Specifying Configuration in a System Configuration Profile

Language:

You can specify configuration of any system characteristic that is configurable by using SMF properties. For example, the system configuration profile can configure a root account, an initial user, keyboard layout, terminal type, an IPv4 network interface (static or DHCP) and default route, an IPv6 network interface (static or addrconf) and default route, and name service (name server list, search list, domain). If you specify a service or property that does not apply, that specification is ignored. Do not specify any particular property more than one time.

If you are not sure which SMF properties you need to specify, you can use the describe subcommand of the svccfg command to display a description of the property groups and properties of a service, including possible settings. See “Property Inspection and Modification Subcommands” on the svccfg(1M) man page.

svccfg -s FMRI describe [-v] [-t] [property-group/property]

A property group or specific property can be queried by specifying either the property group name, or the property group name and property name separated by a slash (/), as an argument.

The –v option gives all information available, including descriptions for current settings, constraints, and other possible setting choices.

The –t option shows only the template data for the selection (see the smf_template(5) man page), and does not display the current settings for property groups and properties.

$ svccfg -s name-service/switch describe config
config application
Name service switch configuration data as described in nsswitch.conf(5).
config/value_authorization astring solaris.smf.value.name-service.switch
config/default astring files
Default configuration database entry.
config/host astring "files dns mdns"
Override configuration for host database lookups. (both IPv4 and IPv6 hosts)
config/printer astring "user files"
Override configuration for printer database lookups.
$ svccfg -s name-service/switch describe -v config
config application
name: config
type: application
required: true
target: this
description: Name service switch configuration data as described in nsswitch.conf(5).
config/value_authorization astring solaris.smf.value.name-service.switch
config/default astring files
type: astring
required: true
Default configuration database entry.
visibility: readwrite
minimum number of values: 1
maximum number of values: 1
value: files
...
$ svccfg -s name-service/switch describe -t config
name: config
type: application
Name service switch configuration data as described in nsswitch.conf(5).
name: default
type: astring
Default configuration database entry.
name: host
type: astring
Override configuration for host database lookups. (both IPv4 and IPv6 hosts)
name: password
type: astring
Override configuration for passwd database lookups. Also used with the shadow and user_attr databases.
name: group
type: astring
Override configuration for group database lookups.
name: network
type: astring
Override configuration for network database lookups.
...
$ svccfg -s system/config-user describe root_account
root_account application
root_account/expire astring
root_account/password astring
root_account/read_authorization astring solaris.smf.read.system-config
root_account/stability astring Evolving
root_account/type astring

Configuring Root and User Accounts

Enter the following sysconfig create-profile command with the users grouping to generate a valid profile that configures the root user and initial user.

# sysconfig create-profile -g users [-o directory]

The svc:/system/config-user SMF service configures user and root accounts. This service recognizes two property groups:

The root_account property group includes SMF properties that configure the root account.
The user_account property group includes SMF properties that configure user accounts.

Tip - Generate an encrypted password, or password hash, by using the pwhash command. You can provide the resulting hash for any account.

Configuring the Root Account

The root_account property group contains the properties listed in the following table.

Table 8 root_account Property Group Properties

Property	Type	Required	Description
`password`	`astring`	required	Encrypted root password. If you do not provide a root password, the root password is empty.
`type`	`astring`	optional	Account type: `normal` or `role`.
`expire`	`string`	optional	Expiration date for login. If set to 0 (zero), the user will be forced to change the root password at the next login.

Example 65 Configuring the Root Account Only With Password Expired

<service name="system/config-user" version="1" type="service">
    <instance name="default" enabled="true">
        <property_group name="root_account" type="application">
            <propval name="password" value="encrypted_password"/>
            <propval name="type" value="normal"/>
            <propval name="expire" value="0"/>
        </property_group>
    </instance>
</service>

Configuring a User Account

This section includes the following information:

Creating a User Account Without Depending on the Automounter
User Account Properties
Configuring Multiple Initial Users

Creating a User Account Without Depending on the Automounter

By default, when initial user accounts are created, the home directories are managed by the automounter and accessed under /home/login directories. To create initial user accounts without depending on the automounter, set the user_account/autohome property to the empty string ("") in the system configuration profile.

Setting the user_account/autohome property to the empty string has the following effects:

The home directory entry in the /etc/passwd file is set to the mount point of the home ZFS dataset, not to /home/login. The default mount point of the home ZFS dataset is /export/home/login.
No mapping entry is added to the /etc/auto_home file.

User Account Properties

The user_account property group contains the properties listed in the following table.

