Your Solaris Cloud Server is accessible only through SSH. All network services are disabled by default with the exception of SSH. The server comes with minimal software and changes (see Defaults for more information).
Solaris Cloud Servers no longer use the old Solaris based packaging (e.g. pkgadd or pkgrm…). In the new packaging architecture in Solaris Cloud Servers, all the latest software is on a remote repository (called “publisher” in IPS). You can also peek at the available software using the browser.
IPS package management is done through the single pkg command:
Installing a package also installs all its dependency packages. Uninstalling will only remove the specified package, unless the -r option is also specified. You can also pass -n option to do a quick “dry run” of most of these commands.
Other good pkg tips:
You can also pass the -r option to the above commands to get the same information from the Remote repositories. Without the -r, it will show from local installed packages only.
You should also be familiar with Solaris 10's SMF framework, which is in our Solaris Cloud Servers as well. SMF is a framework for managing the services that run on your server. To get started you only need to know two commands: svcs and svcadm. Running just “svcs -a” will show all the services that are either enabled or disabled.
root@fans:/# svcs ftp STATE STIME FMRI online 11:20:48 svc:/network/ftp:default root@fans:/#
That command shows FTP is running. To disable FTP to your server, you would do:
root@fans:/# svcadm disable ftp root@fans:/# svcs ftp STATE STIME FMRI disabled 11:43:56 svc:/network/ftp:default root@fans:/#
When you first login to your server, you might see something like this:
root@save:~# zfs list NAME USED AVAIL REFER MOUNTPOINT zones 11.8G 448G 39K /zones zones/save 1.91G 3.09G 33K /zones/save zones/save/LOCAL 31K 3.09G 31K /usr/local zones/save/ROOT 1.91G 3.09G 31K legacy zones/save/ROOT/zbe 1.91G 3.09G 1.91G legacy root@save:~#
It is highly recommended that you install all non-standard software into zones/save/LOCAL (/usr/local) file system. It is best practice to separate applications and data
from the root file system.
You could even move your standard configuration files into this file system, for better transportability and management.
In addition to specific packages as mentioned above, IPS also has “grouped” packages. Installing these packages installs all the components in that group. To install the latest stable versions of the common web infrastructure software (apache, mysql, php), run: pkg install pkg:/web/amp. You can also see the official Getting Started Guide to Webstack.
The configuration directories are:
The /var (“variable data” location) is where all the logs and data files should reside in:
The binaries and libs for the above software reside in:
The web site data should be put in /usr/apache2/2.2/htdocs. The web server by default runs as the webservd user and group. You can also use Lighttpd or Nginx web servers instead of Apache (see below).
The following shows the SMF service names associated with apache and mysql:
root@mask:~# svcs mysql STATE STIME FMRI disabled Sep_02 svc:/application/database/mysql:version_51 root@mask:~# svcs apache22 STATE STIME FMRI disabled Sep_02 svc:/network/http:apache22 root@mask:~#
To use Lighttpd, simply install the Lighttpd binaries: pkg install pkg:/web/server/lighttpd-14. The associated SMF service is:
root@mask:~# svcs lighttpd14 STATE STIME FMRI online Sep_04 svc:/network/http:lighttpd14 root@mask:~#
The file system locations for the software: /usr/lighttpd/1.4, /etc/lighttpd/1.4, /var/lighttpd/1.4
To get PHP to work with lighttpd, enable mod_fastcgi module in /etc/lighttpd/1.4/lighttpd.conf and ensure the following fastcgi configuration is setup in lighttpd.conf:
fastcgi.server = ( ".php" => ( "localhost" => ( "socket" => "/tmp/php-fastcgi.socket", "bin-path" => "/usr/php/bin/php-cgi" ) ) )
Install nginx as usual:
root@mask:~# pkg search -p nginx PACKAGE PUBLISHER pkg:/service/network/nginx@0.8.53-0.151.1 sfe root@mask:~# pkg install pkg:/service/network/nginx ...
Setup SMF service for nginx.
root@mask:~# svccfg import /var/svc/manifest/network/http-nginx.xml root@mask:~# svcadm enable nginx root@mask:~# svcs nginx STATE STIME FMRI online Aug_01 svc:/network/http:nginx root@mask:~#
Installing the amp package above will also install MySQL 5.1. The file system locations for the software: /usr/mysql, /var/mysql/data, /etc/mysql/my.cnf. To start mysql, just do:
root@wolf:/# svcadm enable mysql root@wolf:/#
This will install MySQL and the setup the initial user tables in /var/mysql/data. You do not have to do anything else. There is no default password set. You should change the mysql passwords as soon as you install it.
Installing Java JRE and the JDK:
root@pana:~# pkg install pkg:/developer/java/jdk DOWNLOAD PKGS FILES XFER (MB) Completed 2/2 970/970 65.30/65.30 PHASE ACTIONS Install Phase 1231/1231 root@pana:~#
This installs the JDK in /usr/jdk and links for java and javac in /usr.
Sendmail is the standard mail software in Solaris Cloud Servers but it is not installed. To install and enable a secure version of Sendmail:
Right after installing sendmail with pkg, only the Sendmail Mail Submission Program (MSP) is enabled. MSP is a sendmail daemon that does only outgoing mail and does not accept incoming mail.
Now, if a local program (crontab/mail/mailx/web site) sends mail out you'll see a Connection Refused
error in /var/log/syslog
, because there is no mail server running on 127.0.0.1. This is easily resolved by enabling svcadm enable smtp:sendmail, as shown earlier.
