Installation Procedures and Notes for Solaris 9

Organization of this paper

There are 5 parts to this paper


          Disk layout and Preliminaries

          How to install a workstation or server using the interactive dialogue.

          Final touches

          Gotchas. These are various problems and tricks which we have picked up along the way.

There are also various appendices -

         Systems with limited disk space. Read this if you don't have 500 MB available for the OS!

         Some special items which are needed at SOC

         Mail client software

         CDE hints for users

         Additional instructions for upgrading existing systems

         Installing the OpenGL software

         Site requirements for first installations of Solaris 9

         Setting the default route

         Adding the Solaris 8 OpenWindows packages

         Shared memory and semaphore tunables in /etc/system

         Setting up an FTP Server

Part 1 Introduction

This file contains notes and procedures for installing Solaris 9. It is based on our experience to date and will certainly be changed as time progresses. Always check for a new version at before starting work! Login as tssftp. Password available from us if you have an SLA.

For information on what is new in Solaris 9 and how it differs from earlier releases, see There is also an FAQ available on the Internet at which is well worth reading.

32-bit or 64-bit Solaris

Solaris 7 completed the 64-bit OS project which started in Solaris 2.5. Solaris is now a 64-bit OS in all senses of the term. The main points of this are -

The latest SUN machines with UltraSPARC IIe and III processors will not run 32 bit kernels and the install dialogue simply installs the 64 bit files. This includes the Sun Blade 100, Sun Blade 1000 and 2000 workstations as well as the 280, 480 and 880 servers.

If the 64-bit kernel is available, it will be booted by default (apart from the older ULTRA-1 machines). If you don't want this to happen, you should set a PROM variable as follows (from the ok prompt)

setenv boot-file kernel/unix

[Caution - if you do this, you will need "boot kernel/unix -s" to boot in single-user mode. "boot -s" gets you the 64 bit kernel ! ]

To unset the boot-file option, type

set-default boot-file

So what is new ?

The main new items are (However, I have not investigated all of these myself, yet!) -

Some things have gone -

The following went with Solaris 8 -

Two major items are still coming real soon as they say -

The minimum memory requirement, according to the documentation, is 96 MB but 128 MB is desirable for serious use. It is also fair to point out that SUN do not sell workstations with less than 512 MB these days. SUN suggest that older machines, less powerful workstations, become, in effect, superior X-terminals. The Remote Login Option in the login screen makes this straightforward. See Appendix 2 of this document for installing older machines. It is also possible to run servers without X Windows in very much smaller amounts of memory.

The Solaris documentation is excellent and is available from . Many of the manuals can also be downloaded from this WWW site in PDF format.

A good knowledge of Solaris system admin is definitely required before attempting any of the work described here.

Supplied CDs

You now get a box containing a DVD, CDs in two plastic wallets and various other covers!! (The layout of the CDs is described in Chapter 38 of the Solaris 9 Installation Guide.) The large number of CDs is partly due to the different amount of support which you get from SUN.

The DVD contains the software on the CDs labeled -

If you have a DVD drive, this may well be all that you need. Also, the DVD is bootable ; boot cdrom -s from the OK prompt gets you a shell prompt, as does the Solaris 9 Software 1 of 2 CD, of course.

Part 2 Disk Layout and Preliminaries

Since CPU and disk speeds have increased enormously and modern workstations generally have at least 1 GB of disk space (frequently much more), we now recommend putting the X Windows software on a local disk. Further, the traditional division of unix system files into two partitions (root and /usr) seems not to serve any purpose when both partitions are on the same disk? Our recommended scheme is therefore to have a single (root) partition for all system files. This avoids those annoying situations where the root partition is full and you need more space, while there is plenty of space in the /usr partition. We do recommend a separate /var partition when there are spooling directories (printer spools, mail spool etc.) in it since a rogue application (i.e. user) may fill it up and a full root file system is never good news.

When a separate /var partition is allocated, it should be large enough for the spooling requirement, and for the Recommended Patch Clusters that will be applied in the future. With patch clusters sometimes approaching 100 MB compressed, we recommend that 500 MB is allocated.

The complete Developer Software Group and all the Freeware (which is what we suggest that people install) comes to just under 2 GB. So our recommendation for a modern SUN with a 6 GB or larger system disk and 128 MB or more memory is therefore


/ (root)

3 GB

/var (if required for spooling)

500 MB or larger


500 MB or larger


Our recommendation for an older SUN with a 1 GB or larger system disk is therefore


/ (root)

800 MB to 3 GB

/var (if required for spooling)

50 MB or larger


64 MB for up to 128 MB of memory 

512 MB for up to 1GB of memory


However, increase swap to at least 120 MB if running ARC or ERDAS.

Don't make a root partition larger than 1 GB on older (SPARC 10 or 20) machines - there is a problem with the PROM and they won't boot ! For smaller system disks, see Appendix 2.

Upgrade vs Initial install

The Upgrade option works well if there is sufficient disk space though it does take longer than an Initial Install. The advantage, of course, is that any third party software which has been installed is left as-is - you don't have to spend another day re-installing that or getting it back from backups. If you do an upgrade, remember to redo incp.9 as the upgrade installs a new SUN version over our version of a few files such as /etc/rc2.d/S74autofs. The incp.9 script was designed to be idempotent (i.e. you can run it repeatedly !)

The documentation implies that an Initial Install will overwrite the entire system disk; this is not the case ; it is perfectly possible to preserve partitions such as /local if you want to. It only wipes /, /usr, /var partitions.

See Appendix 5 Notes for upgrading systems for a checklist of files to save, cron tables, licences, etcetera.


It will save time if the following is done in advance of the installation -

Installation files

There should be one copy of these per site


These files are supplied as part of the "nerc fs". Make sure you have an up to date version. This directory tree contains files which we have modified or added to the SUN distribution. Examples are terminfo files for SG and HP workstations. Details are in nerc/scripts/systems/solaris/incp.9.README. A few of these must be edited for each site. Currently, these are

/etc/resolv.conf and /etc/mail/ (these both contain the DNS domain name) and /var/ldap/* which contains the certificates specific to the ldap server.

For example, copy the supplied resolv.conf.sample (which is the Wallingford one!) to resolv.conf and make necessary edits for local names etc. Future updates (rdist) may overwrite the resolv.conf.sample but will not touch the resolv.conf file. If these edits are done in the /nerc/scripts/.. directory tree, it will not be necessary to repeat on individual installed systems.

Part 3 Installation dialogue

Check the machine is in the NIS hosts map.

You can either install from a CD-ROM or DVD or from an install server.

If using an install server, go to the install directory on the install server and type

./Solaris_9/Tools/add_install_client <hostname> <platform>

<platform> is sun4m, sun4u or ... ( sun4u for an ultrasparc - anything less than 6 years old)

add_install_client does lots of checking and makes suggestions if there is a problem - do not ignore these! Finally go to the machine which is to be upgraded or installed and, at the ok prompt, type

boot net

[If you don't type "- install" after "net", it won't go into auto_install.]

In either case (CDROM or net), you are led through the same screens but an install server is much faster than an old CD-ROM.

If you boot from an install server, the DVD or the Solaris 9 Installation CD, you will get a WWW-based installation procedure which is described in "Using the Solaris Web Start Program" in Chapter 14 of the "Solaris 9 Installation Guide" which is included in the box. This even has pictures !!!

If you boot from the Solaris 9 1 of 2 CD, you will get a character-based installation procedure. The dialogue in this is pretty much identical to the Web Start Program, just the technology is different. The OpenWindows installation procedure which used to be on the 1 of 2 CD has gone since OpenWindows itself has gone from Solaris 9.

Questions and answers (for both Web Start and character-based installs) are (the order reflects the character-based procedure, WWW-based procedure may differ) as follows -

Language - take 0 - English

Locale - take option 0 - 7 bit C locale. The new 8 bit English locales (American, UK and Australian!) as well as many foreign languages are also available but seem to be an unnecessary complication for scientific/technical computers. In fact, very few third party applications have support for multiple locales.

Do not use /dev/fcip for the network interface (this is a driver for encapsulating IP over fibre-channel ; not your average ethernet NIC !)

Select Direct Connection to the Internet ( It connects to the site during the install so needs details of how to get to the Internet !) Click No to “Configure DHCP”

You may be asked for the host name and IP number.

We do not use subnets unless you know otherwise. However, there is a bug in the character-based installation tool – you can work round this by saying you have subnets and taking the default subnet mask (probably

Do not enable IPv6.

You will be asked to specify a default route, or have install find one. See Appendix 8.

Click No to "Configure Kerberos Security".

Select LDAP name service. You will be asked for a domain name. Enter the proper domain name as set in the root of the LDAP server, this will usually be the DNS domain name for the network, eg (the exceptions at the time of writing are wlinfra and monkswood). For profile name choose install-sol9, this is an unencrypted profile with no access to user passwords which will have to be changed in the finishing touches. Select the LDAP server address. Choose LDAP proxy bind. The proxy bind dn is cn=installagent,ou=profile,<ldap base> where ldap base is the base of the LDAP tree (e.g. At Wallingford it is dc=nerc-wallingford,dc=ac,dc=uk). The proxy bind password is “install”


Select the NIS (formerly YP) name service and you will be asked for the NIS domainname. Don't worry if the installation tool picks up this information from the network and does not ask ! If the system is not on the same subnet as the NIS server, the system will not be able to find it, and you will be asked for the name and IP address of the NIS server.

The time zone is Europe followed by Britain (UK), followed by Great Britain .

When asked whether this is an Initial or Upgrade installation, you are asked to select Standard or Flash; choose Standard.

Do not select any Geographic Zone software (locales).

When choosing software, go for the Developer System Support Software Group, select Customize and review the selected packages. Add all the available "freeware" packages such as perl, tcsh, compression tools,... Specifically select the following -

If you have a special frame buffer, the appropriate packages should be automatically selected but it is worth checking this!

The NIS server cluster is not included in the Developer cluster so add it if required. The package names are SUNWypr and SUNWypu.

Do not install Netscape 6.2.1 beta as is suggested; netscape 7.0 (based on mozilla 1.0) is now available and is significantly better. See . If you don't have room for an 800 MB root partition, read Appendix 2 of this paper for suggestions on what packages to deselect.

Install software on the "system disk" only (normally /dev/dsk/c0t0d0 except for older machines which have the system disk on /dev/dsk/c0t3d0). Do not select any of the other disks. When sizing disk partitions, start with the "auto layout" option and then customise its suggested partitions as suggested in Part 2 and/or Appendix 2.

It is more convenient to partition and newfs any non system disks when the system is up and running so leave them "unconfigured" for now. The installation software will not overwrite them.

After laying out the system disk and installing the software from the first CD (Solaris 9 software, 1 of 2), the machine will ask whether you want to mount remote file systems; this is not normally required. It then asks you to set the root password. It will also ask you to customise the Power Management software. You clearly must turn this off on a server. Also, if you have a backup schedule which runs in the "wee small hours", you must leave the machine up overnight! Nonetheless, the cost of leaving screens powered on day and night is not insignificant.

The machine will then reboot and ask for the second CD (Solaris 9 software 2 of 2). It then loads software from this to complete the installation. A DVD or network install follows the same procedure though, of course, you don't have to insert the 2 of 2 CD !!

After another reboot, login as root and insert the Solaris Software Companion CD (This software is not on the DVD.) Start the Installer and install the default software selection. This is where most of the Open Source software comes from.

Note that the freeware on the main Solaris 9 CDs or the DVD is loaded under /usr/sfw and the software on the Solaris Software Companion CD is loaded under /opt/sfw. If you have current versions of /nerc/etc/cshrc and /nerc/etc/profile, the appropriate directories will be added to $PATH , $MANPATH and so on. It is possible to automount /usr/sfw and /opt/sfw from an NFS server but, if there is plenty of space, install them as part of the OS install and put them in the root partition. Required space is 525 MB (/opt/sfw) and 22 MB (/usr/sfw)

To install the "nerc" customisations: login as root and mount from the /nerc/scripts server <nerchost> as -

mount <nerchost>:/localX/master/scripts/systems/solaris /mnt

cd /mnt


The incp LDAP phase will ask for domainname, profile name, proxy dn, IP address of the LDAP server, and the proxy password, so have this information to hand. (Examples are, cn=default-sol9,ou=profile,dc=nerc-wallingford,dc=ac,dc=uk,,, secret.)

If the LDAP phase of incp fails, you will need to manually set up LDAP using the ldapclient command below.

[See /nerc/scripts/systems/solaris/incp.9.README for details of which files are replaced by incp.9 and why.]

Edit /etc/vfstab to add the logging mount option as follows :-

/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no logging
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /local0 ufs 2 yes logging
/dev/dsk/c0t2d0s2 /dev/rdsk/c0t2d0s2 /local ufs 2 yes logging

This turns on UFS-logging which should avoid fsck after a failure (faster reboot).

Check the site dependent files listed at the beginning of Part 2.
If you used a network install server, be sure to disable it when you are finished (e.g. by removing the host entry in ethers). Otherwise, anyone could type "boot net" and have complete access to all your disks.
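
A check for the clean-up step above, as an added example that is not part of the original notes or of the incp.9 scripts: it lists the hosts an install server would still answer for. The host names, addresses and paths in the sample files are constructed, and it assumes the one-line install= entries that add_install_client writes to bootparams.

```sh
#!/bin/sh
# Added example: find install clients left enabled on an install server.
AWK=${AWK:-awk}        # on Solaris 9 itself run with AWK=nawk

# stale_install_clients ETHERS BOOTPARAMS
# For every bootparams entry that still carries install=, print
#   "<host> rarp=yes"  if the host is also in ethers (it can still "boot net")
#   "<host> rarp=no"   if only the bootparams entry is left over.
stale_install_clients() {
    $AWK '
        /^[ \t]*#/ || NF == 0   { next }                        # comments, blanks
        FILENAME == ARGV[1]     { if (NF >= 2) mac[$2] = $1; next }   # ethers
        /(^|[ \t])install=/     { print $1, "rarp=" (($1 in mac) ? "yes" : "no") }
    ' "$1" "$2"
}

# Constructed sample files (hypothetical hosts, servers and addresses).
write_samples() {
    cat > "$1/ethers" <<'EOF'
# constructed sample
8:0:20:aa:bb:01 wsa
8:0:20:aa:bb:03 wsc
EOF
    cat > "$1/bootparams" <<'EOF'
# constructed sample
wsa root=inst1:/export/s9/Solaris_9/Tools/Boot install=inst1:/export/s9 boottype=:in
wsb root=inst1:/export/s9/Solaris_9/Tools/Boot install=inst1:/export/s9 boottype=:in
wsc root=nfs1:/export/root/wsc swap=nfs1:/export/swap/wsc
EOF
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
write_samples "$demo_dir"

# wsa is still fully installable, wsb has a leftover bootparams entry,
# wsc is an ordinary diskless client and is not reported.
stale_install_clients "$demo_dir/ethers" "$demo_dir/bootparams"
```

On the install server, Tools/rm_install_client <hostname> from the same install image removes the entries that add_install_client created.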

The following section may not be relevant if you have a recent copy of the incp.9 script (March 2005). If you do have this new script, and you are not using the "auto" switch then LDAP should already have been configured by the incp.9 script unless, for some reason, it needs to be configured manually. If your incp.9 script is older or you are using the "auto" switch to incp.9, or, you need to configure LDAP manually, follow the directions below.

If you need to configure LDAP manually: First, edit /etc/hosts to include the FQN of the servers as they appear in the certificates. It is vital that the FQN matches exactly the CN that occurs in the 'Subject' line of the certificates or the client will not be able to bind to the server. For example, if the CN in the certificate is then put the following line in /etc/hosts: sidhean

Do this for every LDAP server. Next copy /etc/auto_master.ldap to /etc/auto_master. This file standardises the maps to use '_' instead of '.' which solves problems with Solaris treating everything after the period as a key. Finally run the following command:

ldapclient init -a domainname=<domainname> \
-a profilename=<profile name> \
-a proxydn=cn=proxyagent,ou=profile,<ldap base> \
-a proxypassword=<proxy password> \
<ldap server>

where domainname is the domain listed in the base of the directory and profile name is the profile defined in the directory to configure Solaris machines for LDAP. This is often called "default-sol9" or "sol-encrypt"; if you are unsure, check the directory or ask your system administrator. ldap base is the base of the LDAP directory and ldap server is the address of the LDAP server. You will need the proxypassword in order to complete this step. This should be listed in the usual place.

Part 4 Final Touches


Our advice is to install the current Recommended Patch Cluster on all newly-installed machines and maybe once per year thereafter. These clusters are available from or from us. A new cluster appears approximately every month. They constitute a set of patches which have been tested together and are almost a mini release of Solaris. Apart from this, it is best to only install patches as required, in particular security patches. We will normally advise sites of anything which looks particularly alarming.

If you have a DEC VT terminal as a console, type

mv /etc/inittab.vt100 /etc/inittab

and reboot - the console will now be properly defined and you should be able to use vi etc in single user mode. Also if you have a DEC VT terminal, you should

cp /usr/dt/config/Xservers /etc/dt/config/Xservers

and delete the last line in the copied file. This line looks like -

:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner

To configure the X server to use a 24 bit colour depth ( 16 million colours ), again

cp /usr/dt/config/Xservers /etc/dt/config/Xservers

and then change the following line

:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner

so it reads

:0 Local local_uid@console root /usr/openwin/bin/Xsun :0 -nobanner -dev /dev/fb defdepth 24

You may find that the two lines above were copied in by the incp.9 procedure; in that case comment out the default Xsun start-up and remove the comment from the 24 bit line ( defdepth 24 ). See man Xsun or man Xserver for further details.

You may also have to run a program called GFXconfig - this has various flavours such as pgxconfig or m64config depending on exactly which graphics card you have. This configures the hardware to run in 24 bit mode.

Additional Disks

Add lines for any additional disks to /etc/vfstab. Remember to use the logging mount option.

Partition (if necessary) and newfs any additional, new disks.

newfs /dev/rdsk/c0t1d0s2

It is not really necessary to use the -i and -m flags any more (as we used to recommend) - nowadays newfs calculates reasonable values even for large disks.

If you have forgotten to do boot -r, the following commands will do the same thing without rebooting :


It is "good practice" to fsck such a disk before using it -

fsck /dev/rdsk/c0t1d0s2

Secure Shell (SSH)

We would like to encourage use of SSH and its related programs such as scp and sftp as secure replacements for the classic Internet applications such as telnet and ftp. On servers where security is an issue, we normally disable the telnet and ftp services in /etc/inetd.conf and force users to access the server using ssh. However, this may be a bit fierce for some people ?

We have found the Solaris SSH (based on OpenSSH and packaged with Solaris 9) is not quite up to advanced usage yet (e.g. if you use the agent). Hopefully, this will get fixed but, for now, we are recommending that people use the OpenSSH package. Get this from . This is the version currently recommended on the WWW site.

To remove the Solaris SSH, use

pkgrm -n SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu

To install OpenSSH from our tar file, simply unpack the tar ball and run the install script.

NB When upgrading SSH software, you should always preserve the host keys. These are in the /usr/local/etc directory for OpenSSH and the /etc/ssh directory for the Solaris SSH. DG: If this directory has been restored, delete or rename it. The new version of ssh will not accept the old keys as valid.


This is a special version of /etc/inetd.conf which has many services disabled ; it is intended for use on exposed machines such as outside the firewall.
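
One way to check and apply the telnet/ftp restriction described under Secure Shell above, as an added example (it is not the special inetd.conf these notes refer to). The sample entries are constructed in inetd.conf format and the function names are this example's own.

```sh
#!/bin/sh
# Added example: audit an inetd.conf and comment out selected services.
AWK=${AWK:-awk}        # on Solaris 9 itself run with AWK=nawk

# Constructed sample in inetd.conf format (not taken from a real system).
SAMPLE='# constructed sample
telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd -a
#shell  stream  tcp   nowait  root  /usr/sbin/in.rshd     in.rshd
time    dgram   udp6  wait    root  internal'

# enabled_services < inetd.conf
# Prints the service name of every active (uncommented) entry.
enabled_services() {
    $AWK '/^[ \t]*#/ || NF < 6 { next } { print $1 }'
}

# disable_services SERVICE... < inetd.conf > inetd.conf.new
# Copies the file, commenting out active entries for the named services.
# Everything else, including existing comments, passes through unchanged.
disable_services() {
    $AWK -v list="$*" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) off[s[i]] = 1 }
        !/^[ \t]*#/ && NF >= 6 && ($1 in off) { print "#" $0; next }
        { print }'
}

# still_enabled SERVICE... < inetd.conf
# Prints those of the named services that are still active; no output means none.
still_enabled() {
    enabled_services | $AWK -v list="$*" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        $1 in want { print $1 }'
}

# Before: telnet and ftp are reported. After: only "time" remains enabled.
printf '%s\n' "$SAMPLE" | still_enabled telnet ftp
printf '%s\n' "$SAMPLE" | disable_services telnet ftp | enabled_services
```

After installing the rewritten file as /etc/inetd.conf, send inetd a HUP (pkill -HUP inetd) so that it re-reads its configuration.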


The "7.0 beta" version of netscape is now available and seems significantly superior to the version of netscape supplied with Solaris 9. We have constructed a tar file and install script to make installing this straightforward.

Simply fetch the file netscape70b-sol9.tgz from , unpack it and run the install script.

Be aware that Netscape 7.0 writes the users information (preferences, cache files, bookmarks ....) under ~/.mozilla, not under ~/.netscape. First-time users of Netscape 7.0 are offered the option of migrating preferences, email setup etc from .netscape to .mozilla.

Netscape installs in /opt/dt/appconfig/SUNWns6.

Alternative Print Server software (LPRng)

The standard Solaris print software is pretty good ; certainly hugely better than it was 4 or 5 years back. However, for serious print-serving (say dozens of printers) we now use the third party LPRng. See This is very robust and has support for a wide range of printers. It also features a “magic” filter which automatically converts print files to whatever format the printer can cope with. There is also a nice GUI tool to configure new printers and generally manage the system. For full information see the HOWTO which can be downloaded from the above URL.

The following is an outline only of how to install LPRng ; please let us know if you want to use this software.

Current software versions of the three LPRng packages are :-



Main package



GUI Tool for admin work 



Magic filter



Before installing lprng, you must remove the Solaris print software -

pkgrm -n SUNWpcr SUNWpcu SUNWppm SUNWpsr SUNWpsu SUNWscplp

Also remove any HP JetAdmin software - pkgrm HPNP or HPNPL - but you may need /usr/sbin/bootpd which comes from the HP package.

Build all 3 packages (lprng, lprngtool, and ifhp ) with gcc 3.

Use configure --prefix=/usr --sysconfdir=/etc (default is to install in /usr/local)

The filter goes in /usr/libexec/filters/ifhp

Put the required (improved) file program in this directory as well and edit /etc/ifhp.conf to tell the filter where the file program is.

The font used for text files (PCL) is much too large - change in the section of /etc/ifhp.conf which is headed 'font control'. Change pitch=10 to pitch=12 :-

## canned setup

pcl_normalpage=[ letter crlf linewrap portrait clearmargins fixed pitch=12 courier ]


The sendmail which SUN have included in Solaris 9 is up to date (version 8.12.2). This is good but it does mean that the file which we have used on subsidiary machines for years no longer works correctly. Please use the file from /nerc/scripts/systems/solaris/incp.base.9/etc/mail/ For those interested, this was built using the nullclient feature in V8 sendmail.

Note this has two site dependent edits in it. If you have run incp.9, as recommended here, this will have been taken care of for you. For sendmail mail hubs (mail host machines), contact us.

Oracle Servers

If the machine is to run an ORACLE database, it needs additional semaphores - add the following lines to the end of /etc/system for Oracle 8.1.7

See the install procedure for earlier Solaris releases for earlier versions of Oracle.

* Oracle 8 wants shmsys:shminfo_shmmni=100 Mozilla wants =1000
* Oracle 8 wants shmsys:shminfo_shmseg=10 Mozilla wants =100
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmni=100
set semsys:seminfo_semmsl=160
set semsys:seminfo_semmns=310
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767

[You can do this by typing cat /etc/system.oracle8 >> /etc/system.]

See the Shared memory and semaphore tunables in /etc/system section in Appendix 10 for more details.

If you are upgrading an oracle server and not reinstalling the oracle software, you need to preserve the file /var/opt/oracle/oratab across the upgrade.


On critical machines, it is prudent to load the hardware test software - VTS. This is on the Solaris 9 Software Supplement CD. (It is not on the DVD.) Mount this CD and type

pkgadd -n -d /cdrom/cdrom0/SunVTS_5.0/Product SUNWvts SUNWvtsmn SUNWvtsx

Accept all the defaults.

Tweaking NFS Servers

For the most part Solaris determines the size of and the load on the platform and dynamically sizes kernel parameters accordingly. Frankly, it is generally best to accept these and not even try to tweak things yourself !! One exception to this is a large, dedicated NFS server. For such servers:-

Find the line /usr/lib/nfs/nfsd -a 16 in /etc/rc3.d/S15nfs.server. The number at the end of this line is the number of concurrent NFS requests the server can handle. Increase this to something like 100 per ultrasparc processor.

Run the command vmstat -s on the server and check for the line XXXXXX total name lookups (cache hits 76%).

This should be over 90%. Otherwise, consider adding the following lines to /etc/system -

* Increase size of directory name lookup cache and inode cache RC
* See SMCC NFS Server Performance and Tuning Guide
set ncsize=5000
set ufs_ninode=5000

The default value is 17*maxusers + 90 and maxusers is the no of MBs of memory so this comes out at roughly 2000 for 128 MB of memory. We have set these parameters to 5000 on NFS servers in NERC. NB do not set ufs_ninode less than ncsize !!


Now reboot and check the machine comes up cleanly.

Before handing the machine over, complete the following checks -

Part 5 Gotchas

This is a collection of odd problems and traps which we have learned, mostly "the hard way".

    Remove the case of the Ultra/1

    Locate the jumper J2003 which is under the video card slot by the power supply. ( You will need to remove the video card first ) This is a 3-pin plug with a 2-pin jumper. Turn the system off and follow anti-static precautions whilst relocating the jumper. To write-enable the PROM, move the jumper from pins 1 and 2 to pins 2 and 3. Pin 1 has a * by it. Turn the system on, and you will be prompted to upgrade the PROM. Follow the instructions to do so.

    Once complete, then write-protect the PROM again by moving the jumper to connect pins 1 and 2.

Appendix 1 Systems with limited disk space

The entire Developer Cluster requires approximately 800 to 900 MB. There are going to be problems on older platforms (such as SPARC 10s and SPARC20s) with internal disks smaller than 1 GB. Even at 1 GB you will have problems, but contact us if you cannot work around these yourself. For very small systems, ( 424 MB disks ) we suggest the following:

Install the Core Group Cluster, plus the following additional packages which make the system compatible with the NERC file structure, provide on-line documentation and the freeware tools, plus the Common Desktop Environment.
This should use about 300 MB.

Therefore allocate 360 MB to the root filesystem, and 64MB to swap on slice 1. We do not recommend a separate /var on systems of this size as it will just cause problems of one sort or another later.

On the Solaris install window,

Add all Freeware tools

Add Sun Workshop Compilers Bundled LibC
Add Documentation Tools
Add On-Line manual pages

Add all the Perl 5.6.1 modules

Once the install is finished, then add the following packages with pkgadd

Source Compatibility modules


pkgadd -d /path/to/Product SUNWscpr SUNWscpu SUNWscpux

Common Desktop Environment ( CDE ) base modules


pkgadd -d /path/to/Solaris_9/Product SUNWj3rt SUNWdtdmn SUNWocf  SUNWocfr \
SUNWdtdte SUNWdticn SUNWtltk SUNWdtwm SUNWdtma

To get the CDE to start with a DeskTop Login screen, run /usr/dt/bin/dtconfig -e

To go back permanently to the command line login option, run /usr/dt/bin/dtconfig -d

The options mentioned above install on top of the core cluster with no dependency failures. They install the following products:

system      SUNWscpr       Source Compatibility, (Root)
system      SUNWscpu       Source Compatibility, (Usr)
system      SUNWscpux      Source Compatibility (Usr) (64-bit)

system      SUNWj3rt       J2SDK 1.4 runtime environment
system      SUNWdtdmn      CDE daemons
system      SUNWocf        Open Card Framework
system      SUNWocfr       Configuration files for Open Card Framework
system      SUNWdtdte      Solaris Desktop Login Environment
system      SUNWdticn      CDE icons
system      SUNWtltk       ToolTalk runtime
system      SUNWdtma       CDE man pages

Appendix 2 Supplement for SOC

This details some changes which we had to make for Solaris systems at SOC.

In order to have selected broadcast packets (e.g. SUN RPC) go through routers to another segment (The routers are configured to allow this.) we increase the TTL above the default value of 1. Command to use is

      ndd -set /dev/ip ip_broadcast_ttl 32

This command is included in a special version of /etc/rc2.d/S69inet which should be used at SOC.

The script /nerc/etc/rc.d/S01addroute should be run at boot time to set the default route (139.166.X.1). If you cannot get out of SOC (e.g. telnet) the reason is probably that this was not set. The routers at SOC do not broadcast RIP packets. Also within SOC (i.e. the default route is not used since we have a 16 bit netmask ( - the routers are configured to act as proxy ARP servers.

The file /etc/auto_master contains a list of /data and /working mount points. This was necessary because of the two level hierarchy used at SOC.

Appendix 3 Mail client software.

This is probably a case of being spoilt by too much choice :-

We advise choosing one of the GUI programs (i.e. dtmail or netscape) apart from using mailx when off site and you have a low bandwidth connection. Some recommendations for these follow :-

Appendix 4 CDE Customisations

uncomment #DTSOURCEPROFILE=true
and add export DTSOURCEPROFILE

###   example for csh
###     if ( ! ${?DT} ) then
###       #
###       # commands and environment variables not appropriate for desktop
###       #
###       stty ...
###       tset ...
###       setenv DISPLAY mydisplay:0
###       ...
###     endif

# override default print action for CDE mail tool
# see CDE Install Guide (August 95) page 30
LABEL           Print
TYPE            COMMAND
EXEC_STRING     sh -c ' \
                dtmailpr -p -f %(File)Arg_1% | mp -m -l | \
                dtlp -u %(File)Arg_1%;'

Appendix 5 Notes for upgrading systems

Appendix 6 Installing the OpenGL software

The Solaris OpenGL software is Sun's implementation of the industry standard OpenGL graphics library. It supports the following frame buffers -

Without accelerated hardware, OpenGL works but is painfully slow – really it can only be used for testing – not for real work.

OpenGL v 1.2.2 is provided in pkgadd form, on the CD labelled "Solaris 9 Software Supplement ". (Not on the DVD)

There are 13 packages -

SUNWafbgl Sun OpenGL for Solaris Elite3D Support

SUNWafbgx Sun OpenGL for Solaris 64-bit Elite3D Support

SUNWffbgl Sun OpenGL for Solaris Creator Graphics (FFB) Support

SUNWffbgx Sun OpenGL for Solaris 64-bit Creator Graphics (FFB) Support

SUNWglh   Sun OpenGL for Solaris Header Files

SUNWglrt  Sun OpenGL for Solaris Runtime Libraries

SUNWglrtu Sun OpenGL for Solaris Platform Specific Runtime Libs

SUNWglrtx Sun OpenGL for Solaris 64-bit Runtime Libraries

SUNWglsr  Sun OpenGL for Solaris Runtime Generic Software

SUNWglsrx Sun OpenGL for Solaris 64-bit Optimized SW Rasterizer

SUNWglsrz Sun OpenGL for Solaris Optimized SW Rasterizer

SUNWifbgl Sun OpenGL for Solaris Expert3D Graphics Support

SUNWifbgx Sun OpenGL for Solaris 64-bit Expert3D Graphics Support

After doing the pkgadd, reboot (well, restart the X server!). Then run /usr/openwin/demo/GL/ogl_install_check. You should see a rotating wheel if all is well. Also, check that the report produced by this program includes the item -
OpenGL GLX Server: Detail Status Report
GLX: Context is direct.

If this is so, OpenGL is using the "DGA mechanism" to render directly to the frame buffer (bypassing the X server). If the "Context is indirect", then this is not happening and performance will be very poor - probably because you are not the user who originally logged into the X Window system. This is a security feature! To turn this off and allow all local users to use the DGA mechanism -

chmod 666 /dev/mouse /dev/kbd /dev/sound/* /dev/fbs/*

and edit the /etc/logindevperm file and change the default permissions of all devices listed to 0666.

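Note that your system is no longer secure if you do this: every local user can then read from and write to the console keyboard, mouse, audio and frame buffer devices, not just the user logged in at the console.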
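
To see which console devices a changed /etc/logindevperm hands to every local user, the check below reads entries in that file's layout (console, mode, colon-separated device list) and lists each device whose mode has a group or other permission bit set. It is an added example, not part of the original notes; the function name audit_logindevperm and the sample entries are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit logindevperm-style entries for modes that give
# users other than the console login access to console devices.

# Constructed sample in the /etc/logindevperm layout (not from a real host).
SAMPLE_LOGINDEVPERM='# console   mode   devices
/dev/console    0600    /dev/mouse:/dev/kbd
/dev/console    0666    /dev/sound/*        # audio devices
/dev/console    0666    /dev/fbs/*          # frame buffers
'

# audit_logindevperm  (reads the file on standard input)
# Prints "mode device" for every device whose mode has any group or
# other permission bit set. Prints nothing when all entries are private.
audit_logindevperm() {
    awk '
        { sub(/#.*/, "") }                   # drop comments
        NF < 3 || $2 !~ /^[0-7]+$/ { next }  # need console, octal mode, devices
        {
            n = length($2)
            other = substr($2, n, 1)
            group = (n > 1) ? substr($2, n - 1, 1) : "0"
            if (other == "0" && group == "0") next
            cnt = split($3, dev, ":")        # one entry may list several devices
            for (i = 1; i <= cnt; i++) print $2, dev[i]
        }
    '
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_LOGINDEVPERM" | audit_logindevperm
```

On a live system run it as audit_logindevperm < /etc/logindevperm; no output means every listed device is restricted to the console user.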

Appendix 7 Site Requirements for Solaris 9

You should have the current version of /nerc/scripts/... which includes the incp.9 script etc which is described in the procedure. This contains the NERC customisations for Solaris 9.

The freeware packages are installed under /usr/sfw/... and /opt/sfw/... Be sure that you have the latest version of the /nerc/etc/ files to get these directories in the default $PATH.

Appendix 8 Setting the default route

Most NERC sites consist of a single Class C IP network with a firewall and a Cisco router connecting the ethernet to the Internet. In such circumstances, the simplest (and best) method is to define a static default route to the firewall. Normally, this is A.B.C.254. Simply create a file /etc/defaultrouter which contains this address. If you do this, the RIP daemon (in.routed) will not even start.

Also, it is important that you do not run the ICMP Router discovery protocol (RFC 1256) on SUNs which are acting as IP routers. Our CISCOs don't support this protocol and this can lead to all sorts of roundabout default routes. To disable it, simply rename the daemon -

mv /usr/sbin/in.rdisc /usr/sbin/

Finally, SUN Infodoc 17947 has a lot of useful information on IP routing and Solaris.

Appendix 9 Adding the Solaris 8 OpenWindows to Solaris 9

This is not recommended. It is not supported by SUN and even if it works now there is no guarantee that it will continue to work. If this can be done as an option via the CDE Desktop Login screen then this procedure will be updated to show how.

Some users prefer the OpenWindows GUI environment. Sun have said for some time that they will drop this, and now with Solaris 9 they finally have.

First of all, install the following from a Solaris 8 CD set

DON'T LET SUNWaudio REPLACE ANY FILES, it's just to keep the pre-requisites right for Open Look.


pkgadd -d /path/to/solaris_8 SUNWaudio SUNWoldcv SUNWoldst SUNWoldte SUNWolimt SUNWolinc SUNWolman SUNWolrte

These are:

system      SUNWaudio      Audio applications
system      SUNWoldcv      OPEN LOOK document and help viewer applications
system      SUNWoldst      OPEN LOOK deskset tools
system      SUNWoldte      OPEN LOOK Desktop Environment
system      SUNWolimt      OPEN LOOK imagetool
system      SUNWolinc      OPEN LOOK include files
system      SUNWolman      OPEN LOOK toolkit/desktop users man pages
system      SUNWolrte      OPEN LOOK toolkits runtime environment

Next, either disable the Desk Top Login screen with /usr/dt/bin/dtconfig -d, or select command line login from the CDE login.

From the command line, run /usr/openwin/bin/openwin

Appendix 10: Shared memory and semaphore tunables in /etc/system

Name                     Default     Min        Max             Reference
____                     _______     ___        ___             _________

shmsys:shminfo_shmmax    1048576     1048576    Available RAM   Maximum shm segment size in bytes
shmsys:shminfo_shmmin    1           1          -               Minimum shm segment size in bytes
shmsys:shminfo_shmni     100         100        -               Number of shm identifiers to pre-allocate
shmsys:shminfo_shmseg    6           6          -               Maximum number of shm segments per process
semsys:seminfo_semmap    10          10         -               Number of entries in semaphore map
semsys:seminfo_semmni    10          10         65535           Number of semaphore identifiers
semsys:seminfo_semmns    60          -          -               Number of semaphores in system
semsys:seminfo_semmnu    30          -          -               Number of undo structures in system
semsys:seminfo_semmsl    25          -          -               Maximum number of semaphores per ID
semsys:seminfo_semopm    10          -          -               Maximum number of operations per semop call
semsys:seminfo_semume    10          -          -               Maximum number of undo entries per process
semsys:seminfo_semusz    96          -          -               Size in bytes of undo structure, derived from semume
semsys:seminfo_semvmx    32767       -          -               Semaphore maximum value
semsys:seminfo_semaem    16384       -          -               Adjust on exit maximum value
msgsys:msgmap            100         100        -               # of entries in msg map
msgsys:msgmax            2048        2048       -               max message size
msgsys:msgnb             4096        4096       -               max # bytes on queue
msgsys:msgmni            50          50         -               # of message queue identifiers
msgsys:msgssz            8           8          -               msg segment size (should be word size multiple)
msgsys:msgtql            40          40         -               # of system message header
msgsys:msgseg            1024        1024       32767           # of msg segments

Appendix 11: Setting up an FTP Server

Since the release of Solaris 9, the FTP daemon supplied with Solaris has become our recommendation to supply an FTP service for Solaris systems. The software is based on the Washington University FTP server.

Anonymous FTP is discouraged, and read-write anonymous FTP is strongly discouraged. Anonymous FTP should not be provided as a matter of course on all systems. If an anonymous FTP service is required, the service should be provided on a dedicated system, on which most services are disabled, and access is provided only via SSH and, maybe, telnet.

11.1 The ftpd daemon

ftpd provides three capabilities

real user - a user can ftp to the system, and upload and download any file on the system with all the privileges of a real user, i.e., unless prevented by the permissions on a file.

anonymous user - a user can ftp to a system, and give the special username anonymous when prompted for username. The system asks for his email address as password, and some elementary checks are performed to check that the character string given is in the correct format for an email address. The user is locked (chroot) into the home directory and subdirectories of the special username ftp; his home directory appears to be the filestore root, and he cannot see other parts of the system's filestore. Subdirectories of the ftp home directory can be marked as downloadable only, or can be configured to be uploadable only.

guest user - the ID and password given are real, but the user cannot log in to a terminal session, e.g. telnet or ssh (the shell in the passwd file is set to /bin/true); the user is only allowed to ftp to and from the system. As with the anonymous user, users listed by the guestuser command in the /etc/ftpd/ftpaccess configuration file are locked into the home directory specified in the passwd file, and its subdirectories. Subdirectories can be configured to be downloadable or uploadable only.

For the anonymous user and each guest user, there is a parallel real administrator ID, to allow someone access to the filestore and maintain files as necessary.

In the working below, this document presumes that the anonymous FTP area is in /local/users/ftp.  This is a local choice.

11.2 Preliminary steps

Ascertain the name of the host to provide the login directory.

Find out whether read-write and read-only access are required. Read-write anonymous FTP is strongly discouraged. Determine the disk areas to which access is required. These may be on the login system, or may be mounted from elsewhere.

The home directory is most easily situated on the host providing the ftp login. If it is not, the filestore must be exported to the FTP host with root permissions, so that the FTP daemon can change the ownerships on uploaded files.

There is no need to create the FTP home directory yet; it will be created later in the procedure.

Set up any guest IDs. These will have entries in /etc/passwd of the form

guest1:x:26540:1:Guest FTP:/local/users/guest1-ftp:/bin/true

(the /bin/true ensures the guest ID cannot have telnet access.)

An alternative form of the entry in the /etc/passwd file is

guest1:x:26540:1:Guest FTP:/local/users/guest1-ftp/./pub:/bin/true

This causes the user to be chrooted to his home directory (assuming he is listed as a guest user in the /etc/ftpd/ftpaccess configuration file), and then to be placed in the pub subdirectory by cd.

As the default list of valid shells does not include /bin/true, check that the file /etc/shells exists (it should exist if the incp.9 procedure has been run), and that it contains a line /bin/true. If /etc/shells does not exist, it can be copied from /nerc/scripts/systems/solaris/incp/base.9/etc.

There is no need to set up the Anonymous FTP ID; this will be set up by the script setting up the Anonymous FTP and Guest home directories.

11.3 Set up the anonymous FTP and Guest home directories

The ftpconfig script is executed as root to set up the anonymous and guest FTP areas. ftpconfig sets up the directory structure needed for Anonymous FTP operation, and copies the required system files into this structure. If the directory structure already exists, the system files are refreshed and any data is left untouched. (Sun suggest ftpconfig be re-run after any major patch, to refresh the system file structure; however, this should only be needed if one of the files changed by patching is used in the ftp directory, and the change is significant.)

To create the directory structure for Anonymous FTP, and put an anonymous FTP ID in /etc/passwd, as root,

/usr/sbin/ftpconfig /path/to/ftp

If the Anonymous FTP ID is already in /etc/passwd, as root,

/usr/sbin/ftpconfig -d /path/to/ftp

(the -d flag means "create directory structure only").

As Guest IDs have already been put in /etc/passwd, for each Guest ID,

/usr/sbin/ftpconfig -d /path/to/guest1
/usr/sbin/ftpconfig -d /path/to/guest2

11.4 Setting upload and download areas in home directories

These are traditionally called /pub and /pubwrite (sometimes /download and /upload). They should have permissions 555 and 755 respectively.

You may wish to create a welcome.msg file in the anonymous and guest home directories at this stage. Typically, this will contain the line "Welcome to the system-name FTP service".

11.5 The /etc/ftpd/ftpaccess configuration file

The full set of ftpaccess directives is given in the ftpaccess man page; the listing below is the subset needed to set up an anonymous and guest FTP service.

class           realusers       real            *
class           guestusers      guest           *
class           anonusers       anonymous       *

guestuser       guest1 guest2

chmod           no              anonymous
delete          no              anonymous
overwrite       no              anonymous
rename          no              anonymous
umask           no              anonymous

# no retrieval from top level directory and its subdirs except /pub

noretrieve      relative        class=anonusers         /
allow-retrieve  relative        class=anonusers         /pub

# no silly characters in filenames
path-filter     guest,anonymous /etc/ftpd/filename.msg  ^[[:alnum:]._-]*$ ^[.-]

upload          class=anonusers    *    *         no  nodirs
upload          class=anonusers    *    /path/to/ftp/pubwrite yes ftpadm ftpadm 0440 nodirs

# log           commands        real,guest,anonymous
# log           security        real,guest,anonymous
# log           transfers       real,guest,anonymous    inbound,outbound

# log     syslog    # logging is to syslog (not /var/adm/xferlog)
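
The guest accounts from 11.2 and the guestuser line above have to agree, and a mismatch is easy to miss. The following added example (not part of the original procedure) cross-checks the three files; the function names and all sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: cross-check ftpaccess guest users against passwd and shells.

# check_ftp_guests PASSWD FTPACCESS SHELLS
# For each account on a "guestuser" line in FTPACCESS, print
#   missing <user>              no entry in PASSWD
#   login-shell <user> <shell>  shell is not /bin/true, terminal login may work
#   not-in-shells <user> <shell> shell is not listed in SHELLS
check_ftp_guests() {
    awk -F: -v access="$2" -v shells="$3" '
        BEGIN {
            while ((getline line < shells) > 0) valid[line] = 1
            while ((getline line < access) > 0) {
                n = split(line, w, /[ \t]+/)
                if (w[1] != "guestuser") continue
                for (i = 2; i <= n; i++) if (w[i] != "") guest[w[i]] = 1
            }
        }
        ($1 in guest) {
            seen[$1] = 1
            if ($7 != "/bin/true") print "login-shell", $1, $7
            if (!($7 in valid))    print "not-in-shells", $1, $7
        }
        END { for (g in guest) if (!(g in seen)) print "missing", g }
    ' "$1" | sort
}

# Demonstration on constructed files written to a temporary directory.
demo_check_ftp_guests() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
guest1:x:26540:1:Guest FTP:/local/users/guest1-ftp:/bin/true
guest2:x:26541:1:Guest FTP:/local/users/guest2-ftp/./pub:/bin/ksh
EOF
    cat > "$d/ftpaccess" <<'EOF'
class           guestusers      guest           *
guestuser       guest1 guest2 guest3
EOF
    printf '%s\n' /sbin/sh /bin/sh /bin/csh /bin/true > "$d/shells"
    check_ftp_guests "$d/passwd" "$d/ftpaccess" "$d/shells"
    rm -rf "$d"
}

demo_check_ftp_guests
```

On the server itself the call is check_ftp_guests /etc/passwd /etc/ftpd/ftpaccess /etc/shells, and an empty result means every guest account is present, has /bin/true as its shell and that shell is listed.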

11.6 Test the system

Create a test file in the ftp UID filestore that can be used for testing downloading.
echo "test.file" >/local/users/ftp/pub/test.file

Check that you can ftp in and out as an ordinary user.

Check that you can establish an ftp connection as anonymous.

Check that the welcome.msg that is displayed is what you expect.

Check that the ls and dir commands work correctly.

Check that the test file can be downloaded.
cd pub
get test.file
should result in Transfer complete, but
send test.upload
should result in Permission denied on server. (Upload)

Check that upload is not possible to subdirectories bin, dev, etc, usr, pub
cd /
cd bin
send test.file
should result in Permission denied on server. (Upload)

Check that upload is possible to the upload directory, but that download is not.
cd /
cd upload
send test.file
get test.file

Check that upload of invalid file names results in an error message.

send .cshrc

Check that logging is working correctly. Individual commands are logged to the syslog; transfers are logged to /var/adm/xferlog.

from Unix, type
cd /var/adm
grep ftp messages
Mar  1 15:14:19 shannon ftpd[3266]: [ID 165209] USER rgi
Mar  1 15:14:21 shannon ftpd[3266]: [ID 125383] PASS password
Mar  1 15:14:23 shannon ftpd[3266]: [ID 124999] FTP LOGIN FROM sidhean [], rgi
Mar  1 15:14:26 shannon ftpd[3266]: [ID 313182] PORT
Mar  1 15:14:26 shannon ftpd[3266]: [ID 483773] NLST -la
Mar  1 15:14:29 shannon ftpd[3266]: [ID 225560] QUIT
Mar  1 15:14:29 shannon ftpd[3266]: [ID 528697] FTP session closed
57 rgi@shannon>

cat xferlog
Fri Mar  1 13:15:00 2002 1 sidhean 13 /local1/dick1/ftp-test/pub/hellosailor a _ o a ftp 0 * c
Fri Mar  1 13:19:12 2002 1 sidhean 13 /local1/dick1/ftp-test/pub/hellosailor a _ o a ftp 0 * c
Fri Mar  1 13:53:51 2002 1 sidhean 13 /users/ncs/rgi/hellosailor a _ o r rgi ftp 0 * c
Fri Mar  1 13:55:25 2002 1 sidhean 5 /users/ncs/rgi/bibi a _ i r rgi ftp 0 * c
Fri Mar  1 13:56:49 2002 1 sidhean 13 /local1/dick1/ftp-test/pub/hellosailor a _ o a ftp 0 * c
61 rgi@shannon>
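
Beyond checking that logging works, the same xferlog can be screened for anonymous transfers that the ftpaccess rules in 11.5 are supposed to stop. This is an added example, not part of the original notes: the function name xferlog_findings and the sample records are constructed, and the /pub/ and /pubwrite/ arguments assume the directory names from 11.4.

```sh
#!/bin/sh
# Added example: flag anonymous transfers in an xferlog that the
# ftpaccess policy is meant to prevent or that deserve a second look.

# xferlog_findings PUBDIR UPDIR   (reads xferlog lines on standard input)
# PUBDIR and UPDIR are path components such as /pub/ and /pubwrite/.
# Prints "<finding> <host> <user> <file>" for each anonymous record that is
# a download from outside PUBDIR or an upload (inside or outside UPDIR).
xferlog_findings() {
    awk -v pub="$1" -v up="$2" '
        NF < 17 { next }                       # not a complete record
        {
            # Count fields from the right: the user name is absent when an
            # anonymous session gave no address, as in the excerpt above.
            if ($(NF-5) ~ /^[agr]$/ && $(NF-6) ~ /^[oi]$/) { a = NF - 5; user = $(NF-4) }
            else if ($(NF-4) ~ /^[agr]$/ && $(NF-5) ~ /^[oi]$/) { a = NF - 4; user = "-" }
            else next
            access = $a; dir = $(a-1); host = $7
            file = $9                           # re-join names containing spaces
            for (i = 10; i < a - 3; i++) file = file " " $i
            if (access != "a") next             # only anonymous sessions
            if (dir == "o" && index(file, pub) == 0)
                print "anon-download-outside-pub", host, user, file
            else if (dir == "i" && index(file, up) == 0)
                print "anon-upload-outside-upload-area", host, user, file
            else if (dir == "i")
                print "anon-upload", host, user, file
        }
    '
}

# Constructed records in the same layout as the xferlog excerpt above.
SAMPLE_XFERLOG='Fri Mar  1 13:15:00 2002 1 hosta 13 /local/users/ftp/pub/readme a _ o a ftp 0 * c
Fri Mar  1 13:55:25 2002 1 hosta 5 /users/alice/notes a _ i r alice ftp 0 * c
Fri Mar  1 14:02:10 2002 3 hostb 2048 /local/users/ftp/pubwrite/drop.bin b _ i a ftp 0 * c
Fri Mar  1 14:05:44 2002 1 hostc 2048 /local/users/ftp/pubwrite/drop.bin b _ o a x@example.org ftp 0 * c
Fri Mar  1 14:09:02 2002 1 hostb 40 /local/users/ftp/etc/group a _ i a ftp 0 * c'

printf '%s\n' "$SAMPLE_XFERLOG" | xferlog_findings /pub/ /pubwrite/
```

A download of a file that sits in the upload area is the pattern to watch for, since it means the noretrieve rule is not taking effect and the upload directory can be used to pass files between anonymous users.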

11.7 Upgrading systems

If the system on which ftpd is being installed is a replacement system intended to take over from another system, there are a few things to look out for.

ftpd expects to find the configuration files in /etc/ftpd; in many legacy systems, these are in /etc.

The contents of the bin, dev, and usr directories of anonymous and guest users should be re-made. This is essential if the legacy system was not Solaris.

The paths to anonymous and guest home directories may change. Edit not only /etc/passwd but also any upload commands in /etc/ftpd/ftpaccess.

The mechanism used to mark a user as guest is different with Silicon Graphics' ftp daemon; this expects the guest users to be listed in the ftpusers file, along with the keyword restricted. With ftpd, ftpusers is a "blacklist" file; it contains only the list of users, such as root, who are not permitted to ftp directly into the system. Guest users are listed using the guestuser keyword in the ftpaccess configuration file.

Appendix 14 Performance Monitoring Software

The classic unix performance-monitoring software is a programme called sar. This is not included in the “development software cluster” (our recommended software selection). To enable this, proceed as follows -

install the two Solaris packages SUNWaccr and SUNWaccu using pkgadd in the usual manner

uncomment the body of the provided init script - /etc/init.d/perf – and run it.

uncomment all the lines in the crontab file belonging to sys

  The sar command has many, many options – see “man sar” for details. Also, see the System Administration Guide Volume 2, Chapters 34 and 36.