Table 9 user_account Property Group Properties

Property	Type	Required	Description
`login`	`astring`	`required`	User's login.
`password`	`astring`	`required`	Encrypted user password.
`description`	`astring`	`optional`	Usually the user's full name.
`shell`	`astring`	`optional`	Full pathname of the program used as the user's shell on login.
`uid`	`count`	`optional`	UID of the new user. y default the UID is set to the next number above the highest number currently assigned.
`gid`	`count`	`optional`	User's primary group membership. The default GID is 10, which is the `staff` group.
`type`	`astring`	`optional`	Account type: `normal` or `role`.
`profiles`	`astring`	`optional`	One or more comma-separated execution profiles defined in the `prof_attr`(4) man page.
`roles`	`astring`	`optional`	One or more comma-separated roles defined in the `user_attr`(4) man page.
`sudoers`	`astring`	`optional`	Entry added to the `/etc/sudoers.d/svc-system-config-user` file along with the `login`.
`expire`	`astring`	`optional`	Expiration date for the login. If set to 0 (zero), the user will be forced to change the password at the next login.
`home_zfs_dataset`	`astring`	`optional`	User's home directory ZFS dataset.
`home_mountpoint`	`astring`	`optional`	User's home directory mount point.
`autohome`	`astring`	`optional`	User's auto home directory mount point. The default value is the local host's `/export/home/login` directory. If the `autohome` property is set to the empty string (`""`), the user account is created without depending on the automounter. The property setting is stored in the `/etc/auto_home` file for the configured user.

Example 66 Configuring an Account That Does Not Use a Password

In this example, the password is set to NP so that the account can only be accessed using the su command as a privileged user or the ssh command with key-based authentication.

<service name="system/config-user" version="1" type="service">
    <instance name="default" enabled="true">
        <property_group name="user_account">
          <propval name="login" value="jack"/>
          <propval name="password" value="NP"/>
          <propval name="description" value="default_user"/>
          <propval name="shell" value="/usr/bin/bash"/>
          <propval name="gid" value="10"/>
          <propval name="uid" value="1001"/>
          <propval name="type" value="normal"/>
          <propval name="roles" value="root"/>
          <propval name="profiles" value="System Administrator"/>
        </property_group>
    </instance>
</service>

Configuring Multiple Initial Users

To configure multiple users on the newly-installed system, specify the users by using the useradd command in a script. Then use a run-once SMF service to run the script at first boot. See Running a Custom Script During First Boot for instructions.

Configuring SSH Keys

The ssh_public_keys property group holds pre-generated ssh keys. The keys will be written to the users $HOME/ .ssh/authorized_keys file when the system is configured.

Example 67 Configuring SSH Keys

  <property_group name="user_account" type="application">
    <...>
    <property type="astring" name="ssh_public_keys">
        <astring_list>
            <value_node value='[<options>] <key-type> <base64-encoding-key> [<comment>] />'
            <value_node value='[<options>] <key-type> <base64-encoding-key> [<comment>] />'
        </astring_list>
     </property>
   </property_group>

Setting the System Identity

Use the sysconfig create-profile command with the identity grouping to generate a valid profile that configures the system node name.

# sysconfig create-profile -g identity [-o directory]

The svc:/system/identity:node SMF service sets the system host name. The node is the instance of svc:/system/identity.

The identity property group contains the properties listed in the following table.

Table 10 config Property Group Properties

Property	Type	Required	Description
`nodename`	`astring`	optional	System host name.
`enable_mapping`	`boolean`	optional	Value used to disable node name mapping.
`loopback`	`astring`	optional	Host name mapped to loopback.

Example 68 Configuring the Host Name

This example sets the system host name to solaris.

<service name="system/identity" version="1" type="service">
    <instance name="node" enabled="true">
        <property_group name="config" type="application">
            <propval name="nodename" value="solaris"/>
        </property_group>
    </instance>
</service>

Example 69 Disabling Node Name Mapping

When you install the Oracle Solaris 11 OS or an Oracle Solaris 11 update release, by default the system node name is mapped to the loopback or to the IP address of the interface configured as part of installation. You can disable this default mapping by setting the enable_mapping property to false, as shown in the following example.

<service name="system/identity" version="1" type="service">
    <instance name="node" enabled="true">
        <property_group name="config" type="application">
            <propval name="nodename" value="solaris"/>
            <propval name="enable_mapping" value="false"/>
        </property_group>
    </instance>
</service>

Setting the Time Zone and Locale

Use the sysconfig create-profile command with the location grouping to generate a valid profile that configures the time zone and locale.

# sysconfig create-profile -g location [-o directory]

The svc:/system/timezone SMF service sets the time zone for the system.

The timezone property group contains the properties listed in the following table.

Table 11 timezone Property Group Properties

Property	Type	Required	Description
`localtime`	`astring`	optional	System time zone.

Example 70 Configuring the Time Zone

This example sets the time zone to Central European Time/Prague, CZ.