The sendmail MTA should now be configured to run securely on local 127.0.0.1 interface.
root@save:~# netstat -an |egrep "\.25|\.587" |grep LISTEN 127.0.0.1.25 *.* 0 0 128000 0 LISTEN 127.0.0.1.587 *.* 0 0 128000 0 LISTEN root@save:~# svcs -av|grep sendmail online - 7:33:19 7273 svc:/network/smtp:sendmail online - 7:33:59 7274 svc:/network/sendmail-client:default root@save:~#
You have full access to the networking stack in the Solaris Cloud Servers environment. You can manage firewalls (ipfilter) and listen on the wire for network traffic (snoop). Please look at the ipfilter howto for more information on how to use it.
You will also have two interfaces configured. One is the public facing and the other is the private interface.
root@save:~# ipadm show-if IFNAME STATE CURRENT PERSISTENT lo0 ok -m-v------46 --- save0 ok bm--------46 --- save1 ok bm--------4- --- root@save:~#
save.entic.net
is the host (and zone) name. save0
is the public interface with a routable IP address (save.entic.net
) assigned and save1
should have a non-routable Back End 10.0.0.0/8
IP address (save-be.entic.net
).
You should use this save-be.entic.net
interface for when communicating with another Cloud Server provisioned in the Entic.net server environment.
Our Servers are based on Solaris's non-global containers called “Zones”. The Zone OS shares the same kernel as the host OS. We do our best to keep your Solaris based Server upgraded to the latest stable releases.
In general, the upgrades are done by moving your older Zone to a different hardware with the upgraded OS/apps.
The latest version of our Solaris based Cloud Servers is OpenIndiana b151a2 (0.5.11-0.151.1.2). You can request to be upgraded to this version anytime, by contacting support.
This is the recommend upgrade process for people running the usual stack of Apache/Nginx/Lighttpd and PHP/Mysql.
The original Zone is left on the old system, for recovery purposes. The time it takes to do the above steps is about 5 minutes. Some adjustments are made to your system to ensure that it follows our standard Server builds.
For production and critical servers, we recommend the following upgrade process. This process is time consuming for us so please only request this for your absolute critical servers which require minimum downtime. We also recommend this for servers with custom software, this allows you to test out your software on the newer OS.
There is a 30 second downtime while the server is shutdown and then restarted:
Repeat process to do a final Upgrade/move after Customer confirms successful testing:
The original Zone is left on the old system, for recovery purposes. The time it takes to the above final upgrade takes about 5 minutes. Some adjustments are made to your system to ensure that it follows our standard Server builds.
When the upgrade is done, the kernel and standard software are also upgraded. You might end up with older packages that are no longer maintained or that might required manual upgrades. First, get the latest version string:
root@tail:~# pkg list entire NAME (PUBLISHER) VERSION STATE UFOXI entire 0.5.11-0.151.1.2 installed ----- root@tail:~#
Then:
root@tail:~# pkg list |grep -v 151.1.2 NAME (PUBLISHER) VERSION STATE UFOXI library/icu (opensolaris.org) 0.5.11-0.134.0.2 installed u---- nginx (webstack) 0.6.35-1 installed u---- root@tail:~#
That shows that we have two packages that are not using the 0.5.11-0.151.1.2 version of the distribution. This can be normal, if you have non-standard packages. This also gives you the opportunity to remove obsoleted packages. In the above case, let's examine nginx further:
root@tail:~# pkg info -r nginx Name: nginx Summary: nginx web server State: Installed Publisher: webstack Version: 0.6.35 Build Release: 5.11 Branch: 1 Packaging Date: Fri May 15 01:05:03 2009 Size: 6.21 MB FMRI: pkg://webstack/nginx@0.6.35,5.11-1:20090515T010503Z
Name: service/network/nginx Summary: Free, open-source, high-performance HTTP server and reverse proxy Category: System/Services State: Not installed Publisher: sfe Version: 0.8.53 Build Release: 5.11 Branch: 0.151.1 Packaging Date: Fri Oct 14 22:06:24 2011 Size: 8.06 MB FMRI: pkg://sfe/service/network/nginx@0.8.53,5.11-0.151.1:20111014T220624Z root@tail:~#
In this case, it appears that there is a newer version of nginx from the 151.1 build. You can remove the old one (because it was installed from another IPS publisher and install the one from the 0.151.1 branch.
As we've mentioned earlier, the Solaris Cloud Servers from Entic.net are bare minimum installs. We do this on purpose - we want to provide the hardware and the base OS, the rest is up to you to customize and make your own.
There are, however, some minor changes which we feel are a must and have been done on your server:
svcadm disable rpc/bind autofs ktkt_warn svc:/network/rpc/gss:default useradd -s /bin/bash -m admin useradd -s /usr/bin/pfsh -d / suser usermod -K type=role root usermod -P "Primary Administrator" -R root admin usermod -P "Primary Administrator" -R root suser
We disable rpc/bind because RPC services are usually not required (even though the default rpc/bind service has a SMF property of config/local_only=true, we still disable it as an added security measure). We also disable a couple of services which we find running after the install (shown above).
We then create two users: admin and suser (more on suser below). We also make root a RBAC role, ensuring all direct root logins are disabled. We then assign the root role to both admin and suser users.
Both of these accounts are then given the “Primary Administrator” profile.
This makes it so you can run commands as root using the “pfexec” command as the admin
user. pfexec pkg install pkg:/service/network/smtp/sendmail to install Sendmail.
suser: suser is a special account we create so we can login to your server, if there is ever a need. Since root is a role, we can no longer login as root directly. Please leave this account as is, if at all possible. It has been setup so no one can login to it, remotely.