a special account we create so we can log in to your server, if there is ever a need. Since root is a role, we can no longer log in as root directly. Please leave this account as is, if at all possible. It has been set up so that no one can log in to it remotely.
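
To confirm these defaults are still in place after later changes, the checks can be scripted. This is an added example, not Entic.net's own tooling; the function names and the sample svcs and /etc/user_attr lines are constructed, and on a live server the input would come from svcs -aH -o state,fmri and from /etc/user_attr.

```shell
#!/bin/sh
# Added example: audit the hardening listed under "Defaults".
# All sample data below is constructed, not captured from a real server.

# not_disabled "NAMES" < output of `svcs -aH -o state,fmri`
# Prints "fmri state" for each named service that is not disabled.
not_disabled() {
    awk -v names="$1" '
        BEGIN { n = split(names, w, " ") }
        { for (i = 1; i <= n; i++)
              if (index($2, w[i]) && $1 != "disabled") print $2, $1 }'
}

# root_is_role < /etc/user_attr ; succeeds only if root carries type=role.
root_is_role() {
    awk -F: '$1 == "root" && $5 ~ /(^|;)type=role(;|$)/ { ok = 1 }
             END { exit !ok }'
}

# root_role_holders < /etc/user_attr ; prints users allowed to assume root.
root_role_holders() {
    awk -F: '$1 !~ /^#/ && $5 ~ /(^|;)roles=([^;]*,)?root(,|;|$)/ { print $1 }'
}

sample_svcs() {
    cat <<'EOF'
disabled svc:/network/rpc/bind:default
disabled svc:/system/filesystem/autofs:default
online svc:/network/security/ktkt_warn:default
online svc:/network/ssh:default
EOF
}

sample_user_attr() {
    cat <<'EOF'
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
admin::::profiles=Primary Administrator;roles=root
suser::::profiles=Primary Administrator;roles=root
webuser::::profiles=Basic Solaris User
EOF
}

sample_svcs | not_disabled "rpc/bind autofs ktkt_warn"
sample_user_attr | root_is_role && echo "root is a role"
sample_user_attr | root_role_holders
```

In the constructed data, ktkt_warn is reported because it has been re-enabled, and admin and suser are the only accounts that can assume the root role; any other name in that list deserves review.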

opensolaris_vps.txt · Last modified: 2010/02/26 16:07 by admin