<service name='system/timezone' version='1'>
  <instance name='default' enabled='true'>
    <property_group name='timezone'>
      <propval name='localtime' value='Europe/Prague'/>
    </property_group>
  </instance>
</service>

The svc:/system/environment:init SMF service sets the locale for the system.

The environment property group can define the following environment variables. See the environ(5) man page for information about environment variables.

Table 12 environment Property Group Properties

Environment Variable	Type	Required	Default Value
`LC_CTYPE`	`astring`	optional	`C`
`LC_NUMERIC`	`astring`	optional	`C`
`LC_TIME`	`astring`	optional	`C`
`LC_COLLATE`	`astring`	optional	`C`
`LC_MONETARY`	`astring`	optional	`C`
`LC_MESSAGES`	`astring`	optional	`C`
`LC_ALL`	`astring`	optional	`C`
`LANG`	`astring`	optional	`C`

Example 71 Configuring the Locale

This example sets the locale to Czech language (cs) and Czech Republic (CZ).

<service name='system/environment' version='1'>
  <instance name='init' enabled='true'>
    <property_group name='environment'>
      <propval name='LC_ALL' value='cs_CZ.UTF-8'/>
    </property_group>
  </instance>
</service>

Setting the Terminal Type and Keyboard Layout

The following examples show how to set the terminal type and keyboard layout for the console in a system configuration profile.

Example 72 Configuring Terminal Type

The svc:/system/console-login SMF service configures the terminal type. See the ttymon(1M) man page for definition of related SMF properties.

This example sets the terminal type to vt100.

<service name="system/console-login" version="1" type="service">
    <instance name="default" enabled="true">
        <property_group name="ttymon" type="application">
            <propval name="terminal_type" value="vt100"/>
        </property_group>
    </instance>
</service>

Example 73 Configuring Keyboard Layout

Use the sysconfig create-profile command with the keyboard grouping to generate a valid profile that configures the keyboard layout.

# sysconfig create-profile -g keyboard [-o directory]

The svc:/system/keymap SMF service configures the keyboard layout. See the kbd(1) man page for definition of related SMF properties.

This example sets the keyboard layout to Czech.

<service name='system/keymap' version='1' type='service'>
    <instance name='default' enabled='true'>
        <property_group name='keymap' type='system'>
            <propval name='layout' value='Czech'/>
        </property_group>
    </instance>
</service>

Configuring Network Interfaces

Use the sysconfig create-profile command with the network grouping to generate a valid profile that configures the network. This command will start the SCI Tool, which will prompt you for the information needed to configure an interface.

# sysconfig create-profile -g network [-o directory]

The svc:/network/install SMF service configures an initial physical network interface. This service is initially disabled with property values that do not result in any system configuration.

Note - If the installation target is an iSCSI device, do not configure that network interface in any system configuration profile for that installation. For iSCSI boot, the network interface for the iSCSI device is configured early in the client boot process. If you configure that same interface again, the network/install service for the interface goes into maintenance state.

To configure multiple network interfaces, specify the configuration in a script, and use a run-once SMF service to run the script at first boot. See Running a Custom Script During First Boot for instructions and a sample script.

The svc:/network/install service supports multiple IPv4 and IPv6 interfaces and, optionally, a default route reachable by these interfaces. The service allows you to configure IPv4 and IPv6 interfaces. The service uses its properties and the ipadm command to configure the network interfaces. Similarly, the service uses its properties and the route command to define a default route.

See the examples in Specifying Static Network Configuration.

The install_ipv4_interface property group only allows one interface to be configured, but the ipv4_interface property group allows for multiple interfaces to be configured. Both IPv4 property groups contain the properties listed in the following table.

Table 13 Property Group Properties for an IPv4 Network Interface

Property	Type	Required	Description
`name`	`astring`	`required`	Name of the network interface.
`address_type`	`astring`	`required`	Value used to construct the `–T` option for the `ipadm create-addr` subcommand. Valid values are `static` or `dhcp`.
`static_address`	`net_address_v4`	`optional`	Only required with an `address_type` of `static`. Used to construct the local address for the `ipadm create_addr` subcommand.
`dhcp_wait`	`astring`	`optional`	Only applies with an `address_type` of `dhcp`. If defined, this property is used to construct the `–w` `seconds` (or `forever`) portion of the `ipadm create-addr` subcommand.
`default_route`	`net_address_v4`	`optional`	Used to define a default route using the `route`command. # /usr/sbin/route \ -p add default `default-route` \ -ifp `ifname` The value of `ifname` is the interface name portion of the `name` property.

The install_ipv6_interface property group only allows one interface to be configured, but the ipv6_interface property group allows for multiple interfaces to be configured. The property groups for an IPv6 interface contains the properties listed in the following table.

