Introduction

Craig has donated a pair of Netra T105s to the group. This is the documentation on their build.

The first (to be known as ultra.sluug.org) has the following configuration:

Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.25 ME, 320 MB memory installed, Serial #14255536.
Ethernet address 8:0:20:d9:85:b0, Host ID: 80d985b0.
/pci@1f,0/pci@1,1/scsi@2
Target 0
Unit 0 Disk FUJITSU MAJ3182MC 5509
Target 1
Unit 0 Disk FUJITSU MAJ3182M SUN18G 0804

The second (to be known as busch.sluug.org):

Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.23 ME, 512 MB memory installed, Serial #11065274.
Ethernet address 8:0:20:a8:d7:ba, Host ID: 80a8d7ba.

Because busch has a CD-ROM drive, we will build an image on it first and then jumpstart ultra using that image.


Build Process for busch

Base Install

Boot off of the CD-ROM. Use the serial console (there is no keyboard input). Select '0' (English) when asked about the language selection. Select '3' (VT100) when asked for your console type. The system is networked. Identify hme0 with the public IP which we will use (206.196.99.165) and hme1 with a private IP (192.168.1.30). Do not select DHCP or IPv6. The subnet mask on hme0 is 255.255.255.240 and the default gateway is 206.196.99.161. For hme1, use the hostname "busch-local".

Do not configure kerberos or name services (we will come back to these after the install, and we don't want to confuse the installer by not being connected to any of these networks.)

Select Americas, United States, Central Time.

Select "no" for network services. This will leave ssh as the only enabled service.

Select a "standard" install and let the CDs automatically eject. Select auto reboot.

Accept the license. For localization support, choose the USA unicode options, but choose posix C as the default.

Don't install any additional software or web start ready software. Choose "entire distribution".

Use c0t0d0 as the boot disk. It has 8749M available. Manually lay out the partition table.

Slice   Mount Point   Size
0       /             6084M
1       swap          1024M
3       /var          1640M

It would be nice to leave space on the primary disk for live upgrade, but a 9G drive just isn't big enough.

Don't mount software from a remote server. Choose "Begin Installation".

When the install has completed, add a user, being careful to keep UIDs in sync with other systems.

Create a couple of directories (mode 770, root:sysadmin): /usr/local/patches and /usr/local/src.

Configure IPF

Uncomment the hme line in /etc/ipf/pfil.ap. Then run

# svcadm -v refresh pfil

Edit /etc/ipf/ipf.conf to allow incoming SSH connections, loopback traffic, and outbound traffic on both hme0 and hme1. Either unplumb and plumb the interfaces, or just reboot. Should you make more changes, this next command will flush the rules and install the new ruleset:

#ipf -Fa -f /etc/ipf/ipf.conf
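
As an added example (not from the original build notes), here is one way to write the ipf.conf policy described above from a shell script, using the interface names and addresses given earlier in this document; the count_rules helper exists only so the policy can be sanity-checked on a machine that has no ipf.

```shell
#!/bin/sh
# Added example, not from the SLUUG build notes: generate the ipf.conf
# policy described above and load it. Interfaces and addresses come from
# the notes; change them for another host.
PUB_IF=hme0;  PUB_IP=206.196.99.165
PRIV_IF=hme1; PRIV_IP=192.168.1.30

# Print the ruleset. IPFilter is last-match-wins unless "quick" is used,
# so every rule here is quick and the catch-all blocks sit at the end.
gen_ipf_rules() {
cat <<EOF
# loopback is always fine
pass in  quick on lo0 all
pass out quick on lo0 all
# inbound ssh on the public side only; keep state lets the replies out
pass in quick on $PUB_IF proto tcp from any to $PUB_IP port = 22 flags S keep state
# anything this host initiates may leave on either interface
pass out quick on $PUB_IF  proto tcp  from $PUB_IP  to any flags S keep state
pass out quick on $PUB_IF  proto udp  from $PUB_IP  to any keep state
pass out quick on $PUB_IF  proto icmp from $PUB_IP  to any keep state
pass out quick on $PRIV_IF proto tcp  from $PRIV_IP to any flags S keep state
pass out quick on $PRIV_IF proto udp  from $PRIV_IP to any keep state
pass out quick on $PRIV_IF proto icmp from $PRIV_IP to any keep state
# default deny, logged so dropped packets show up in ipmon
block in  log all
block out log all
EOF
}

# Count rules beginning with $1 (e.g. "pass in"), for checking the policy
# on a machine that has no ipf at all.
count_rules() {
    gen_ipf_rules | grep -c "^$1 "
}

# Write the file and reload it, as the notes do with "ipf -Fa -f".
apply_ipf_rules() {
    [ -x /usr/sbin/ipf ] || { echo "no /usr/sbin/ipf here, not applying" >&2; return 1; }
    gen_ipf_rules > /etc/ipf/ipf.conf || return 1
    /usr/sbin/ipf -Fa -f /etc/ipf/ipf.conf && /usr/sbin/ipfstat -io
}
```

Run gen_ipf_rules first and read the output; apply_ipf_rules only on busch itself, from the serial console, so a mistake in the ssh rule cannot lock you out.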

Disable unnecessary services
# svcadm -v disable \
    svc:/network/rpc-100235_1/rpc_ticotsord:default \
    svc:/application/font/stfsloader:default \
    svc:/network/rpc/cde-calendar-manager:default \
    svc:/application/cde-printinfo:default \
    svc:/application/graphical-login/cde-login:default \
    svc:/application/font/fc-cache:default \
    svc:/application/management/wbem:default \
    svc:/system/sac:default \
    svc:/system/filesystem/autofs:default \
    svc:/system/name-service-cache:default \
    svc:/network/security/ktkt_warn:default \
    svc:/application/print/cleanup:default \
    svc:/network/rpc/gss:default

Verify that you haven't accidentally disabled anything else; Solaris is picky about the order in which services are disabled, because of their dependencies.

#svcs -xv
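
Added example, not part of the original notes: a small sh script that disables the services one at a time and stops at the first disable that changes the health of any other service, which is what svcs -xv would otherwise reveal only afterwards. The FMRIs to pass in are the ones listed above; the parsing function takes svcs -a text as an argument so it can be exercised away from the Netra.

```shell
#!/bin/sh
# Added example, not from the SLUUG build notes: disable SMF services one at
# a time and stop as soon as a disable changes the health of any other
# service, instead of finding the damage afterwards with "svcs -xv".
# Usage: disable_in_order svc:/system/sac:default svc:/network/rpc/gss:default ...

# List every service that is neither online nor deliberately disabled.
# $1 is the text of "svcs -a" (STATE STIME FMRI), passed in so the parsing
# can be tested without a Solaris box. Transient "online*" is treated as
# online; "offline*" and "maintenance" are reported.
unhealthy_from_svcs() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $1 !~ /^(online|disabled|legacy_run)/ { print $3 }' |
        sort
}

# Disable each FMRI given as an argument, comparing service health before
# and after; on the first change, re-enable that service and stop so the
# dependency can be examined with "svcs -xv" and "svcs -D".
disable_in_order() {
    base=$(unhealthy_from_svcs "$(svcs -a)")
    for fmri in "$@"; do
        svcadm -v disable "$fmri" || return 1
        sleep 2   # let dependents settle before looking again
        now=$(unhealthy_from_svcs "$(svcs -a)")
        if [ "$now" != "$base" ]; then
            echo "disabling $fmri changed service health; re-enabling it." >&2
            echo "$now" >&2
            svcadm enable "$fmri"
            return 1
        fi
    done
}
```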

Patching

We are using Martin Paul's outstanding pca (Patch Check Advanced, available from http://www.par.univie.ac.at/solaris/pca/) script to simplify patching. Because Sun keeps changing its website and patch availability policy, we currently need to download the patchdiag.xref file manually from SunSolve.

Harden With JASS

Download JASS (also known as the Sun Security Toolkit) from Sun's site. Extract it and add the resulting package:

# /usr/sfw/bin/gtar -xvzf SUNWjass-4.2.0.pkg.tar.Z
# pkgadd -d .
# /opt/SUNWjass/bin/jass-execute secure.driver

This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all".

Jumpstart

Before setting up jumpstart, we need a place to put the install files. Create a zfs pool and filesystem:

# zpool create -f sluug c0t1d0
# zfs create sluug/jumpstart
# zfs set mountpoint=/jumpstart sluug/jumpstart

Use vold to mount the first CD-ROM. Install the first portion of the jumpstart software:

# cd /cdrom/sol_10_1106_sparc/s0/Solaris_10/Tools/
# ./setup_install_server /jumpstart

Create a new rules file and a profile for the flash archive we will create later:

# cd /jumpstart/Solaris_10/Misc/jumpstart_sample
# cp rules rules.orig

Comment out everything in the rules file and add the following line:

network 192.168.1.0 && \
      karch sun4u - flash_profile -

Create a flash_profile file containing the following (you might need to change the IP address to reflect your local network configuration):

install_type    flash_install
archive_location        nfs://192.168.1.30/jumpstart/sol10u3.flar
partitioning    explicit
filesys rootdisk.s0 6036 /
filesys rootdisk.s1 512 swap
filesys rootdisk.s3 2048 /var

Share the /jumpstart directory:

# zfs set sharenfs=ro sluug/jumpstart
# svcadm -v enable nfs/status
# svcadm -v enable nfs/nlockmgr
# svcadm -v enable nfs/server

Create the image of our currently-installed system referred to in the flash_profile file:

# flarcreate -n sluug_sol10u3_img -x /cdrom/ -x /usr/local/patches/ /jumpstart/sol10u3.flar

Generate a rules_ok file:

# ./check

Create a file /jumpstart/sysidcfg with the following:

domain_name=sluug.org
name_server=127.0.0.1
profile=flash_profile
profile_server=192.168.1.30
network_interface=hme0
{hostname=ultra.sluug.org
ip_address=206.199.99.164
netmask=255.255.255.240
protocol_ipv6=no}
network_interface=hme1
{hostname=ultra.buildnetwork.domain
ip_address=192.168.1.33
netmask=255.255.255.0
protocol_ipv6=no}
system_locale=C
terminal=vt100
timezone=CST

Add the install client:

# cd /jumpstart/Solaris_10/Tools
# ./add_install_client -i 192.168.1.33 -e 8:0:20:d9:85:b0 \
    -s busch-local:/jumpstart -c busch-local:/jumpstart \
    -p busch-local:/jumpstart ultra sun4u

You may want to temporarily disable the firewall to avoid problems with tftp and nfs during the jumpstart process. Also, you will need to edit /etc/hosts.allow:

rpcbind:    all

In /etc/system, comment out the line reading "set nfssrv:nfs_portmon=1". See http://forum.java.sun.com/thread.jspa?threadID=5096957&messageID=9348465

Changes to /etc/system require a reboot, so run

# init 6

Then log into ultra via serial console. From the 'ok' prompt:

ok boot net - install

When the install finishes, be sure to reset the firewall and turn off the extra services required by jumpstart.
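
Added example (not from the original notes): a preflight check to run on busch before typing "boot net - install" on ultra, confirming what add_install_client, ./check and the NFS share should have left behind. The /etc/bootparams field layout and the SMF service names are those of Solaris 10; the sample bootparams line in the comment is constructed, and if a service name differs on your release, look it up with svcs -a.

```shell
#!/bin/sh
# Added example, not from the SLUUG build notes: check on the jumpstart server
# that everything the client boot needs is in place before "boot net - install".
# Usage: jumpstart_preflight ultra /jumpstart

# Print the value of key $2 from one /etc/bootparams line $1 (e.g. "install").
# add_install_client writes lines shaped like this constructed sample:
#   ultra root=busch-local:/jumpstart/Solaris_10/Tools/Boot install=busch-local:/jumpstart ...
bootparams_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 2; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
    }'
}

jumpstart_preflight() {
    client=$1; jsdir=$2; rc=0
    line=$(grep "^$client[[:space:]]" /etc/bootparams) ||
        { echo "no bootparams entry for $client; rerun add_install_client"; return 1; }
    # every boot parameter the install client asks for must be present
    for key in root install sysid_config install_config; do
        [ -n "$(bootparams_field "$line" $key)" ] || { echo "bootparams: $key= missing"; rc=1; }
    done
    [ -f "$jsdir/rules.ok" ] || { echo "$jsdir/rules.ok missing; run ./check"; rc=1; }
    [ -f "$jsdir/sysidcfg" ] || { echo "$jsdir/sysidcfg missing"; rc=1; }
    # the directory must actually be exported, not just have sharenfs set
    share | awk -v d="$jsdir" '$2 == d { f = 1 } END { exit !f }' ||
        { echo "$jsdir is not NFS-shared"; rc=1; }
    # Solaris 10 service names for rarp, bootparams, tftp and nfs
    for s in network/rarp network/rpc/bootparams network/tftp/udp6 network/nfs/server; do
        [ "$(svcs -H -o state "$s" 2>/dev/null)" = online ] || { echo "$s is not online"; rc=1; }
    done
    [ -n "$(ls /tftpboot 2>/dev/null)" ] || { echo "/tftpboot is empty"; rc=1; }
    return $rc
}
```

A non-zero exit with the printed reasons tells you which of the earlier steps to revisit; remember that the firewall and hosts.allow changes above are also needed for tftp and NFS to answer.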

Racking

After racking and cabling the servers, you'll need to copy a resolv.conf off of bud (removing the "127.0.0.1" entry and un-commenting our other name servers). You'll also need to install a new nsswitch.conf:

# cd /etc
# mv nsswitch.conf nsswitch.conf.orig
# cp nsswitch.dns nsswitch.conf