Using System Configuration Manifests with Bootable AI
By scottdickson on Dec 20, 2010
In my last blog, I talked about how to configure a manifest for a bootable AI installation. The main thing there was how to select which packages to install. This time we are going to talk about how to handle AI's version of sysidcfg and configuring system identity at install-time.
In a Jumpstart world, many of the things that make up a system's identity - hostname, network configuration, timezone, naming services, etc. - can be configured at installation time by providing a sysidcfg file. Alternately, an interactive dialog starts and prompts the installer for this sort of information.
The System Configuration manifest provides this same sort of information in an Automated Installer world. The documentation for AI shows how to create either a separate or an embedded SC manifest to be served by an AI server. When using Bootable AI, the SC manifest needs to be embedded within the AI manifest. The SC manifest, whether embedded or not, is basically an XML document that is providing a bunch of properties for SMF services that are going to run on the first system boot to help complete the system configuration. Some of the main tasks that can be completed in the SC manifest are:
- Identify and configure the administrative "first user" created at install time.
- Specify a root password and whether root is a role or a standard user
- Configure timezone, hostname, keyboard maps, terminal type
- Specify whether the network should be configured automatically or manually.
- Configure network settings, including DNS, for manually configured networks
But, in the end, all of this is just setting SMF properties, so it's pretty straightforward. It appears as a large service_bundle with properties for multiple SMF services.
As far as including the SC manifest information in the bootable AI manifest, the SC manifest is essentially embedded into the AI manifest as a large comment. Don't be put off by the comment notation. This whole section is passed on to SMF to assign the necessary service properties.
In order to explain the various sections of properties, I will just annotate an updated SC manifest. In this manifest, I will specify some of the more common configuration settings you might use.
The whole SC embedded manifest is identified within the AI manifest with the tag sc_embedded_manifest. See the Automated Installer Guide for more details on the rest of the options to this tag. The two lines following the sc_embedded_manifest tag are just the top part of the stand-alone SC manifest XML document. Look in the default AI manifest for exact placement of this section.
<!-- <?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
The rest of the SC manifest sets up service properties for a service bundled named "system configuration."
<service_bundle type="profile" name="system configuration">
The service system/install/config is responsible for doing some of the basic configuration actions at install-time, such as setting up the first, or admin, user, setting a root password, and giving the system a name. The property group "user_account" specifies how the first user, used for administration, should be configured. You can specify here the username (name="login"), an encrypted password, the GECOS field information (name="description"), as well as the UID and GID for the account. Note that the default password supplied for the first user (by default, named jack) in the default manifest is "jack".
Special note should be made of the property "roles". Recall that in Solaris 11 Express, root is no longer a regular login user, but becomes a role. Therefore, in order to be able to assume the root role for administrative functions, this first user needs to be given the root role. Other roles can also be specified here as needed. Also notice that the profile "Primary Administrator" is no longer assigned to this first user, as was done in OpenSolaris. Additional properties around roles, profiles, authorizations, etc. may be assigned. See the Automated Installer Guide for details.
<service name="system/install/config" version="1" type="service">
<instance name="default" enabled="true">
<property_group name="user_account" type="application">
<propval name="login" type="astring" value="sewr"/>
<propval name="password" type="astring" value="9Nd/cwBcNWFZg"/>
<propval name="description" type="astring" value="default_user"/>
<propval name="shell" type="astring" value="/usr/bin/bash"/>
<propval name="uid" type='count' value='27589'/>
<propval name="gid" type='count' value='10'/>
<propval name="type" type="astring" value="normal"/>
<propval name="roles" type="astring" value="root"/>
As with Jumpstart, it is possible to specify a root password at install time. The encrypted string for the root password is given here as the password property. If no new password is supplied, the default root password at install-time is "solaris". Also note here that root is created as a role rather than a regular login user.
<property_group name="root_account" type="application">
<propval name="password" type="astring" value="$5$dnRfcZs$Hx4aBQ161Uvn9ZxJFKMdRiy8tCf4gMT2s2rtkFba2y4"/>
<propval name="type" type="astring" value="role"/>
A few other housekeeping properties can also be set here for the system/install/config service. These include the local timezone and the hostname (/etc/nodename) for the system.
<property_group name="other_sc_params" type="application">
<propval name="timezone" type="astring" value="US/Eastern"/>
<propval name="hostname" type="astring" value="myfavoritehostname"/>
The system/console-login service establishes the login service for the console. Here you can specify the terminal type to be used for the console.
<service name="system/console-login" version="1" type="service">
<property_group name="ttymon" type="application">
<propval name="terminal_type" type="astring" value="xterms"/>
The service system/keymap establishes what sort of keyboard input is to be expected on the system.
<service name='system/keymap' version='1' type='service'>
<instance name='default' enabled='true'>
<property_group name='keymap' type='system'>
<propval name='layout' type='astring' value='US-English'/>
By default, Solaris 11 Express enabled NWAM (NetWork Automagic) to automatically configure the primary network interface. NWAM, by default, activates a primary network for the system, whether wired or wireless, monitors its availability and tries to restore network connectivity if it should go away. Most people would say that its behavior is best suited for mobile or desktop systems, and it functions well in that space. It includes the ability to have profiles that guide its behavior in a variety of networked environments. NWAM relies on DHCP to get an available IP address and other data needed to configure the network.
In the default AI profile, the network/physical:nwam service instance is enabled and the network/physical:default service instance is disabled. In most server configurations, static addressing and configuration might be more desirable. In that case, you can do as we have below and switch with service instance is enabled and which is disabled by default.
<service name="network/physical" version="1" type="service">
<instance name="nwam" enabled="false"/>
<instance name="default" enabled="true"/>
In the case where we are doing static network configuration, we will rely on the network/install service to set up our networks. The properties and values used here correspond to arguments to the ipadm command, new in Solaris 11 Express. ipadm is used to configure and tune IP interfaces. See its man page for details on syntax.
In this case, we are setting up a single IPv4 network interface (xnf0), giving it a static IP address and netmask, and specifying a default route.
<service name="network/install" version="1" type="service">
<instance name="default" enabled="true">
<property_group name="install_ipv4_interface" type="application">
<propval name="name" type="astring" value="xnf0/v4"/>
<propval name="address_type" type="astring" value="static"/>
<propval name="static_address" type="net_address_v4" value="192.168.100.101/24"/>
<propval name="default_route" type="net_address_v4" value="192.168.100.1"/>
As with Jumpstart using sysidcfg, it is possible to set up DNS information at install-time. Note that only DNS and not NIS or LDAP naming services can be set up this way. The System Administration Guide: Naming and Directory Services manual discusses how to configure these naming services. NIS+ is no longer supported in Solaris 11 Express.
The network/dns/install service is used to set up DNS at install-time. For this, we specify the regular sorts of data that will populate the /etc/resolv.conf file: nameservers, domain, and a domain name search path. Some of these data items take multiple values, so lists of values are used, as shown below.
<service name="network/dns/install" version="1" type="service">
<instance name="default" enabled="true">
<property_group name="install_props" type="application">
<property name="nameserver" type="net_address">
<propval name="domain" type="astring" value="us.warble.com"/>
<property name="search" type="astring">
And we close out the service bundle and the embedded SC manifest.
So, by building a custom AI manifest with its embedded SC manifest, you can accomplish the same sorts of install-time configuration of a system as you could with Jumpstart and sysidcfg, without having to build any sort of complex finish scripts or any kind of extra coding. This approach makes is possible to have a repeatable methodology for creating the administrative user, with known, standard credentials, and for configuring the base system networks and naming services.