Table 14 Property Group Properties for an IPv6 Network Interface

Property	Type	Required	Description
`name`	`astring`	`required`	Name of the network interface.
`address_type`	`astring`	`required`	Value used to construct the `–T` option for the `ipadm create-addr` subcommand. Valid values are `static` or `addrconf`.
`static_address`	`net_address_v6`	`optional`	Only required with an `address_type` of `static`. Used to construct the local address for the `ipadm create-addr` subcommand.
`interface_id`	`net_address_v6`	`optional`	Only applies with an `address_type` of `addrconf`. Used to construct the `–i` `interface_id` portion of the `ipadm create-addr` subcommand.
`stateless`	`astring`	`optional`	Only applies with an `address_type` of `addrconf`. Used to construct the `–p` `stateless=yes\|no` portion of the `ipadm create-addr` subcommand.
`stateful`	`astring`	`optional`	Only applies with an `address_type` of `addrconf`. Used to construct the `–p` `stateful=yes\|no` portion of the `ipadm create-addr` subcommand.
`default_route`	`net_address_v6`	`optional`	Used to define a default route using the `route` command. # /usr/sbin/route \ -p add default `default-route` \ -ifp `ifname` The value of `ifname` is the interface name portion of the `name` property.

Configuring Name Service

Use the sysconfig create-profile command with the naming_services grouping to generate a valid profile that configures DNS, NIS, and LDAP clients and the name service switch.

# sysconfig create-profile -g naming_services [-o directory]

The naming_services grouping includes two SMF services.

The svc:/system/name-service/switch service manages the naming service.
The svc:/network/dns/client service manages the DNS service.

The svc:/system/name-service/switch SMF service configures the name service switch. This service is initially disabled with property values that do not result in any system configuration. See the examples in Specifying Name Service Configuration. The config property group of the svc:/system/name-service/switch service includes the properties listed in the following table. For a complete listing of all of the properties see the nsswitch.conf(4) man page.

Table 15 config Properties of the svc:/system/name-service/switch Property Group

Property	Type	Required	Description
default	astring	optional	Sets the default source configuration for all name service switch databases
bootparam	astring	optional	Overrides the default source configuration for the bootparams database
ether	astring	optional	Overrides the default source configuration for the ethers database
group	astring	optional	Overrides the default source configuration for the group database
host	astring	optional	Overrides the default source configuration for the host database
netmask	astring	optional	Overrides the default source configuration for the netmask database
network	astring	optional	Overrides the default source configuration for the network database
password	astring	optional	Overrides the default source configuration for the passwd database
protocol	astring	optional	Overrides the default source configuration for the protocol database
rpc	astring	optional	Overrides the default source configuration for the rpc database

The svc:/network/dns/client service supports the configuration of a DNS client. The service defines one property group: config. The service uses its properties to construct a configuration information for the DNS service. See the examples in Specifying Name Service Configuration.

The config property group contains the properties listed in the following table.

Table 16 config Property Group Properties

Property	Type	Required	Description
`domain`	`astring`	`optional`	Local domain name. Used to construct the `domain` directive in `resolv.conf`.
`nameserver`	`net_address_list`	`required`	List of IPv4 and IPv6 addresses. Used to construct the `nameserver` directives in `resolv.conf`.
`search`	`astring_list`	`optional`	List of domain values for the search list for host name lookup. Used to construct the `search` directive in `resolv.conf`.

Configuring Kerberos

A system configuration profile that includes Kerberos configuration information for an AI client should be created by the kclient command. Although the profile can be viewed, editing the file by hand is not suggested. For more information, see How to Configure Kerberos Clients Using AI.

Setting Up Oracle Configuration Manager and Oracle Auto Service Request

Oracle Configuration Manager enables you to log your system configurations with My Oracle Support, and Oracle Auto Service Request can automatically generate service requests for specific hardware faults.

Use the sysconfig create-profile command with the support grouping to generate a valid profile that configures Oracle Configuration Manager and Oracle Auto Service Request.

# sysconfig create-profile -g support [-o directory]

The output profile sets up the first phase of registration, which is the same for all AI clients that match the following criteria:

The systems use the same My Oracle Support credentials to register. All AI clients hat use this profile register with My Oracle Support in the same way. The data from all of these AI clients will be associated with the same My Oracle Support account.
The systems access My Oracle Support through the same network configuration. All AI client that use this profile access My Oracle Support through the same proxy servers and aggregation hubs, for example.

If you need to create additional profiles for different groups of AI client, you should rerun the sysconfig create-profile command, rather than copy and edit an existing profile. If your proxy server has a user name and password, then you must rerun sysconfig create-profile since the passwords are encrypted.