man pages section 1M: System Administration Commands

Exit Print View

Updated: July 2014
 
 

installadm(1M)

Name

installadm - Manages automated installations on a network

Synopsis

/usr/sbin/installadm [subcommand] [-h|--help]
installadm help [subcommand]
installadm create-service [-n <svcname>]
        [-p <prefix>=<origin>
        [-K <keypath> -C <certpath>]]
        [-a <architecture>]
        [-s <FMRI/ISO> |
         -t <existing_service>]
        [-b <boot property>=<value>,... | -G <grub.cfg>]
        [-i <dhcp_ip_start> -c <count_of_ipaddr>]
        [-B <server_ipaddr>]
        [-M <manifest file>]
        [-d <imagepath>]
        [-y]
installadm set-service [options] -n <svcname>
        [-t <existing_service>]
        [-M <manifest name>]
        [-d <imagepath>]
        [-e | -D]
        [-G [none|<grub.cfg>]
        [-b [none|<property>=<value>[,... ]]
        [-p <policy>]]
        [-x [--hash <ca-hash>]]
        [-A <ca-certfile>...]
        [-C <certfile> -K <keyfile>]
        [-g] [-E] [-H]
installadm update-service [-s FMRI]
        [-p <publisher>=<origin>
            [-K <keypath> -C <certpath>]]
        -n <svcname>
installadm rename-service -n <svcname> -N <newsvcname>
installadm enable -n <svcname>
installadm disable -n <svcname>
installadm delete-service [-r] [-y] -n <svcname>
installadm list [-a|--all | -s|--server -c|--client -m|--manifest -p|--profile]
                [-v|--verbose] [-n|--service <svcname>]
installadm list [-v|--verbose] -e|--macaddr <macaddr>
installadm create-manifest -n <svcname>
         -f filename [-m manifest] [-d]
         [-c <criteria>=<value|list|range> ... |
          -C <criteriafile>]
installadm update-manifest -n <svcname>
         -f <filename> [-m <manifest>]
installadm update-manifest -n <svcname>
         -f <filename> [-m <manifest>]
installadm delete-manifest -n <svcname> -m <manifest>
installadm create-profile -n <svcname> -f <filename> ...
         [-p <profile>]
         [-c <criteria>=<value|list|range> ... |
         -C <criteriafile>]
installadm update-profile -n <svcname> -f <filename>
        [-p <profile>]
installadm delete-profile -n <svcname> -p <profile> ...
installadm export [-o <path>] -n <svcname>
        [-m <manifest name>]...  [-p <profile name>]...
installadm export [-o <path>]
        -n <svcname> | -e <macaddr>
        -G
installadm export [-o <path>]
        -s | -n <svcname> | -c | -e <macaddr>
        [-C] [-K] [-A]
installadm validate -n <svcname>
        [-M <manifest_path>]...
        [-m <manifest_name>]...
        [-P <profile_path>]...
        [-p <profile_name>]...
installadm set-criteria -n <svcname>
        [-m <manifest>] [-p <profile>]...
        [[-c <criteria>=<value|list|range>]... |
         [-C <criteria.xml>] |
         [-a <criteria>=<value|list|range>]... |
         [-d <criteria>]... |
         [-D]]
installadm create-client -n <svcname>
        -e <macaddr>
        [-b <property>=<value>,...]
        [-G <grub.cfg>]
installadm set-client -e <macaddr>
        [-n <svcname>]
        [-b [none|<property>=<value>,... ]]
        [-G [none|<grub.cfg>]
        [-g]
        [-x [-y] [--hash <ca-hash>]
        [-A <ca-certfile>]...
        [-C <certfile> -K <keyfile>]
        [-E]
        [-H]
installadm set-server
        [-i <dhcp_ip_start> -c <count_of_ipaddr>]
        [-p <port>]
        [-P <secure_port>]
        [-d <directory>]
        [-l all|<CIDR>[,...] | [-L none|<CIDR>[,...]]]
        [-m | -M]
        [-u | -U]
        [-z | -Z]
        [-s | -S]
        [[-D]
         [-x [-r] [--hash <ca-hash>]]
         [-g]
         [-A <ca-certfile>...]
         [-C <certfile> -K <keyfile>]
         [-E]
         [-H]]
installadm execute -f <file>

Description

installadm can be invoked interactively, with an individual subcommand, or by specifying a command file that contains a series of subcommands.

The Automated Installer (AI) is used to automate the installation of the Oracle Solaris OS on one or more SPARC and x86 systems over a network.

The machine topography necessary to employ AI over the network is to have an install server, a DHCP server (this can be the same system as the install server), and the installation clients. On the install server, install services are set up to contain an AI boot image, which is provided to the clients in order for them to boot over the network, input specifications (AI manifests and derived manifest scripts), one of which will be selected for the client, and Service Management Facility (SMF) configuration profiles, zero or more of which will be selected for the client.

The AI boot image content is published as the package install-image/solaris-auto-install , and is installed by the create-service subcommand. The create-service subcommand is also able to accept and unpack an AI ISO file to create the AI boot image.

Install services are created with a default AI manifest, but customized manifests or derived manifest scripts (hereafter called “scripts”) can be added to an install service by using the create-manifest subcommand. See Installing Oracle Solaris 11.2 Systems for information about how to create manifests and derived manifests scripts. The create-manifest subcommand also allows criteria to be specified, which are used to determine which manifest or script should be selected for an installation client. Criteria already associated with a manifest or script can be modified using the set-criteria subcommand.

Manifests can include information such as a target device, partition information, a list of packages, and other parameters. Scripts contain commands that query a running AI client system and build a custom manifest based on the information it finds. When AI is invoked with a script, AI runs that script as its first task, to generate a manifest.

When the client boots, a search is initiated for a manifest or script that matches the client's machine criteria. When a matching manifest or script is found, the client is installed with the Oracle Solaris release according to the specifications in the matching manifest file, or to the specifications in the manifest file derived from the matching script. Each client can use only one manifest or script.

Each service has one default manifest or script. The default is used when the criteria of no other manifest or script matches the system being installed. Any manifest or script can be designated as the default. Default manifests can have criteria associated with them which is used when attempting to locate a matching manifest, however this manifest will be returned as the default should no other matching manifest be located. Manifests or scripts with no criteria associated with them can only be used as default manifests or scripts. Manifests or scripts without criteria become inactive when a different manifest or script is designated the default.

System configuration profiles are complementary to manifests and scripts in that they also contain specifications for an installation. In particular, profiles are used to specify configuration information such as user name, user password, time zone, host name, and IP address. Profiles can contain variables that are replaced at installation time with appropriate values for the client being installed. In this way, a single profile file can set different configuration parameters on different clients. See the “Examples” section.

System configuration profiles are processed by smf(5) and conform to document format service_bundle(4). See sysconfig(1M) and Chapter 11, Configuring the Client System, in Installing Oracle Solaris 11.2 Systems for more information about system configuration profiles. Each client can use any number of system configuration profiles. A particular SMF property can be specified no more than once for each client system.

If you want a specific client to use a specific install service, you can associate that client with the service by using the create-client subcommand. You can also use set-client to modify an existing client.

    Automated installations can be secured with the Transport Layer Security (TLS) protocol. Private certificate and key pairs and Certificate Authority (CA) certificates can be assigned to the install server and to clients. The network download of the boot files of SPARC clients is further secured with OBP hash digest and encryption keys. An automated installation can be secured in the following ways:

  • Server authentication: The identity of the server can be verified.

  • Client authentication: The identity of the client can be verified.

  • Access to automated installations can be controlled.

  • Access to server data can be controlled.

  • Client data can be protected for all clients or separately for specified clients.

  • Data can be encrypted so that it cannot be read over the network.

  • Secured IPS package repositories can be accessed.

  • A user-specified directory can be securely published by the web server. Client authentication is required to access this directory.

    The installadm utility can be used to accomplish the following tasks:

  • Configure the AI server SMF service

  • Set up install services and aliases

  • Update the net image of certain install services

  • Set up installation images

  • Set up or delete clients

  • Add, update, or delete manifests and scripts

  • Specify or modify criteria for a manifest or script

  • Export manifests and scripts

  • Add or delete system configuration profiles

  • Validate profiles

  • Specify or modify criteria for profiles

  • Export profiles

  • Enable or disable install services

  • List install services

  • List clients for an install service

  • List manifests and scripts for an install service

  • List profiles for an install service

  • Secure data transfers between the install server and the AI clients

  • Enable or disable security

  • Execute batches of subcommands

Options

The installadm command has the following option:

–h
–-help

Show the usage message for all subcommands.

If followed by a subcommand, will show the usage message for that subcommand only.

Sub Commands

The installadm command has the subcommands listed below. See also the “Examples” section below.

installadm help [subcommand]

Displays a summary of the available commands.

subcommand

Displays more help for the specified subcommand.

installadm create-service [–n <svcname>]
[–p <prefix>=<origin>
[–K <keypath> –C <certpath>]]
[–a <architecture>]
[–s <FMRI/ISO> |
–t <existing_service>]
[–b <boot property>=<value>,... | –G <grub.cfg>]
[–i <dhcp_ip_start>
–c <count_of_ipaddr>]
[–B <server_ipaddr>]
[–M <manifest file>]
[–d <imagepath>]
[–y]

This subcommand sets up a network boot image (net image) in the specified imagepath directory, and creates an install service that specifies how a client booted from the net image is installed.

