After the newly installed system has booted for the first time it is time to make Solaris a bit more homely. This involves installing a number of packages, which brings me neatly to the first thing that annoys me (and probably a lot of other people used to current Linux distributions): the package management is an absolute mess.
Most Linux distributions take a two-tiered approach to package management: there are low level tools that allow installation of one or more packages, reading from a local filesystem, removal of packages, listing information about packages and so on. RPM is an example of this, as is DPKG.
Then there are high level tools that know about local and remote collections of packages and can resolve dependencies for package installation and removal. YUM, APT and PackageKit are examples of these tools.
Unless something is severely broken the high level tools are used for package management in the usual cases. No one actually wants to do all the manual dependency solving and package downloading themselves; that's what computers are for, after all.
Unfortunately all Solaris provides are tools of the first category. While I understand that changing the low level tools is impossible for binary compatibility reasons I do not see a reason why high level tools for handling all the grunt work are not being provided.
The logical response to this dilemma is to write a rudimentary high level tool which takes away some of the pain. My version is written in Perl (which, astoundingly, is part of the core install, and not even insultingly old). Currently all it can do is install packages. It relies on the dependency information in the Solaris packages, which is spotty at best.
So, let's make this system a bit more habitable.
mount -F nfs 10.200.200.1:/jumpstart /mnt
gkp.pl -d /mnt/Solaris/Product SUNWgcmn SUNWwgetr SUNWwgetu SUNWntpr SUNWntpu SUNWgtar \
SUNWsshcu SUNWsshr SUNWsshu SUNWsshdr SUNWsshdu SUNWbash SUNWless SUNWdoc SUNWman \
SUNWgnu-coreutils SUNWtoo
Among other things this will install
- Bash
- wget
- GNU tar
- SSH server and client
- man pages
h3. Setting the root shell
I probably won't make many friends here, but I like bash. And I also like a root shell I can actually work with. So, root gets a bash. Contrary to what other people might say this is an absolutely harmless change on modern Solaris systems. /bin/sh still points to ksh (and that should not be changed), but the shell of the root account is not important to the work of the system itself. And should the root shell be unavailable or broken Solaris will fall back to /bin/sh.
usermod -s /usr/bin/bash root
h3. Configuring SSH
Working on the console itself is tedious, so getting SSH up and running is important. Even though the packages are installed they are not configured or enabled yet.
First, though, I usually define a special group for the accounts that are allowed to ssh into the system. Then the keys are generated, and finally ssh is enabled.
groupadd sshusers
echo "AllowGroups sshusers" >> /etc/ssh/sshd_config
/lib/svc/method/sshd -c
svcadm enable ssh
h3. Security settings
By default Solaris creates crypt encrypted passwords. While this is compatible with almost every UNIX system since the later jurassic, it is certainly no longer up to date. The following will change the password algorithm to the BSD (and Linux) compatible version of MD5.
perl -pi -e 's/^CRYPT_DEFAULT=.*/CRYPT_DEFAULT=1/' /etc/security/policy.conf
This will not change existing accounts. Only newly created password hashes are affected. This means that the root password should be set again, to create a new hash.
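One way to find the accounts that still carry an old hash after this change, as an added example that is not part of the original post. The function names are hypothetical and the sample shadow and policy.conf contents are constructed placeholders; on a real system the two arguments would be /etc/shadow and /etc/security/policy.conf, read as root.

```shell
#!/bin/sh
# Added example (not from the original post): list accounts whose stored hash
# does not match CRYPT_DEFAULT and therefore still need a password change.

# crypt_default POLICY_FILE : print the configured CRYPT_DEFAULT value.
crypt_default() {
    sed -n 's/^CRYPT_DEFAULT=//p' "$1" | tail -1
}

# stale_accounts SHADOW_FILE POLICY_FILE : print one stale user name per line.
stale_accounts() {
    want=$(crypt_default "$2")
    while IFS=: read -r user hash rest; do
        case "$hash" in
            ''|NP|UP|'*LK*'*|'*NP*'*) continue ;;   # no password, or locked
        esac
        case "$hash" in
            '$'"$want"'$'*|'$'"$want",*) ;;          # produced by the default
            '$'*) echo "$user" ;;                    # some other crypt module
            *) [ "$want" = __unix__ ] || echo "$user" ;;   # legacy crypt
        esac
    done < "$1"
}

# write_sample DIR : constructed sample files; the hashes are placeholders.
write_sample() {
    cat > "$1/shadow" <<'EOF'
root:XXXXXXXXXXXXX:6445::::::
daemon:NP:6445::::::
admin:$1$CONSTRUC$TEDxxxxxxxxxxxxxxxxxxx:14500::::::
backup:*LK*XXXXXXXXXXXXX:14500::::::
olduser:YYYYYYYYYYYYY:14000::::::
EOF
    printf '%s\n' '# constructed policy.conf excerpt' 'CRYPT_DEFAULT=1' \
        > "$1/policy.conf"
}

# Demo on the constructed sample: prints the accounts still on the old hash.
tmp=$(mktemp -d)
write_sample "$tmp"
stale_accounts "$tmp/shadow" "$tmp/policy.conf"
rm -rf "$tmp"
```

Every name it prints needs a fresh password set before its hash is stored with the new algorithm.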
h3. Adding normal users
Working as root is a bad idea, so adding normal users is the order of the day to do normal work on the system. I prefer to have a special group containing all normal users, so this has to be added as well.
In addition, giving every user a separate ZFS filesystem as home directory is a good idea. The dataset rpool/export/home does already exist, the installer created it.
Since this is going to be a storage system without a lot of users there is no big problem with /export/home living on rpool.
groupadd users
zfs create rpool/export/home/admin
useradd -g users -G sshusers -d /export/home/admin -s /usr/bin/bash \
-c "Admin User" -m admin
chown -R admin:users ~admin
The user becomes a member of the sshusers group and can thus login via SSH (after a password is set).