opensolaris_vps

Differences

This shows you the differences between two versions of the page.

opensolaris_vps [2010/02/12 04:08]
admin
opensolaris_vps [2010/02/26 16:07] (current)
admin
Line 1: Line 1:
 +====== Overview ======
 +
 +Your OpenSolaris VPS (2009.06 release) is accessible only through SSH. All network services are disabled by default with the exception of SSH. The server comes with minimal software and changes (see [[OpenSolaris_VPS#​Defaults]] for more information).
 +
 +===== Image Packaging System =====
 +
 +OpenSolaris no longer uses the old Solaris based packaging (e.g. pkgadd or pkgrm...). In the new packaging architecture in OpenSolaris,​ all the latest software is on a remote repository (called "​publisher"​ in IPS). You can also [[http://​pkg.opensolaris.org/​release|peek at the available software]] using the browser.
 +
 +IPS package management is done through the single **pkg** command:
 +
 +  * **pkg help** shows a usage guide
 +  * **pkg list** shows packages that are installed
 +  * **pkg search string** search for packages with the given string (or filename) in them
 +  * **pkg install package** install specified package
 +  * **pkg uninstall package** remove specified package
 +
 +Installing a package also installs all its dependency packages. Uninstalling will only remove the specified package, unless the -r option is also specified. You can also pass -n option to do a quick "dry run" of most of these commands.
 +
 +Note 1: The default publisher is /release. You can also use a [[http://​dlc.sun.com/​osol/​docs/​content/​2009.06/​IMGPACKAGESYS/​giifx.html|/​contrib or another publisher]] with extra software that is not found in /release.
 +
 +  root@mask:​~#​ pkg publisher
 +  PUBLISHER ​                            ​TYPE ​    ​STATUS ​  URI
 +  opensolaris.org ​         (preferred) ​ origin ​  ​online ​  ​http://​pkg.opensolaris.org/​release/​
 +  root@mask:​~# ​
 +
 +===== SMF =====
 +
 +You should also be familiar with Solaris 10's SMF framework, which is in OpenSolaris as well. SMF is a framework for managing the services that run on your OpenSolaris server. To get started you only need to know two commands: **svcs** and **svcadm**. Running just "svcs -a" will show all the services that are either enabled or disabled.
 +
 +  root@fans:/#​ svcs ftp
 +  STATE          STIME    FMRI
 +  online ​        ​11:​20:​48 svc:/​network/​ftp:​default
 +  root@fans:/#​
 +
 +That command shows FTP is running. To disable FTP to your server, you would do:
 +
 +  root@fans:/#​ svcadm disable ftp
 +  root@fans:/#​ svcs ftp
 +  STATE          STIME    FMRI
 +  disabled ​      ​11:​43:​56 svc:/​network/​ftp:​default
 +  root@fans:/#​
 +
 +====== Installing Software ======
 +
 +===== Recommended =====
 +
 +Since these are plain vanilla OpenSolaris builds, some packages are missing. Here is a short list of items we recommend installing to customize your environment:​
 +
 +  * pkg install SUNWman ​  (man pages)
 +  * pkg install SUNWwget ​ (wget)
 +  * pkg install SUNWgtar ​ (GNU tar)
 +  * pkg install SUNWbind ​ (nslookup, dig, and friends)
 +
 +
 +===== OpenSolaris Web Stack 1.5 =====
 +
 +In addition to specific packages as mentioned above, IPS also has "​grouped"​ packages. Installing these packages installs all the components in that group. To install the latest stable versions of the common web infrastructure software (apache, mysql, php), run: **pkg install amp**. You can also see the official Getting Started Guide to [[http://​wikis.sun.com/​display/​WebStack/​Sun+GlassFish+Web+Stack+Documentation|Webstack]].
 +
 +The configuration directories are:
 +
 +  * /​etc/​php/​5.2
 +  * /​etc/​apache2/​2.2
 +  * /​etc/​mysql/​5.1
 +
 +The /var ("​variable data" location) is where all the logs and data files should reside in:
 +
 +  * /​var/​php/​5.2
 +  * /​var/​mysql/​data (links to /​var/​mysql/​5.1/​data)
 +  * /​var/​apache2/​2.2
 +
 +The binaries and libs for the above software reside in:
 +
 +  * /​usr/​apache2/​2.2
 +  * /usr/mysql (links to /​usr/​mysql/​5.1)
 +  * /usr/php (links to /​usr/​php/​5.2)
 +
 +The web site data should be put in /​usr/​apache2/​2.2/​htdocs. The web server by default runs as the **webservd** user and group. You can also use Lighttpd or Nginx web servers instead of Apache (see below).
 +
 +The following shows the SMF service names associated with apache and mysql:
 +
 +  root@mask:​~#​ svcs mysql
 +  STATE          STIME    FMRI
 +  disabled ​      ​Sep_02 ​  ​svc:/​application/​database/​mysql:​version_51
 +  root@mask:​~#​ svcs apache22
 +  STATE          STIME    FMRI
 +  disabled ​      ​Sep_02 ​  ​svc:/​network/​http:​apache22
 +  root@mask:​~# ​
 +
 +
 +==== Known Issues ====
 +=== NOTE 1 ===
 +**The gd.so module included with PHP is broken as of September 2009 in our OpenSolaris VPS server.** Apache will fail to start because of this! You need to either disable PHP's gd.so module OR additional software needs to be installed. This is due to bug [[http://​defect.opensolaris.org/​bz/​show_bug.cgi?​id=9231|9231]].
 +
 +To disable gd.so module, edit **/​etc/​php/​5.2/​conf.d/​gd.ini** and place **;** before the **extension=gd.so** line.
 +
 +If you **require gd.so** module in PHP, you need to install the X11 packages. To do so run: **pkg install SUNWxwplt**. Please do this only if gd.so module is required. The X11 packages install lots of additional software and services that are not needed and uses up extra disk space.
 +
 +Note: As a hack, you can copy the entire /usr/X11 contents from another OpenSolaris install to your OpenSolaris VPS. Contact us for additional information.
 +
 +=== NOTE 2 ===
 +**Apache 2.2 is broken as of September 2009 in our OpenSolaris VPS server.** Apache may hang and will stop responding to HTTP requests. **If you are seeing this**, you need to make {{:​portfs_hang.tar.gz|some minor changes}}, until we get official fix from Sun/​OpenSolaris.
 +
 +
 +
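Review bot: In NOTE 2 the fix for the Apache hang is given only as a link to portfs_hang.tar.gz labelled "some minor changes", so a reader is asked to apply an archive without knowing what it modifies. List the files the archive replaces or the configuration lines it changes directly in this section, and say how to revert them once the official fix from Sun/OpenSolaris is available.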
 +==== Lighttpd ====
 +
 +To use Lighttpd, simply install the Lighttpd binaries: **pkg install SUNWlighttpd14**. The associated SMF service is:
 +
 +  root@mask:​~#​ svcs lighttpd14
 +  STATE          STIME    FMRI
 +  online ​        ​Sep_04 ​  ​svc:/​network/​http:​lighttpd14
 +  root@mask:​~# ​
 +
 +The file system locations for the software: /​usr/​lighttpd/​1.4,​ /​etc/​lighttpd/​1.4,​ /​var/​lighttpd/​1.4
 +
 +To get PHP to work with lighttpd, enable **mod_fastcgi** module in /​etc/​lighttpd/​1.4/​lighttpd.conf and ensure the following fastcgi configuration is setup in lighttpd.conf:​
 +
 +  fastcgi.server ​            = ( "​.php"​ =>
 +                               ( "​localhost"​ =>
 +                                 (
 +                                   "​socket"​ => "/​tmp/​php-fastcgi.socket",​
 +                                   "​bin-path"​ => "/​usr/​php/​bin/​php-cgi"​
 +                                 )
 +                               )
 +                            )
 +
 +
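Review bot: The fastcgi.server block places the PHP socket at /tmp/php-fastcgi.socket, and /tmp is writable by every local user on the server. Point "socket" at a directory that only the web server account can write to, for example one under /var/lighttpd/1.4, which this section already lists as a Lighttpd location. Also state which user lighttpd and php-cgi run as, since the page names webservd only in the Apache paragraph.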
 +==== Nginx ====
 +
 +Nginx requires some additional steps, since it is not yet part of the default OpenSolaris release. You can easily install Nginx since it is available on another IPS repository. We start off with adding a new webstack repository that contains Nginx:
 +
 +
 +  root@mask:​~#​ pkg set-publisher -O http://​pkg.opensolaris.org/​webstack/​ webstack
 +  root@mask:​~#​ pkg publisher ​             ​
 +  PUBLISHER ​                            ​TYPE ​    ​STATUS ​  URI
 +  opensolaris.org ​         (preferred) ​ origin ​  ​online ​  ​http://​pkg.opensolaris.org/​release/​
 +  webstack ​                             origin ​  ​online ​  ​http://​pkg.opensolaris.org/​webstack/​
 +
 +Then, install nginx as usual:
 +
 +  root@mask:​~#​ pkg search nginx
 +  INDEX      ACTION ​   VALUE                     ​PACKAGE
 +  basename ​  ​dir ​      ​opt/​webstack-source/​nginx pkg:/​nginx-source@0.6.35-1
 +  basename ​  ​dir ​      ​var/​nginx ​                ​pkg:/​nginx@0.6.35-1
 +  basename ​  ​dir ​      ​etc/​nginx ​                ​pkg:/​nginx@0.6.35-1
 +  basename ​  ​file ​     usr/​nginx/​sbin/​nginx ​     pkg:/​nginx@0.6.35-1
 +  description set       ​nginx ​                    ​pkg:/​nginx-source@0.6.35-1
 +  description set       ​nginx ​                    ​pkg:/​nginx@0.6.35-1
 +  pkg.summary set       ​nginx ​                    ​pkg:/​nginx-source@0.6.35-1
 +  pkg.summary set       ​nginx ​                    ​pkg:/​nginx@0.6.35-1
 +  root@mask:​~#​ pkg install nginx
 +  ...
 +  ​
 +Setup SMF service for nginx.
 +
 +  root@mask:​~#​ svccfg import /​var/​svc/​manifest/​network/​http-nginx.xml
 +  root@mask:​~#​ svcadm enable nginx
 +  root@mask:​~#​ svcs nginx
 +  STATE          STIME    FMRI
 +  online ​        ​Aug_01 ​  ​svc:/​network/​http:​nginx
 +  root@mask:​~# ​
 +
 +
 +==== MySQL ====
 +
 +Installing the amp package above will also install MySQL 5.1. The file system locations for the software: /usr/mysql, /​var/​mysql/​data,​ /​etc/​mysql/​my.cnf. To start mysql, just do:
 +
 +  root@wolf:/#​ svcadm enable mysql
 +  root@wolf:/#​
 +
 +This will install MySQL and the setup the initial user tables in /​var/​mysql/​data. You do not have to do anything else. There is no default password set. You should [[http://​www.cyberciti.biz/​faq/​mysql-change-root-password/​|change the mysql passwords]] as soon as you install it.
 +
 +
 +
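Review bot: The paragraph after the svcadm enable mysql example says "This will install MySQL", but the paragraph before it says the amp package already installed MySQL 5.1, so the command only starts the service and sets up the initial tables; the same sentence has the typo "the setup the". Since the paragraph also states that no default password is set, move the password change directly under the enable command as a required step rather than a closing remark, and summarise the procedure here instead of relying only on the external link.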
 +===== Java =====
 +
 +Using IPS, you can easily install the latest version of JDK. The general syntax to install the JDK is: **pkg install SUNWj<​version>​dev**
 +
 +  root@pana:​~#​ pkg install SUNWj6dev
 +  DOWNLOAD ​                                   PKGS       ​FILES ​    XFER (MB)
 +  Completed ​                                   2/2     ​970/​970 ​  ​65.30/​65.30 ​
 +  ​
 +  PHASE                                        ACTIONS
 +  Install Phase                              1231/​1231 ​
 +  root@pana:​~# ​
 +
 +This installs the JDK in /​usr/​java. ​
 +
 +
 +===== Python =====
 +
 +To install Python 2.6: **pkg install SUNWPython26**
 +
 +IPS uses the Python programming language, this is one of the reasons Python is already included in your OS, though it is the 2.4 version: ​
 +
 +  root@pana:​~#​ /​usr/​bin/​python -V
 +  Python 2.4.4
 +  root@pana:​~# ​
 +
 +====== Compiling ======
 +
 +You can use the GCC compiler to compile software. To do this, the GCC development cluster (gmake/​autoconf/​libtool...) needs to be installed: **pkg install gcc-dev**. ​
 +
 +
 +**Sun Studio Express**
 +
 +These steps are for using Sun Studio Express in OpenSolaris. It is the recommend compiler on the OpenSolaris platform - it has been optimized for OpenSolaris. Install compilers and additional required packages:
 +
 +  * **pkg install sunstudioexpress**
 +  * **pkg install SUNWggrp**
 +  * **pkg install SUNWbtool**
 +
 +Then, add the following contents to the end of **/​home/​admin/​.profile** file (we recommend compiling as the admin user, until ready to install software).
 +
 +  DMAKE_MODE=parallel
 +  DMAKE_MAX_JOBS=4
 +  CFLAGS="​-fast"​
 +  CXXFLAGS="​-fast"​
 +  export DMAKE_MAX_JOBS DMAKE_MODE CFLAGS CXXFLAGS
 +  export PATH="/​opt/​SunStudioExpress/​bin:​$PATH"​
 +
 +Be sure to now source the new **.profile** or log out and in again to get the new environment in the admin account. That should do it. 
 +
 +Note: Instead of running **make**, you can run: **dmake**. This will make your compile a lot faster!
 + 
 +
 +
 +====== Mail (outgoing) ======
 +
 +Sendmail is the default mail software in OpenSolaris.
 +
 +You can configure sendmail to either be a daemon listening for incoming mail or have it just be a client that can send out mail (the most secure). The latter is required if you have a web site or application that needs to send mail to users. You can use these steps to setup a secure [[http://​sial.org/​howto/​sendmail/​client|**sendmail client**]]:
 +
 +  * pkg install SUNWsndm
 +  * svcadm enable sendmail
 + 
 +Doing ''​netstat -an |grep LISTEN''​ should now show that sendmail ports 25 and 587 running on localhost in a secure environment.
 +
 +Note: Some Unix operations (crontab/​mail/​mailx) also use sendmail client to send out mail. 
 +
 +
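Review bot: The verification sentence after the sendmail steps ("should now show that sendmail ports 25 and 587 running on localhost in a secure environment") does not tell the reader what to look for and is missing a verb. Show the expected netstat lines with both listeners bound to 127.0.0.1 rather than to all interfaces, so a reader can tell a client-only setup from a daemon accepting remote mail. The two listed commands only install and enable sendmail, so say whether that alone gives the localhost-only binding or whether the steps in the linked sial.org howto are also required.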
 +====== Networking ======
 +
 +You have full access to the networking stack in the OpenSolaris environment. You can manage firewalls (ipfilter) and listen on the wire for network traffic (snoop). Please look at the [[http://​www.obfuscation.org/​ipf/​ipf-howto.html|ipfilter howto]] for more information on how to use it.
 +
 +
 +
 +====== Defaults ======
 +
 +As we've mentioned earlier, the OpenSolaris VPS servers from Entic.net are bare minimum installs. We do this on purpose - we want to provide the hardware and the base OS, the rest is up to you to customize and make your own. 
 +
 +There are, however, some minor changes which we feel are a must and have been done on your server:
 +
 +  svcadm disable rpc/bind
 +  svcadm disable autofs
 +  svcadm disable svc:/​network/​security/​ktkt_warn:​default
 +  useradd -s /bin/bash -m admin
 +  useradd -s /​usr/​bin/​pfsh -d / suser
 +  usermod -K type=role root
 +  usermod -P "​Primary Administrator"​ -R root admin
 +  usermod -P "​Primary Administrator"​ -R root suser
 +
 +We disable rpc/bind because RPC services are usually not required (even though the default rpc/bind service has a SMF property of **config/​local_only=true**,​ we still disable it as an added security measure). We also disable a couple of services which we find running after the install (shown above).
 +
 +We then create two users: admin and suser (more on //suser// below). We also make root a RBAC role, ensuring all direct root logins are disabled.
 +
 +Both of these accounts are then given the "​Primary Administrator"​ profile. This makes it so you can run commands as root using the "​pfexec":​ e.g. **pfexec pkg install SUNWj6dev** to install Java. In addition, since root is now a role, we also assign the root role to both admin and suser users.
 +
 +**suser**: suser is a special account we create so we can login to your server, if there is ever a need. Since root is a role, we can no longer login as root directly. Please leave this account as is, if at all possible. It has been setup so no one can login to it, remotely.
 +
 +
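Review bot: The suser paragraph says the account exists "so we can login to your server" and also that "no one can login to it, remotely", while the command list shows it receiving the "Primary Administrator" profile and the root role; nothing in this section says how the provider reaches the account or what blocks remote logins to it. Document the mechanism (how access is gained and which setting prevents SSH logins) so a customer can audit an account with full root rights, and state what stops working if the customer removes it.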
  
opensolaris_vps.txt · Last modified: 2010/02/26 16:07 by admin