The AI boot image content is published as the package install-image/solaris-auto-install . If the –s option is not specified, that package is installed from the first publisher in the system's publisher preference list that provides an instance of that package. The –s option accepts the pkg specification as a full FMRI or location of an image ISO file. The resulting net image is eventually located in imagepath. The net image enables client installations.

    Note the following specifications:

  • When the first install service of a given architecture is created on an install server, an alias of that service, default-i386 or default-sparc, is automatically created. This default service is used for all installations to clients of that architecture that were not added to the install server explicitly with the create-client subcommand. To change the service aliased by the default-arch service, use the set-service subcommand. To update the default- arch service, use the update-service subcommand.

    If a default-arch alias is changed to a new install service and a local ISC DHCP configuration is found, this default alias boot file is set as the default DHCP server-wide boot file for that architecture.

  • If you want a client to use a different install service than the default for that architecture, you must use the create-client subcommand to create a client-specific configuration.

The options are any one of the following:

-n <svcname>
--service <svcname>

Optional: Uses this install service name instead of a system-generated service name. The <svcname> can consist of alphanumeric characters, underscores (_), and hyphens (-). The first character of <svcname> cannot be a hyphen. The length of the svcname cannot exceed 63 characters.

If the –n option is not specified, a service name is generated automatically. The default name includes architecture and OS version information.

-s <source>
--source <source>

Optional: Specifies the data source for the net image. This can be either of:

  • The FMRI of an IPS AI net image package. This is the default. If the –s option is not specified, the newest available version of the install-image/solaris-auto-install package is used. The package is retrieved from the publisher specified by the –p option or from the first publisher in the install server's publisher preference list that provides an instance of the package.

  • The path to an AI ISO image.

-p <publisher>=< origin>
--publisher <publisher >=<origin>

Optional: Only applies when the service is being created from an IPS package. Specifies the IPS package repository from where you want to retrieve the install-image/solaris-auto-install package. An example is solaris=http://pkg.oracle.com/solaris/release/.

If the –p option is not specified, the publisher used is the first publisher in the install server's publisher preference list that provides an instance of the package.

–-key keypath

Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted key for the secure IPS publisher.

–-cert certpath

Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted certificate for the secure IPS publisher.

-a <architecture>
--arch <architecture>

Optional: Only applies when the service is being created from an IPS package. Specifies the architecture of the clients to be installed with this service. The value can be either i386 or sparc . The default is the architecture of the install server.

-d <imagepath>
--imagepath <imagepath>

Optional: Specifies the path at which to create the net image. If not specified, the image is created in a <svcname> directory at the location defined by the value of the all_services/default_imagepath_basedir property. For the default value of this property, see “Install Server Configuration Properties.” A confirmation prompt is displayed unless –y is also specified.

-y
--noprompt

Optional: Suppresses any confirmation prompts and proceeds with service creation using the supplied options and any default values (see – d).

-t <aliasof>
--aliasof <aliasof>

Optional: This new service is an alternate name for the aliasof install service.

-M <manifest file>
--default-manifest <manifest file>

Optional: Used to designate the path to the default manifest or derived manifest script to be used for the service.

-b <property>=< value>,...
--boot-args <property >=<value>,...

Optional: For x86 clients only. Sets a property value in the service-specific boot configuration file in the service image. Use this option to set boot properties that are specific to this service. This option can accept multiple comma-separated property= value pairs.

–G none|<grub.cfg>
–-grub-cfg none|<grub.cfg>

Optional: Assigns a new GRUB2 menu file, or removes one if 'none' is specified.

–i <dhcp_ip_start> –c <count_of_ipaddr>
–-ip-start <dhcp_ip_start> –-ip-count <count_of_ipaddr>

Obsolete: These options have been obsoleted for use in this context, and you should use the set-server equivalents going forward. Please refer to the set-server documentation for more information.

These options will fail if the AI server is not already configured to manage DHCP.

–B <server_ipaddr>
–-bootfile-server <server_ipaddr>

Obsolete: This option has been obsoleted for use in this context, and you should use the set-server equivalent going forward. Please refer to the set-server documentation for more information.

installadm set-service [options] –n|–-service <svcname>

This subcommand enables the modification of an existing service. At least one of these options must be given:

–t <existing_service>
–-aliasof <existing_service>

Makes <svcname> an alias of the <existing_service> install service.

–M <manifest name>
–-default-manifest-name <manifest name>

Designates a particular manifest or derived manifests script that is already registered with the specified service to be the default manifest or derived manifest script for that service. Use the installadm list command to show a list of manifests and derived manifest scripts registered with this service.

$ installadm list -n <svcname> -m
–d <imagepath>
–-imagepath <imagepath>

Causes the image to be relocated to the new image path.

–e|–-enable | –D|–-disable

Enables/Disables the service.

–G none|<grub.cfg>
–-grub-cfg none|<grub.cfg>

Assigns a new GRUB2 menu file, or removes one if 'none' is specified.

–b none|<property>=<value>[,... ]
–-boot-args none|<property>=<value>[,... ]

Sets the boot arguments for the GRUB menu, or removes them if 'none' is specified.

–p <policy>
–-security-policy <policy>

An install service can be assigned only one of these security settings. The <policy> can be one of the following security policy settings which are listed in order of decreasing security:

require-client-auth

Confirms the identity of the AI client. Requires client and server authentication for all clients of the specified service. All SPARC clients of this service must have their OBP keys defined.

require-server-auth

Confirms the identify of the AI install server. Requires all clients of the specified service to perform server authentication. Client authentication is optional, but any assigned client credentials are required to be provided. All SPARC clients of this service must have their OBP keys defined.

optional

Allows both authenticated and unauthenticated clients to access the install service. Client authentication is optional, but any assigned client credentials are required to be provided. This is the default behavior.

encr-only

Enables SSL/TLS end-to-end encryption for an x86 install service. No authentication is performed.

disable

Disables all security for all clients of the specified service.

–x [–y|–-noprompt] [–-hash <ca-hash>]
–-delete-security [–y|–-noprompt] [–-hash <ca-hash>]

Deletes any security configuration for the service, or a specific CA if a –-hash is provided. If –y is provided it will not prompt for confirmation.

–g
–-generate-all-certs

Automatically generates and assigns all X.509 security credentials and generates OBP keys. The CA certificate and OBP keys are generated only if they do not already exist.

–A <ca-certfile>...
–-ca-cert <ca-certfile>...

Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.

–C <certfile> –K <keyfile>
–-cert <certfile> –-key <keyfile>

–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.

–K assigns a user-provided PEM-encoded X.509 + private key located at path <keyfile>. The <keyfile> must have any passphrase removed.

The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.

If you also specify –A options then this certificate and key will be validated against those CA Certificates.

–E
–-generate-encr-key

Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key.

OBP keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before OBP keys exist is an error. You can specify both OBP key options, or you can specify either –E or –H. The OBP keys that already exist are invalidated and replaced with the newly generated values.

–h
–-generate-hmac-key

Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key.

installadm update-service [options] –n|–-service <svcname>

Updates the image associated with <svcname>, where <svcname> is an alias of a service that was created using an IPS AI net image package. A new service is created with the updated image, and <svcname> is aliased to the new service.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the name of the install service being updated, which must be an alias of a service that was created using an IPS net image package.

[options] is one or more of the following:

–p <publisher>=<origin>
–-publisher <publisher>=<origin>

The IPS package repository from which to update the <svcname> image. The following is an example value:

solaris=http://pkg.oracle.com/solaris/release/

A certificate and key may be specified for the publisher by providing paths to a key and certificate file to use with the options:

–K|–-key <keypath>
–C|–-cert <certpath>

If the –p option is not specified, the publisher used is the publisher that was used to create the image of the service for which <svcname> is an alias.T he package publisher can be seen in verbose output for that service.

-s <FMRI>
--source <FMRI>

The FMRI of the net image package for the update.

If the –s option is not specified, the newest available version of the install-image/solaris-auto-install package is used from the publisher specified in the description of the –p option.

installadm rename-service –n <svcname> –N <newsvcname>

Renames the install service <svcname> to <newsvcname>.

The <newsvcname> can consist of alphanumeric characters, underscores (_), and hyphens (-). The first character of <newsvcname> cannot be a hyphen. The length of the <newsvcname> cannot exceed 63 characters.

installadm enable –n <svcname>

Obsolete: This subcommand has been obsoleted in preference to the –-enable option of the set-service subcommand.

Enables the svcname install service.

installadm disable –n <svcname>

Obsolete: This subcommand has been obsoleted in preference to the –-enable option of the set-service subcommand.

Disables the svcname install service.

installadm delete-service [options] –n|–-service <svcname>

Deletes an install service.

  • Deletes the manifests, profiles, client configuration files, and web server configuration for this install service.

