Upgrading a Linux Server to OpenSolaris

For years I've been using various Linux distributions for my home-based server (Web, FTP, NTP (time), DNS (name), SMB and NFS (file)). I didn't use Solaris because (1) the license used to cost $595 for commercial use and (2) it was missing many features found in Linux (mainly modern GNU/open source software). Now that OpenSolaris is available, I've decided to convert. The recent additions of SMB file access, ksh93, and /usr/gnu/bin, along with the earlier additions of the ZFS filesystem and the /{usr,opt}/sfw/bin utilities, helped a lot. The following outlines the steps I took to do this. Formerly, I used OpenSUSE 10.3, and I upgraded to OpenSolaris NV79 (SXDE 1/08).

DVD Install

I started by booting off the DVD and selecting the first (and default) selection, "Solaris Express Developer Edition". This creates a Solaris partition with a 10GB root (/) slice, a spare 10GB slice (/second_root) for future Live Upgrade use (luupgrade(1M), live_upgrade(5)), and the rest is placed in /export/home. After reboot, I'll change the /export/home filesystem to a ZFS filesystem pool. If you want to install with more customization, select "Solaris Express" (the second menu item).

Initial Customization

The first thing I do is log in and disable the GUI login with:

svcadm disable graphical-login/cde-login
svcadm disable graphical-login/gdm

I also disable autofs, so I can use /home, with:

svcadm disable autofs

and create a /root home directory for root with:

mkdir /root; passmgmt -m -h /root root

(this last step isn't needed for newer OpenSolaris versions)

ZFS Filesystem Creation

Recent versions of OpenSolaris have the option of creating root and other filesystems as ZFS. Otherwise, I destroy the /export/home UFS filesystem created during install, which contains all of the disk not used by / or /second_root. I first unmount /export/home and comment it out of /etc/vfstab, then type these commands to create a large ZFS pool to divvy up among ZFS filesystems:

zpool create -f mypool /dev/dsk/c0d0s7
zpool list
zfs create mypool/home
zfs set mountpoint=/export/home mypool/home
zfs create mypool/local
zfs set mountpoint=/usr/local mypool/local
zfs list 

NFS client

Solaris uses NFSv4 by default, but NFSv4 is broken on Linux 2.6 (and is not available at all with earlier Linux versions), so we must fall back to v3 when mounting NFS directories from a remote Linux NFSv4 server (the other direction, Solaris NFSv4 server to Linux NFS client, does work). To mount a directory:

mount -F nfs -o vers=3 venus:/export /mnt

Or the equivalent /etc/vfstab entry would be:

# /etc/vfstab
venus:/export - /venus-export nfs - no vers=3

FTP File Service

I enable the FTP server, in.ftpd(1M), by creating an ftp user, copying the ftp files, and enabling the ftp server:

useradd -c "FTP server" -d /export/home/ftp -m -s /bin/false ftp
svcadm enable ftp
svcs ftp
cat >>/etc/ftpd/ftpaccess << FTPACCESS_EOF
xferlog format  %T %Xt %R %Xn %XP %Xy %Xf %Xd %Xm %U ftp %Xa %u %Xc %Xs %Xr
log transfers real,guest,anonymous inbound,outbound
log syslog+xferlog
FTPACCESS_EOF

NTP Time Service

I enable the NTP time server, xntpd(1M), by copying the /etc/ntp.conf file from Linux to /etc/inet/ntp.conf on Solaris and enabling the server:

svcadm enable ntp 

NFS File Server

# sharemgr add-share -s /backup -r backup -d "backup drive" default

Entries appear in /etc/dfs/dfstab (instead of Linux /etc/exports). Type "exportfs" to list NFS-exported directories.

SMB MS Windows File Server

To enable, add this line to /etc/pam.conf:

other password required pam_smb_passwd.so.1 nowarn

Enable the service and join an MS Windows Workgroup:

# Create filesystem if needed:
zfs create -o casesensitivity=mixed  rpool/myshare
zfs set mountpoint=/myshare rpool/myshare
# Setup SMB server:
svcadm enable -r smb/server
smbadm join -w MYGROUP # (default is WORKGROUP)
sharemgr add-share -s /myshare -r myshare -d "My OpenSolaris SMB share" default
sharemgr list -v
sharemgr show -vp

Change "myshare" to the name of the root directory you're sharing. Then use passwd(1) to set any passwords you'll be using in MS Windows (old passwords set before pam.conf is modified are not used). On MS Windows, go to Windows Explorer or My Computer and, from the Tools menu, select "Map Network Drive": \\myhostname\myshare. Change myhostname to your OpenSolaris hostname and myshare to the root directory being shared. Log in with the username and password set with passwd, above. No guest login is allowed.

DNS Name Server (BIND, named)

Copy /etc/named.conf and associated files pointed to in /etc/named.conf (in my case, /etc/named.conf.include, /etc/named.d/named-local.conf, /var/lib/named/*/*).

svcadm enable network/dns/server
svcs network/dns/server 

Sendmail Mail Server

To enable sendmail, you first need to copy and customize sendmail.cf. Here's what I did:

echo mydomainname.com >>/etc/mail/local-host-names
vi /etc/mail/aliases
/usr/sbin/newaliases
cd /usr/lib/mail/cf
cp sendmail.mc customized.mc
vi customized.mc
make customized.cf
cp customized.cf /etc/mail/sendmail.cf
# Configure sendmail to not use local.cf
svccfg -s sendmail setprop config/local_only = false
svcadm refresh sendmail
svcadm restart sendmail
# Test
sendmail -C customized.cf -v root@mydomainname.com </dev/null

Here's a copy of my customized.mc file:

divert(-1)
# Based on /usr/lib/mail/cf/sendmail.mc, Solaris NV79
divert(0)dnl
VERSIONID(`@(#)sendmail.mc      1.11 (Sun) 06/21/04')
OSTYPE(`solaris8')dnl
#DOMAIN(`solaris-generic')dnl
DOMAIN(`solaris-antispam')dnl
define(`SMART_HOST', `smtp-server.san.rr.com')dnl
FEATURE(`relay_entire_domain')dnl
MASQUERADE_AS(`drydog.com')dnl
# Blacklists
FEATURE(`enhdnsbl', `bl.spamcop.net', `"Spam blocked see: http://spamcop.net/bl.shtml?"$&{client_addr}', `t')dnl
FEATURE(`dnsbl', `sbl.spamhaus.org', `"550 Mail from " $`'&{client_addr} " refused - see http://www.spamhaus.org/sbl/"')
FEATURE(`dnsbl', `list.dsbl.org', `"550 Mail from " $`'&{client_addr} " refused - see http://dsbl.org/"')
FEATURE(`dnsbl',`dnsbl.njabl.org',`550 Message from $&{client_addr}rejected - see http://njabl.org/')dnl
# Procmail
# Need SUNWprocmail, SFWprcmail, or CSWprocmail procmail package (or similar) and
# rules file ~/.procmailrc. Change procmail path to where your procmail is located:
define(`PROCMAIL_MAILER_PATH',`/usr/bin/procmail')dnl
FEATURE(local_procmail)dnl
MAILER(`procmail')dnl
# Replace localhost with another relay host different from SMART_HOST, if available:
define(`confFALLBACK_SMARTHOST', `localhost$?m.$m$.')dnl
MAILER(`local')dnl
MAILER(`smtp')dnl
LOCAL_NET_CONFIG
R$* < @ $* .$m. > $*	$#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3

Note: you must preserve the tabs in the R$ line above, which is in the original /usr/lib/mail/cf/sendmail.mc file.

Postfix. An alternative to the above is to use a more modern email server (MTA) such as Postfix. That way, you can use the same configuration files on Linux as on Solaris (assuming you used Postfix on Linux). The trade-off is the overhead of installing/maintaining add-on software (Postfix on Solaris) versus setting up a new configuration with pre-installed software (Solaris Sendmail). However, Postfix configuration files are a lot less complex and less error-prone than Sendmail's.

IMAP Mail Client Server

I use the IMAP daemon from UW Pine. Cyrus also provides an IMAP daemon, but its mind-boggling complexity and extra configuration are more than I want to deal with for my purposes. A Pine package is available from SunFreeware, Blastwave, and Drydog. I add these lines to /etc/inet/inetd.conf to enable unsecured and secure IMAP, for IPv4 and IPv6:

imap    stream  tcp     nowait  root    /usr/local/sbin/imapd     imapd
imap    stream  tcp6    nowait  root    /usr/local/sbin/imapd     imapd
imaps   stream  tcp     nowait  root    /usr/local/sbin/imapd     imapd
imaps   stream  tcp6    nowait  root    /usr/local/sbin/imapd     imapd

and import it into SMF with:

inetconv -i /etc/inet/inetd.conf

Secure IMAP. If you use IMAP over an unsecured network, you should use SSL (TCP port 993) instead of the unsecured IMAP port 143. This requires generating a certificate with OpenSSL. (You can copy the same certificate from your previous (Linux) system, if this is a replacement server.) To make your own certificate (using the Blastwave version of openssl):

mkdir -p /etc/sfw/openssl/certs
cd /etc/sfw/openssl/certs
# Create a self-signed certificate (careful—don't make it readable by others!)
openssl req -new -x509 -nodes -out imapd.pem -keyout imapd.pem -days 9999
chmod 0400 imapd.pem 

I just copied my /etc/ssl/certs directory on Linux to /usr/local/openssl/certs (where Blastwave OpenSSL expects it—your version of OpenSSL may use another directory, such as /usr/local/ssl/certs). Do not use tcpd (TCP wrappers) with imaps—it doesn't work.
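
With the openssl/chmod sequence above, imapd.pem (which holds the unencrypted key, since -out and -keyout name the same file) exists at the default umask until chmod runs. The following is an added example, not from the original post, that shows that window and the umask-first ordering; it uses a constructed placeholder file instead of a real key, and imapd2.pem is a made-up name.

```shell
#!/bin/sh
# Added example, not from the original post. The "key" written below is a
# constructed placeholder, not real key material; imapd2.pem is a made-up name.

# exposed_keys DIR: list files under DIR that hold a private key and are
# readable by group or other.
exposed_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -e 'BEGIN .*PRIVATE KEY' {} \;
}

count_exposed() { exposed_keys "$1" | wc -l | tr -d ' '; }

demo_key_perms() {
    d=$(mktemp -d) || return 2
    pem='-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----'

    # Order used on the page: the file is created under the default umask
    # (022 here, giving mode 0644) and only tightened afterwards.
    ( umask 022; printf '%s\n' "$pem" > "$d/imapd.pem" )
    window=$(count_exposed "$d")
    chmod 0400 "$d/imapd.pem"
    after_chmod=$(count_exposed "$d")

    # Hardened order: restrictive umask before the file exists, e.g.
    #   ( umask 077; openssl req -new -x509 -nodes -out imapd.pem \
    #       -keyout imapd.pem -days 9999 )
    ( umask 077; printf '%s\n' "$pem" > "$d/imapd2.pem" )
    hardened=$(count_exposed "$d")

    rm -rf "$d"
    echo "window=$window after_chmod=$after_chmod hardened=$hardened"
}

demo_key_perms
```

Running exposed_keys against the real certs directory after setup should print nothing.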

MySQL Database Server

I simply copied the binary database files from Linux to Solaris. First, enable the MySQL server:

# /usr/sfw/bin/mysql_install_db
# groupadd mysql
# useradd -g mysql -d /var/mysql mysql
# chgrp -R mysql /var/mysql
# chmod -R 770 /var/mysql
# echo "skip-networking" >>/etc/mysql/my.cnf
# svcadm enable mysql
# /usr/sfw/bin/mysqladmin -u root -p
(enter your pw)

Next, I copied the /var/lib/mysql/* files on Linux to /var/mysql/5.0/data on Solaris. You can also use mysqldump on Linux and import with mysql on Solaris.
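
MySQL applies an option only to the group it appears under, so the `echo "skip-networking" >>` append above disables TCP listening only if [mysqld] happens to be the last group in my.cnf. The following is an added check, not from the original post, that tests where the option landed and places it under [mysqld]; the my.cnf content and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; the my.cnf content is constructed.

# option_in_group FILE GROUP OPTION: succeed if OPTION is set inside [GROUP].
option_in_group() {
    awk -v group="$2" -v opt="$3" '
        /^[ \t]*[#;]/ { next }                   # comment line
        /^[ \t]*\[/ {                            # group header, e.g. [mysqld]
            current = $0
            sub(/^[ \t]*\[/, "", current); sub(/\].*$/, "", current)
            next
        }
        {
            name = $0
            sub(/[ \t]*=.*$/, "", name)          # drop "= value"
            gsub(/^[ \t]+|[ \t]+$/, "", name)    # trim whitespace
            gsub(/_/, "-", name)                 # skip_networking == skip-networking
            if (current == group && name == opt) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# add_option_to_group FILE GROUP OPTION: print FILE with OPTION inserted right
# after the [GROUP] header (a new group is appended if FILE has none).
add_option_to_group() {
    awk -v group="$2" -v opt="$3" '
        { print }
        /^[ \t]*\[/ {
            g = $0; sub(/^[ \t]*\[/, "", g); sub(/\].*$/, "", g)
            if (g == group && !done) { print opt; done = 1 }
        }
        END { if (!done) { print "[" group "]"; print opt } }
    ' "$1"
}

demo_mycnf() {
    f=$(mktemp) || return 2
    printf '%s\n' '[mysqld]' 'datadir = /var/mysql/5.0/data' '' \
                  '[client]' 'port = 3306' > "$f"
    echo "skip-networking" >> "$f"               # the append used on the page
    option_in_group "$f" mysqld skip-networking && before=yes || before=no
    add_option_to_group "$f" mysqld skip-networking > "$f.fixed"
    option_in_group "$f.fixed" mysqld skip-networking && after=yes || after=no
    rm -f "$f" "$f.fixed"
    echo "before=$before after=$after"
}

demo_mycnf
```

The line that the append left under the other group should be removed as well once the option sits under [mysqld].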

Apache Web Server

Apache 2 comes pre-built under /usr/apache. However, I've always rolled my own to get the exact set of features and modules, and to make moving between Linux distributions (and OpenSolaris) easy. So, here's how I build Apache with PHP on Solaris. I use GDBM from Blastwave (also available on SunFreeware).

gtar xfz httpd-2.2.6.tar.gz
gtar xfz php-5.2.5.tar.gz
cd httpd-2.2.6
export PATH=$PATH:/usr/sfw/bin
export CC=/usr/sfw/bin/gcc
# Show you're running on OpenSolaris (optional):
export CFLAGS='-DPLATFORM=\"Unix/OpenSolaris\"'
./configure --prefix=/usr/local/apache \
        --enable-so \
        --enable-cgi \
        --enable-info \
        --enable-rewrite \
        --enable-speling \
        --enable-usertrack \
        --enable-deflate \
        --enable-ssl \
        --enable-mime-magic
make
make install
cd ../php-5.2.5
./configure \
        --with-apxs2=/usr/local/apache/bin/apxs \
        --with-mysql=/usr/sfw \
        --prefix=/usr/local/apache/php \
        --with-config-file-path=/usr/local/apache/php \
        --enable-force-cgi-redirect \
        --disable-cgi \
        --with-gettext \
        --with-zlib \
        --with-gdbm=/opt/csw \
        --with-openssl
make
make install
make install-cli
# apachectl is installed under the --prefix given to Apache's configure above
for i in init.d/apachectl rcS.d/K16apachectl rc0.d/K16apachectl \
        rc1.d/K16apache rc2.d/K16apachectl rc3.d/S50apache ; do
        cp /usr/local/apache/bin/apachectl /etc/$i
done
vi /usr/local/apache/conf/httpd.conf
/etc/init.d/apachectl start 

Update: for recent versions of OpenSolaris, change the PHP configure --with-mysql and --with-openssl entries to --with-mysql=/usr/mysql --with-openssl=/usr

Comments:

where have you got SXDE 1/08? on http://developers.sun.com/sxde, there is only SXDE 9/07
thanks and happy new year

Posted by gerard on January 01, 2008 at 04:03 PM PST #

It's not released yet--A new SXDE should appear soon.

Posted by Dan Anderson on January 02, 2008 at 02:26 AM PST #

"zfs recv" crashes my system always, hope to see snv79 soon, maybe snv80. Even number more stable?

Posted by snv77 user on January 02, 2008 at 09:15 PM PST #

If "zfs receive" is used with a ZFS pool that doesn't exist, it core dumps (it should print an error message instead). Otherwise, I don't know of any bugs. Even or odd build numbers are not more stable or unstable.

You could report your problem to http://bugs.opensolaris.org/

Posted by Dan Anderson on January 03, 2008 at 02:01 AM PST #

SXDE 1/08 is now available at
http://developers.sun.com/sxde

Posted by Dan Anderson on February 06, 2008 at 03:41 PM PST #
