solaris_cloud_servers (revision 2012/05/16 14:48 by admin)
====== Overview ======

Your Solaris Cloud Server is accessible only through SSH. All network services are disabled by default with the exception of SSH. The server comes with minimal software and changes (see [[solaris_cloud_servers#Defaults]] for more information).

===== Image Packaging System =====

Solaris Cloud Servers no longer use the old Solaris packaging tools (pkgadd, pkgrm, etc.). In the new packaging architecture, IPS (Image Packaging System), all the latest software lives in a remote repository (called a "publisher" in IPS). You can also [[http://pkg.openindiana.org/dev|peek at the available software]] in a browser.

IPS package management is done through the single **pkg** command:

  * **pkg help** shows a usage guide
  * **pkg list** shows the packages that are installed
  * **pkg search string** searches for packages whose name or file list contains the given string
  * **pkg install package** installs the specified package
  * **pkg uninstall package** removes the specified package

Installing a package also installs all of its dependency packages. Uninstalling removes only the specified package, unless the -r option is also given. You can also pass the -n option to do a quick "dry run" of most of these commands.

Other good pkg tips:

  * **pkg search -l 'depend::web/server/apache-22'** shows which packages depend on apache-22
  * **pkg search -l httpd** shows packages that contain a file named httpd
  * **pkg info pkg:/developer/java/jdk** shows information about the Java JDK package
  * **pkg contents pkg:/web/server/apache-22** shows the contents and files that come with the given package
  * **pkg contents -m pkg:/developer/java/jdk | grep depend** shows which other packages are installed when you install pkg:/developer/java/jdk

You can also pass the **-r** option to the above commands to get the same information from the remote repositories. Without -r, only locally installed packages are shown.
===== SMF =====

You should also be familiar with Solaris 10's SMF (Service Management Facility) framework, which is present on our Solaris Cloud Servers as well. SMF manages the services that run on your server. To get started you only need to know two commands: **svcs** and **svcadm**. Running "svcs -a" lists all services, whether enabled or disabled.

  root@fans:/# svcs ftp
  STATE          STIME    FMRI
  online         11:20:48 svc:/network/ftp:default
  root@fans:/#

That output shows FTP is running. To disable FTP on your server, you would do:

  root@fans:/# svcadm disable ftp
  root@fans:/# svcs ftp
  STATE          STIME    FMRI
  disabled       11:43:56 svc:/network/ftp:default
  root@fans:/#

====== Installing Software ======

When you first log in to your server, you might see something like this:

  root@save:~# zfs list
  NAME                  USED  AVAIL  REFER  MOUNTPOINT
  zones                11.8G   448G    39K  /zones
  zones/save           1.91G  3.09G    33K  /zones/save
  zones/save/LOCAL       31K  3.09G    31K  /usr/local
  zones/save/ROOT      1.91G  3.09G    31K  legacy
  zones/save/ROOT/zbe  1.91G  3.09G  1.91G  legacy
  root@save:~#

It is highly recommended that you install all non-standard software into the zones/save/LOCAL (/usr/local) file system. It is best practice to keep ''applications and data'' separate from the root file system.

You could even move your standard configuration files into this file system, for better transportability and management.

===== Solaris Webstack =====

In addition to the specific packages mentioned above, IPS also has "grouped" packages. Installing one of these installs all the components in that group. To install the latest stable versions of the common web infrastructure software (apache, mysql, php), run: **pkg install pkg:/web/amp**. You can also see the official Getting Started Guide to [[http://wikis.sun.com/display/WebStack/Sun+GlassFish+Web+Stack+Documentation|Webstack]].

The configuration directories are:

  * /etc/php/5.2
  * /etc/apache2/2.2
  * /etc/mysql/5.1

/var (the "variable data" location) is where all the logs and data files should reside:

  * /var/php/5.2
  * /var/mysql/data (links to /var/mysql/5.1/data)
  * /var/apache2/2.2

The binaries and libraries for the above software reside in:

  * /usr/apache2/2.2
  * /usr/mysql (links to /usr/mysql/5.1)
  * /usr/php (links to /usr/php/5.2)

The web site data should be put in /usr/apache2/2.2/htdocs. The web server runs by default as the **webservd** user and group. You can also use the Lighttpd or Nginx web servers instead of Apache (see below).

The following shows the SMF service names associated with apache and mysql:

  root@mask:~# svcs mysql
  STATE          STIME    FMRI
  disabled       Sep_02   svc:/application/database/mysql:version_51
  root@mask:~# svcs apache22
  STATE          STIME    FMRI
  disabled       Sep_02   svc:/network/http:apache22
  root@mask:~#

==== Lighttpd ====

To use Lighttpd, simply install the Lighttpd binaries: **pkg install pkg:/web/server/lighttpd-14**. The associated SMF service is:

  root@mask:~# svcs lighttpd14
  STATE          STIME    FMRI
  online         Sep_04   svc:/network/http:lighttpd14
  root@mask:~#

The file system locations for the software are /usr/lighttpd/1.4, /etc/lighttpd/1.4 and /var/lighttpd/1.4.

To get PHP to work with lighttpd, enable the **mod_fastcgi** module in /etc/lighttpd/1.4/lighttpd.conf and ensure the following fastcgi configuration is set up in lighttpd.conf:

  fastcgi.server = ( ".php" =>
                       ( "localhost" =>
                           (
                             "socket"   => "/tmp/php-fastcgi.socket",
                             "bin-path" => "/usr/php/bin/php-cgi"
                           )
                       )
                   )

==== Nginx ====

Install nginx as usual:

  root@mask:~# pkg search -p nginx
  PACKAGE                                   PUBLISHER
  pkg:/service/network/nginx@0.8.53-0.151.1 sfe
  root@mask:~# pkg install pkg:/service/network/nginx
  ...

Set up the SMF service for nginx:

  root@mask:~# svccfg import /var/svc/manifest/network/http-nginx.xml
  root@mask:~# svcadm enable nginx
  root@mask:~# svcs nginx
  STATE          STIME    FMRI
  online         Aug_01   svc:/network/http:nginx
  root@mask:~#

==== MySQL ====

Installing the amp package above also installs MySQL 5.1. The file system locations for the software are /usr/mysql, /var/mysql/data and /etc/mysql/my.cnf. To start mysql, just do:

  root@wolf:/# svcadm enable mysql
  root@wolf:/#

This starts MySQL and sets up the initial user tables in /var/mysql/data. You do not have to do anything else. There is no default password set. You should [[http://www.cyberciti.biz/faq/mysql-change-root-password/|change the mysql passwords]] as soon as you install it.

===== Java =====

Installing the Java JRE and the JDK:

  root@pana:~# pkg install pkg:/developer/java/jdk
  DOWNLOAD                                    PKGS       FILES    XFER (MB)
  Completed                                    2/2     970/970   65.30/65.30
  
  PHASE                                        ACTIONS
  Install Phase                              1231/1231
  root@pana:~#

This installs the JDK in /usr/jdk, with links for java and javac in /usr.

====== Mail (outgoing) ======

Sendmail is the standard mail software in Solaris Cloud Servers, but it is not installed by default.
To install and enable a secure version of Sendmail:

  * pkg install pkg:/service/network/smtp/sendmail
  * svcadm enable smtp:sendmail

Right after installing sendmail with pkg, only the Sendmail Mail Submission Program (MSP) is enabled. The MSP is a sendmail daemon that handles only outgoing mail and does not accept incoming mail.

Now, if a local program (crontab/mail/mailx/web site) sends mail out, you'll see a ''Connection Refused'' error in ''/var/log/syslog'', because there is no mail server listening on 127.0.0.1. This is easily resolved by running **svcadm enable smtp:sendmail**, as shown earlier.

The sendmail MTA should now be running securely on the local 127.0.0.1 interface only:

  root@save:~# netstat -an |egrep "\.25|\.587" |grep LISTEN
  127.0.0.1.25               *.*                0      0 128000      0 LISTEN
  127.0.0.1.587              *.*                0      0 128000      0 LISTEN
  root@save:~# svcs -av|grep sendmail
  online         -              7:33:19   7273 svc:/network/smtp:sendmail
  online         -              7:33:59   7274 svc:/network/sendmail-client:default
  root@save:~#

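As an added example (not part of the original page), here is a POSIX shell check that automates the netstat verification above: it reads "netstat -an" output and reports any SMTP (25) or submission (587) listener that is not bound to 127.0.0.1. The lines in SAMPLE_NETSTAT are constructed, including one deliberately exposed port 25 listener; on a live server pipe the real "netstat -an" output into exposed_smtp_listeners instead.

```shell
#!/bin/sh
# Added example: confirm the sendmail MTA listens on 25/587 only on loopback.
# Reads Solaris "netstat -an" TCP lines (LOCAL REMOTE SWIND SEND-Q RWIND RECV-Q STATE).

# Constructed sample: the two loopback listeners from the page, sshd on 22, and a
# deliberately constructed bad line where port 25 is bound to all addresses (*).
SAMPLE_NETSTAT='127.0.0.1.25               *.*                0      0 128000      0 LISTEN
127.0.0.1.587              *.*                0      0 128000      0 LISTEN
      *.22               *.*                0      0 128000      0 LISTEN
      *.25               *.*                0      0 128000      0 LISTEN'

# exposed_smtp_listeners: reads netstat output on stdin and prints the local
# address of every LISTEN socket on port 25 or 587 that is not on 127.0.0.1.
# Prints nothing when sendmail is loopback-only.
exposed_smtp_listeners() {
    awk '$NF == "LISTEN" {
        # Solaris prints the local endpoint as host.port: the port is the last
        # dot-separated component, the host is everything before it.
        n = split($1, p, ".")
        port = p[n]
        host = substr($1, 1, length($1) - length(port) - 1)
        if ((port == "25" || port == "587") && host != "127.0.0.1")
            print $1
    }'
}

# smtp_loopback_only: returns 0 if no exposed SMTP listener was found, 1 otherwise.
smtp_loopback_only() {
    [ -z "$(exposed_smtp_listeners)" ]
}

# Run the check against the constructed sample; on a live server use:
#   netstat -an | exposed_smtp_listeners
main() {
    if printf '%s\n' "$SAMPLE_NETSTAT" | smtp_loopback_only; then
        echo "OK: SMTP listeners are bound to 127.0.0.1 only"
    else
        echo "WARNING: SMTP listeners reachable beyond loopback:"
        printf '%s\n' "$SAMPLE_NETSTAT" | exposed_smtp_listeners
    fi
}

main
```
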
====== Networking ======

You have full access to the networking stack in the Solaris Cloud Servers environment. You can manage firewalls (ipfilter) and listen on the wire for network traffic (snoop). Please look at the [[http://www.obfuscation.org/ipf/ipf-howto.html|ipfilter howto]] for more information on how to use it.

You will also have two interfaces configured: one is public facing and the other is the private interface.

  root@save:~# ipadm show-if
  IFNAME     STATE    CURRENT      PERSISTENT
  lo0        ok       -m-v------46 ---
  save0      ok       bm--------46 ---
  save1      ok       bm--------4- ---
  root@save:~#

''save.entic.net'' is the host (and zone) name. ''save0'' is the public interface with a routable IP address (''save.entic.net'') assigned, and ''save1'' should have a non-routable Back End ''10.0.0.0/8'' IP address (''save-be.entic.net'').

You should use this ''save-be.entic.net'' interface when communicating with another Cloud Server provisioned in the Entic.net server environment.

====== Upgrades ======

Our Servers are based on Solaris's non-global containers called "Zones". The Zone OS shares the same kernel as the host OS.
We do our best to keep your Solaris based Server upgraded to the latest stable releases.

In general, upgrades are done by moving your older Zone to different hardware with the upgraded OS/apps.

The latest version of our Solaris based Cloud Servers is **OpenIndiana b151a2 (0.5.11-0.151.1.2)**. You can request to be upgraded to this version at any time by contacting support.

===== Production Server Upgrades =====

This is the recommended upgrade process for people running the usual stack of Apache/Nginx/Lighttpd and PHP/Mysql.

  * Shut down Zone
  * Transfer Zone and data to the upgraded OS/Kernel system
  * Boot Zone

The original Zone is left on the old system, for recovery purposes.
The above steps take about 5 minutes. Some adjustments are made to your system to ensure that it follows our standard Server builds.

===== Critical Server Upgrades =====

For production and critical servers, we recommend the following upgrade process. This process is time consuming for us, so please only request it for your absolutely critical servers which require minimum downtime. We also recommend it for servers with **custom** software, as it allows you to test your software on the newer OS.

There is a 30 second downtime while the server is shut down and then restarted:

  * Shut down Production Zone
  * Take a snapshot and boot the Production Zone (on the old existing version)
  * Transfer and boot the **upgraded** Zone under a different IP
  * Customer confirms the new Test Zone upgrade is successful at the new IP

Repeat the process to do the final upgrade/move after the Customer confirms successful testing:

  * Shut down Production Zone
  * Transfer Production Zone and data to the upgraded OS/Kernel system
  * Boot Production Zone

The original Zone is left on the old system, for recovery purposes.
The above **final** upgrade takes about 5 minutes. Some adjustments are made to your system to ensure that it follows our standard Server builds.

===== Post-Upgrade =====

When the upgrade is done, the kernel and standard software are also upgraded. You might end up with older packages that are no longer maintained or that might require manual upgrades. First, get the latest version string:

  root@tail:~# pkg list entire
  NAME (PUBLISHER)                              VERSION          STATE      UFOXI
  entire                                        0.5.11-0.151.1.2 installed  -----
  root@tail:~#

Then:

  root@tail:~# pkg list |grep -v 151.1.2
  NAME (PUBLISHER)                              VERSION          STATE      UFOXI
  library/icu (opensolaris.org)                 0.5.11-0.134.0.2 installed  u----
  nginx (webstack)                              0.6.35-1         installed  u----
  root@tail:~#

That shows that we have two packages that are not using the 0.5.11-0.151.1.2 version of the distribution. This can be normal, if you have non-standard packages. It also gives you the opportunity to remove obsoleted packages. In the above case, let's examine nginx further:

  root@tail:~# pkg info -r nginx
            Name: nginx
         Summary: nginx web server
           State: Installed
       Publisher: webstack
         Version: 0.6.35
   Build Release: 5.11
          Branch: 1
  Packaging Date: Fri May 15 01:05:03 2009
            Size: 6.21 MB
            FMRI: pkg://webstack/nginx@0.6.35,5.11-1:20090515T010503Z
  
            Name: service/network/nginx
         Summary: Free, open-source, high-performance HTTP server and reverse proxy
        Category: System/Services
           State: Not installed
       Publisher: sfe
         Version: 0.8.53
   Build Release: 5.11
          Branch: 0.151.1
  Packaging Date: Fri Oct 14 22:06:24 2011
            Size: 8.06 MB
            FMRI: pkg://sfe/service/network/nginx@0.8.53,5.11-0.151.1:20111014T220624Z
  root@tail:~#

In this case, there is a newer version of nginx from the 151.1 build. You can remove the old one (because it was installed from another IPS publisher) and install the one from the 0.151.1 branch.

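As an added example (not the page's own tooling), the following POSIX shell functions automate the check just described: the branch is read from the installed "entire" package rather than typed by hand, and every package on a different branch is listed. SAMPLE_PKG_LIST is constructed from the page's output, with one extra on-branch apache line added to show what is not flagged.

```shell
#!/bin/sh
# Added example: automate the page's post-upgrade check. Instead of hand-typing
# "pkg list | grep -v 151.1.2", derive the branch from the installed "entire"
# incorporation and list every package whose branch differs from it.

# Constructed sample "pkg list" output, modelled on the page's examples.
# Format: NAME [(PUBLISHER)] VERSION STATE UFOXI; VERSION is release-branch.
SAMPLE_PKG_LIST='NAME (PUBLISHER)                              VERSION          STATE      UFOXI
entire                                        0.5.11-0.151.1.2 installed  -----
library/icu (opensolaris.org)                 0.5.11-0.134.0.2 installed  u----
nginx (webstack)                              0.6.35-1         installed  u----
web/server/apache-22                          2.2.22-0.151.1.2 installed  -----'

# entire_branch: reads "pkg list" output on stdin and prints the branch part
# of the "entire" version, e.g. 0.151.1.2 from 0.5.11-0.151.1.2.
entire_branch() {
    awk '$1 == "entire" { v = $(NF-2); sub(/^[^-]*-/, "", v); print v; exit }'
}

# off_branch_packages: reads "pkg list" output on stdin and prints
# "name version" for each package whose branch is not the entire branch.
# The optional publisher column shifts the fields, so VERSION is taken as
# the third field from the end (the last two are STATE and UFOXI).
off_branch_packages() {
    awk 'NR > 1 && NF >= 4 {
            name[NR] = $1; ver[NR] = $(NF-2)
            b = ver[NR]; sub(/^[^-]*-/, "", b); br[NR] = b
            if ($1 == "entire") target = b
        }
        END {
            if (target == "") exit 1      # no entire package: nothing to compare to
            for (i = 2; i <= NR; i++)
                if ((i in name) && br[i] != target) print name[i], ver[i]
        }'
}

# On a live server run:  pkg list | off_branch_packages
main() {
    printf 'entire branch: %s\n' "$(printf '%s\n' "$SAMPLE_PKG_LIST" | entire_branch)"
    echo "packages off the entire branch (check each for an updated version):"
    printf '%s\n' "$SAMPLE_PKG_LIST" | off_branch_packages
}

main
```
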
====== Defaults ======

As we've mentioned earlier, the Solaris Cloud Servers from Entic.net are bare minimum installs. We do this on purpose: we want to provide the hardware and the base OS, and the rest is up to you to customize and make your own.

There are, however, some minor changes which we feel are a must and have been done on your server:

  svcadm disable rpc/bind autofs ktkt_warn svc:/network/rpc/gss:default
  useradd -s /bin/bash -m admin
  useradd -s /usr/bin/pfsh -d / suser
  usermod -K type=role root
  usermod -P "Primary Administrator" -R root admin
  usermod -P "Primary Administrator" -R root suser

We disable rpc/bind because RPC services are usually not required (even though the default rpc/bind service has the SMF property **config/local_only=true**, we still disable it as an added security measure). We also disable a couple of other services which we find running after the install (shown above).
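
As an added example (not part of the original page), a POSIX shell audit of "svcs -a" output against the defaults described in this section: it lists any online svc:/network/ service other than ssh, and any of the services disabled above that have come back online. SAMPLE_SVCS is constructed, with rpc/bind and apache22 deliberately left online so the audit has something to report.

```shell
#!/bin/sh
# Added example: audit "svcs -a" output against the page's two stated defaults:
# only SSH should be listening, and rpc/bind, autofs, ktkt_warn and rpc/gss
# should be disabled.

# Constructed sample "svcs -a" output (STATE STIME FMRI). rpc/bind and an
# Apache instance are deliberately left online to show what the audit flags.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Sep_02   svc:/network/ssh:default
disabled       Sep_02   svc:/network/ftp:default
online         Sep_02   svc:/network/rpc/bind:default
disabled       Sep_02   svc:/system/filesystem/autofs:default
online         Sep_02   svc:/network/http:apache22
online         Sep_02   svc:/system/cron:default'

# Short service names the page disables with "svcadm disable ...".
HARDENED_SERVICES='rpc/bind autofs ktkt_warn rpc/gss'

# online_network_services: reads svcs output on stdin and prints the FMRI of
# every online svc:/network/ instance other than ssh. Any output is a
# network listener the page's default build would not have enabled.
online_network_services() {
    awk '$1 == "online" && $NF ~ /^svc:\/network\// && $NF !~ /\/ssh:/ { print $NF }'
}

# reenabled_hardened_services: reads svcs output on stdin and prints the FMRI
# of every service from HARDENED_SERVICES that is online rather than disabled.
# Matching on "/<name>:" lets the short names match their full FMRIs.
reenabled_hardened_services() {
    svcs_out=$(cat)
    for name in $HARDENED_SERVICES; do
        printf '%s\n' "$svcs_out" |
            awk -v pat="/$name:" '$1 == "online" && index($NF, pat) { print $NF }'
    done
}

# On a live server run:  svcs -a | online_network_services
main() {
    echo "online network services other than ssh:"
    printf '%s\n' "$SAMPLE_SVCS" | online_network_services
    echo "hardened services found online again:"
    printf '%s\n' "$SAMPLE_SVCS" | reenabled_hardened_services
}

main
```
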

We then create two users: admin and suser (more on //suser// below). We also make root an RBAC role, ensuring all direct root logins are disabled. We then assign the root role to both the admin and suser users.

Both of these accounts are then given the "Primary Administrator" profile.

This lets you run commands as root with the "pfexec" command as the ''admin'' user, e.g. **pfexec pkg install pkg:/service/network/smtp/sendmail** to install Sendmail.

**suser**: suser is a special account we create so we can log in to your server if there is ever a need. Since root is a role, we can no longer log in as root directly. Please leave this account as is, if at all possible. It has been set up so that no one can log in to it remotely.