  • Deletes the image used to instantiate the service.

  • If the following conditions exist, the bootfile associated with this service is removed from the ISC DHCP configuration:

    • The service is a default alias.

    • A local ISC DHCP configuration exists.

    • The all_services/manage_dhcp property value is true.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the install service name to delete.

Where [options] is one or more of:

–r|–-autoremove

If specified, any clients assigned to this service, and any services aliased to this service, are also removed.

–y|–-noprompt

Suppresses any confirmation prompts and proceeds with service deletion.

installadm list [–v] [–s | –e <macaddr> | [–a | –cmp] [–n <svcname>]]

Without any options, lists the summary of all services on the AI server. The available options are:

–v
–-verbose

Produces more verbose listings

–a
–-all

Lists the configuration of the AI server in a tree-like output with information about the server, services, clients, manifests and profiles on the AI server.

Can only be used in conjunction with the –v or –n options.

–n <svcname>
–service <svcname>

Behaves as a filter, only showing clients, manifests or profiles for the specified <svcname> on the server.

This option can be used to filter the –a, –c, –m or –p options.

–e <macaddress>
–-macaddr <macaddress>

Lists specific information for the provided <macaddress> only.

Can only be used in conjunction with the –v option.

–s
–-server

Lists information about server configuration.

Cannot be used with the –n option.

-c
--client

Lists the clients of the install services on a local server.

When used with –n option, it displays only manifests and scripts for the given service.

-m
--manifest

Lists the manifests and derived manifest scripts associated with the install services on a local server, including criteria for each manifest. Inactive manifests are labeled. Inactive manifests have no associated criteria and are not the default manifest for that service.

When used with –n option, it displays only manifests and scripts for the given service.

-p
--profile

Lists the profiles associated with the install services on a local server, including criteria for each profile.

When used with –n option, it displays only profiles for the given service.

Whenever the list output includes fields that are inaccessible for a user, that is, they do not have sufficient authorisations, then these fields are hidden from the output. Examples of such fields are those related to whether security is enabled or not, the security credentials, and so on.

installadm create-manifest [options] –n|–-service <svcname> –f|–-file <filename>

Creates a manifest or derived manifests script for a specific install service, thus making the manifest or script available on the network, independently from creating a service. A non-default manifest or script can be used (can be active) only when criteria are associated with it. Criteria can be entered on the command line (–c) or in a criteria XML file (–C).

    The name of the manifest is determined in the following order:

  1. The manifest name specified by the –m option, if present.

  2. The value of the ai_instance name attribute, if present in the manifest.

  3. The base name of the filename.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the name of the install service this manifest or script is to be associated with.

–f <filename>
–-file <filename>

Specifies the path name of the manifest or derived manifests script to add.

[options] can be one or more of the following:

–m <manifest>
–-manifest <manifest>

Specifies the AI instance name of the manifest or derived manifests script. Sets the name attribute of the ai_instance element of the manifest to manifest. The manifest or script is referred to as manifest in subsequent installadm commands and installadm list output.

–c <criteria>=< value|list|range>...
–-criteria <criteria>=< value|list|range>...

Specifies criteria to be associated with the added manifest or script. See the "Criteria" section below. The –c option can be specified multiple times.

–C <criteriafile>
–-criteria-file <criteriafile>

Specifies the path name of a criteria XML file containing criteria to be associated with the added manifest or script.

-d
--default

Specifies that this manifest or script is the new default manifest or script for the service.

installadm update-manifest –n|–-service <svcname>
–f|–-file <filename> [–m|–-manifest <manifest>]

Updates the specific manifest or derived manifests script from the <svcname> install service. Replaces the specified manifest or script with the contents of filename. Any criteria or default status remain with the manifest or script following the update.

    The name of the manifest is determined in the following order:

  1. The manifest specified by the – m option, if present.

  2. The value of the ai_instance name attribute, if present in the changed manifest and if it matches the ai_instance name value of an existing manifest.

  3. The base name of the filename, if it matches the ai_instance name attribute value in an existing manifest, or the name given by installadm list if it matches the name of an existing script.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the name of the install service of the manifest or script being updated.

-f filename
--file filename

Specifies the path name of the replacement manifest or derived manifest script.

Optionally the following may be specified:

-m manifest
--manifest manifest

Specifies the AI instance name of the replacement manifest or script.

installadm delete-manifest -n|--service <svcname>
-m|--manifest manifest

Deletes a manifest or derived manifest script that was published with a specific install service. A default manifest or script cannot be deleted.

The required arguments are:

-n <svcname>
--service <svcname>

Specifies the name of the install service of the manifest or script being deleted.

-m manifest
--manifest manifest

Specifies the AI instance name of a manifest or derived manifests script as output by installadm list with the –n option.

installadm create-profile [options] –n|–-service <svcname>
–f|–-file filename...

Creates profiles for a specific install service. Criteria can optionally be associated with a profile by either entering them on the command line (–c) or in a criteria XML file (–C). Profiles created without criteria are associated with all clients of the service.

    The name of the profile is determined in the following order:

  1. The profile specified by the –p option, if present.

  2. The base name of the filename.

Profile names must be unique for an AI service. If multiple – f options are used to create more than one profile with the same criteria, then the –p option is invalid and the names of the profiles are derived from their file names.

The required arguments are:

-n <svcname>
--service <svcname>

Required: Specifies the name of the install service of the profile being created.

-f filename...
--file filename...

Required: Specifies the path name of the file with which to add the profile. Multiple profiles can be specified.

[options] may be one or more of the following:

-p profile
--profile profile

Optional: Specifies the name of the profile being created. Valid only for single profile creation.

-c criteria= value|list|range...
--criteria criteria= value|list|range...

Optional: Specifies criteria to be associated with the profiles. See the "Criteria" section below. Multiple –c options can be specified.

-C criteriafile
--criteria-file criteriafile

Optional: Specifies the path name of a criteria XML file containing criteria to be associated with the specified profiles.

installadm update-profile –n|–-service <svcname>
–f|–-file filename [–p|–-profile profile]

Updates the specified profile from the <svcname> install service. Replaces the specified profile with the contents of filename . Any criteria remain with the profile following the update.

    The profile to be updated is determined in the following order:

  1. The profile specified by the –p option, if present.

  2. The base name of the filename.

-n <svcname>
--service <svcname>

Required: Specifies the name of the install service of the profile being updated.

-f filename
--file filename

Required: Specifies the path name of the file to use to update the profile.

-p profile
--profile profile

Optional: Specifies the name of the profile being updated. Use this option if the name of the profile to update is different from the base name of the filename.

installadm delete-profile -n|--service <svcname>
-p|--profile profile ...

Deletes the profile profile from the <svcname> install service.

The required arguments are:

-n <svcname>
--service <svcname>

Specifies the name of the install service of the profile being deleted.

-p profile...
--profile profile...

Specifies the name of the profile to delete. Multiple – p options can be specified.

installadm export [–o <path>] [selector] [items]

The export command has several possible valid combinations of options. The first element [selector] selects the object that is the source of the item to be output:

–s
–-server

Specify the server object to be used as the source of security keys or certificates.

-n <svcname>
--service <svcname>

Specify a specific service to be used as the source of manifests, profiles, GRUB menu, or security keys or certificates.

–c
–-default-client

Specify the server's default client security is to be used for exporting of security keys or certificates.

–e <macaddr>
–macaddr <macaddr>

Specify a client, by it's MAC Address, to be used as the source of security keys or certificates.

The next element [items] specifies the item, or items to be output:

–m <manifest name>
–-manifest <manifest name>

Specify a manifest or derived manifest name to export from the specified service. Multiple –m options may be specified.


Note -  This can be used only with the –n option.

–p <profile name>
–-profile <profile name>

Specify a profile name to export from the specified service. Multiple –p options may be specified.


Note -  This can be used only with the –n option.
–G
–-grub-cfg

Outputs a the GRUB2 menu (grub.cfg) file that is currently in use for the service or client.

This can be used only with the –n or –e options.

–c
–-cert

Outputs the PEM-encoded X.509 certificate for the server, service or client specified.

This can be used with any of the selection options –n, –e, –s or –c.

–K
–-key

Outputs the PEM-encoded X.509 private key for the server, service or client specified.

This can be used with any of the selection options –n, –e, –s or –c.

–A <hash> ...
–-ca-cert <hash> ...

Outputs the PEM-encoded X.509 Certificate Authority (CA) certificate with the specified <hash> value.

This option can be repeated to export muliple CA Certificates, and also can be used with any of the selection options –n, –e, –s or –c.

installadm validate [options] –n|–-service <svcname>

Validates specified profiles or manifests. The validate subcommand can be used to either validate profiles in the database (–p) or to validate profiles (–P) or manifests (–M) while they are being developed before their entry into the database.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the service with which the profiles or manifests are associated and to be validated against.

Where [options] is one or more of the following:

–M <manifest_path>
–-manifest <manifest_path>

Specifies an external manifest file to validate against the provided service.

–m <manifest_name>
–-manifest <manifest_name>

Specifies the name of an existing manifest to validate against the provided service.

