soltips
Misc Solaris Tips and Tricks
Keep the system up-to-date
# smpatch analyze     // see what should be applied
# smpatch download    // download them
# smpatch update      // applies them
!!! You don’t need analyze and download. Update will do that.
By default, update installs only patches that are fairly safe, i.e. ones that can be installed while the system is running normally and won’t cause trouble. Patches that require an immediate reboot are skipped and listed in the file /var/sadm/spool/disallowed_patch_list. When you’re ready to apply them, kick everybody off the system, shut down as much as you can, and do
# smpatch add -x idlist=/var/sadm/spool/disallowed_patch_list
then reboot.
Firewall
Edit /etc/ipf/pfil.ap
Uncomment the interfaces you want filtering on, probably your primary ethernet interface. Use /sbin/ifconfig -a if you don’t know the interface names. Then do
# /usr/sbin/svcadm restart network/pfil
Create /etc/ipf/ipf.conf
Start with rules that allow all traffic:
pass in quick all
pass out quick all
Start the firewall
# /usr/sbin/svcadm enable network/ipfilter
Reboot and make sure the network is still available.
Better rules
These rules allow all outgoing connections, and incoming connections only for a few services. For a pure client machine, remove all the pass in TCP rules and maybe the ICMP ones too. ICMP type 8 (echo request) is needed to respond to ping; type 13 is timestamp request.
pass in quick proto tcp from any to any port = 22 keep state
pass in quick proto tcp from any to any port = 80 keep state
pass in quick proto tcp from any to any port = 443 keep state
pass in quick proto icmp from any to any icmp-type 8 keep state
pass in quick proto icmp from any to any icmp-type 13 keep state
pass out quick from any to any keep state
block in quick all
Restart the firewall:
# ipf -Fa -f /etc/ipf/ipf.conf
Fix the active FTP connections
Even if you’re not going to create a NAT, you’ll want one entry in ipnat.conf. It’s a proxy that makes active FTP work; otherwise you can only use passive FTP. Put the following in /etc/ipf/ipnat.conf:
map rtls0 0/0 -> 0/32 proxy port 21 ftp/tcp
rtls0 is your ethernet interface name
Restart the NAT service:
# ipnat -CF -f /etc/ipf/ipnat.conf
NAT for zones
- Make sure the NAT is configured (see above), and add a map rule for the zones’ private subnet:
map rtls0 10.10.10.0/24 -> 0/32
- Assign the global zone’s imaginary address to the physical interface. Add a default route to the imaginary router. Use the imaginary router’s IP address and the real router’s MAC address.
# ifconfig rtls0 addif 10.10.10.1/24 up
# route add default 10.10.10.254
# arp -s 10.10.10.254 0:0:c:7:ac:6c    // !!! replace with your own MAC
- Run inbound network services (say, a web server) in different zones and give each service its own IP address:
rdr rtls0 0/0 port 80 -> 10.10.10.2 port 80 tcp
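The "Better rules" and "NAT for zones" sections above amount to a small allow-list plus a deny-by-default rule, and it is easy to misorder them by hand. The script below is an added example, not part of the original page: it generates both the ipf.conf and ipnat.conf fragments from an allow-list and checks that the firewall file still ends with the catch-all block. The interface name, subnet and zone addresses are placeholders taken from the page.

```sh
#!/bin/sh
# Added example (not from the original page). Generates the ipf.conf and
# ipnat.conf fragments described above from a short allow-list so that the
# deny-by-default ordering ("block in quick all" last) is never hand-typed.
# Interface, subnet and zone addresses are placeholders.

# gen_ipf_conf PORT... : stateful allow for the listed inbound TCP ports,
# ICMP echo request (8) and timestamp request (13), all outbound traffic,
# and finally block everything else inbound.
gen_ipf_conf() {
    for p in "$@"; do
        printf 'pass in quick proto tcp from any to any port = %s keep state\n' "$p"
    done
    printf 'pass in quick proto icmp from any to any icmp-type 8 keep state\n'
    printf 'pass in quick proto icmp from any to any icmp-type 13 keep state\n'
    printf 'pass out quick from any to any keep state\n'
    printf 'block in quick all\n'
}

# gen_ipnat_conf IF SUBNET "PORT=ZONEIP"... : the active-FTP proxy, outbound
# NAT for the zones' private subnet, and one rdr per published service.
gen_ipnat_conf() {
    ifc=$1; subnet=$2; shift 2
    printf 'map %s 0/0 -> 0/32 proxy port 21 ftp/tcp\n' "$ifc"
    printf 'map %s %s -> 0/32\n' "$ifc" "$subnet"
    for svc in "$@"; do
        port=${svc%%=*}; zoneip=${svc#*=}
        printf 'rdr %s 0/0 port %s -> %s port %s tcp\n' "$ifc" "$port" "$zoneip" "$port"
    done
}

# check_default_deny TEXT : true only if the last rule is the catch-all block,
# i.e. anything not explicitly passed above it is dropped.
check_default_deny() {
    [ "$(printf '%s\n' "$1" | tail -n 1)" = "block in quick all" ]
}

# Usage: write the two files, refusing to emit a firewall without the catch-all.
rules=$(gen_ipf_conf 22 80 443)
check_default_deny "$rules" || { echo "refusing: no default deny" >&2; exit 1; }
printf '%s\n' "$rules"                                    # -> /etc/ipf/ipf.conf
gen_ipnat_conf rtls0 10.10.10.0/24 80=10.10.10.2 443=10.10.10.3   # -> /etc/ipf/ipnat.conf
```

Redirect the two outputs into /etc/ipf/ipf.conf and /etc/ipf/ipnat.conf, then reload them with the ipf and ipnat commands shown above.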
Modify the network configuration of a running zone
The ifconfig(1M) command can be used in the global zone to modify a zone’s existing network configuration or to add new logical interfaces to a zone.
global# ifconfig rtls0 addif 192.168.200.202 zone zone100
global# ifconfig rtls0 removeif 192.168.200.202
Prevent a ‘fork bomb’ from affecting all of the zones
# zonecfg -z bad
zonecfg:bad> add rctl
zonecfg:bad:rctl> set name=zone.max-lwps
zonecfg:bad:rctl> add value (priv=privileged,limit=1000,action=deny)
zonecfg:bad:rctl> end
That will prevent a zone’s processes from having a total of more than 1000 LWPs simultaneously.
Change the hostname in Solaris 10
Change the hostname in the following files:
/etc/nodename
/etc/hostname.*interface
/etc/inet/hosts
/etc/inet/ipnodes
and rename the directory under /var/crash:
# cd /var/crash
# mv oldname newname
then reboot the server.
Enable some user to open ports < 1024
# usermod -K defaultpriv=basic,net_privaddr myuser
See /etc/user_attr for the current settings.
Memory usage
$ echo "::memstat" | sudo mdb -k