BinfordLog

r8 - 18 Jul 2008 - 17:22:49 - JimBodie

Summary

binford is Jim's utility machine. Its original purpose is to be a terminal server for the new name servers, but its use can be expanded to just about any need, including a file server for patches, or a backup print, license, or JumpStart server. It could also be named frankenstein, as it was built from parts of several other machines.

This is a change log that will also serve as an install document for Solaris on binford. This document will probably not be of interest to the end user.

  • Hardware
    • Sun Ultra 10
    • Serial number FW92460273
    • 512 MB RAM
    • 40 GB hard drive
  • Major Software Installs
    • Solaris 9
    • Sun Studio 11
    • OpenGL 1.5
    • Java 1.6

18 Jul 2008 - Update IPSec

IPSec was updated to reflect the need for binford to mount, and be mountable by, both machines in the Server Shared group and those outside it. The standard /etc/inet/ike/config file, which was the same as the config.server_shared file, has been replaced with its own file called config.binford.

The major change was to add a rule for each system in the Server Shared group and a rule for each of the shared groups apart from the Server Shared group. Effectively, binford can mount any other system using IPSec that allows it, and any IPsec using system can mount binford if binford allows it.

09 Jul 2008 - Sun Patch Installation and Software Update

Solaris System Patches

The Solaris 9 Recommended patch cluster was installed as well as any patches that were recommended by patchdiag.

Sun Studio 11 Patches

2 Sun Studio 11 Patches were applied. They were:

Studio 11 Patches
120760-20
121017-15

Java 1.6 Update 7

Java 1.6 Update 7 was installed by installing these packages:

Package Name   Package Description
SUNWj6rt       JDK 6.0 Runtime Env. (1.6.0_07)
SUNWj6rtx      JDK 6.0 64-bit Runtime Env. (1.6.0_07)
SUNWj6cfg      JDK 6.0 Host Config. (1.6.0_07)
SUNWj6dev      JDK 6.0 Dev. Tools (1.6.0_07)
SUNWj6dvx      JDK 6.0 64-bit Dev. Tools (1.6.0_07)
SUNWj6man      JDK 6.0 Man Pages (1.6.0_07)
SUNWj6dmo      JDK 6.0 Demo Programs (1.6.0_07)
SUNWj6dmx      JDK 6.0 64-bit Demo Programs (1.6.0_07)

Solaris Package Updates

17 of the CIS packages either required updating or were installed. The packages that were updated or installed are:

Package Name     Name and Version
CIScurl          curl 7.18.2
CISexpect        expect 5.43.0
CISfirefox       firefox 2.0.0.15
CISfontconfig    fontconfig 2.6.0
CISfreetype      freetype 2.3.6
CISgnum4         gnum4 1.4.11
CISgnutar        gnutar 1.20
CISimmagick      immagick 6.4.1-10
CISlibpng        libpng 1.2.29
CISlibxml2       libxml2 2.6.32
CISlsof          lsof 4.80
CISnetpbm        netpbm 10.26.55
CISopenssl       openssl 0.9.8h
CISpcre          pcre 7.7
CISrsync         rsync 3.0.2
CISsudo          sudo 1.6.9p16
CIStcltk         tcltk 8.5.2

09 Jun 2008 - Security Configuration

IPsec Configuration

binford will be going in the ike Server Shared group. There's no real reason for it to get its own ike keys; it will likely only be mounting, or be mounted by, other systems in the Server Shared group or the systems that have their own keys (i.e. drizzt, pegasus, and saturn).

Removing Exceptions

On several servers, drizzt, and js to be exact, there was an exception in their /etc/inet/ipsecinit.conf file for binford to be able to mount their drives without using IPsec. That exception was in place to allow the system to mount the drives, get on with the configuration and other work and not have to initially worry about setting up IPsec. Be sure to unmount any mounts to those systems. The exception looks like:

    # Permit binford to not require IPSec for NFS
    { rport 2049 raddr 129.21.57.99 dir both } bypass { }
    { lport 2049 raddr 129.21.57.99 dir both } bypass { }

Remove the exception on those machines and restart IPSec with:

    ipsecconf -f
    ipsecconf -a /etc/inet/ipsecinit.conf

At this point, binford will not be able to NFS mount any of those servers until IPSec is setup.
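As an added example (not part of the original log), here is a small shell check that lists any bypass rules in an ipsecinit.conf-style policy file for a given address, so you can confirm the exception really is gone before relying on IPsec for NFS traffic. The sample policy embedded below is constructed for the demonstration; the file path and address are arguments, and the rule syntax follows the ipsecconf format shown above.

```shell
#!/bin/sh
# Added example, not from the BinfordLog page: report "bypass" rules in an
# ipsecinit.conf-style policy file that exempt a given remote address.
# A leftover bypass means NFS to that host still travels without IPsec.

# Print every non-comment bypass rule in $1 that names raddr $2.
find_bypass_rules() {
    grep -v '^[[:space:]]*#' "$1" | grep 'bypass' | grep -F "raddr $2"
}

# Print how many such rules exist (0 means the exception has been removed).
count_bypass_rules() {
    n=$(find_bypass_rules "$1" "$2" | grep -c . || true)
    echo "$n"
}

# Constructed sample policy: the binford exception from above plus one
# ordinary rule requiring ESP for the rest of the subnet.
SAMPLE_POLICY=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
# Permit binford to not require IPSec for NFS
{ rport 2049 raddr 129.21.57.99 dir both } bypass { }
{ lport 2049 raddr 129.21.57.99 dir both } bypass { }
# Everyone else on the subnet must use ESP with authentication
{ raddr 129.21.57.0/24 } ipsec { encr_algs 3des encr_auth_algs md5 }
EOF

# Usage: report on the sample file before the exception is removed.
if [ "$(count_bypass_rules "$SAMPLE_POLICY" 129.21.57.99)" -ne 0 ]; then
    echo "bypass rules for 129.21.57.99 still present; remove them and rerun ipsecconf:"
    find_bypass_rules "$SAMPLE_POLICY" 129.21.57.99
fi
```

Run it against /etc/inet/ipsecinit.conf on each of the servers that carried the exception; once the count is 0 and ipsecconf has been reloaded, the only way for binford to reach their NFS port is through IPsec.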

Adding binford to the IPSec and IKE Config Files

The Server Shared group is designed to not require every possible combination of key pairs, one for each possible pair of servers in that group. That is why it is a shared key: the members all have the same key. Once the Server Shared keys were distributed to the necessary machines, a restart of the IPSec and iked programs is not necessary on most systems. Unfortunately, because the servers share the same subnets as nonserver systems, the machines that need to share ike keys with both Server Shared and other systems must have configuration entries for both.

In the ike repository directory (name and path left out on purpose, trust me, Jim knows where it is), make the following changes to integrate heckyl:

In the file config.drizzt, in the appropriate section, add:

    {
            label "drizzt to binford"
            local_id_type dn
            local_id "C=US, O=RIT, OU=CIS, CN=drizzt.cis.rit.edu"
            local_addr 129.21.57.69
            remote_id "C=US, O=RIT, OU=CIS, CN=CIS Server Shared Certificate"
            remote_addr 129.21.57.99

            p1_xform
                    {auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des}
    }

Do the same thing in config.pegasus and config.saturn. Change the hostname and ip address as appropriate.

Because it is a server shared key that is only shared among servers, that is all that needs to change to add the new system.
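Since the same rule is added to config.drizzt, config.pegasus and config.saturn with only the hostname and address changed, an added example (not from the original page) generates the rule from those two values and checks that each field the IKE daemon needs appears exactly once. The phase-1 transform and the shared-certificate DN are the ones shown above; the FQDN pattern "<host>.cis.rit.edu" is assumed from the drizzt example, and the pegasus and saturn addresses, which the page does not list, are passed in by the caller.

```shell
#!/bin/sh
# Added example, not the page's own tooling: emit one per-server IKE rule
# for the Server Shared group so the three copies cannot drift apart.

SHARED_ID="C=US, O=RIT, OU=CIS, CN=CIS Server Shared Certificate"
SHARED_ADDR=129.21.57.99    # binford's address, as given on the page

# ike_rule <short host> <local address> [fqdn]
# Prints the rule block; the fqdn defaults to <host>.cis.rit.edu (assumed).
ike_rule() {
    host=$1
    local_addr=$2
    fqdn=${3:-$host.cis.rit.edu}
    cat <<EOF
{
        label "$host to binford"
        local_id_type dn
        local_id "C=US, O=RIT, OU=CIS, CN=$fqdn"
        local_addr $local_addr
        remote_id "$SHARED_ID"
        remote_addr $SHARED_ADDR

        p1_xform
                {auth_method rsa_sig oakley_group 2 auth_alg md5 encr_alg 3des}
}
EOF
}

# check_ike_rule <rule text>
# Returns 0 when every required keyword appears exactly once in the rule.
check_ike_rule() {
    rule=$1
    for key in label local_id_type local_id local_addr remote_id remote_addr p1_xform; do
        n=$(printf '%s\n' "$rule" | grep -Ec "^[[:space:]]*$key([[:space:]]|$)")
        [ "$n" -eq 1 ] || { echo "missing or duplicated keyword: $key" >&2; return 1; }
    done
    return 0
}

# Usage: the drizzt rule from above, regenerated and checked.
rule=$(ike_rule drizzt 129.21.57.69)
check_ike_rule "$rule" && printf '%s\n' "$rule"
```

To produce the pegasus and saturn entries, call ike_rule with their hostnames and addresses and paste the output into the matching section of each config file; running check_ike_rule over an existing hand-edited block is a quick way to catch a dropped line before in.iked refuses the file.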

Distribute the Updated Files

A number of files need to be copied to binford and some to the other servers in order to implement IPSec. These commands were executed from the ike repository directory:

    scp server_shared.ipsecinit.conf root@binford:/etc/inet/ipsecinit.conf
    scp config.server_shared root@binford:/etc/inet/ike/config
    scp server_shared.private.cert root@binford:/etc/inet/secret/ike.privatekeys/0
    scp server_shared.public.cert root@binford:/etc/inet/ike/publickeys/0
    scp drizzt.public.cert root@binford:/etc/inet/ike/publickeys/1
    scp pegasus.public.cert root@binford:/etc/inet/ike/publickeys/2
    scp saturn.public.cert root@binford:/etc/inet/ike/publickeys/3
    scp cis_shared.public.cert root@binford:/etc/inet/ike/publickeys/4
    scp cluster_shared.public.cert root@binford:/etc/inet/ike/publickeys/5
    scp lias_shared.public.cert root@binford:/etc/inet/ike/publickeys/6

    scp config.drizzt root@drizzt:/etc/inet/ike/config
    scp config.pegasus root@pegasus:/etc/inet/ike/config
    scp config.saturn root@saturn:/etc/inet/ike/config

(Re)start iked and ipsec on binford:

    pkill in.iked
    /usr/lib/inet/in.iked
    ipsecconf -f
    ipsecconf -a /etc/inet/ipsecinit.conf

08 Jun 2008 - 09 Jun 2008 - Initial Setup and System Configuration

From Many Come One

Several Ultra 10s were used to put the machine together. The 40 GB disk came from the old archaic, the 333 MHz processor came from another machine (as the one from archaic was damaged), the memory came from a couple different systems and the SCSI card came from yet another system. Once a working setup was found, it was set up and cabled on the big table in the middle of the main server room.

Solaris Install

Using the format command, the boot disk was partitioned as follows:

Slice  Tag         File System  Start - End Cyl.  Size (cyl)  Size
0      root        /            515 - 5656        5142c       10.00 G
1      swap        swap         0 - 514           515c        1.00 G
3      unassigned  /local       5657 - 19155      13499c      26.26 G

Solaris 9 was installed from CD. JumpStart was not used as this machine is not designed to be a general use system. During the system configuration, as many services and software packages as possible were removed. Software packages such as samba, ssh, perl, and java were as stripped down as possible as newer versions were going to be installed after the Solaris install.

After Solaris was installed, the Solaris 9 Recommended patch cluster was installed as well as any patches that were recommended by patchdiag.

After the installation, a local account, jim, was created just like all the other local jim accounts. This is to allow remote access.

usrlocal

We are going to follow the usual /usr/local setup. Create the usual directories:

    cd /usr
    mkdir -m 0755 local
    cd /usr/local
    for I in bin doc etc include info lib libexec man misc sbin; do
        mkdir -m 0755 $I
    done

Jim's Scripts

The standard set of tools and utility files that Jim developed were installed in the usual places. The scripts are installed in /usr/local/sbin and any related resource files were installed in /usr/local/etc. The current list and brief description:

  • Patch Tools
    • dopatchdiag - Runs patchdiag and generates a report
    • unzippatches - Glorified wrapper to unzip
    • wgetpatches - Gets a list of patches from sunsolve
    • wgetxref - Gets the xref file from sunsolve
  • System Admin Tools
    • cmpfiles - Compares a list of files to the ones on the system
    • finddups - Finds duplicate files based on a set of tests
    • killuser - Terminates all of a user's processes
    • purgefiles - Cleans files in a given directory tree based on a date criterion and an optional exception list
    • stopservices - Renames the init scripts of undesired services
    • sysepage - Modular paging program, also has resource file in /usr/local/etc
    • time2UTC - Cute Perl/Tk program that converts time back and forth, requires Perl/Tk
    • verbackup - Program to manage versioned backups of files

patchdiag

Downloaded patchdiag 1.0.4 from Sun into /tmp/patchdiag_1.0.4.tar.Z, then unpacked and installed it under /usr/local/misc as you see here.

    cd /usr/local/misc
    zcat /tmp/patchdiag_1.0.4.tar.Z | tar xf -
    ln -s /usr/local/misc/patchdiag-1.0.4 /usr/local/misc/patchdiag
    ln -s /usr/local/misc/patchdiag/patchdiag /usr/local/bin/patchdiag
    cd /usr/local/misc/patchdiag
    ./patchdiag_setup    # enter /usr/local/misc/patchdiag as the path for the xref file

Execute the wgetxref command to download the patchdiag.xref file. Add the following crontab entry:

    00 01 * * * /usr/local/sbin/wgetxref -P /usr/local/misc/patchdiag-1.0.4

The crontab entry will ensure that a new patchdiag.xref is downloaded daily.

Sun Software and Patch Installation

The following unbundled Sun software was installed. Note: The following lists the package names, and patch number at the time the software was installed. Newer revisions of the patches or software packages may be installed at a later date with less detail added to this file.

Java 1.6 Update 5

Java 1.6 Update 5 was installed by installing these packages:

Package Name   Package Description
SUNWj6rt       JDK 6.0 Runtime Env. (1.6.0_05)
SUNWj6rtx      JDK 6.0 64-bit Runtime Env. (1.6.0_05)
SUNWj6cfg      JDK 6.0 Host Config. (1.6.0_05)
SUNWj6dev      JDK 6.0 Dev. Tools (1.6.0_05)
SUNWj6dvx      JDK 6.0 64-bit Dev. Tools (1.6.0_05)
SUNWj6man      JDK 6.0 Man Pages (1.6.0_05)
SUNWj6dmo      JDK 6.0 Demo Programs (1.6.0_05)
SUNWj6dmx      JDK 6.0 64-bit Demo Programs (1.6.0_05)

Sun OpenGL 1.5

OpenGL 1.5 was installed by running the shell archive file with the command: sh ogl15_rt.shar. Patch 120812-24 was installed after the archive was finished.

Sun Studio 11

The js.updsunstudio11 script was used to install Sun Studio 11. While that script is technically designed to update Studio 11, it can also perform a fresh install of the software and patches.

The installed Sun Studio 11 packages are:

SPROcc SPROgcx SPROl90sx SPROmride SPROprfan SPROstl4y
SPROcmpl SPROgvim SPROl90x SPROmripl SPROprfax SPROsunms
SPROcpl SPROhtbas SPROlang SPROmrmp SPROprfgn SPROsvc
SPROcplx SPROhtstd SPROlangx SPROmrpan SPROprflb SPROtdemo
SPROctags SPROhttl7 SPROlcxs SPROmrpgn SPROprflx SPROtl7x
SPROctsrc SPROhtxd SPROlgc SPROmrpl SPROrdbkb SPROtlbn7
SPROdbx SPROidext SPROlgcx SPROmrsbe SPROrdbks SPROtll7
SPROdbxui SPROipl SPROlklnt SPROmrstd SPROrdbkx SPROtll7x
SPROdbxx SPROiplg SPROm9xpx SPROmrtcv SPROsbe SPROupdck
SPROdemo SPROiplx SPROm9xs SPROmrxd SPROsbld SPROutool
SPROdmake SPROjdbx SPROm9xsx SPROmrxm SPROsbldx SPROxdplg
SPROdwrfb SPROjdbxx SPROmr3m SPROnbreg SPROscl SPROxmbin
SPROdwrfs SPROjnsnb SPROmrcc SPROpl SPROsclx SPROxmshr
SPROdwrfx SPROjnsrt SPROmrcom SPROplck SPROsmpx SPROxmsrc
SPROf90 SPROjnsup SPROmrcpl SPROplg SPROsmsx SUNWexted
SPROfd SPROl77s SPROmrdbx SPROpls SPROstl4a SUNWnbcpp
SPROfdxd SPROl77sx SPROmrdmk SPROplsx SPROstl4h SUNWnbide
SPROftool SPROl90 SPROmrdwf SPROplx SPROstl4o SPROgc
SPROl90s SPROmrftn SPROpnsn SPROstl4x    

The installed Sun Studio 11 patches are:

Studio 11 Patches
120760-19
120761-03
121015-06
121017-14
121021-07
121019-10
121023-06
122135-03
122142-03
122149-01
124862-02

Root Account Changes

The root user account was changed in 2 ways. The home directory of root was changed from / to /root and the default shell was changed to /bin/ksh. All dot files were moved into /root. The standard SSH keys and environment files were copied to root's home directory.

xaccess

Installed a new Xaccess file with the contents below as /etc/dt/config/Xaccess.

    # Only allow Direct XDMCP connections from other CIS machines.  Do
    # not allow indirect or other connections.
    *.cis.rit.edu

xservers

The /etc/dt/config/xservers file was copied from another system. The important line in this file is the one that sets the default color depth to 24. That line looks like:

   :0   Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -dev /dev/fb defdepth 24

xhost

Patched xhost per the usual CIS hackery to prevent lazy users from using xhost + when they should know better. The patch is applied, but due to the very limited number of users, all of which know better, this will likely never be an issue.

Quite frankly, on binford this is REALLY unnecessary, but it was done out of habit.

The CIS hackery is to rename /usr/openwin/bin/xhost to /usr/openwin/bin/CISxhost and create a script that will complain and exit if xhost + is ever tried.

system

Created a /etc/issue file that gives the usual unauthorized use message:

    Unauthorized connections are prohibited; all activity may be logged.
    Disconnect immediately if you object to this policy.

Created a /etc/motd file that references BinfordLog. The file looks like:

        Chester F. Carlson Center for Imaging Science
        Rochester Institute of Technology
        Node: binford
        See http://wiki.cis.rit.edu/bin/view/Help/BinfordLog

Limited max number of processes per user to 512 via maxuprc in /etc/system. This will take effect after a reboot:

    * Limit user processes to 512.  Prevents "fork bombs"
    set maxuprc=512

Set RFC 1948 TCP sequence number generation via TCP_STRONG_ISS in /etc/default/inetinit:

    TCP_STRONG_ISS=2

disable execution of code located on user stack

Though this is the default for all 64 bit Solaris kernels, I added the following code to /etc/system in the event that the system is ever booted with a 32 bit kernel. Okay, this is silly, we will never boot a 32 bit kernel on binford, but in the name of the RIT server standard and in the spirit of better safe than sorry...

    * Prevent buffer overflow attacks from getting anywhere past a DoS
    set noexec_user_stack=1

Remember, it will not take effect until the next reboot.
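Because these three settings live in two files and only take effect on reboot, it is easy for one to be lost (a reinstalled file, a typo in /etc/system) without anyone noticing. The following shell check, an added example and not part of the original log, reads an /etc/system-style file and an /etc/default/inetinit-style file and reports any of maxuprc=512, noexec_user_stack=1 and TCP_STRONG_ISS=2 that is missing. The two sample files it builds are constructed for the demonstration; the real paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the BinfordLog page: confirm the /etc/system and
# /etc/default/inetinit hardening entries recorded above are present.

# system_setting <file> <name>: value of "set <name>=<value>" in an
# /etc/system-style file; '*' starts a comment there.
system_setting() {
    grep -v '^[[:space:]]*\*' "$1" \
        | sed -n "s/^[[:space:]]*set[[:space:]]\{1,\}$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" \
        | tail -n 1
}

# inetinit_setting <file> <name>: value of "<NAME>=<value>" in a
# /etc/default/inetinit-style file; '#' starts a comment there.
inetinit_setting() {
    grep -v '^[[:space:]]*#' "$1" \
        | sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" \
        | tail -n 1
}

# check_hardening <system file> <inetinit file>: 0 if all three settings
# match the values recorded on this page, 1 (with a message each) otherwise.
check_hardening() {
    rc=0
    [ "$(system_setting "$1" maxuprc)" = 512 ] \
        || { echo "maxuprc is not set to 512 in $1"; rc=1; }
    [ "$(system_setting "$1" noexec_user_stack)" = 1 ] \
        || { echo "noexec_user_stack is not set to 1 in $1"; rc=1; }
    [ "$(inetinit_setting "$2" TCP_STRONG_ISS)" = 2 ] \
        || { echo "TCP_STRONG_ISS is not set to 2 in $2"; rc=1; }
    return $rc
}

# Constructed sample files: one pair matching the entries above, and an
# /etc/system that lost the stack setting, which the check must flag.
GOOD_SYSTEM=$(mktemp); GOOD_INETINIT=$(mktemp); BAD_SYSTEM=$(mktemp)
trap 'rm -f "$GOOD_SYSTEM" "$GOOD_INETINIT" "$BAD_SYSTEM"' EXIT
cat > "$GOOD_SYSTEM" <<'EOF'
* Limit user processes to 512.  Prevents "fork bombs"
set maxuprc=512
* Prevent buffer overflow attacks from getting anywhere past a DoS
set noexec_user_stack=1
EOF
cat > "$GOOD_INETINIT" <<'EOF'
# TCP_STRONG_ISS=0 would select the predictable sequential scheme
TCP_STRONG_ISS=2
EOF
cat > "$BAD_SYSTEM" <<'EOF'
set maxuprc=512
* noexec_user_stack was never added to this copy
EOF

# Usage: the good pair passes silently; the bad one prints what is missing.
check_hardening "$GOOD_SYSTEM" "$GOOD_INETINIT" && echo "sample configuration matches the standard"
check_hardening "$BAD_SYSTEM" "$GOOD_INETINIT" || echo "sample with missing entry flagged as expected"
```

On the real machine run it as `check_hardening /etc/system /etc/default/inetinit`. Keep in mind it only proves the files are right; after the reboot, `ndd -get /dev/tcp tcp_strong_iss` is the quick way to confirm the kernel actually picked up the TCP setting.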

dns

NIS is not used on binford as it is a limited access server. To help DNS and other network services in the case of minor network issues, the IP addresses of leeloo, air, earth, water, and tron were added to /etc/hosts.

printers

Configure the usual set of printers. Set up the queues first, referencing the printers using different duplexing options. Use the PPD file when we can. Set sailfish as the default printer.

    cd /usr/lib/lp/model/ppd/Xerox
    gzip -dc Xerox-DocuPrint_N32-Postscript.ppd.gz > Xerox-DocuPrint_N32-Postscript.ppd

    lpadmin -p sailfish -s printer!sailfish-long -T PS -I postscript -n /usr/lib/lp/model/ppd/Xerox/Xerox-DocuPrint_N32-Postscript.ppd
    lpadmin -p sailfish-1 -s printer!sailfish-1 -T PS -I postscript -n /usr/lib/lp/model/ppd/Xerox/Xerox-DocuPrint_N32-Postscript.ppd
    lpadmin -p dolphin -s printer!dolphin-long -T PS -I postscript -n /usr/lib/lp/model/ppd/Xerox/Xerox-DocuPrint_N32-Postscript.ppd
    lpadmin -p dolphin-1 -s printer!dolphin-1 -T PS -I postscript -n /usr/lib/lp/model/ppd/Xerox/Xerox-DocuPrint_N32-Postscript.ppd
    lpadmin -p tang -s printer!tang-long -T PS -I postscript
    lpadmin -p tang-1 -s printer!tang-1 -T PS -I postscript
    lpadmin -p guppy -s guppy -T PS -I postscript
    lpadmin -d sailfish

CIS Packages

A subset of the available CIS packages was installed. The ones that were skipped include ones that are related to the web server or database services as they are not needed on this machine. The list of CIS packages that were installed is:

Package Name      Name and Version
CISacrobat        acrobat 7.0.9
CISbison          bison 2.3
CISctwm           ctwm 3.5
CIScurl           curl 7.18.0
CISdiffutils      diffutils 2.8.1
CISenscript       enscript 1.6.1
CISexpat          expat 2.0.1
CISfirefox        firefox 2.0.0.13
CISflex           flex 2.5.35
CISfontconfig     fontconfig 2.5.0
CISfreetype       freetype 2.3.5
CISgd             gd 2.0.35
CISghostscript    ghostscript 8.62
CISghostview      ghostview 1.5
CISglut           glut 3.7
CISgnuindent      gnuindent 2.2.9
CISgnum4          gnum4 1.4.10
CISgnumake        gnumake 3.81
CISgnupatch       gnupatch 2.5.4
CISgnupg          gnupg 1.4.9
CISgnutar         gnutar 1.19
CISgv             gv 3.5.8
CISimmagick       immagick 6.4.0
CISlibjpeg        libjpeg 6b
CISlibpng         libpng 1.2.25
CISlibssh2        libssh 0.18
CISlibtiff        libtiff 3.8.2
CISlibtool        libtool 1.5.26
CISlibxml2        libxml2 2.6.31
CISlsof           lsof 4.78
CISmhash          mhash 0.9.2
CISnetpbm         netpbm 10.26.52
CISopenssh        OpenSSH 5.0p1
CISopenssl        OpenSSL 0.9.8g
CISpcre           pcre 7.6
CISperl           perl 5.8.8 with optional modules
CISpine           pine 4.64
CISrcs            rcs 5.7
CISrsync          rsync 3.0.0
CISsamba          Samba 3.0.28a
CISscreen         screen 4.0.2
CISsudo           sudo 1.6.9p15
CIStcltk          tcl and tk 8.5.1
CIStcpwrappers    tcpwrappers 7.6
CISthunderbird    thunderbird 2.0.0.9
CIStop            top 3.7
CISwget           wget 1.10.2
CISxaw3d          xaw3d 1.5
CISzlib           Zlib 1.2.3

Undesired Services Disabled

The /usr/local/sbin/stopservices script was run to disable the undesired services. This should be run after each installation of Solaris patches as they sometimes reenable services.

sendmail

The automatic starting of Sendmail was disabled by the stopservices script.

Disabled the network operation of sendmail, by creating /etc/default/sendmail with these contents:

    MODE=

The fixsubmitcf JumpStart update script was run to fix the sendmail resource files so that mail could be sent from binford.

syslog

Patched up syslog to send data to tron. This is a simplified version of what we used to do throughout CIS, which was inspired by the OSF/1 approach to syslog. Now we use a single file instead; we still support sending things to tron, and we have a simpler rollover file.

This is the /etc/syslog.conf file:

    # Be careful; this file is processed by m4, so take care with quotes
    # and other text that might match reserved m4 words.

    # The usual stuff...
    *.err;kern.notice;auth.notice           /dev/sysmsg
    *.info;kern.debug;mail.crit             /var/adm/messages
    *.alert;kern.err;daemon.err             operator
    *.alert                                 root
    *.emerg                                 *

    # ... and select messages are forwarded to tron
    *.notice                                @tron

Need to tweak the existing logadm facility.

Edited /etc/logadm.conf

Replace the old text:

    /var/log/syslog -C 8 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
    /var/adm/messages -C 4 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
    /var/cron/log -c -s 512k -t /var/cron/olog
    /var/lp/logs/lpsched -C 2 -N -t '$file.$N'
    /var/adm/pacct -C 0 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never

With this new text:

    /var/log/syslog -C 21 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
    /var/adm/messages -C 21 -z 1 -p 1d -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
    /var/cron/log -c -s 512k -t /var/cron/olog
    /var/lp/logs/lpsched -C 2 -N -t '$file.$N'
    /var/adm/pacct -C 21 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never

When done, run logadm -V and make sure the output is correct.

Note: The use of 21 for the -C option, as the number of days to retain log files is a result of the RIT Gold Server Standard.
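To make the 21-copy requirement checkable rather than something to remember at each edit, here is an added example (not the page's own tooling) that parses a logadm.conf-style file, extracts the -C count for each entry, and lists every log kept for fewer than 21 rotations. The two embedded files are the old and new text from above, reproduced for the demonstration; it reads the configuration file directly rather than calling logadm.

```shell
#!/bin/sh
# Added example, not from the BinfordLog page: report logadm.conf entries
# whose -C (rotated copies to keep) falls short of the Gold Server Standard.

MIN_COPIES=21

# logadm_copies <logadm.conf>: print "<logname> <copies>" for each entry.
# Comment and blank lines are skipped; an entry with no -C prints "-".
logadm_copies() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            copies = "-"
            for (i = 2; i < NF; i++) if ($i == "-C") copies = $(i + 1)
            print $1, copies
        }' "$1"
}

# logadm_short_retention <logadm.conf>: print entries below MIN_COPIES
# (an entry with no -C is reported too); exit 0 only when nothing is listed.
logadm_short_retention() {
    logadm_copies "$1" | awk -v min="$MIN_COPIES" '
        $2 == "-" || $2 + 0 < min + 0 { print; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed copies of the old and new logadm.conf text from above.
OLD_CONF=$(mktemp); NEW_CONF=$(mktemp)
trap 'rm -f "$OLD_CONF" "$NEW_CONF"' EXIT
cat > "$OLD_CONF" <<'EOF'
/var/log/syslog -C 8 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -C 4 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -c -s 512k -t /var/cron/olog
/var/lp/logs/lpsched -C 2 -N -t '$file.$N'
/var/adm/pacct -C 0 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never
EOF
cat > "$NEW_CONF" <<'EOF'
/var/log/syslog -C 21 -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -C 21 -z 1 -p 1d -P 'Tue Jun 10 07:10:00 2008' -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/cron/log -c -s 512k -t /var/cron/olog
/var/lp/logs/lpsched -C 2 -N -t '$file.$N'
/var/adm/pacct -C 21 -N -a '/usr/lib/acct/accton pacct' -g adm -m 664 -o adm -p never
EOF

# Usage: before and after the edit described above.
echo "old logadm.conf, entries below $MIN_COPIES copies:"
logadm_short_retention "$OLD_CONF" || true
echo "new logadm.conf, entries below $MIN_COPIES copies:"
logadm_short_retention "$NEW_CONF" || true
```

Against the old text it lists all five entries; against the new text it still lists /var/cron/log (no -C at all) and /var/lp/logs/lpsched (-C 2), which the edit above leaves unchanged. Running it after each patch cluster, alongside logadm -V, catches a reverted entry the same way stopservices catches a reenabled service.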

-- JimBodie - 11 Jun 2008