–P <profile_path>
–-profile-file <profile_path>

Specifies an external profile file to validate against the provided service.

–P <profile_name>
–-profile-file <profile_name>

Specifies the name of an existing profile to validate against the provided service.

installadm set-criteria [options] –n <svcname>
[–m <manifest>] [–p <profile>]...

Updates criteria of an already published manifests, derived manifest scripts, or profiles. Criteria can be specified on the command line or in a criteria XML file.

Valid criteria are described under the create-manifest subcommand.

The required arguments are:

–n <svcname>
–-service <svcname>

Specifies the service with which the profiles or manifests are associated.

And one or more of:

–m <manifest name>
–-manifest <manifest name>

Specifies the AI instance name of a manifest or derived manifest script.

Only one manifest may be specified since it is not possible to have multiple manifests with the same criteria assigned.

–p <profile_name>
–-profile <profile_name>

Specifies the name of a profile.

Then [options] is one of the following variations:

–c <criteria=value|list|range> ...
–-criteria <criteria=value|list|range> ...

Specifies criteria to replace all existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values.

It is possible to specify multiple –c options.

–C <criteria.xml>
–-criteria-file <criteria.xml>

Specifies the path name of a criteria XML file containing criteria to replace all existing criteria for the manifest, script, or profile.

–D
–-delete-all-criteria

–a <criteria=value|list|range> ...
–-append-criteria <criteria=value|list|range> ...

Specifies criteria to be appended to the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values. If the criteria specified already exists, the value|list|range of that criteria is replaced by the specified value|list|range.

It is possible to specify multiple –a options.

–d <criteria> ...
–-delete-criteria <criteria> ...

Specifies criteria to be removed from the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values.

It is possible to specify multiple –d options.

installadm create-client [options]
–e|–-macaddr <macaddr> –n|–-service <svcname>

Accomplishes optional setup tasks for a specified client, in order to provide custom client settings that vary from the default settings used by the create-service subcommand. Enables the user to specify a non-default service name and boot arguments or GRUB2 menu for a client.

An existing client may be modified using the installadm set-client subcommand.

    If the following conditions exist, the client is configured in the ISC DHCP configuration:

  • The client is an x86 system.

  • A local ISC DHCP configuration exists.

  • The all_services/manage_dhcp property value is true.

The required arguments are:

-n <svcname>
--service <svcname>

Specifies the install service for client installation.

–e macaddr
–-macaddr macaddr

Specifies a MAC address for the client.

For x86 clients only, [options] are may be either one of the following:

-b <property>=<value>,...
--boot-args <property>=<value>,...

Sets a property value in the client-specific boot configuration file. Use this option to set boot properties that are specific to this client. This option can accept multiple property=value pairs, or be repeated several times.

–G <grub.cfg>
–-grub-cfg <grub.cfg>

Specify a custom GRUB2 menu (grub.cfg) file to use when booting the client.

installadm set-client –e <macaddr>
[–n <svcname>]
[–b [none|<property>=<value>,... ] |
–G [none|<grub.cfg>]]
[–g]
[–x [–y] [–-hash <ca-hash>]
[–A <ca-certfile>]...
[–C <certfile> –K <keyfile>]
[–E]
[–H]

The required arguments are:

–e macaddr
–-macaddr macaddr

Specifies a MAC address for the client.

Where [options] is any of the following:

–n|–-service <svcname>

Will move the client to this service if different + from the existing service it is associated with.

–g
–-generate-all-certs

Generates a new set of CA Cert, Client Cert and Key, including an encryption key and hash for SPARC if they are not already in place.

–x
–-delete-security

Deletes the client's security information. This can be further modified using the following options:

–y|–-noprompt

Specifies that no prompting for confirmations should be done.

–-hash <ca-hash>

Limits command to deleting only any CA Cert that matches that value.

–A <ca-certfile>...
–-ca-cert <ca-certfile>...

Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.

–C <certfile> –K <keyfile>
–-cert <certfile> –-key <keyfile>

–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.

–K assigns a user-provided PEM-encoded X.509 private key located at path <keyfile>. The <keyfile> must have any passphrase removed.

The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.

If you also specify –A options then this certificate and key will be validated against those CA Certificates.

For SPARC clients only, [options] are may be either one of the following:

–E
–-generate-encr-key

Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key.

OBP keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before OBP keys exist is an error. You can specify both OBP key options, or you can specify either –E or –H. The OBP keys that already exist are invalidated and replaced with the newly generated values.

–H
–-generate-hmac-key

Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key.

For x86 clients only, [options] are may be either one of the following:

–b|–-boot-args none|<property>=<value>,...

For x86 clients only, sets the boot arguments for the GRUB menu, or removes them if 'none' is specified, restoring the service GRUB configuration.

This option will fail if there is a custom GRUB2 menu already in place for this client.

–G|–-grub-cfg none|<grub.cfg>

For x86 clients only, assigns a new GRUB2 menu file, or removes one if 'none' is specified.

Adding a new GRUB2 menu will replace any existing boot-args specified for this client.

installadm delete-client –e|–-macaddr macaddr

Deletes an existing client's specific service information that was previously set up using the create-client subcommand.

    If the following conditions exist, the client is unconfigured in the ISC DHCP configuration:

  • The client is an x86 system.

  • A local ISC DHCP configuration exists.

  • The all_services/manage_dhcp property value is true.

The required arguments are:

–e macaddr
–-macaddr macaddr

Specifies the MAC address of the client to delete.

installadm set-server [options] [sec_options]

Modifies the server configuration.

Note the following specifications:

  • If –i and –c options are used, and a DHCP server is not yet configured, an ISC DHCP server is configured.

    If an ISC DHCP server is already configured, that DHCP server is updated.

    Even when –i and –c arguments are provided and DHCP is configured, no binding exists between the install service being created and the IP range. When –i and –c are passed and the value of all_services/manage_dhcp is true, the IP range is set up, a new DHCP server is created if needed, and that DHCP server remains up and running for all install services and all clients to use. The network information provided to the DHCP server has no specific bearing on the service being created.

  • If the IP range requested is not on a subnet that the install server has direct connectivity to and the install server is multihomed, the –B option is used to provide the address of the bootfile server (usually an IP address on this system). This should only be necessary when multiple IP addresses are configured on the install server and DHCP relays are employed. In all other configurations, the software can determine this automatically.

Where [options] is at least one of:

–p <port>
–-port <port>

Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555.

If you want to use a different port number from the default, customize the port property before you create any install services.

–P <secure_port>
–-secure-port <secure_port>

Specifies the port that hosts the secure AI install + services web server. By default, the web server is + hosted on port 5556.

–d <directory>
–-imagepath-basedir <directory>

Specifies the default location for images created by the installadm create-service command. Images are located at <directory>/service_name. The default value of this property is /export/auto_install.

–u|–-enable-webui

Enables the AI Manifest Wizard Web UI, and is mutually exclusive with the –U option.

–U|–-disable-webui

Disables the AI Manifest Wizard Web UI, and is mutually exclusive with the –U option.

–z|–-enable-wizard-save

Enables the AI Manifest Wizard to write generated manifests to a temporary location on the AI server for ease of addition to a service through installadm. Mutually exclusive with the –Z option.

–Z|–-disable-wizard-save

Disables the AI Manifest Wizard writing generated manifests to a temporary location on the AI server for ease of addition to a service through installadm. Mutually exclusive with the –z option.

–l all|<CIDR>[,...]
–-include-networks all|<CIDR>[,...]

Takes a comma-separated list of networks in CIDR format (for example, 192.168.56.0/24) to allow.

Use this list of networks to specify which clients this install server serves. Using this option will replace any networks already configured using –l or –L options.

Using this option will set the AI install server SMF all_services/networks and all_services/exclude_networks values. Specifically, this sets the all_services/exclude_networks property to false.

By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'all' value here.

–L none|<CIDR>[,...]
–-exclude-networks none|<CIDR>[,...]

Tells the server to exclude these networks when deciding what to serve out on, mutually exclusive with the –l option. Using this option will replace any networks already configured using –l or –L options.

Takes a comma-separated list of networks in CIDR format (for example, 192.168.56.0/24) to disallow.

Using this option will set the AI install server SMF all_services/networks and all_services/exclude_networks values. Specifically, this sets the all_services/exclude_networks property to true.

By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'none' value here.

–m
–-manage-dhcp

Configures the AI server property to manage the DHCP configuration locally. If set the AI server will automatically update the local ISC DHCP configuration when client and service configurations are modified in the install server.

If there is no existing ISC DHCP configuration, then the –i and –c options must also be specified to define the address range to manage.

Mutually exclusive with the –M option.

–M
–-unmanage-dhcp

Configures the AI server property to not manage the DHCP configuration locally, so the AI server will not automatically maintain the ISC DHCP configuration when client or service configurations are modified.

Mutually exclusive with the –m option.

–i <dhcp_ip_start> –c <count_of_ipaddr>
–-ip-start <dhcp_ip_start> –-ip-count <count_of_ipaddr>

Changes the DHCP configuration if managing DHCP, the –i and –c options must be specified together.

