Unix System Administration
Solaris Management Console
Chuck Hauser
2006-10-13

Presentation Conventions
• Names (files, users, daemons) are usually in bold: /etc/syslog.conf
• System dependent or variable items are usually in italics: /var/sadm/patch/patchnumber/log
• File entries and output are in mono-spaced type:
  > root 8036 c Tue Apr 26 23:59:00 2005
  < root 8036 c Tue Apr 26 23:59:59 2005
• Ä marks a line wrapped to fit on the slide:
  mv Solaris_9_Recommended_Patch_Cluster_log
  ÄSolaris_9_Recommended_Patch_Cluster_log.yyyymmdd
• ð marks a horizontal tab (09 hex)
• Reference OE for programs and documentation is Solaris 9

Introduction
• “The Solaris Management Console is a graphical user interface that provides access to Solaris system administration tools.”
• Replaces both AdminSuite and Admintool.
• The Solaris Management Console (abbreviated as SMC from here forward) first appeared in Solaris 2.6.
• SMC continues at least through Solaris 10.

Admintool and Java Web Console
• Solaris 9 includes admintool, but it opens with this message. Admintool is not in Solaris 10.
• The browser-based Java Web Console was introduced in Solaris 10 as a future replacement for SMC, but currently it has almost no functionality.

SMC Advantages Over admintool
• Replaces the root privileges of admintool with more flexible role-based access control (RBAC) if desired.
• Based on a toolbox concept; different collections of tools and folders can be grouped for a user’s role or experience.
• Can be extended with JavaBeans, legacy apps, commands, etc.
• Has context-sensitive help.

Role-Based Access Control (RBAC)
• Replaces the all-or-nothing superuser model with least-privilege security; allows separation of superuser capabilities.
• A role account is created with specific rights that are granted to a set of users.
• See System Administration Guide: Security Services (817-0365) Chapters 5-7.

Solaris Management Tools History
See System Administration Guide: Basic Administration (817-3814) Chapter 1 Solaris Management Tools (Roadmap) for a matrix of Solaris management tools support.

Solaris Volume Management Packages
Because Solstice DiskSuite has been incorporated in Solaris 9 as the Solaris Volume Manager, the DiskSuite Tool (metatool) has been removed and SMC is now the graphical interface for Solaris Volume Management.

SMC Documentation
• There is no Sun manual that covers only SMC.
• The System Administration Guide: Basic Administration (817-3814) introduces SMC in Chapter 2 Working With the Solaris Management Console (Tasks).
• Other references are scattered in the various System Administration Guides.
• BigAdmin has SMC 2.0 Frequently Asked Questions, which also has 2.1 tips, at http://www.sun.com/bigadmin/content/misc/smc20_faq.html.
• SunSolve has a Solaris Management Console Support Document (70475).

Solaris Management Console Tools
• Solaris Management Console Tools by Janice Winsor (Sun Microsystems Press, 2002) covers SMC 2.0 and is out of print.
• Three sample chapters are online:
  • Networked System Administration Tools from Sun Microsystems
  • SMC Toolbox Editor: Creating and Editing the SMC Toolbox
  • Using SMC Tools

SMC Help
• Online help is available. The currently selected tool will determine the help shown.
• A simple non-boolean search is available.
• Help can be printed.

SMC Components
• SMC Server: provides tools for console and services such as authentication, authorization, logging, messaging, etc.
• SMC Toolbox Editor: used to modify or create toolboxes.
• SMC client (the ‘Console’): interface that contains the GUI tools used to perform management tasks.

SMC Server Components
• The SMC server is a Java-based daemon.
• Although it is a single process, it is a server for both the Solaris Management Console and Solaris Web-Based Enterprise Management (WBEM).
• If the server crashes or the console never loads, stop and restart the server using the init.wbem command (next slide).

Running the SMC Server
• The script /etc/init.d/init.wbem is used to start smcboot, a small proxy server (see Initial Server Configuration slide).
• In addition to the usual start and stop arguments, init.wbem also takes a status argument:
  # /etc/init.d/init.wbem status
  Solaris Management Console server version 2.1.0 running on port 898.
• For startup, init.wbem is linked to /etc/rc2.d/S90wbem and the shutdown scripts are /etc/rc0.d/K36wbem, /etc/rc1.d/K36wbem, and /etc/rcS.d/K36wbem.

Running the Console Locally
• Choose Solaris Management Console from the CDE Tools Menu (see right)
• Or double-click the SMC icon in CDE Applications Manager or File Manager

Starting the Console Locally by Command Line
• Must be in an X11 terminal window, i.e., xterm.
• Use the following command:
  /usr/sadm/bin/smc &
• The command line is also used when using a PC X server to remotely run SMC.

Running SMC in Web Browser
• Despite what some of the documentation implies, SMC cannot be run in a web browser.
• Java Web Console (Solaris 10) can.

Options for Running SMC Remotely
• Use a Unix box with SSH and Xwindows
• Run Xwindows on a PC
• Run Solaris or other Unix in a PC virtual machine such as VMware (right)

Remote X Server to Run on PC
• Use commercial product or download free Cygwin environment (www.cygwin.com).
• Cygwin provides both X11 and OpenSSH for running SMC.

SSH X11 Tunneling
• The Secure Shell (SSH) can be used to encrypt X11 traffic by forwarding through an SSH tunnel.
• Neither Xhosts nor Xauth are necessary when using SSH to tunnel.

X11 Forwarding Configuration
• /etc/ssh/sshd_config must be modified to allow X11 forwarding by the ssh server.
• Find the line with X11 tunneling options:
  # X11 tunneling options
  # X11Forwarding no
  X11DisplayOffset 10
• Change to allow forwarding:
  X11Forwarding yes

Getting sshd to reread sshd_config
• Send a SIGHUP signal to the sshd daemon to reread the configuration file.
• There may be multiple instances of sshd running if using privilege separation:
  ps -ef | grep sshd
      root   304   702  0 19:36:22 ?        0:00 /usr/lib/ssh/sshd
      root   702     1  0   Oct 05 ?        0:00 /usr/lib/ssh/sshd
  cfhauser   308   304  0 19:36:30 ?        0:00 /usr/lib/ssh/sshd
  cfhauser   178   175  0 19:25:32 ?        0:01 /usr/lib/ssh/sshd
      root   175   702  0 19:25:25 ?        0:00 /usr/lib/ssh/sshd
• Signal process 702 (whose parent is process 1):
  kill -1 702

Possible Missing Font Message
• This message may appear when using a remote X server on a PC to run SMC:
  Warning: Cannot convert string "-monotype-arial-regular-r-normal--*-140-*-*-p-*-iso8859-1" to type FontStruct
• The Java Virtual Machine running SMC on the server is requesting a font that is not in the font set of the remote X server.
• This message may be safely ignored, but it can be fixed by aliasing the font (see following).

Removing Font Error Message in Cygwin
• Edit /usr/X11R6/lib/X11/fonts/75dpi/fonts.alias
• Add the following as one complete line:
  -monotype-arial-regular-r-normal--*-140-*-*-p-*-iso8859-1 -b&h-lucida-medium-r-normal-sans-14-140-75-75-p-81-iso8859-1
• In an xterm window, force X server to re-read fonts:
  xset fp rehash

Removing Font Error Message in X-Win32 (Hummingbird)
• Open the X-Util32 configuration utility.
• Select Fonts → Alias
• Double-click 75dpi; double-click fonts.alias to open Font Alias dialog box.
• Enter in the Alias from field:
  -monotype-arial-regular-r-normal--*-140-*-*-p-*-iso8859-1
• Enter in the Alias to field:
  -b&h-lucida-medium-r-normal-sans-14-140-75-75-p-81-iso8859-1
• Click Add

Running su When Tunnelling
• Although a normal user can start SMC, you usually want to run as root (if not using RBAC) to avoid problems with loading some tools.
• When using su to switch to root, do not use the ‘-’ option, otherwise the DISPLAY variable defining the local display will be lost:

Initial Server Configuration
• The smcboot native program waits for a connection from a console program on port 898.
• When a connection is received for the first time, the real Java-based server is called and displays the above while the server initializes.

Console Elements
• The default console consists of three main panes: Navigation, View, and Information.
• There is a menu bar, tool bar, status bar, and if enabled, a location bar.
• Context Help and Console Event tabs are at the bottom.

Console Preferences
Choose Console → Preferences to change:
• Console (toolbox used)
• Appearance
• Toolbar
• Fonts
• Tool Loading
• Authentication

Navigation Pane
• Acts similar to a frame in a web page.
• Clicking on an item in this pane will display this item in the View pane.
• Double-click on an item or click on the turner icon to expand tree.

View and Information Panes
• View Pane – shows information related to selected node in navigation pane.
• Information Pane – on bottom; either displays context-sensitive help or console events depending on selected button.

Default Toolbox
The default toolbox contains tools for:
• System Status
• System Configuration
• Services
• Storage
• Devices and Hardware

Logging In
Even when running as root, selecting a tool will require logging in as root. If using RBAC, log in with a role name and password.

System Status – Log Viewer
• The log view defaults to events logged by the WBEM logging service (/var/sadm/wbem/log).
• Syslog files may be chosen by selecting the drop-down box labeled Log File, but the view must be manually refreshed.
Note: the OpenWindows xconsole program provides a continually updated display of console messages in an Xwindow; it should be run as root:
  /bin/su root -c "/usr/openwin/bin/xconsole -daemon -verbose"

System Status – Performance
• Displays performance data based on projects, user, or summary.
• Basically useless in System Performance Summary mode: the display blanks while system gathers new data, information appears briefly, then blanks for next cycle. Project and User screens are more useful.
• Before running: be sure to change Preferences → General from default 30 seconds to longer time period to have a chance of seeing data.

System Status – Processes
• Use View → Filter to search for an individual process.
• Right-click on an individual process to see process properties, suspend a process, resume a suspended process, or kill (‘delete’) a process.

System Configuration – User Accounts
• Allows viewing or modification of individual user accounts.
• Probably best method for working with RBAC.
• Multiple users can be added in a batch operation (see Adding Multiple Users).

User Properties – Home Directory
Modifying the user’s home directory will change the entry in /etc/passwd for the user and rename the old home directory to the new name.

Users – Adding Multiple Users
• An SMC wizard can be used to add multiple users by:
  • User types each name
  • Generate automatic prefix followed by numeric sequence
  • Use text file in a format similar to /etc/passwd; minimum should have:
    newdudeid:New Dude
• Other batch operations on users (add, delete, modify) can be performed at the command line using the smmultiuser command.

Users – User Templates
User templates are a named collection of user properties that can be used as the starting point for creating new users.

Users – Rights
• Actually RBAC Rights Profiles, a collection of commands, authorizations, or other rights.
• Rights could be directly assigned to a user, but better to assign to a role, then assign the role to users.
• The next slide shows a rights profile for User Security.

Users – Administrative Roles
• No roles are predefined.
• Sun suggests creating Primary Administrator, System Administrator, and Operator rights profiles.
• This example adds a password.operator role for handling user password requests.
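
An added example, not from the original slides: an audit of the RBAC user database that lists who can assume a role and flags users holding rights profiles directly instead of through a role. It assumes the /etc/user_attr format described in user_attr(4); the function names and the sample entries (alice, bob, carol, sysadmin) are constructed.

```shell
#!/bin/sh
# Added example (not from the slides). Reads user_attr(4)-style entries:
#   name:qualifier:res1:res2:attr   with attr = key=value;key=value;...
# On Solaris 9 use nawk or /usr/xpg4/bin/awk as awk.

# Print "name<TAB>value" for entries of account type TYPE that set KEY.
user_attr_values() {            # usage: user_attr_values KEY TYPE < user_attr
    awk -F: -v key="$1" -v want="$2" '
        /^#/ || NF < 5 { next }
        {
            type = "normal"; val = ""   # assumption: no type= means normal
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                k = substr(kv[i], 1, eq - 1)
                if (k == "type") type = substr(kv[i], eq + 1)
                if (k == key)    val  = substr(kv[i], eq + 1)
            }
            if (type == want && val != "") print $1 "\t" val
        }'
}

# Users who may assume ROLE.
role_members() {                # usage: role_members ROLE < user_attr
    user_attr_values roles normal | awk -F'\t' -v role="$1" '
        { n = split($2, r, ","); for (i = 1; i <= n; i++) if (r[i] == role) print $1 }'
}

# Users holding rights profiles directly rather than through a role.
direct_profile_users() { user_attr_values profiles normal | cut -f1; }

# Constructed sample entries; password.operator is the role from the slide.
sample_user_attr() {
    cat <<'EOF'
password.operator::::type=role;profiles=User Security
alice::::type=normal;roles=password.operator
bob::::type=normal;profiles=User Security
carol::::roles=password.operator,sysadmin
EOF
}

echo "password.operator members: $(sample_user_attr | role_members password.operator | tr '\n' ' ')"
echo "direct profile holders:    $(sample_user_attr | direct_profile_users | tr '\n' ' ')"
```

On a live system the same functions take `/etc/user_attr` on stdin; in the sample, bob is the account to review because the User Security profile is attached to him directly.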