This section describes how to install the Trusted Solaris operating environment on a domain. The installation includes the following tasks:
Trusted Solaris 8 Software 1 of 2 is referred to as CD1 in this manual.
Trusted Solaris 8 Software 2 of 2 is referred to as CD2 in this manual.
Log in to SSP as user ssp. Assume the admin role.
Using the Admin Editor, edit the /etc/hosts file to include the IP address of the new domain.
You need to get the IP address from your network administrator.
The correct entries would look similar to the following /etc/hosts sample. Note that the new entry is borabora:
    # /etc/inet/hosts
    #
    # Internet host table
    #
    127.0.0.1 localhost
    0.0.0.0 tsol-default
    #
    # domain subnet
    #
    129.153.107.101 bermuda loghost
    129.150.107.100 jamaica
    129.150.107.102 cuba
    129.150.107.103 borabora
    129.150.107.104 bali
    129.150.107.105 fiji
    #
    # cb0 subnet
    #
    10.100.100.200 jamaica-qfe0
    10.100.100.201 bermuda-qfe0
    10.100.100.100 ctrl_brd_0
    #
    # cb1 subnet
    #
    10.100.101.200 jamaica-qfe1
    10.100.101.201 bermuda-qfe1
    10.100.101.100 ctrl_brd_1
    #
    # misc
    #
    129.150.103.178 wolf359 nis-master
The /etc/hosts file is actually a link to ./inet/hosts.
Using the Admin Editor, manually edit the /etc/ethers file to include the Ethernet address of the new domain.
The correct entries would look similar to the following /etc/ethers sample. Note that borabora represents the name of the new domain in this example:
    08:00:20:ac:5c:b9 jamaica
    08:00:20:b0:65:77 bermuda
    00:00:be:01:0f:42 ctrl_brd_0
    00:00:be:01:0f:6c ctrl_brd_1
    00:00:be:a6:56:78 cuba
    00:00:be:a6:60:d1 borabora
    00:00:be:a6:60:d2 bali
    00:00:be:a6:60:d3 fiji
In the role secadmin at admin_low, use the Solaris Management Console Security Families program to update the /etc/security/tsol/tnrhdb file to indicate the template for the new domain.
If you are unfamiliar with the procedure, see To Edit the Tnrhdb.
The correct entries would look similar to the following example. Note that the new domain is borabora with IP address 129.150.107.103.
    # /etc/security/tsol/tnrhdb
    #
    # Assume that template confidential and tsol is defined in the tnrhtp database.
    #
    127.0.0.1:tsol
    0.0.0.0:confidential
    129.150.107.101:tsol
    129.150.107.103:tsol
    129.150.103.0:tsol
    129.150.107.0:tsol
    10.100.100.201:tsol
    10.100.101.201:tsol
Make the changes in the /etc/security/tsol/tnrhdb file active with the tnctl(1M) command:
    ssp$ tnctl -H /etc/security/tsol/tnrhdb
Check for the template of the new domain with the tninfo(1M) command:
    ssp$ tninfo -h borabora
    IP address= 129.150.107.103, port= 0
    template = tsol
If the NIS+ master is running Trusted Solaris 8, its hosts, ethers and tnrhdb files need to be updated with the information for the new domain. Update the NIS+ master files.
You are done configuring the domain network information. You can now set up the Trusted Solaris SSP as a net install server, as described in the next section.
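An added example (not part of the original procedure): a Python check that the new domain appears in the hosts and ethers files and is matched by its own tnrhdb entry rather than by a fallback entry. The sample data is constructed from this page's samples; the wildcard rule (trailing zero octets match any value) and all function names are assumptions of the example.

```python
import ipaddress

# Constructed sample files, abbreviated from the samples on this page.
HOSTS = """\
127.0.0.1 localhost
0.0.0.0 tsol-default
129.150.107.100 jamaica
129.150.107.103 borabora
129.150.107.104 bali
"""
ETHERS = """\
08:00:20:ac:5c:b9 jamaica
00:00:be:a6:60:d1 borabora
"""
TNRHDB = """\
127.0.0.1:tsol
0.0.0.0:confidential
129.150.107.103:tsol
129.150.107.0:tsol
"""

def rows(text, sep=None):
    """Yield the fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split(sep)

def host_ip(name, hosts):
    """Return the address of the hosts entry naming `name`, or None."""
    for addr, *names in rows(hosts):
        if name in names:
            return addr
    return None

def match_tnrhdb(ip, tnrhdb):
    """Return the most specific (entry, template, prefix_len) match, or None."""
    # Assumed rule: trailing zero octets are wildcards, so 129.150.107.0
    # covers 129.150.107.* and 0.0.0.0 covers every host.
    best = None
    for entry, template, *_ in rows(tnrhdb, ":"):
        octets = entry.split(".")
        zeros = 0
        while zeros < 4 and octets[3 - zeros] == "0":
            zeros += 1
        prefix = 32 - 8 * zeros
        net = ipaddress.ip_network(f"{entry}/{prefix}")
        if ipaddress.ip_address(ip) in net and (best is None or prefix > best[2]):
            best = (entry, template, prefix)
    return best

def check_domain(name, expected, hosts=HOSTS, ethers=ETHERS, tnrhdb=TNRHDB):
    """Return a list of problems with the domain's entries (empty if none)."""
    ip = host_ip(name, hosts)
    if ip is None:
        return [f"{name}: no hosts entry"]
    problems = []
    if not any(name in f[1:] for f in rows(ethers)):
        problems.append(f"{name}: no ethers entry")
    entry, template, prefix = match_tnrhdb(ip, tnrhdb) or (None, None, 0)
    if prefix < 32:
        problems.append(f"{name}: no host entry in tnrhdb, falls back to {entry}")
    if template != expected:
        problems.append(f"{name}: template {template}, expected {expected}")
    return problems

if __name__ == "__main__":
    for domain in ("borabora", "bali", "fiji"):
        print(domain, check_domain(domain, "tsol") or "ok")
```

A domain that has no entry of its own is still assigned a template through the network or 0.0.0.0 entry, which is why the check reports the fallback instead of treating any match as success.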
Log in to the SSP as a user who can assume the admin role and assume it.
In the admin role, at label admin_low, use the Device Allocation Manager to allocate the CD-ROM drive, then mount CD1 with all privileges.
If you are unfamiliar with the procedure, see Setting up a CD-ROM.
To set up the SSP as an install server, follow the instructions in “Trusted Solaris Modifications to Network Installation” in Trusted Solaris Installation and Configuration.
In the admin role, set up the host domain as an install client.
    ssp$ cd /export/install/ts8_sparc
    ./add_install_client domain_name sun4u
If the /etc/nsswitch.conf file contains a DNS entry in its host list, you may receive the following warning:
Error: domain_name does not exist in the NIS+ ethers map.
If you receive this message, remove the DNS entry from the /etc/nsswitch.conf file, add domain_name to the ethers map if the name is not already in the map, and rerun the add_install_client command.
Leave the admin role and go back to the user ssp.
Use the domain_status(1M) command to ensure that the OS version is set to the proper value for the domain you are installing.
For Trusted Solaris 8, the OS version should be 5.8. If the OS version is correct, proceed to Step 5. If not, perform the following steps.
Remove the existing domain.
    ssp% domain_remove -d domain_name
The domain_remove(1M) command prompts you to save the domain directories, as in the following example:
    domain_remove: The following subdirectories contain domain specific
    information such as messages files, configuration files,
    and hpost dump files. You may choose to keep these directories
    if you still need this information. This domain may be created
    with or without this information being saved.
    /var/opt/SUNWssp/adm/xf4-b3
    /var/opt/SUNWssp/etc/allxf4/xf4-b3
    Keep directories (y/n)? y
    Domain : xf4-b3 is removed !
Be sure to answer yes, y, to the prompt so that the domain information is saved. If you answer no, you will have to supply the board numbers and the platform name for the new domain.
Create the new domain with the new OS version number.
    ssp% domain_create -d domain_name -o 5.8
If you saved the domain information, you do not need to include the -b and -p arguments. The domain_create(1M) command uses the domain information that was saved and the information you provide with the command to create the new domain.
Use the domain_switch(1M) command to ensure that SUNW_HOSTNAME is set to the name of the domain you are installing.
    ssp% domain_switch domain_name
The domain_switch command must be executed from a C shell. By default, the SSP window is a profile C shell (pfcsh(1)).
Check for blacklisted components.
If SBus boards have been added to a system board, confirm that the processors on those system boards are not blacklisted. Processors are blacklisted at the factory when a system board does not have SBus cards installed.
During the bring-up process, observe the list of blacklisted components. Alternatively, for instructions on how to retrieve the blacklist file, refer to the blacklist(4) man page.
To remove a processor from the blacklist, edit the blacklist file and remove the number of the board from the pc line in the file. By default, the blacklist file resides at $SSPVAR/etc/platform_name/blacklist; however, the location can be reconfigured, so the blacklist file on your server may be in a different location.
You are done setting up the SSP as a network install server and the domain as an install client. You can now bring up the domain, as described in the next section.
Do not use the bringup command if the domain is already running an OS. Instead, shut down the OS on the system gracefully, by remotely logging in to the domain (# rlogin domain) as root and running the init 0 command. Then go to Step 2.
As user ssp on the main SSP, with SUNW_HOSTNAME set to the domain being installed, bring up the domain.
    ssp% bringup -A off
If this is the first domain to be brought up, you will be prompted to configure the centerplane. Type y to continue if you are sure that no other domains are running. Responding yes resets the entire platform; therefore, you must ensure that no other domains are running.
This bringup will configure the Centerplane. Please confirm (y/n)? y
After a few minutes the SSP prompt is displayed. Review the output of the bringup(1M) command. If errors occurred, you must correct those errors before you proceed. If no errors occurred, continue to the next step.
In the SSP window, open a netcon(1M) session.
    ssp% netcon -g
The ok prompt is displayed after a few minutes. The duration depends directly on the size of the domain.
You are done bringing up the domain. You can now set up the OpenBoot PROM, as described in the next section.
On the domain's netcon, use the devalias command to check for duplicate devalias entries in OBP.
The suninstall utility may not work properly if you have defined duplicate devaliases in OBP. Use the devalias command to check the aliases. The output may resemble the following example:
    ok devalias
    net /sbus@41,0/qec@0,20000/qe@1,0
    ttya /ssp-serial
    ssa_b_example /sbus@40,0/SUNW,soc@0,0/SUNW,pln@b0000000,XXXXXX/SUNW,ssd@0,0:a
    ssa_a_example /sbus@40,0/SUNW,soc@0,0/SUNW,pln@a0000000,XXXXXX/SUNW,ssd@0,0:a
    isp_example /sbus@40,0/QLGC,isp@0,10000/sd@0,0
    net_example /sbus@40,0/qec@0,20000/qe@0,0
    net /sbus@41,0/qec@0,20000/qe@0,0
    ok
If any devaliases are defined twice (net is defined twice in the above example), you should remove the extra devalias entries.
If any duplicate entries exist in the devalias list, remove them.
The following example removes the last-created net devalias. You may have to issue a second nvunalias command if the second net alias is the incorrect one. Then issue an nvalias command to create the correct net device alias.
    ok nvunalias net
If a net alias does not exist for the network interface that is on the same subnet as the SSP, create one by typing a command similar to the following example:
    ok nvalias net /sbus@41,0/SUNW,hme@0,8c00000
Where /sbus@41,0 refers to system board 0 and SBus 1. The /SUNW,hme@0 portion of the device name defines a 100BASE-T network interface installed in Slot 0. This information is site-specific; thus, your configuration may vary.
The following table contains the SBus numbers used in the devalias file.
Table 5–1 SBus Numbers in the devalias File
system board | sysio 0 | sysio 1 | | system board | sysio 0 | sysio 1 |
---|---|---|---|---|---|---|
0 | /sbus@40 | /sbus@41 | | 8 | /sbus@60 | /sbus@61 |
1 | /sbus@44 | /sbus@45 | | 9 | /sbus@64 | /sbus@65 |
2 | /sbus@48 | /sbus@49 | | 10 | /sbus@68 | /sbus@69 |
3 | /sbus@4c | /sbus@4d | | 11 | /sbus@6c | /sbus@6d |
4 | /sbus@50 | /sbus@51 | | 12 | /sbus@70 | /sbus@71 |
5 | /sbus@54 | /sbus@55 | | 13 | /sbus@74 | /sbus@75 |
6 | /sbus@58 | /sbus@59 | | 14 | /sbus@78 | /sbus@79 |
7 | /sbus@5c | /sbus@5d | | 15 | /sbus@7c | /sbus@7d |
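
An added example (not from the original manual): a Python script that finds aliases defined more than once in devalias output and decodes each /sbus@NN path into its system board and sysio number. The formula NN = 0x40 + 4 × board + sysio is inferred from Table 5–1, the function names are hypothetical, and the listing is the sample shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the devalias listing shown on this page.
DEVALIAS_OUTPUT = """\
ok devalias
net /sbus@41,0/qec@0,20000/qe@1,0
ttya /ssp-serial
ssa_b_example /sbus@40,0/SUNW,soc@0,0/SUNW,pln@b0000000,XXXXXX/SUNW,ssd@0,0:a
ssa_a_example /sbus@40,0/SUNW,soc@0,0/SUNW,pln@a0000000,XXXXXX/SUNW,ssd@0,0:a
isp_example /sbus@40,0/QLGC,isp@0,10000/sd@0,0
net_example /sbus@40,0/qec@0,20000/qe@0,0
net /sbus@41,0/qec@0,20000/qe@0,0
ok
"""

SBUS_RE = re.compile(r"^/sbus@([0-9a-f]+),")


def parse_devalias(text):
    """Return {alias: [device paths in listing order]}, skipping 'ok' lines."""
    aliases = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] != "ok":
            aliases[fields[0]].append(fields[1])
    return dict(aliases)


def duplicate_aliases(text):
    """Return only the aliases that are defined more than once."""
    return {a: p for a, p in parse_devalias(text).items() if len(p) > 1}


def decode_sbus(path):
    """Map an /sbus@NN device path to (system board, sysio), else None.

    Table 5-1 follows NN = 0x40 + 4 * board + sysio, with boards 0-15
    and sysio 0 or 1; anything outside that range is rejected.
    """
    m = SBUS_RE.match(path)
    if not m:
        return None
    board, sysio = divmod(int(m.group(1), 16) - 0x40, 4)
    if 0 <= board <= 15 and sysio in (0, 1):
        return board, sysio
    return None


def report(text):
    """Return one line per definition of each duplicated alias."""
    lines = []
    for alias, paths in duplicate_aliases(text).items():
        for path in paths:
            lines.append(f"{alias} {path} board/sysio={decode_sbus(path)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(DEVALIAS_OUTPUT)))
```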
The watch-net-all command (no spaces) displays the functioning network interfaces.
You are done setting up the OBP environment. You can now install the Trusted Solaris operating environment, as described in the following section.
You can use these instructions to install the Trusted Solaris operating environment without saving any previous files.
During the installation, you will use the suninstall utility, which has its own instructions. The following instructions are specific to the Sun Enterprise 10000. For more information about the suninstall utility, refer to the Solaris installation instructions in your Solaris media kit.
The next step starts the suninstall utility. During the installation, you will be asked to specify the device name of the boot disk. Do not begin the installation until you know the device name.
In the netcon window, boot the system from the network.
    ok boot net
You should have an alias (usually net) in OBP for the proper network interface. Use that alias with the boot command, as shown in the example above. Otherwise, you must type in the complete OBP device path. If you specify an alias (or path) that does not describe the proper network interface, the boot command will fail, and you will have to bring up the domain again.
If you install the operating system on a drive other than the one designated as the boot drive, the suninstall utility displays a warning message similar to the following:
    Warning
    You have an invalid disk configuration because of the condition(s)
    displayed in the window below. Errors should be fixed to ensure a
    successful installation. Warnings can be ignored without causing the
    installation to fail.
    > To go back and fix errors or warnings, select Cancel.
    > To accept the error conditions or warnings and continue with
    > the installation, select Continue.
    WARNING: The boot disk is not selected or does not have a “/” mount
    point (c0t3d0)
You can safely ignore this warning and press F2 to continue.
The boot net command starts the suninstall utility. This utility prompts you to provide site and platform-specific information. Refer to the following table for the platform-specific information you may need to supply.
Table 5–2 Platform-Specific Information for the suninstall Utility and CD1
If you are asked to | Do this |
---|---|
Type of Terminal | If you are using dtterm, select Other and enter dtterm. |
Please enter the hostname of the SSP for domain_name [default_name] | Enter the hostname for your SSP. Note that the default value is to append -ssp to the domain name. |
Set the network information | Select the appropriate level of information you want to provide. If you select any option other than None, the suninstall utility displays a series of dialogs that request configuration information. Provide that information. |
Solaris Interactive Installation | Select Initial for fresh install. |
Select 64 bit | Click “Select To Include Solaris 64-bit Support” to install the 64-bit kernel. Refer to the Solaris 8 6/00 Release Notes Supplement for instructions on how to check the operating mode, to set the default mode, and to switch the operating mode. |
Select Software | Select Entire Distribution plus OEM Support. |
Select Disk(s) | Select the disk(s) on which the software is to be installed. If you choose a drive other than the one designated as the boot drive, a warning message appears later in the installation process. At that point, you can choose whether to continue, or not. |
Automatically Layout File Systems | Select Manual Layout, then select Customize. The suninstall utility enables you to customize the root disk by specifying disk partitions. Refer to Table 5–3 as a guide. |
Mount Remote File System | Press F4 if file systems are to be mounted from a remote file server. Press F2 if they are not. |
Manual Reboot after installation | Select manual reboot and press F2 to begin the installation. This step, which installs the software from the Trusted Solaris CD1, can take approximately 40 minutes to complete. When the install ends successfully, the superuser prompt is displayed in the domain's netcon console window. You can now configure the Trusted Solaris 8 operating environment, as described in To Configure the Trusted Solaris Operating Environment. Note – Configuring the Trusted Solaris 8 software must be done before rebooting and before installing CD2. |
Make sure that you select Manual Reboot and not Automatic Reboot.
When you perform a full install of the Trusted Solaris 8 operating environment on a domain, the suninstall utility allows you to manually enter the disk partition sizes for your file systems. Do not use disk partitions that are less than the minimum sizes in Table 5–3.
If two disks are used, root (/) and /usr must be on the device specified in the OBP boot alias.
Table 5–3 Minimum Partition Sizes
Partition | | Minimum Sizes | Notes |
---|---|---|---|
0 | / | 256 Mbyte | Bare minimum size |
1 | swap | 1024 Mbyte | Bare minimum size |
2 | overlap | | Actual total disk size |
3 | /var | 512 Mbyte | |
4 | | 3 Mbyte | This slice must be reserved for the Alternate Pathing and Solstice™ DiskSuite™ products. Otherwise, subsequent Alternate Pathing installations will overwrite the operating system. |
5 | /opt | 512 Mbyte | This may be larger depending upon remaining space. |
6 | /usr | 1 Gbyte | Asian-language users may need more space here. |
Use the Tab key to move the cursor, and use the keyboard to type the size for each partition. Press F2 when you are done.
Return to Table 5–2 to continue the suninstall installation.
Enter a root password when prompted.
    Root password: password
    Please re-enter your root password: password
Before manually rebooting after installation, configure the operating environment.
To enable keyboard abort and allow the domain's netcon key sequence ~# to drop to the ok prompt, change the value of KEYBOARD_ABORT to enable in the /a/etc/default/kbd file.
    KEYBOARD_ABORT=enable
If you are running a spare SSP, update the /a/etc/inet/hosts file to include IP addresses and names of the main and spare SSP.
In the following example, the domain is borabora, the main and spare SSPs are jamaica and bermuda.
    # /etc/inet/hosts
    #
    # Internet host table
    #
    127.0.0.1 localhost
    0.0.0.0 tsol-default
    129.150.107.103 borabora loghost
    129.150.107.101 bermuda
    129.150.107.100 jamaica
Update the /a/etc/security/tsol/tnrhdb file to include templates for the main and spare SSP and any other workstations the domain communicates with.
In the following example, the domain has IP address 129.150.107.103 and the SSPs have IP addresses 129.150.107.100 and 129.150.107.101.
    # /etc/security/tsol/tnrhdb
    #
    # Assume that template tsol is defined in the tnrhtp database.
    #
    127.0.0.1:tsol
    0.0.0.0:confidential
    129.150.107.103:tsol
    129.150.107.0:tsol
    129.150.103.0:tsol
    129.150.107.100:confidential
    129.150.107.101:tsol
In the netcon window, drop down to the OBP prompt using ~#.
List the devices entry for your boot disk.
    domain_name# ls -l /dev/dsk/root_partition_device
Where root_partition_device is in the form cxtxdxsx.
Copy the part of the string that begins with either /sbus or /pci.
Example: /sbus@65,0/SUNW,fas@1,8800000/sd@3,0:a
Assign the device string to an alias; enter the nvalias command on a single line.
    ok nvalias bootdisk_alias device_string
Use the setenv command to set the default boot-device alias to the correct device.
    ok setenv boot-device bootdisk_alias
You are done configuring the OBP variables. You can now bring up the domain, as described in the following section.
Finish the domain installation.
Perform any site-specific configuration tasks on the newly installed environment by editing the configuration files in the /a directory.
The number and extent of any site-specific configuration task, such as configuring the default router, are highly dependent on the local configuration of the server and the network on which it resides. If you are unsure about what tasks you should perform, contact your service provider, or refer to the System Administration Guide, Volume 1 and the Trusted Solaris Administrator's Procedures.
Shut down the domain from the netcon window.
    # init 0
Switch to the domain and bring it up.
    ssp% domain_switch domain-name
    ssp% bringup -A on
If this is the first domain to be brought up, you will be prompted for a root password.
Provide a root password.
On the netcon, when the Trusted Solaris domain has finished rebooting, you will not get the "console login:" prompt, because command line login is disabled in the Trusted Solaris environment for security reasons. For now, to finish configuring the Trusted Solaris domain, you can access the domain's admin role by logging in remotely from the Trusted Solaris SSP.
When accessing a Trusted Solaris domain, a user who can assume the admin role must remotely log in to the domain. For a discussion of remote administration options, see “Remote Administration Options” in Trusted Solaris Administrator's Procedures.
On the Trusted Solaris SSP, assume the root role.
In the root role on the SSP, rlogin to the domain.
You are now in the domain's root role.
To verify that you are in the domain's root role:
    ssp$ uname -a
    ssp$ id -a
For a broader view of what is and is not allowed in a Trusted Solaris environment on a Sun Enterprise 10000, see Differences from Solaris 8 Installation and Configuration of the Sun Enterprise 10000.
If the domain is to be a NIS+ client, assume the domain's admin role to update the hosts entry in the /etc/nsswitch.conf file after running the nisclient command.
    hosts: files nisplus
Failure to do this will result in the domain communicating in JTAG instead of network mode after a reboot.
Perform the following steps to configure the ntp.conf file, which resides at /etc/inet/ntp.conf.
Assume the admin role on the Trusted Solaris SSP and rlogin to the domain.
You should now be in the admin role on the domain. To confirm:
    $ uname -a
    $ id -a
Create the ntp.conf file in your text editor using the Admin Editor action.
Add the following lines to the file.
    server ssp-name
    server 127.127.1.0
    fudge 127.127.1.0 stratum 10
Each domain should use the SSP as its source for time, and the SSP should use at least two other sources, besides its internal clock, to avoid a single point of failure in case the SSP clock fails.
The domain should have a stratum number that is at least one level above the SSP.
For more information about NTP commands, refer to the ntpdate(1M) man page.
You are done configuring the NTP packages. You can now finish the domain installation, as described in the following section.
If you want to install Trusted Solaris AP 2.3, see Chapter 7, Trusted Solaris Alternate Pathing 2.3 on an E10000 Domain.
Otherwise, you are done with the install unless you need to license your software, as described in the following section.
The Sun Enterprise 10000 domain feature requires different approaches to software licensing when compared to systems that cannot be logically partitioned.
License management (the license server) is normally tied to a machine host ID. On a Sun Enterprise 10000 system, the license server is tied to the domain host ID. Each domain receives its own domain host ID.
Therefore, if licensing is installed on a Sun Enterprise 10000 system, it must be installed in a domain that will not be removed. Adding or removing processors from the domain will not affect licensing, as long as the domain always has at least one active processor.
If licensing ever needs to be moved from one domain to another, the licenses will need to be regenerated using the new domain host ID. This is identical to the situation when moving the license server from one machine to another. This process is called a server move; contact the Sun License Center to request a server move.
For more licensing information, use the following Sun License Center URL:
http://www.sun.com/licensing
To obtain the Sun Enterprise 10000 system domain host ID, type hostid in a shell window.
Other software vendors may have unique software licensing policies on the Sun Enterprise 10000 system. All major independent service providers have been notified and should have software policies in place. For additional information, contact your service provider.