If not already managing DHCP, it will be necessary to also specify the –m option to enable it.

These options are used to specify the starting IP address in a range to be added to the local DHCP configuration.

The number of IP addresses is provided by the –c option. If a local ISC DHCP configuration does not exist, and –m is also specified, an ISC DHCP server is started.

If a local ISC DHCP configuration already exists these addresses will be added to the existing set of managed addressed, provided there is no overlap.

–B <server_ipaddr>
–-bootfile-server <server_ipaddr>

Used to provide the IP address of the boot server from which clients should request bootfiles. Only required if this IP address cannot be determined by other means.

–s
–-enable-security

Mutually exclusive with the -S option.

Re-enables security enforcement server-wide after security was disabled by using the –-disable-security option.

–S
–-disable-security

Mutually exclusive with the –s option.

Disables security enforcement server-wide. While security is disabled, no credentials will be issued to clients, and no credentials will be required from clients. While security is disabled, no HTTPS network protection is provided for any of the AI files served to an AI client. User-specified secure files served by the AI web server are not accessible while security is disabled.

While security is disabled, you can continue to configure security. Any changes are effective when security is re-enabled.

Use caution when disabling security for systems that already have install services configured: The secured AI service data will not require authentication to access, and non-authenticated clients will be able to install Oracle Solaris through AI.

–D
–-default-client-security

Limits the [sec_options] to modifying the default client security only as opposed to the server's security settings.

The [sec_options] can be any of the following. By default they are applied to the server, unless the –D|–-default-client-security option is specified:

–x [–-hash <ca-hash> [–r]]
–-delete-security [–-hash <ca-hash> [–-recursive]]

Delete any configured security. If –-hash is specified, only CA Certificates with that hash will be removed.

Without –r, deletes the CA certificate previously assigned to the install server (or the default client with –D specified).

With –r, deletes the specified CA certificate for the server and any clients that use that CA certificate.

Deletes the CA certificate previously assigned to the install server, the specified client, default clients.

The value of <ca-hash> is the hash value of the certificate's X.509 subject. Use the list -v subcommand to display the CA certificate hash.

When the CA certificate is deleted for a client, that client can no longer be authenticated. If you use the specified CA certificate to generate certificates, the installadm command will not be able to generate certificates.

–g
–-generate-all-certs

Automatically generates and assigns all X.509 + security credentials and generates OBP keys. The CA + certificate and OBP keys are generated only if they + do not already exist.

–A <ca-certfile>...
–-ca-cert <ca-certfile>...

Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.

–C <certfile> –K <keyfile>
–-cert <certfile> –-key <keyfile>

–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.

–K assigns a user-provided PEM-encoded X.509 private key located at path <keyfile>. The <keyfile> must have any passphrase removed.

The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.

If you also specify –A options then this certificate and key will be validated against those CA Certificates.

–E
–-generate-encr-key

Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key.

OBP keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before OBP keys exist is an error. You can specify both OBP key options, or you can specify either –E or –H. The OBP keys that already exist are invalidated and replaced with the newly generated values.

–H
–-generate-hmac-key

Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key.

installadm execute –f <file>

Executes a list of subcommands from <file> in sequence as a batch job.

Has the added benefit of leaving refresh/restart of SMF services until the completion of the batch run.

The required arguments are:

–f <file>
–-file <file>

The file containing a list of subcommands to be executed, one line per subcommand.

Blank lines, and those starting with a '#' are ignored.

Interactive Mode

Interactive Mode

The interactive mode provides an installadm prompt at which it is possible to enter subcommands one after the other. The main benefits of interactive mode are:

  • To input several commands using just the subcommand form, especially useful if using sudo or pfexec to run installadm with additional privileges or authorisations.

  • Tab-completion of the subcommands.

In interactive mode, there are several other commands available to use that are not used by the one-command usage:

shell [<command>]

If specified, will execute the <command> in a sub-shell based on the value of the environment variable SHELL.

Without any parameters will start a sub-shell to be used interactively.

There is also a short-form of this command '!' that can be used as "!ls" to execute the ls command.

quit

Quits the interactive prompt.

Criteria

Criteria

Manifests, derived manifest scripts, and profiles can be used to configure AI clients differently according to certain characteristics, or criteria. Only one manifest or script can be associated with a particular client. Any number of profiles can be associated with a particular client.

The criteria values are determined by the AI client during startup.

See the “Examples” section to see how to specify criteria on the command line. For information about creating a criteria file, see Installing Oracle Solaris 11.2 Systems .

Criteria
Description
arch
Architecture per uname -m.
cpu
CPU class per uname -p.
hostname
Assigned host name.
ipv4
IP version 4 network address.
mac
Hexadecimal MAC address with colon (:) separators.
mem
Memory size in MB per prtconf(1M).
network
IP version 4 network number.
platform
Platform name returned by uname -i for x86 systems and prtconf -b for SPARC systems.
zonename
Name of a zone per zones(5).

The ipv4, mac, mem, and network specifications can be expressed as ranged values seperated by a hyphen (-). To specify no limit to one end of a range, use unbounded. Precedence is given to specific value matches versus range matches when determining a matching manifest.

The arch, cpu, hostname, platform, and zonename specifications can be expressed as a quoted list of values separated by white space.

Install Server Configuration Properties

Install Server Configuration Properties

The following properties of the svc:/system/install/server:default SMF service are used to configure the install server.

The majority of these are configurable using the set-server subcommand which would be the preferred mechanism for updating them.

all_services/networks

A list of networks in CIDR format (for example, 192.168.56.0/24) to allow or disallow, depending on how the all_services/exclude_networks property is set.

Use this list of networks to specify which clients this install server serves. By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed.

all_services/exclude_networks

A boolean value. If true, exclude networks specified by the all_services/networks property from being served by this install server. If false, include the networks specified by the all_services/networks property.

all_services/port

Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555.

If you want to use a different port number from the default, customize the port property before you create any install services.

all_services/secure_port

Specifies the port that hosts the secure AI install services web server. By default, the web server is hosted on port 5556.

all_services/webserver_files_dir

Specifies a directory on the local system that the AI web server will serve using its standard port (defined by the all_services/port property). This directory will be accessible at the following location:

http://hostname:port/webserver_files_dir

all_services/webserver_secure_files_dir

Specifies a directory on the local system that the AI web server will serve using its secure port (defined by the all_services/secure_port property). This directory will be accessible at the following location:

https://hostname:secure_port/webserver_secure_files_dir

Only authenticated clients can access this directory. For greatest security, files in the webserver_secure_files_dir directory should be owned by user webservd and group webservd and have no world access.

all_services/default_imagepath_basedir

Specifies the default location for images created by the installadm create-service command. Images are located at all_services/default_imagepath_basedir/service_name. The default value of this property is /export/auto_install.

all_services/manage_dhcp

A boolean value. If true, automatically update the local ISC DHCP configuration when client and service configurations are modified in the install server. If false, does not automatically maintain the ISC DHCP configuration.

Examples

Example 1 Set Up a New x86 Install Service From a Package Repository

Set up an install server and an x86 install service for the first time.

If you are not using the SPARC OBP's network-boot-arguments variable to configure an AI client, then a DHCP server must be configured to supply the AI service configuration. If you already have the OBP or DHCP server configured, this step may be skipped. Otherwise, installadm can setup and manage a local ISC DHCP server for AI clients to boot from. To configure this you can use the set-server subcommand:

The set-server subcommand is used to set a starting IP address and total count of IP addresses, in order to configure the DHCP server.

# installadm set-server -i 172.0.0.10 -c 10

The starting IP address of 172.0.0.10 and 10 IP addresses are added to the local ISC DHCP configuration. If a local ISC DHCP configuration does not exist, an ISC DHCP server is started.

If you do not specify a source for the net image, an IPS package is used, for example:

# installadm create-service -y

On an x86 install server, this command sets up an x86 net image and install service with a default name in a directory at the image location specified by the value of the all_services/default_imagepath_basedir property. For the default value of this property, see “Install Server Configuration Properties.” The –y option confirms that the default location is acceptable. Since the architecture is not specified, the service created is of the same architecture as the install server. This command assumes that a package repository on the pkg publisher list for the install server contains the install-image/solaris-auto-install package.

The command sets up a net image and an install service using the default image path and the service name, /export/auto_install/sol-11_1-i386.

Because this is the first x86 service created, the default-i386 service is automatically created and aliased to this service. The default-i386 alias is operational, and a client booted through PXE will boot and install from the default-i386 service if not specifically configured using create-client.

Example 2 Set Up a New SPARC Install Service From a Package Repository

To specify the creation of a SPARC service on an x86 install server, use the –a option:

# installadm create-service -y -a sparc

If you do not specify a source for the net image, an IPS package is used by default.

This net image enables SPARC client installations.

Because this is the first SPARC service created, the default-sparc service is automatically created and aliased to this service. The default-sparc alias is operational, and a SPARC client will boot and install from the default-sparc service.

Example 3 Set Up an x86 Install Service From a Different Package Repository

By default, the solaris-auto-install package is obtained from the systems configured publishers.

