solaris_cloud_servers

Overview

Your Solaris Cloud Server is reachable only over SSH: every other network service is disabled by default. The server ships with minimal software and only a handful of deliberate changes (see Defaults below).

Image Packaging System

Solaris Cloud Servers no longer use the old SVR4 Solaris packaging tools (pkgadd, pkgrm and friends). With IPS, the Image Packaging System, all software is fetched from a remote repository (called a “publisher” in IPS terms). You can also browse the available software in a web browser.

IPS package management is done through the single pkg command:

  • pkg help shows a usage guide
  • pkg list shows packages that are installed
  • pkg search string searches for packages matching the given string (package names, file names or dependencies)
  • pkg install package install specified package
  • pkg uninstall package remove specified package

Installing a package also installs all of its dependencies. Uninstalling removes only the specified package unless you add -r, which also removes the packages that depend on it. Most of these commands accept -n for a “dry run” that reports what would change without changing anything; use it before any uninstall on a production server.

Other good pkg tips:

  • pkg search -l 'depend::web/server/apache-22' shows which installed packages depend on apache-22
  • pkg search -l httpd shows installed packages that contain a file called httpd
  • pkg info pkg:/developer/java/jdk shows information about the Java JDK package
  • pkg contents pkg:/web/server/apache-22 lists the files that come with the given package
  • pkg contents -m pkg:/developer/java/jdk | grep depend shows which other packages are pulled in when you install pkg:/developer/java/jdk

Add -r to any of the above to query the remote repositories instead; without it they only report on locally installed packages.

SMF

You should also be familiar with SMF, the Service Management Facility introduced in Solaris 10, which manages the services on your Solaris Cloud Server as well. To get started you only need two commands: svcs and svcadm. Running “svcs -a” lists all services, enabled or disabled, with their current state.

root@fans:/# svcs ftp
STATE          STIME    FMRI
online         11:20:48 svc:/network/ftp:default
root@fans:/#

That output shows the FTP service is online. To disable FTP on your server:

root@fans:/# svcadm disable ftp
root@fans:/# svcs ftp
STATE          STIME    FMRI
disabled       11:43:56 svc:/network/ftp:default
root@fans:/#

Installing Software

When you first log in to your server, you might see something like this:

root@save:~# zfs list
NAME                  USED  AVAIL  REFER  MOUNTPOINT
zones                11.8G   448G    39K  /zones
zones/save           1.91G  3.09G    33K  /zones/save
zones/save/LOCAL       31K  3.09G    31K  /usr/local
zones/save/ROOT      1.91G  3.09G    31K  legacy
zones/save/ROOT/zbe  1.91G  3.09G  1.91G  legacy
root@save:~# 

It is highly recommended that you install all non-standard software into the zones/save/LOCAL file system (mounted at /usr/local). Keeping applications and data separate from the root file system is best practice, and it makes your additions easy to find and to carry along when the zone is moved.

You could even move your own configuration files into this file system, for better portability and management.

Solaris Webstack

In addition to the individual packages mentioned above, IPS also has group packages; installing one installs every component in the group. To install the latest stable versions of the common web stack (Apache, MySQL, PHP), run: pkg install pkg:/web/amp. See also the official Getting Started Guide to Webstack.

The configuration directories are:

  • /etc/php/5.2
  • /etc/apache2/2.2
  • /etc/mysql/5.1

/var (the “variable data” location) is where all logs and data files live:

  • /var/php/5.2
  • /var/mysql/data (links to /var/mysql/5.1/data)
  • /var/apache2/2.2

The binaries and libs for the above software reside in:

  • /usr/apache2/2.2
  • /usr/mysql (links to /usr/mysql/5.1)
  • /usr/php (links to /usr/php/5.2)

The web site data should be put in /usr/apache2/2.2/htdocs. The web server by default runs as the webservd user and group. You can also use Lighttpd or Nginx web servers instead of Apache (see below).

The following shows the SMF service names associated with apache and mysql:

root@mask:~# svcs mysql
STATE          STIME    FMRI
disabled       Sep_02   svc:/application/database/mysql:version_51
root@mask:~# svcs apache22
STATE          STIME    FMRI
disabled       Sep_02   svc:/network/http:apache22
root@mask:~# 

Lighttpd

To use Lighttpd, simply install the Lighttpd binaries: pkg install pkg:/web/server/lighttpd-14. The associated SMF service is:

root@mask:~# svcs lighttpd14
STATE          STIME    FMRI
online         Sep_04   svc:/network/http:lighttpd14
root@mask:~# 

The file system locations for the software: /usr/lighttpd/1.4, /etc/lighttpd/1.4, /var/lighttpd/1.4

To get PHP working with lighttpd, enable the mod_fastcgi module in /etc/lighttpd/1.4/lighttpd.conf and make sure a fastcgi.server block like the following is present. With bin-path set, lighttpd spawns php-cgi itself and creates the socket; since /tmp is world-writable, you may prefer to point the socket at a directory that only the lighttpd user can write to.

fastcgi.server             = ( ".php" =>
                             ( "localhost" =>
                               (
                                 "socket" => "/tmp/php-fastcgi.socket",
                                 "bin-path" => "/usr/php/bin/php-cgi"
                               )
                             )
                          )

Nginx

Install nginx as usual:

root@mask:~# pkg search -p nginx
PACKAGE                                   PUBLISHER
pkg:/service/network/nginx@0.8.53-0.151.1 sfe
root@mask:~# pkg install pkg:/service/network/nginx
...

Set up the SMF service for nginx:

root@mask:~# svccfg import /var/svc/manifest/network/http-nginx.xml
root@mask:~# svcadm enable nginx
root@mask:~# svcs nginx
STATE          STIME    FMRI
online         Aug_01   svc:/network/http:nginx
root@mask:~# 

MySQL

Installing the amp package above also installs MySQL 5.1. File system locations: /usr/mysql (binaries), /var/mysql/data (data), /etc/mysql/my.cnf (configuration). To start MySQL:

root@wolf:/# svcadm enable mysql
root@wolf:/#

Enabling the service initializes the data directory and the grant tables in /var/mysql/data; nothing else is needed. The MySQL root account has no password at that point, so set one immediately, for example with /usr/mysql/bin/mysqladmin -u root password 'newpass' or by running mysql_secure_installation (which also removes the anonymous accounts and the test database), before anything else can reach the server.

Java

Installing Java JRE and the JDK:

root@pana:~# pkg install pkg:/developer/java/jdk
DOWNLOAD                                    PKGS       FILES     XFER (MB)
Completed                                    2/2     970/970   65.30/65.30 

PHASE                                        ACTIONS
Install Phase                              1231/1231 
root@pana:~# 

This installs the JDK in /usr/jdk and links for java and javac in /usr.

Mail (outgoing)

Sendmail is the standard mail software on Solaris Cloud Servers, but it is not installed by default. To install it and enable it as a loopback-only MTA:

  • pkg install pkg:/service/network/smtp/sendmail
  • svcadm enable smtp:sendmail

Right after the pkg install, only the sendmail-client service (the Mail Submission Program, MSP) is online. The MSP handles outgoing mail only and does not accept incoming connections; it hands each message to an MTA on 127.0.0.1.

So if a local program (cron, mail/mailx, a web site) sends mail at this point, you will see a Connection Refused error in /var/log/syslog, because nothing is listening on 127.0.0.1 yet. Enabling svc:/network/smtp:sendmail, as shown above, starts that MTA.

The sendmail MTA runs in local-only mode, bound to 127.0.0.1 and not reachable from other hosts. Verify this by checking which addresses ports 25 and 587 are bound to:

root@save:~# netstat -an |egrep "\.25|\.587" |grep LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.587              *.*                0      0 128000      0 LISTEN
root@save:~# svcs -av|grep sendmail
online         -              7:33:19   7273 svc:/network/smtp:sendmail
online         -              7:33:59   7274 svc:/network/sendmail-client:default
root@save:~# 
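The grep above is fine for two ports, but once you enable more services it is worth classifying every listening socket rather than eyeballing them. The script below is an added example, not part of the original page: it parses Solaris-style netstat -an output, where the local address is printed as address.port, and reports each LISTEN socket as LOCAL (bound to 127.0.0.1 or ::1) or EXPOSED (the wildcard * or a real interface address). The sample netstat lines are constructed for the example; on a live server pipe netstat -an into classify_listeners instead.

```shell
#!/bin/sh
# Added example (not from the original page): classify listening sockets from
# Solaris-style "netstat -an" output. Assumes the local address is printed as
# host.port (e.g. 127.0.0.1.25, *.22, ::1.25) and the last column is the state.

# Reads netstat output on stdin and prints one line per LISTEN socket:
#   LOCAL   <host> <port>   loopback-only, unreachable from other hosts
#   EXPOSED <host> <port>   wildcard (*) or an interface address
classify_listeners() {
    awk '$NF == "LISTEN" {
        addr = $1
        port = addr; sub(/.*\./, "", port)        # text after the last dot
        host = addr; sub(/\.[0-9]+$/, "", host)   # everything before it
        tag = (host == "127.0.0.1" || host == "::1") ? "LOCAL" : "EXPOSED"
        printf "%s %s %s\n", tag, host, port
    }'
}

# Ports reachable from off-host, one per line, ascending.
exposed_ports() {
    classify_listeners | awk '$1 == "EXPOSED" { print $3 }' | sort -n
}

# Constructed sample in the netstat -an layout shown above: sshd on the
# wildcard address, the sendmail MTA on loopback, a MySQL listener that was
# enabled without being bound to loopback, and one established SSH session.
SAMPLE_NETSTAT='      *.22                 *.*                0      0 128000      0 LISTEN
127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.587              *.*                0      0 128000      0 LISTEN
      *.3306               *.*                0      0 128000      0 LISTEN
10.0.0.5.22          10.0.0.9.41022     65535      0 128000      0 ESTABLISHED'

# Demo run over the sample; on a live server use: netstat -an | classify_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | classify_listeners
```

Anything tagged EXPOSED that you did not intend to serve to the public interface should either be bound to 127.0.0.1 (or to the save-be back-end address described under Networking) or disabled with svcadm.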

Networking

You have full access to the networking stack in the Solaris Cloud Servers environment: you can manage the firewall (ipfilter) and capture traffic on the wire (snoop). See the ipfilter howto for more information on how to use it.

You will also have two interfaces configured. One is the public facing and the other is the private interface.

root@save:~# ipadm show-if
IFNAME     STATE    CURRENT      PERSISTENT
lo0        ok       -m-v------46 ---
save0      ok       bm--------46 ---
save1      ok       bm--------4- ---
root@save:~# 

save.entic.net is the host (and zone) name. save0 is the public interface with a routable IP address (save.entic.net) assigned; save1 carries a non-routable back-end address from 10.0.0.0/8 (save-be.entic.net).

Use the save-be.entic.net address when communicating with other Cloud Servers in the Entic.net environment, so that traffic between your servers stays on the private network rather than the public interface.

Upgrades

Our servers are Solaris non-global zones (“Zones”). A zone shares the kernel of the host it runs on, so upgrading the kernel means moving the zone to a host that runs the newer OS. We do our best to keep your Solaris based Server on the latest stable release.

In general, the upgrades are done by moving your older Zone to a different hardware with the upgraded OS/apps.

The latest version of our Solaris based Cloud Servers is OpenIndiana b151a2 (0.5.11-0.151.1.2). You can request to be upgraded to this version anytime, by contacting support.

Production Server Upgrades

This is the recommended upgrade process for people running the usual stack of Apache/Nginx/Lighttpd and PHP/MySQL.

  • Shutdown Zone
  • Transfer Zone and data to upgraded OS/Kernel system
  • Boot Zone

The original Zone is left on the old system, for recovery purposes. The time it takes to do the above steps is about 5 minutes. Some adjustments are made to your system to ensure that it follows our standard Server builds.

Critical Server Upgrades

For production and critical servers we recommend the following upgrade process. It is time consuming on our side, so please request it only for your truly critical servers that need minimal downtime. We also recommend it for servers with custom software, since it lets you test that software on the newer OS first.

There is about 30 seconds of downtime while the server is shut down and restarted:

  • Shutdown Production Zone
  • Take snapshot and Boot Production Zone (on the old existing version)
  • Transfer and Boot the upgraded Zone under different IP
  • Customer confirms the new Test Zone upgrade is successful at the new IP

Repeat process to do a final Upgrade/move after Customer confirms successful testing:

  • Shutdown Production Zone
  • Transfer Production Zone and data to upgraded OS/Kernel system
  • Boot Production Zone

The original Zone is left on the old system for recovery purposes. The final upgrade above takes about 5 minutes. Some adjustments are made to your system so that it follows our standard Server builds.

Post-Upgrade

When the upgrade is done, the kernel and the standard software have been upgraded too. You may be left with older packages that are no longer maintained or that require a manual upgrade. First, get the current version string:

root@tail:~# pkg list entire
NAME (PUBLISHER)                              VERSION         STATE      UFOXI
entire                                        0.5.11-0.151.1.2 installed  -----
root@tail:~# 

Then:

root@tail:~# pkg list |grep -v 151.1.2
NAME (PUBLISHER)                              VERSION         STATE      UFOXI
library/icu (opensolaris.org)                 0.5.11-0.134.0.2 installed  u----
nginx (webstack)                              0.6.35-1        installed  u----
root@tail:~# 

That shows two packages that are not on the 0.5.11-0.151.1.2 version of the distribution. This can be normal if you have non-standard packages; it is also a good opportunity to remove obsolete packages. In the above case, let's examine nginx further:

root@tail:~# pkg info -r nginx
          Name: nginx
       Summary: nginx web server
         State: Installed
     Publisher: webstack
       Version: 0.6.35
 Build Release: 5.11
        Branch: 1
Packaging Date: Fri May 15 01:05:03 2009
          Size: 6.21 MB
          FMRI: pkg://webstack/nginx@0.6.35,5.11-1:20090515T010503Z

          Name: service/network/nginx
       Summary: Free, open-source, high-performance HTTP server and reverse proxy
      Category: System/Services
         State: Not installed
     Publisher: sfe
       Version: 0.8.53
 Build Release: 5.11
        Branch: 0.151.1
Packaging Date: Fri Oct 14 22:06:24 2011
          Size: 8.06 MB
          FMRI: pkg://sfe/service/network/nginx@0.8.53,5.11-0.151.1:20111014T220624Z
root@tail:~# 

In this case there is a newer nginx on the 0.151.1 branch, from a different publisher (sfe). You can uninstall the old one (it came from another IPS publisher, webstack) and install the one from the 0.151.1 branch. Before you do, compare the two packages' file layouts with pkg contents and pkg contents -r and keep a copy of your nginx.conf, since a package from a different publisher need not use the same configuration paths.

Defaults

As we've mentioned earlier, the Solaris Cloud Servers from Entic.net are bare minimum installs. We do this on purpose - we want to provide the hardware and the base OS, the rest is up to you to customize and make your own.

There are, however, some minor changes which we feel are a must and have been done on your server:

svcadm disable rpc/bind autofs ktkt_warn svc:/network/rpc/gss:default
useradd -s /bin/bash -m admin
useradd -s /usr/bin/pfsh -d / suser
usermod -K type=role root
usermod -P "Primary Administrator" -R root admin
usermod -P "Primary Administrator" -R root suser

We disable rpc/bind because RPC services are usually not required (the default rpc/bind service already has the SMF property config/local_only=true, but we disable it anyway as an added measure). We also disable a couple of other services that we find running after the install (shown above).

We then create two users, admin and suser (more on suser below), and turn root into an RBAC role. A role cannot log in directly, so this disables all direct root logins; root can only be assumed, via su root, by a user who has been assigned the role. We assign the root role to both admin and suser.

Both accounts are also given the “Primary Administrator” profile.

That profile is what lets the admin user run individual commands as root through pfexec, for example pfexec pkg install pkg:/service/network/smtp/sendmail to install Sendmail, without switching to the root role for a full shell.

suser: suser is a special account we create so that we can log in to your server if there is ever a need. Since root is a role, nobody can log in as root directly. Please leave this account as is if at all possible. It is set up so that it cannot be logged into remotely.
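The commands above record their result in /etc/user_attr, and that file is where to look when you later want to know who can still become root on a server. The script below is an added example, not part of the original page: it parses user_attr lines (name:qualifier:res1:res2:attr, with attr a semicolon-separated list of key=value pairs), reports whether a given account is defined as a role, and lists every account whose roles= entry includes a given role. The user_attr entries it runs on are constructed for the example and simplified; the real root entry carries more attributes.

```shell
#!/bin/sh
# Added example (not from the original page): audit the RBAC setup described
# above by parsing /etc/user_attr, whose lines are
#   name:qualifier:res1:res2:attr   with attr = key=value;key=value;...
# The sample entries are constructed; on a live server feed the real file.

# Reads user_attr on stdin; prints "role" if $1 is defined as a role
# (type=role), "normal" if it has an entry without that, "missing" otherwise.
account_kind() {
    awk -F: -v u="$1" '
        /^#/ || NF < 5 { next }
        $1 == u {
            kind = "normal"
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) if (kv[i] == "type=role") kind = "role"
        }
        END { if (kind == "") kind = "missing"; print kind }'
}

# Reads user_attr on stdin; prints every account whose roles= list includes
# $1, i.e. everyone who can "su" to that role.
who_can_assume() {
    awk -F: -v r="$1" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^roles=/) {
                    sub(/^roles=/, "", kv[i])
                    m = split(kv[i], rl, ",")
                    for (j = 1; j <= m; j++) if (rl[j] == r) print $1
                }
            }
        }'
}

# Constructed sample: roughly what the useradd/usermod commands above leave
# behind, plus a "deploy" user that holds a different role and a comment line.
SAMPLE_USER_ATTR='# user_attr(4) sample, constructed for this example
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
admin::::profiles=Primary Administrator;roles=root
suser::::profiles=Primary Administrator;roles=root
deploy::::roles=operator'

# Demo run; on a live server use: account_kind root < /etc/user_attr, etc.
printf '%s\n' "$SAMPLE_USER_ATTR" | account_kind root
printf '%s\n' "$SAMPLE_USER_ATTR" | who_can_assume root
```

On the server itself, roles admin is the quick way to see which roles admin holds; the script is useful for reviewing a copy of user_attr, for instance from a zone you are about to move, and for catching any extra account that has quietly acquired roles=root.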

solaris_cloud_servers.txt · Last modified: 2012/05/16 14:48 by admin