===Introduction===
Craig has donated a pair of Netra T105s to the group. This is the documentation on their build.

The first (to be known as ultra.sluug.org) has the following configuration:
<code>
Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.25 ME, 320 MB memory installed, Serial #14255536.
Ethernet address 8:0:20:d9:85:b0, Host ID: 80d985b0.
/pci@1f,0/pci@1,1/scsi@2
Target 0
  Unit 0   Disk   FUJITSU MAJ3182MC 5509
Target 1
  Unit 0   Disk   FUJITSU MAJ3182M SUN18G 0804
</code>

The second (to be known as busch.sluug.org):
<code>
Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.23 ME, 512 MB memory installed, Serial #11065274.
Ethernet address 8:0:20:a8:d7:ba, Host ID: 80a8d7ba.
</code>

Because busch has a CD-ROM, we will build an image on it first and then jumpstart ultra using that image.

----

=== Build Process for busch ===

==Base Install==
Boot off of the CD-ROM. Use the serial console (there is no keyboard input).

  - Select '0' (English) when asked about the language selection.
  - Select '3' (VT100) when asked for your console type.
  - The system is networked. Identify hme0 with the public IP which we will use (206.196.99.165) and hme1 with a private IP (192.168.1.30). Do not select DHCP or IPv6.
  - The subnet on hme0 is 255.255.255.240 and the default gateway is 206.196.99.161. For hme1, use "busch-local".
  - Do not configure Kerberos or name services (we will come back to these after the install, and we don't want to confuse the installer by not being connected to any of these networks).
  - Select Americas, United States, Central Time.
  - Select "no" for network services. This will leave ssh as the only enabled service.
  - Select a "standard" install and let the CDs automatically eject. Select auto reboot.
  - Accept the license.
  - For localization support, choose the USA unicode options, but choose POSIX C as the default.
  - Don't install any additional software or Web Start Ready software.
  - Choose "entire distribution".
  - Use c0t0d0 as the boot disk.
It has 8749M available. Manually lay out the partition table:

^ Slice ^ Mount Point ^ Size ^
| 0 | / | 6084M |
| 1 | swap | 1024M |
| 3 | /var | 1640M |

It would be nice to leave space on the primary disk for Live Upgrade, but a 9G drive just isn't big enough.

Don't mount software from a remote server. Choose "Begin Installation".

When the install has completed, add a user, being careful to keep UIDs in sync with other systems. Create a couple of directories (mode 770, root:sysadmin): /usr/local/patches and /usr/local/src.

==Configure IPF==
Uncomment the hme line in /etc/ipf/pfil.ap. Then run:
<code>
# svcadm -v refresh pfil
</code>
Edit /etc/ipf/ipf.conf to allow incoming SSH connections, loopback traffic, and outbound traffic on both hme0 and hme1. Either unplumb and plumb the interfaces, or just reboot.

Should you make more changes, this next command will flush the rules and install the new ruleset:
<code>
# ipf -Fa -f /etc/ipf/ipf.conf
</code>

==Disable unnecessary services==
<code>
# svcadm -v disable \
    svc:/network/rpc-100235_1/rpc_ticotsord:default \
    svc:/application/font/stfsloader:default \
    svc:/network/rpc/cde-calendar-manager:default \
    svc:/application/cde-printinfo:default \
    svc:/application/graphical-login/cde-login:default \
    svc:/application/font/fc-cache:default \
    svc:/application/management/wbem:default \
    svc:/system/sac:default \
    svc:/system/filesystem/autofs:default \
    svc:/system/name-service-cache:default \
    svc:/network/security/ktkt_warn:default \
    svc:/application/print/cleanup:default \
    svc:/network/rpc/gss:default
</code>
Verify that you haven't accidentally disabled anything else - Solaris is picky about the order in which services are disabled due to dependencies.
<code>
# svcs -xv
</code>

==Patching==
We are using Martin Paul's outstanding pca (Patch Check Advanced, available from http://www.par.univie.ac.at/solaris/pca/) script to simplify patching. Because Sun keeps changing its website and patch availability policy, we currently need to download the patchdiag.xref file manually from SunSolve.
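Returning to the IPF section above: this is an /etc/ipf/ipf.conf ruleset that does what that section describes (loopback, inbound SSH, outbound with state on hme0 and hme1, everything else blocked and logged). It is an added example and not the page's own file; it assumes the hme0 and hme1 addresses from the base install (206.196.99.165 and 192.168.1.30), a /24 on the private side, and IPF's usual last-match semantics, which is why every pass rule says quick.

```conf
# Default deny, logged. These have no "quick", so any "pass ... quick"
# rule below that matches wins; anything unmatched falls through to here.
block in log all
block out log all

# Loopback is unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Outbound from either interface. "keep state" lets the replies back in
# without needing any inbound pass rules for them.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state
pass out quick on hme1 proto tcp from any to any flags S keep state
pass out quick on hme1 proto udp from any to any keep state
pass out quick on hme1 proto icmp from any to any keep state

# Inbound: SSH only. Public side from anywhere (assumed 206.196.99.165),
# private side only from the build network (assumed 192.168.1.0/24).
pass in quick on hme0 proto tcp from any to 206.196.99.165/32 port = 22 flags S keep state
pass in quick on hme1 proto tcp from 192.168.1.0/24 to 192.168.1.30/32 port = 22 flags S keep state
```

Load it with the ipf -Fa -f command from the IPF section and confirm the active rules with ipfstat -io. The tftp, NFS and rpcbind traffic that jumpstart needs on hme1 is deliberately not opened here, which is why the jumpstart section suggests disabling the firewall temporarily and restoring it afterwards.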
==Harden With JASS==
Download JASS (also known as the Sun Security Toolkit) from Sun's site. Extract it and add the resulting package:
<code>
# /usr/sfw/bin/gtar -xvzf SUNWjass-4.2.0.pkg.tar.Z
# pkgadd -d .
# /opt/SUNWjass/bin/jass-execute secure.driver
</code>
This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure.

JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow we'll need to change the sshd line to read "all".

===Jumpstart===
Before setting up jumpstart, we need a place to put the install files. Create a ZFS pool and filesystem:
<code>
# zpool create -f sluug c0t1d0
# zfs create sluug/jumpstart
# zfs set mountpoint=/jumpstart sluug/jumpstart
</code>
Use vold to mount the first CD-ROM. Install the first portion of the jumpstart software.
<code>
# cd /cdrom/sol_10_1106_sparc/s0/Solaris_10/Tools/
# ./setup_install_server /jumpstart
</code>
Create a new rules file and a profile for the flash archive we will create later:
<code>
# cd /jumpstart/Solaris_10/Misc/jumpstart_sample
# cp rules rules.orig
</code>
Comment out everything in the rules file and add the following line:
<code>
network 192.168.1.0 && \
karch sun4u - flash_profile -
</code>
Create a flash_profile file containing the following (you might need to change the IP address to reflect your local network configuration):
<code>
install_type flash_install
archive_location nfs://192.168.1.30/jumpstart/sol10u3.flar
partitioning explicit
filesys rootdisk.s0 6036 /
filesys rootdisk.s1 512 swap
filesys rootdisk.s3 2048 /var
</code>
Share the /jumpstart directory:
<code>
# zfs set sharenfs=ro sluug/jumpstart
# svcadm -v enable nfs/status
# svcadm -v enable nfs/nlockmgr
# svcadm -v enable nfs/server
</code>
Create the image of our currently-installed system referred to in the flash_profile file:
<code>
# flarcreate -n sluug_sol10u3_img -x /cdrom/ -x /usr/local/patches/ /jumpstart/sol10u3.flar
</code>
Generate a rules_ok file:
<code>
# ./check
</code>
Create a file /jumpstart/sysidcfg with the following:
<code>
domain_name=sluug.org
name_server=127.0.0.1
profile=flash_profile
profile_server=192.168.1.30
network_interface=hme0 {hostname=ultra.sluug.org ip_address=206.199.99.164 netmask=255.255.255.240 protocol_ipv6=no}
network_interface=hme1 {hostname=ultra.buildnetwork.domain ip_address=192.168.1.33 netmask=255.255.255.0 protocol_ipv6=no}
system_locale=C
terminal=vt100
timezone=CST
</code>
Add the install client:
<code>
# cd /jumpstart/Solaris_10/Tools
# ./add_install_client -i 192.168.1.33 -e 8:0:20:d9:85:b0 -s busch-local:/jumpstart -c busch-local:/jumpstart -p busch-local:/jumpstart ultra sun4u
</code>
You may want to temporarily disable the firewall to avoid problems with tftp and NFS during the jumpstart process. Also, you will need to edit /etc/hosts.allow:
<code>
rpcbind: all
</code>
In /etc/system, comment out the line reading "set nfssrv:nfs_portmon=1".
See http://forum.java.sun.com/thread.jspa?threadID=5096957&messageID=9348465

Changes to /etc/system require a reboot, so run:
<code>
# init 6
</code>
Then log into ultra via serial console. From the 'ok' prompt:
<code>
ok> boot net - install
</code>
When the install finishes, be sure to reset the firewall and turn off the extra services required by jumpstart.

===Racking===
After racking and cabling the servers, you'll need to copy a resolv.conf off of bud (removing the "127.0.0.1" entry and un-commenting our other name servers). You'll also need to install a new nsswitch.conf:
<code>
# cd /etc
# mv nsswitch.conf nsswitch.conf.orig
# cp nsswitch.dns nsswitch.conf
</code>