To specify an alternative package repository for the solaris-auto-install package, use the –p option. For example, use the following command to specify the ai-image publisher located at http://example.company.com:4281 as the publisher of the solaris-auto-install package:

# installadm create-service -y \
-p ai-image=http://example.company.com:4281
Example 4 Set Up a New x86 Install Service From an ISO File

An x86 install service can be created from an ISO image using:

# installadm create-service -n sol-11_1-i386 \
-s /export/isos/sol-11_1-ai-x86.iso \
-y

The AI ISO image is at /export/auto_install/sol-11_1-sparc. The command sets up a net image and an install service at /export/images/sol-11_1-i386 that is based on the AI ISO image. This net image enables client installations.

Example 5 Set Up a New SPARC Install Service From an ISO File

A SPARC install service from an ISO image can be created using the command:

# installadm create-service -n sol-11_1-sparc \
-s /export/isos/sol-11_1-ai-sparc.iso \
-d /export/images/sol-11_1-sparc

The AI ISO image is at /export/isos/sol-11_1-ai-sparc.iso. The command sets up a net image and an install service at /export/images/sol-11_1-sparc that is based on the AI ISO image. This net image enables client installations.

Example 6 Associate a Client With an Install Service

Use the following sample command to associate a client with a specific install service. The install service must already exist.

# installadm create-client -b "console=ttya" \
-e 0:e0:81:5d:bf:e0 -n sol-11_1-i386

In this example, the command creates a client-specific setup for the system with MAC address 0:e0:81:5d:bf:e0. This client will use the install service previously set up, named sol-11_1-i386, and that service's associated net image. The command sets the boot property console=ttya in the client-specific boot configuration file in /etc/netboot.

Example 7 Add a New Install Service Without Modifying the Default Service

Use the following sample command to add a new service named sol-11-sparc, retaining existing services, and leaving the existing default unchanged.

# installadm create-service -n sol-11-sparc \
-s /export/isos/sol-11-1111-ai-sparc.iso \
-d /export/ai/sol-11-sparc
Example 8 Update the default-i386 Service

Use the following sample command to update the default-i386 alias service to be associated with the latest available image. The installadm list command shows the service before and after the command. The example assumes that an updated net image package is available from the publisher that was originally used to create the default-i386 service alias.

# installadm list
Service Name    Base Service        Status Arch  Type Ali Cli Man Pro
------------    --------        ------ ----  ---- --- --- --- ---
default-i386    solaris11-i386  on     i386  pkg  0   1   1   0
solaris11-i386  -               on     i386  pkg  1   0   1   0
# installadm update-service default-i386
...
Creating new i386 service: solaris11_1-i386
Aliasing default-i386 to solaris11_1-i386 ...
...
# installadm list
Service Name      Base Service          Status Arch  Type Ali Cli Man Pro
------------      --------          ------ ----  ---- --- --- --- ---
default-i386      solaris11_1-i386  on     i386  pkg  0   1   1   0
solaris11-i386    -                 on     i386  pkg  0   0   1   0
solaris11_1-i386  -                 on     i386  pkg  1   0   1   0
Example 9 Add a New Install Service and Update the default-sparc Service

Use the following two sample commands to add a new service named my-sparc-service , retaining existing services, and making the new service the default for SPARC clients.

# installadm create-service -n solaris11_1-sparc \

-s /export/isos/sol-11_1-ai-sparc.iso \
-d /export/ai/solaris11_1-sparc
# installadm set-service \
--aliasof=solaris11_1-sparc default-sparc
Example 10 Add a Custom Default AI Manifest to an Install Service

Use the following sample command to add a new manifest to the sol-11_1-i386 install service, and make it the service's default manifest. The manifest data is in my_default.xml. Future installadm commands will refer to this manifest as my_default. The –d option makes it the default manifest for the service.

# installadm create-manifest -d -f my_default.xml \
-m my_default -n sol-11_1-i386
Example 11 Add a Derived Manifests Script to an Install Service

Use the following sample command to add a derived manifests script named my_script to an existing install service named solaris11_1-i386 . Scripts are added in the same way that manifests are added.

# installadm create-manifest -f my_script.py \
-m my_script -n solaris11_1-i386

See Installing Oracle Solaris 11.2 Systems for information about how to create derived manifest scripts.

Example 12 Replace the Default AI Manifest for an Install Service

Use the following sample command to replace the default manifest for an existing install service, sol-11_1-sparc, with a custom manifest that has already been added to the service as custom_manifest. The manifest was added to the service by specifying -m custom_manifest to the create-manifest subcommand.

# installadm set-service \
--default-manifest=custom_manifest sol-11_1-sparc
Example 13 List Install Services

Use the following sample command to list the install services on a local server.

# installadm list
Service Name            Base Service                Status  Arch  Type Ali Cli Man Pro
------------            --------                ------  ----  ---- --- --- --- ---
default-i386            solaris11_1_6_2_0-i386  on      i386  pkg  0   1   1   0
default-sparc           solaris11_1_6_2_0-sparc on      sparc pkg  0   0   1   0
solaris11_1_6_2_0-i386  -                       on      i386  pkg  1   0   1   0
solaris11_1_6_2_0-sparc -                       on      sparc pkg  1   0   1   0
Example 14 List Clients Associated With an Install Service

Use the following sample command to list the clients of a specific install service on a local server.

$ installadm list -c -n default-i386
Service Name Client Address    Arch Secure Custom Args Custom Grub
------------ --------------    ---- ------ ----------- -----------
default-i386 00:11:22:33:44:55 i386 no     yes         no
             AA:BB:CC:DD:EE:FF i386 no     no          no
Example 15 List Manifests Associated With an Install Service

Use the following sample command to list the manifests and derived manifest scripts associated with a specific install service on a local server.

$ installadm list -m -n default-sparc
Service Name  Manifest Name   Type    Status            Criteria 
------------  -------------   ----    ------            --------
default-sparc mem             xml     active            mem = 4086 MB
              custom_manifest xml     default / active  mem = 512 - 
                                                        1024 MB 
              orig_manfiest   xml     inactive          none
              test_derived    derived inactive          none 

    This example shows the following output:

  • A non-default manifest with criteria (mem)

  • A default manifest with criteria indicating it is still active (custom_manifest)

  • A non-default manifest (orig_default) that is marked inactive because it has no criteria and it is not the default

  • A non-default derived manfest that is marked inactive because it has no criteria and it is not the default

Example 16 List Profiles

Use the following sample command to list the system configuration profiles for all install services on a local server.

$ installadm list -p
Service Name            Profile Name       Criteria
------------            ------------       --------
solaris11_1_6_2_0-i386  sc_all-i386.xml    none
solaris11_1_6_2_0-sparc sc_all-sparc.xml   none
                        sc_network.xml     ipv4    = 10.0.2.100 - 10.0.2.199
                                           network = 10.0.0.0
Example 17 Add a Custom AI Manifest With No Name to an Install Service

Use the following sample command to add the manifest in /export/my_manifest.xml to sol-11_1-i386 with a criterion of MAC address equaling aa:bb:cc:dd:ee:ff.

# installadm create-manifest \
-f /export/my_manifest.xml -n sol-11_1-i386 \
-c mac="aa:bb:cc:dd:ee:ff"

In this example, the manifest does not contain a name attribute, so the manifest name is taken from the file name.

$ installadm list -m -n sol-11_1-i386
Service Name  Manifest Name   Type Status   Criteria
------------  -------------   ---- ------   --------
sol-11_1-i386 my_manifest.xml xml  active   mac = AA:BB:CC:DD:EE:FF
              orig_default    xml  default  none
Example 18 Add a Custom AI Manifest With a Custom Name to an Install Service

Use the following sample command to add the manifest in /export/my_manifest.xml to sol-11_1-i386 with the criterion of IPv4 range from 10.0.2.100 and 10.0.2.199.

# installadm create-manifest \
-f /export/my_manifest.xml \
-n sol-11_1-i386 -m custom_name \
-c ipv4="10.0.2.100-10.0.2.199"

In this example, the manifest name is taken from the –m option.

$ installadm list -m -n sol-11_1-i386
Service Name  Manifest Name   Type Status   Criteria
------------  -------------   ---- ------   --------
sol-11_1-i386 custom_name     xml  active   ipv4 = 10.0.2.100 - 10.0.2.199
              orig_default    xml  default  none
Example 19 Add a Custom AI Manifest With Name Specified In the Manifest

Use the following sample command to add the manifest in /export/manifest3.xml to sol-11_1-i386 with criteria of 2048 MB memory or greater and an architecture of i86pc.

# installadm create-manifest \
-f /export/manifest3.xml -n sol-11_1-i386 \
-c mem="2048-unbounded" -c arch=i86pc

In this example, the manifest name is taken from the name attribute of the ai_instance element in the manifest, as shown in the following partial manifest:

<auto_install>
    <ai_instance name="my_name" />
</auto_install>
$ installadm list -m -n sol-11_1-i386
Service Name Manifest Name Type Status  Criteria
------------ ------------- ---- ------  --------
sol-11_1-i386 my_name       xml  active  arch = i86pc
                                         mem  = 2048 - unbounded
              orig_default  xml  default none
Example 20 Add a System Configuration Profile To an Install Service

Use the following sample command to add the profile in /export/profile4.xml to sol-11_1-i386 with criteria of any of the host names myhost1, host3, or host6 .

# installadm create-profile \
-f /export/profile4.xml -n sol-11_1-i386 -p profile4 \
-c hostname="myhost1 host3 host6"
$ installadm list -p -n sol-11_1-i386
Service Name  Profile Name Criteria
------------  ------------ --------
sol-11_1-i386 profile4     hostname = myhost1, host3, host6
Example 21 Add a System Configuration Profile For All Clients

If you do not specify criteria, then the profile is used by all clients that use the specified install service. In the following example, the created profile is used by all clients that use the sol-11_1-i386 service.

# installadm create-profile -f /export/locale.xml \

-n sol-11_1-i386
$ installadm list -p -n sol-11_1-i386
Service Name  Profile Name Criteria
------------  ------------ --------
sol-11_1-i386 profile4     hostname = myhost1, host3, host6
              locale.xml   none
Example 22 Add a System Configuration Profile With Variables

A profile can use variables that are replaced with custom client configuration information at client installation time. Using such variables, a profile file can be reused for any number of different systems.

This example uses one system configuration profile file to assign each install client a unique host name. The hostname.xml file contains the following line:

<propval name="nodename" value="{{AI_HOSTNAME}}"/>

At installation time, {{AI_HOSTNAME}} is replaced with the actual host name of that system. For example, when hostname.xml is used to configure the client with host name myhost1, the hostname.xml profile contains the following line:

<propval name="nodename" value="myhost1"/>

For more information about using replacement tags with profiles, see Using System Configuration Profile Templates in Installing Oracle Solaris 11.2 Systems .

Example 23 Add Criteria To an Existing Manifest

Use the following sample command to append the criterion of 4096 MB memory or greater to the criteria of manifest2 of sol-11_1-i386 .

# installadm set-criteria -m manifest2 \
-n sol-11_1-i386 -a mem="4096-unbounded"
Example 24 Replace the Criteria for an Existing Manifest

Use the following sample command to replace the criteria of manifest2 of sol-11_1-i386 with the criteria specified in the file /tmp/criteria.xml.

# installadm set-criteria -m manifest2 \
-n sol-11_1-i386 -C /tmp/criteria.xml

See Installing Oracle Solaris 11.2 Systems for information about the contents of the criteria XML file.

Example 25 Validate Profile Files Under Development

Use the following sample command to validate the profiles stored in the files myprofdir/myprofile.xml and yourprofdir/yourprofile.xml during their development.

# installadm validate -P myprofdir/myprofile.xml \

-P yourprofdir/yourprofile.xml -n sol-11_1-i386
Example 26 Export Profile Contents

Use the following sample command to export the profile myprofile.xml in the service sol-11_1-i386.

# installadm export -p myprofile -n sol-11_1-i386
Example 27 Replace the Contents of an Existing AI Manifest

Use the following sample command to update the manifest in service sol-11_1-i386 that has the manifest name, or AI instance name, spec with the contents of the manifest in the file /home/admin/new_spec.xml .

# installadm update-manifest -n sol-11_1-i386 \
-f /home/admin/new_spec.xml -m spec
Example 28 Export and Update an Existing AI Manifest

Use the following sample commands to export the data of an existing manifest named spec in service sol-11_1-i386, and then update the manifest with modified content.

# installadm export -n sol-11_1-i386 -m spec \
-o /home/admin/spec.xml

Make changes to /home/admin/spec.xml.

$ pfexec installadm update-manifest -n sol-11_1-i386 \
-f /home/admin/spec.xml -m spec
Example 29 Export and Update an Existing Profile

Use the following sample commands to export the data of an existing profile named prof1 in service sol-11_1-i386, and then update the profile with modified content.

# installadm export -n sol-11_1-i386 -p prof1 \
-o /home/admin/prof1.xml

Make changes to /home/admin/prof1.xml.

# installadm update-profile -n sol-11_1-i386 \
-f /home/admin/prof1.xml -p prof1
Example 30 Set Initial Server Authentication

The first step in configuring security is to assign server credentials. Use the following command to generate all server security credentials automatically:

# installadm set-server --generate-all-certs
Generating server credentials...
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key for server authentication only, enter this OBP command:
  set-security-key wanboot-aes 8bd64e25e00497f194fa93de2a92157c
enerating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key for server authentication only, enter this OBP command:
  set-security-key wanboot-hmac-sha1 4cff95a8fb0b08699de9f1ca5e5251a796b497de
Configuring web server security.
Changed Server
Refreshing SMF service svc:/system/install/server:default
Configuring web server security.
Example 31 Set Initial Default Client Authentication

Assign default client credentials so that the identity of clients can be verified to the server. Use the following command to generate a set of default client credentials. These credentials will be used for any AI client that does not have credentials assigned by specifying the client's MAC address or by specifying the install service that client will use.

$ installadm set-server --default-client-security \
         --generate-all-certs
Generating default client credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
  set-security-key wanboot-aes c17e4842331456680d818f4ef515f222
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
  set-security-key wanboot-hmac-sha1 f3e943d6669835264fcaf0f7fbfb80e45beea7f3
Changed Server
Example 32 Set Client Authentication for a Specific SPARC Client

Generate and assign unique X.509 credentials and OBP keys to a SPARC client:

$ installadm set-client -e 2:0:0:0:0:0 \\
         --generate-all-certs
Generating credentials for client 02:00:00:00:00:00...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
  set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
  set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b
Changed Client : '02:00:00:00:00:00'
Example 33 Display the OBP Keys for a Specific Client

Some time after the SPARC client has been configured, you need to know how to set the security keys for that client in the OBP. Use the installadm "list -e <macaddr>" command with the –-verbose option to display the required OBP keys:

# installadm list -e 2:0:0:0:0:0 -v
Service Name Client Address    Arch  Secure Custom Args Custom Grub
------------ --------------    ----  ------ ----------- -----------
solaris11_2  02:00:00:00:00:00 sparc yes    no          no

   Client Credentials?  yes
   Security Key? ...... yes
   Security Cert:
                  Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=CID 01020000000000
                  Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                  Valid from: May 20 10:20:00 2013 GMT
                          to: May 18 10:20:00 2023 GMT
   CA Certificates:
         d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                  Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                  Valid from: May 20 09:50:00 2013 GMT
                          to: May 18 09:50:00 2023 GMT
   OBP Encr Key (AES) . 42a04f73ee6950859febb96d97b7d2bd
   OBP Hash (HMAC) .... 7fbed772b69bf104e5e2f72a4c47d42b62bf074b
   Boot Args .......... -

The displayed Key and Hash can be set by using the OBP set-security-key commands at the ILOM or ALOM system console at the ok prompt, for example:

set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd
set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b
Example 34 Enforce Client Authentication for All Clients of an AI Service

The following command requires client and server authentication for all clients of the sol-11_2-sparc install service. The 'optional' security policy value is the default value.

# installadm set-service -p require-client-auth -n
sol-11_2-sparc
Security policy for service sol-11_2-sparc changing
from 'optional' to 'require-client-auth'.
Changed Service : 'sol-11_2-sparc'
Refreshing SMF service svc:/system/install/server:default

All clients of the sol-11_2-sparc install service must be assigned and must supply valid security X.509 client and server authentication credentials. Since this is a SPARC install service, OBP firmware security keys must be entered for all clients.

Example 35 Generate Default Credentials for All Clients of a Specified Install Service

The following command generates credentials that will be attributed to any client of the solaris11_2-sparc install service that does not have custom client credentials. See Example 30, “Set Client Authentication for a Specific SPARC Client,” for an example of assigning custom client credentials.

# installadm set-service  -n sol-11_1-sparc \
  --generate-all-certs
Generating credentials for service sol-11_1-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
To set the OBP encryption key, enter this OBP command:
  set-security-key wanboot-aes 0bd1d30d603174b7fc3ee7fd7654c3c8
Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key, enter this OBP command:
  set-security-key wanboot-hmac-sha1 35caa0c8596585c852f120d3872e9227e724496e
Changed Service : 'sol-11_1-sparc'

These credentials are also attributed to any clients that are subsequently assigned to the solaris11_2-sparc install service by using the create-client subcommand.

When you use default credentials, multiple clients are assigned identical credentials and can view each other's installation data.

Example 36 Produce a Security Summary Listing

When "installadm list" is run with sufficient authorisations, it will by default list a summary of the security of the server, service and/or client:

# installadm list -s
AI Server Parameter  Value
-------------------  -----
Hostname ........... ai-server
Architecture ....... i386
Active Networks .... 10.0.0.1
Image Path Base Dir . /export/auto_install
Managing DHCP? ..... yes
Security Enabled? .. yes
Server Credentials? .. yes
Number of Services . 12
Number of Clients .. 4
Number of Manifests  19
Number of Profiles . 5
 
# installadm list
Service Name            Base Service          Status Arch  Type Secure Ali Cli Man Pro
------------            --------          ------ ----  ---- ------ --- --- --- ---
default-i386            solaris11_2-i386  on     i386  pkg  no     0   1   4   0
default-sparc           solaris11_2-sparc on     sparc pkg  no     0   0   3   0
solaris11_1_6_2_0-i386  -                 on     i386  pkg  no     1   0   2   2
solaris11_1_6_2_0-sparc -                 on     sparc pkg  no     1   0   1   2
solaris11_2-i386        -                 on     i386  pkg  yes    0   0   1   0
solaris11_2-sparc       -                 on     sparc pkg  yes    0   2   2   0

# installadm list -c
Service Name            Client Address    Arch  Secure Custom Args Custom Grub
------------            --------------    ----  ------ ----------- -----------
default-i386            00:11:22:33:44:55 i386  yes    yes         no
solaris11_1_6_2_0-sparc AA:BB:CC:DD:EE:FF sparc yes    no          no
solaris11_2-sparc       02:00:00:00:00:00 sparc yes    no          no
                        03:00:00:00:00:00 sparc yes    no          no
Example 37 Produce a Security Verbose Listing

When "installadm list -v" is run with sufficient authorisations, verbose output of the security configuration of the server, service and/or client (some output omitted for brevity):

# installadm list -sv
AI Server Parameter      Value
-------------------      -----
...
Security Enabled? ...... yes
Server Credentials? .... yes
Security Key? .......... yes
Security Cert:
              Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
              Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
              Valid from: May 20 09:50:00 2013 GMT
                     to: May 18 09:50:00 2023 GMT
CA Certificates:
      d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
               Valid from: May 20 09:50:00 2013 GMT
                      to: May 18 09:50:00 2023 GMT
      f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
               Valid from: May 20 09:50:00 2013 GMT
                      to: May 18 09:50:00 2023 GMT
OBP Encr Key (AES) ..... 8bd64e25e00497f194fa93de2a92157c
OBP Hash (HMAC) ........ 4cff95a8fb0b08699de9f1ca5e5251a796b497de
Def Client Credentials?  yes
Def Client Sec Key? .... yes
Def Client Sec Cert:
               Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
               Valid from: May 20 09:52:00 2013 GMT
                      to: May 18 09:52:00 2023 GMT
Def Client CA Certs .... none
Def Client OBP Encr Key  c17e4842331456680d818f4ef515f222
Def Client OBP Hash .... f3e943d6669835264fcaf0f7fbfb80e45beea7f3
...

# installadm list -v -n solaris11_2-sparc
Service Name   Base Service Status Arch  Type Secure Ali Cli Man Pro
------------   --------     ------ ----  ---- ------ --- --- --- ---
sol-11_2-sparc -            on     sparc iso  yes    0   2   1   0

   ...
   Supports Security? .. yes
   Security Enabled? ... yes
   Security Policy ..... require-client-auth
   Service Credentials?  yes
   Security Key? ....... yes
   Security Cert:
                 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=AI Service sol-11_2-sparc
                 Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                 Valid from: May 20 10:33:00 2013 GMT
                         to: May 18 10:33:00 2023 GMT
   CA Certificates ..... none
   OBP Encr Key (AES) .. 0bd1d30d603174b7fc3ee7fd7654c3c8
   OBP Hash (HMAC) ..... 35caa0c8596585c852f120d3872e9227e724496e
Example 38 Add a New CA Certificate for Validating Client Certificates

The following command adds a CA certificate in a file named cert.pem :

$ installadm set-server --default-client-security --ca-cert cert.pem
Assigning default client credentials...
A new CA certificate has been filed.
Changed Server

This CA certificate will be available to authenticate any client certificates that require it.

Example 39 Assign New X.509 Credentials

The following command assigns a new X.509 certificate and private key and a new CA certificate for the install server:

$ installadm set-server -A cacert.pem -K server.key -C server.crt
Assigning server credentials...
The key has been replaced.
The certificate has been replaced
A new CA certificate has been filed.
Configuring security for user-specified server cert
Configuring web server security.
Changed Server
Refreshing SMF service svc:/system/install/server:default
Example 40 Delete a CA Certificate by Hash Value

The following command deletes the specified CA certificate for all clients that use that CA certificate. The value of the –-ca-cert option argument is the hash value of the certificate's X.509 subject. Use the –y option to suppress the prompt to confirm that you want to delete the CA certificate.

$ installadm set-server --delete-security \
         --recursive --hash d09051e4
         Identifier hash: d09051e4
         Subject: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
         Issuer: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
         Valid from May 20 11:09:00 2013 GMT to May 18 11:09:00 2023 GMT
        This CA has the following uses:
                Note: this is the server CA certificate
                Client default
                Note: this is the root CA certificate
        Deleting this Certificate Authority certificate can prevent
            credentials from validating.
        Do you want to delete this Certificate Authority certificate [y|N]: y
          Identifier hash: d09051e4
          Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
          Issuer: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
          Valid from May 20 09:50:00 2013 GMT to May 18 09:50:00 2023 GMT
        This CA has the following uses:
                Note: this is the server CA certificate
                Client default
                Note: this is the root CA certificate
        Deleting all references to Certficate Authority with hash value d09051e4
        Changed Server
Example 41 View AI Server Configuration Parameters

To see the current values for the AI server's most common parameters and a summary of some, you can use the list -s command:

# installadm list -s
AI Server Parameter  Value
-------------------  -----
Hostname ........... ai-server
Architecture ....... i386
Active Networks .... 10.0.0.1
Default Image Path . /export/auto_install
Managing DHCP? ..... yes
Security Enabled? .. yes
Server Credentials? .. yes
Number of Services . 12
Number of Clients .. 4
Number of Manifests  19
Number of Profiles . 5

To view more detailed information, and some of the less common parameters, use verbose mode:

# installadm list -sv
AI Server Parameter      Value
-------------------      -----
Hostname ............... ai-server
Architecture ........... i386
Active Networks ........ 10.0.0.1
Http Port .............. 5555
Secure Port ............ 5556
Default Image Path ..... /export/auto_install
Multi-Homed? ........... yes
Managing DHCP? ......... yes
DHCP IP Range .......... none
Boot Server ............ -
Web UI Enabled? ........ yes
Wizard Saves to Server?  no
Security Enabled? ...... yes
Server Credentials? .... yes
Security Key? .......... yes
Security Cert:
               Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
               Valid from: May 20 11:09:00 2013 GMT
                       to: May 18 11:09:00 2023 GMT
CA Certificates:
      f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
               Valid from: May 20 11:09:00 2013 GMT
                       to: May 18 11:09:00 2023 GMT
OBP Encr Key (AES) ..... 8bd64e25e00497f194fa93de2a92157c
OBP Hash (HMAC) ........ 4cff95a8fb0b08699de9f1ca5e5251a796b497de
Def Client Credentials?  yes
Def Client Sec Key? .... yes
Def Client Sec Cert:
               Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
               Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
               Valid from: May 20 11:09:00 2013 GMT
                       to: May 18 11:09:00 2023 GMT
Def Client CA Certs .... none
Def Client OBP Encr Key  c17e4842331456680d818f4ef515f222
Def Client OBP Hash .... f3e943d6669835264fcaf0f7fbfb80e45beea7f3
Number of Services ..... 12
Number of Clients ...... 4
Number of Manifests .... 19
Number of Profiles ..... 5
Example 42 Invoke Interactive Mode

Interactive mode is entered by just issuing the installadm command without any parameters. For example:

# installadm
installadm> create-service -n s11-1-i386 -a i386 -y
...
installadm> create-profile -n s11-1-i386 -f initial_profile.xml
...
installadm> quit

Similarly, interactive mode can be useful when wishing to invoke several commands interactively using a root role through su:

$ su root -c /usr/sbin/installadm
installadm> create-manifest -n s11-2-sparc -f /tmp/manifest.xml
...
installadm> create-profile -n s11-2-sparc -f /tmp/static_net.xml
...
Example 43 Execute Several Commands In Batch

Running several commands in batch mode has the benefit of delaying the refreshing of the SMF services until all commands have completed.

To run several subcommands you must first populate the file:

$ cat >> /tmp/batch <<_EOF
create-service -n my_sparc -a sparc
create-service -n my_i386 -a i386
create-manifest -n my_sparc -f /tmp/new_default.xml -d
create-manifest -n my_i386 -f /tmp/new_default.xml -d
...
_EOF
# installadm execute -f /tmp/batch
...

Exit Status

The following exit values are returned:

0

The command was processed successfully.

1

An error occurred.

2

Invalid command line options were specified.

3

A service's version is not supported by installadm.

4

No changes were made - nothing to do.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
install/installadm
Interface Stability
Committed

See Also

aimanifest(1M), sysconfig(1M), ickey(1M), ai_manifest (4), service_bundle (4), dhcp(5) , smf(5), environ (5)

Part III, Installing Using an Install Server, in Installing Oracle Solaris 11.2 Systems

Transitioning From Oracle Solaris 10 JumpStart to Oracle Solaris 11.2 Automated Installer