installadm - Manages automated installations on a network
/usr/sbin/installadm [–h|–help]
installadm help [subcommand]
installadm create-service [–n <svcname>] [–p <prefix>=<origin> [–K <keypath> –C <certpath>]] [–a <architecture>] [–s <FMRI/ISO> | –t <existing_service>] [–b <boot property>=<value>,... | –G <grub.cfg>] [–i <dhcp_ip_start> –c <count_of_ipaddr>] [–B <server_ipaddr>] [–M <manifest file>] [–d <imagepath>] [–y]
installadm set-service [options] –n <svcname> [–t <existing_service>] [–M <manifest name>] [–d <imagepath>] [–e | –D] [–G [none|<grub.cfg>] [–b [none|<property>=<value>[,... ]] [–p <policy>]] [–x [–hash <ca-hash>]] [–A <ca-certfile>...] [–C <certfile> –K <keyfile>] [–g] [–E] [–H] [–f|–hmac-type <hmac-type>]
installadm update-service [–s FMRI] [–p <publisher>=<origin> [–K <keypath> –C <certpath>]] –n <svcname>
installadm rename-service –n <svcname> –N <newsvcname>
installadm enable –n <svcname>
installadm disable –n <svcname>
installadm delete-service [–r] [–y] –n <svcname>
installadm list [–v|–verbose] [–n|–service <svcname>] [–a|–all | –s|–server –c|–client –m|–manifest –p|–profile]
installadm list [–v|–verbose] –e|–macaddr <macaddr>
installadm create-manifest [options] [source_options] –n|–service <svcname>
installadm update-manifest –n <svcname> –m <manifest>
installadm update-manifest –n <svcname> –f <filename> [–m <manifest>] [–e]
installadm delete-manifest –n <svcname> –m <manifest>
installadm create-profile –n <svcname> –f <filename> ... [–p <profile>] [–c <criteria>=<value|list|range> ... | –C <criteriafile>]
installadm set-profile –n <svcname> –p <profile name> [–P <new profile name>] [–e install|system|all[,...] ]
installadm update-profile –n <svcname> –f <filename> [–p <profile>]
installadm delete-profile –n <svcname> –p <profile> ...
installadm export [–o <path>] –n <svcname> [–m <manifest name>]... [–p <profile name>]...
installadm export [–o <path>] –n <svcname> | –e <macaddr> –G
installadm export [–o <path>] –s | –n <svcname> | –c | –e <macaddr> [–C] [–K] [–A]
installadm validate –n <svcname> [–M <manifest_path>]... [–m <manifest_name>]... [–P <profile_path>]... [–p <profile_name>]...
installadm set-criteria –n <svcname> [–m <manifest>] [–p <profile>]... [[–c <criteria>=<value|list|range>]... | [–C <criteria.xml>] | [–a <criteria>=<value|list|range>]... | [–d <criteria>]... | [–D]]
installadm create-client –n <svcname> –e <macaddr> [–b <property>=<value>,...] [–G <grub.cfg>]
installadm set-client –e <macaddr> [–n <svcname>] [–b [none|<property>=<value>,... ]] [–G [none|<grub.cfg>] [–g] [–x [–y] [–hash <ca-hash>] [–A <ca-certfile>]... [–C <certfile> –K <keyfile>] [–E] [–H] [–f|–hmac-type <hmac-type>]
installadm set-server [–i <dhcp_ip_start> –c <count_of_ipaddr>] [–p <port>] [–P <secure_port>] [–d <directory>] [–l all|<CIDR>[,...] | [–L none|<CIDR>[,...]]] [–m | –M] [–u | –U] [–z | –Z] [–s | –S] [–telemetry-enable | –telemetry-disable] [–telemetry-frequency <number_of_seconds>] [–telemetry-success [none|install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-success-add [install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-success-remove [install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-failure [none|install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-failure-add [install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-failure-remove [install_log|all_logs|all_files|<file>|<fmri>],...] [–telemetry-statistics-retention <number>[d|m|y]] [–telemetry-files-retention <number>[d|m|y]] [[–D] [–x [–r] [–hash <ca-hash>]] [–g] [–A <ca-certfile>...] [–C <certfile> –K <keyfile>] [–E] [–H] [–F|–hmac-policy <hmac-type>] [–f|–hmac-type <hmac-type>]]
installadm execute –f <file>
installadm can be invoked interactively, with an individual subcommand, or by specifying a command file that contains a series of subcommands.
The Automated Installer (AI) is used to automate the installation of the Oracle Solaris OS on one or more SPARC and x86 systems over a network.
The machine topology required to use AI over the network consists of an install server, a DHCP server (which can be the same system as the install server), and the installation clients. On the install server, install services are set up to contain: an AI boot image, which is provided to the clients so that they can boot over the network; input specifications (AI manifests and derived manifest scripts), one of which will be selected for the client; and Service Management Facility (SMF) configuration profiles, zero or more of which will be selected for the client.
The AI boot image content is published as the package install-image/solaris-auto-install, and is installed by the create-service subcommand. The create-service subcommand is also able to accept and unpack an AI ISO file to create the AI boot image.
Install services are created with a default AI manifest, but customized manifests or derived manifest scripts (hereafter called “scripts”) can be added to an install service by using the create-manifest subcommand. See Automatically Installing Oracle Solaris 11.4 Systems for information about how to create manifests and derived manifests scripts. Manifests can also be edited using the interactive manifest editor CLI. The manifest editor CLI, which can be invoked using the create-manifest and update-manifest subcommands, is an interactive interface that presents the AI manifest content as a set of objects and properties that can be manipulated using subcommands entered at the interactive interface prompt. It allows you to edit a manifest without having to view or understand an XML document (see "MANIFEST EDITOR CLI" section below). The create-manifest subcommand also allows criteria to be specified, which are used to determine which manifest or script should be selected for an installation client. Criteria already associated with a manifest or script can be modified using the set-criteria subcommand.
Manifests can include information such as a target device, partition information, a list of packages, and other parameters. Scripts contain commands that query a running AI client system and build a custom manifest based on the information it finds. When AI is invoked with a script, AI runs that script as its first task, to generate a manifest.
When the client boots, a search is initiated for a manifest or script that matches the client's machine criteria. When a matching manifest or script is found, the client is installed with the Oracle Solaris release according to the specifications in the matching manifest file, or to the specifications in the manifest file derived from the matching script. Each client can use only one manifest or script.
Each service has one default manifest or script. The default is used when the criteria of no other manifest or script match the system being installed. Any manifest or script can be designated as the default. Default manifests can have criteria associated with them, which are used when attempting to locate a matching manifest; however, this manifest is also returned as the default if no other matching manifest is located. Manifests or scripts with no criteria associated with them can only be used as default manifests or scripts. Manifests or scripts without criteria become inactive when a different manifest or script is designated the default.
System configuration profiles are complementary to manifests and scripts in that they also contain specifications for an installation. In particular, profiles are used to specify configuration information such as user name, user password, time zone, host name, and IP address. Profiles can contain variables that are replaced at installation time with appropriate values for the client being installed. In this way, a single profile file can set different configuration parameters on different clients. See the “Examples” section.
System configuration profiles are processed by smf(7) and conform to document format service_bundle(5). See sysconfig(8) and Chapter 3, Working With System Configuration Profiles in Customizing Automated Installations With Manifests and Profiles for more information about system configuration profiles. Each client can use any number of system configuration profiles. A particular SMF property can be specified no more than once for each client system.
If you want a specific client to use a specific install service, you can associate that client with the service by using the create-client subcommand. You can also use create-client to modify an existing client. Security credentials associated with that client will be retained.
Automated installations can be secured with the Transport Layer Security (TLS) protocol. Private certificate and key pairs and Certificate Authority (CA) certificates can be assigned to the install server and to clients. WANBoot clients further require the use of firmware hash digest and encryption keys to enable security, which also secures the download of the initial network boot files. Security may be enabled for x86 clients as well. Note that when x86 clients use PXEBoot, the initial network boot phase is not secured. An automated installation can be secured in the following ways:
Server authentication: The identity of the server can be verified.
Client authentication: The identity of the client can be verified.
Access to automated installations can be controlled.
Access to server data can be controlled.
Client data can be protected for all clients or separately for specified clients.
Data can be encrypted so that it cannot be read over the network.
Secured IPS package repositories can be accessed.
A user-specified directory can be securely published by the web server. Client authentication is required to access this directory.
The installadm utility can be used to accomplish the following tasks:
Configure the AI server SMF service
Set up install services and aliases
Update the net image of certain install services
Set up installation images
Set up or delete clients
Add, update, or delete manifests and scripts
Specify or modify criteria for a manifest or script
Export manifests and scripts
Add or delete system configuration profiles
Validate profiles
Specify or modify criteria for profiles
Export profiles
Enable or disable install services
List install services
List clients for an install service
List manifests and scripts for an install service
List profiles for an install service
Secure data transfers between the install server and the AI clients
Enable or disable security
Execute batches of subcommands
The installadm command has the following option:
–h|–help
Show the usage message for all subcommands.
If followed by a subcommand, will show the usage message for that subcommand only.
The installadm command has the subcommands listed below. See also the “Examples” section below.
installadm help [subcommand]
Displays a summary of the available commands.
Displays more help for the specified subcommand.
installadm create-service [–n <svcname>] [–p <prefix>=<origin> [–K <keypath> –C <certpath>]] [–a <architecture>] [–s <FMRI/ISO> | –t <existing_service>] [–b <boot property>=<value>,... | –G <grub.cfg>] [–i <dhcp_ip_start> –c <count_of_ipaddr>] [–B <server_ipaddr>] [–M <manifest file>] [–d <imagepath>] [–y]
This subcommand sets up a network boot image (net image) in the specified imagepath directory, and creates an install service that specifies how a client booted from the net image is installed.
The AI boot image content is published as the package install-image/solaris-auto-install. If the –s option is not specified, that package is installed from the first publisher in the system's publisher preference list that provides an instance of that package. The –s option accepts the pkg specification as a full FMRI or location of an image ISO file. The resulting net image is eventually located in imagepath. The net image enables client installations.
Note the following specifications:
When the first install service of a given architecture is created on an install server, an alias of that service, default-i386 or default-sparc, is automatically created. This default service is used for all installations to clients of that architecture that were not added to the install server explicitly with the create-client subcommand. To change the service aliased by the default-arch service, use the set-service subcommand. To update the default-arch service, use the update-service subcommand.
If a default-arch alias is changed to a new install service and a local ISC DHCP configuration is found, this default alias boot file is set as the default DHCP server-wide boot file for that architecture.
If you want a client to use a different install service than the default for that architecture, you must use the create-client subcommand to create a client-specific configuration.
The options are any one of the following:
Optional: Uses this install service name instead of a system-generated service name. The <svcname> can consist of alphanumeric characters, underscores (_), and hyphens (-). The first character of <svcname> cannot be a hyphen. The length of the svcname cannot exceed 63 characters.
If the –n option is not specified, a service name is generated automatically. The default name includes architecture and OS version information.
Optional: Specifies the data source for the net image. This can be either of:
The FMRI of an IPS AI net image package. This is the default. If the –s option is not specified, the newest available version of the install-image/solaris-auto-install package is used. The package is retrieved from the publisher specified by the –p option or from the first publisher in the install server's publisher preference list that provides an instance of the package.
The path to an AI ISO image.
Optional: Only applies when the service is being created from an IPS package. Specifies the IPS package repository from where you want to retrieve the install-image/solaris-auto-install package. An example is:
solaris=http://pkg.oracle.com/solaris/release/
If the –p option is not specified, the publisher used is the first publisher in the install server's publisher preference list that provides an instance of the package.
Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted key for the secure IPS publisher.
Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted certificate for the secure IPS publisher.
Optional: Only applies when the service is being created from an IPS package. Specifies the architecture of the clients to be installed with this service. The value can be either i386 or sparc. The default is the architecture of the install server.
Optional: Specifies the path at which to create the net image. If not specified, the image is created in a <svcname> directory at the location defined by the value of the all_services/default_imagepath_basedir property. For the default value of this property, see “Install Server Configuration Properties.” A confirmation prompt is displayed unless –y is also specified.
Optional: Suppresses any confirmation prompts and proceeds with service creation using the supplied options and any default values (see –d).
Optional: This new service is an alternate name for the <existing_service> install service.
Optional: Used to designate the path to the default manifest or derived manifest script to be used for the service.
Optional: For x86 clients only. Sets a property value in the service-specific boot configuration file in the service image. Use this option to set boot properties that are specific to this service. This option can accept multiple comma-separated property=value pairs.
Optional: Assigns a new GRUB2 menu file, or removes one if 'none' is specified.
Obsolete: These options have been obsoleted for use in this context, and you should use the set-server equivalents going forward. Please refer to the set-server documentation for more information.
These options will fail if the AI server is not already configured to manage DHCP.
Obsolete: This option has been obsoleted for use in this context, and you should use the set-server equivalent going forward. Please refer to the set-server documentation for more information.
installadm set-service [options] –n <svcname> [–t <existing_service>] [–M <manifest name>] [–d <imagepath>] [–e | –D] [–G [none|<grub.cfg>] [–b [none|<property>=<value>[,... ]] [–p <policy>]] [–x [–hash <ca-hash>]] [–A <ca-certfile>...] [–C <certfile> –K <keyfile>] [–g] [–E] [–H] [–f|–hmac-type <hmac-type>]
This subcommand enables the modification of an existing service. At least one of these options must be given:
Makes <svcname> an alias of the <existing_service> install service.
Designates a particular manifest or derived manifests script that is already registered with the specified service to be the default manifest or derived manifest script for that service. Use the installadm list command to show a list of manifests and derived manifest scripts registered with this service.
$ installadm list -n <svcname> -m
Causes the image to be relocated to the new image path.
Enables/Disables the service.
Assigns a new GRUB2 menu file, or removes one if 'none' is specified.
Sets the boot arguments for the GRUB menu, or removes them if 'none' is specified.
An install service can be assigned only one of these security settings. The <policy> can be one of the following security policy settings which are listed in order of decreasing security:
Confirms the identity of the AI client. Requires client and server authentication for all clients of the specified service. All clients of this service must have their firmware keys defined.
Confirms the identity of the AI install server. Requires all clients of the specified service to perform server authentication. Client authentication is optional, but any assigned client credentials are required to be provided. All clients of this service must have their firmware keys defined.
Allows both authenticated and unauthenticated clients to access the install service. Client authentication is optional, but any assigned client credentials are required to be provided. This is the default behavior.
Enables SSL/TLS end-to-end encryption for an x86 install service. No authentication is performed.
Disables all security for all clients of the specified service.
Deletes any security configuration for the service, or a specific CA if a –hash is provided. If –y is provided it will not prompt for confirmation.
Automatically generates and assigns all X.509 security credentials and generates firmware keys. The CA certificate and firmware keys are generated only if they do not already exist.
Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.
–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.
–K assigns a user-provided PEM-encoded X.509 private key located at path <keyfile>. The <keyfile> must have any passphrase removed.
The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.
If you also specify –A options then this certificate and key will be validated against those CA Certificates.
Regenerates a security encryption firmware key. Invalidates any existing key.
Firmware keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before firmware keys exist is an error. You can specify both firmware key options, or you can specify either –E or –H option. The firmware keys that already exist are invalidated and replaced with the newly generated values.
Regenerates a security hashing firmware key (HMAC). Invalidates any existing key.
Assigns <hmac-type> as the active signature type for the server and default client, and generates a HMAC key of that type if it does not exist.
If –g is specified in combination with –f|–hmac-type, credentials with HMAC signature type <hmac-type> will be generated and the active signature type will not be changed. If –H is specified in combination with –f|–hmac-type, a firmware key of HMAC signature type <hmac-type> will be generated, and the active signature type will not be changed.
The <hmac-type> is a valid and supported HMAC signature type and can be either hmac-sha1 or hmac-sha256 for SPARC clients and services, and only hmac-sha256 for x86 clients and services. <hmac-type> is case-insensitive.
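The argument rules stated in this section (service-name syntax, –C paired with –K, a PEM key with its passphrase removed, and the HMAC types allowed per architecture) can be checked before set-service is invoked. The following sh script is an added example, not part of installadm; its function names and the constructed sample files are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks for the security arguments of
# `installadm set-service`, encoding the rules stated in this section.
# Function names and sample files are illustrative, not part of installadm.
LC_ALL=C; export LC_ALL

# Service names: alphanumerics, '_' and '-', no leading '-', at most 63 chars.
valid_svcname() {
    [ -n "$1" ] && [ "${#1}" -le 63 ] || return 1
    case $1 in
        -*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
}

# HMAC types: sparc accepts hmac-sha1 and hmac-sha256, i386 only hmac-sha256.
# The value is case-insensitive.
valid_hmac_type() {
    case "$1:$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" in
        sparc:hmac-sha1|sparc:hmac-sha256|i386:hmac-sha256) return 0 ;;
    esac
    return 1
}

# Classify a key file from its PEM framing: plain | encrypted | not-pem | missing.
# Encrypted keys appear either as PKCS#8 ("ENCRYPTED PRIVATE KEY") or as the
# legacy format with a "Proc-Type: 4,ENCRYPTED" header.
key_state() {
    if [ ! -r "$1" ]; then echo missing
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                 -e '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then echo plain
    else echo not-pem
    fi
}

# True when FILE is readable and holds at least one PEM certificate.
is_pem_cert() {
    [ -r "$1" ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# preflight ARCH SVCNAME CERT KEY HMAC_TYPE [CA_CERT...]
# CERT, KEY and HMAC_TYPE may be empty strings when the option is not used.
# Prints one line per problem on stdout; prints nothing when everything passes.
preflight() {
    arch=$1 svc=$2 cert=$3 key=$4 hmac=$5
    shift 5
    valid_svcname "$svc" || echo "svcname: invalid name"
    if [ -n "$hmac" ] && ! valid_hmac_type "$arch" "$hmac"; then
        echo "hmac-type: '$hmac' not supported on $arch"
    fi
    case "${cert:+c}${key:+k}" in
        c|k) echo "cert/key: -C and -K must be given together" ;;
    esac
    if [ -n "$cert" ] && ! is_pem_cert "$cert"; then
        echo "cert: $cert is not a readable PEM certificate"
    fi
    if [ -n "$key" ]; then
        case $(key_state "$key") in
            encrypted) echo "key: $key is passphrase-protected" ;;
            not-pem|missing) echo "key: $key is not a readable PEM private key" ;;
        esac
    fi
    for ca in "$@"; do
        is_pem_cert "$ca" || echo "ca: $ca is not a readable PEM certificate"
    done
    # Informational only (stderr): without -A the CA must already be assigned.
    if [ -n "$cert" ] && [ -n "$key" ] && [ $# -eq 0 ]; then
        echo "note: no CA given; the CA for $cert must already be assigned" >&2
    fi
}

# Demo on constructed files (the base64 bodies are placeholders, not real keys).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$d/svc.crt"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$d/svc.key"
    # Three problems: leading hyphen, hmac-sha1 on i386, encrypted key.
    preflight i386 -solaris11_4-i386 "$d/svc.crt" "$d/svc.key" HMAC-SHA1
    rm -rf "$d"
}
demo
```

These checks read only the PEM framing of each file; as described above, installadm itself validates the certificate and key against the CA certificates supplied with –A.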
installadm update-service [–s FMRI] [–p <publisher>=<origin> [–K <keypath> –C <certpath>]] –n <svcname>
Updates the image associated with <svcname>, where <svcname> is an alias of a service that was created using an IPS AI net image package. A new service is created with the updated image, and <svcname> is aliased to the new service.
The required arguments are:
Specifies the name of the install service being updated, which must be an alias of a service that was created using an IPS net image package.
[options] is one or more of the following:
The IPS package repository from which to update the <svcname> image. The following is an example value:
solaris=http://pkg.oracle.com/solaris/release/
A certificate and key may be specified for the publisher by providing paths to a key and certificate file to use with the options:
If the –p option is not specified, the publisher used is the publisher that was used to create the image of the service for which <svcname> is an alias. The package publisher can be seen in verbose output for that service.
The FMRI of the net image package for the update.
If the –s option is not specified, the newest available version of the install-image/solaris-auto-install package is used from the publisher specified in the description of the –p option.
installadm rename-service –n <svcname> –N <newsvcname>
Renames the install service <svcname> to <newsvcname>.
The <newsvcname> can consist of alphanumeric characters, underscores (_), and hyphens (-). The first character of <newsvcname> cannot be a hyphen. The length of the <newsvcname> cannot exceed 63 characters.
installadm enable –n <svcname>
Obsolete: This subcommand has been obsoleted in preference to the –enable option of the set-service subcommand.
Enables the svcname install service.
installadm disable –n <svcname>
Obsolete: This subcommand has been obsoleted in preference to the –enable option of the set-service subcommand.
Disables the svcname install service.
installadm delete-service [–r] [–y] –n <svcname>
Deletes an install service.
Deletes the manifests, profiles, client configuration files, and web server configuration for this install service.
Deletes the image used to instantiate the service.
Deletes all security credentials of the service.
If the following conditions exist, the bootfile associated with this service is removed from the ISC DHCP configuration:
The service is a default alias.
A local ISC DHCP configuration exists.
The all_services/manage_dhcp property value is true.
The required arguments are:
Specifies the install service name to delete.
Where [options] is one or more of:
If specified, any clients assigned to this service, and any services aliased to this service, are also removed. Any security credentials associated with the service, its aliased services, and any clients, are also removed.
Suppresses any confirmation prompts and proceeds with service deletion.
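installadm list [–v|–verbose] [–n|–service <svcname>] [–a|–all | –s|–server –c|–client –m|–manifest –p|–profile]
installadm list [–v|–verbose] –e|–macaddr <macaddr>
Without any options, lists the summary of all services on the AI server. The available options are: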
Produces more verbose listings
Lists the configuration of the AI server in a tree-like output with information about the server, services, clients, manifests and profiles on the AI server.
Can only be used in conjunction with the –v or –n options.
Behaves as a filter, only showing clients, manifests or profiles for the specified <svcname> on the server.
This option can be used to filter the –a, –c, –m or –p options.
Lists specific information for the provided <macaddress> only.
Can only be used in conjunction with the –v option.
Lists information about server configuration.
Cannot be used with the –n option.
Lists the clients of the install services on a local server.
When used with –n option, it displays only manifests and scripts for the given service.
Lists the manifests and derived manifest scripts associated with the install services on a local server, including criteria for each manifest. Inactive manifests are labeled. Inactive manifests have no associated criteria and are not the default manifest for that service.
When used with –n option, it displays only manifests and scripts for the given service.
Lists the profiles associated with the install services on a local server, including criteria for each profile.
When used with –n option, it displays only profiles for the given service.
Whenever the list output includes fields that are inaccessible for a user, that is, they do not have sufficient authorisations, then these fields are hidden from the output. Examples of such fields are those related to whether security is enabled or not, the security credentials, and so on.
installadm create-manifest [options] [source_options] –n|–service <svcname>
Creates a manifest or derived manifests script for a specific install service, thus making the manifest or script available on the network, independently from creating a service. A non-default manifest or script can be used (can be active) only when criteria are associated with it. Criteria can be entered on the command line (–c) or in a criteria XML file (–C).
The manifest or derived manifests script to be created can be copied from a file (–f) or an existing manifest of the install service (–M). Additionally specifying the –e option allows the user to edit the manifest before it is saved to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. The interface presents the AI manifest content as a set of non-XML objects and properties that can be manipulated using subcommands entered at the interactive interface prompt, allowing the user to edit the manifest before saving it to the install service. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, VISUAL. If VISUAL is not defined, EDITOR is used instead. If neither are defined, then the default editor vi(1) is used.
If neither –f nor –M is specified, the user is placed into the interactive interface to interactively specify input for the new manifest (some values are pre-filled with sensible defaults), which is then saved to the install service. See the "MANIFEST EDITOR CLI" section below for more information about the interactive interface.
The name of the manifest is determined in the following order:
The manifest name specified by the –m option, if present.
The value of the ai_instance name attribute, if present in the manifest.
The base name of the filename.
The required arguments are:
Specifies the name of the install service this manifest or script is to be associated with.
[source_options] can be one of the following:
Specifies the path name of the manifest or derived manifests script to add.
If –e is also specified, the user can edit the manifest before saving it to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, VISUAL. If VISUAL is not defined, EDITOR is used instead. If neither are defined, then the default editor vi(1) is used.
Specifies the name of an existing manifest or derived manifests script for <svcname> to copy for the new manifest.
If –e is also specified, the user can edit the manifest before saving it to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, VISUAL. If VISUAL is not defined, EDITOR is used instead. If neither are defined, then the default editor vi(1) is used.
If neither –f nor –M is specified, the user is placed into the interactive interface to interactively specify input for the new manifest (some values are pre-filled with sensible defaults), which is then saved to the install service. The –m option is required to name the new manifest.
[options] can be one or more of the following:
Specifies the AI instance name of the manifest or derived manifests script. Sets the name attribute of the ai_instance element of the manifest to manifest. The manifest or script is referred to as manifest in subsequent installadm commands and installadm list output.
Specifies criteria to be associated with the added manifest or script. See the "Criteria" section below. The –c option can be specified multiple times.
Specifies the path name of a criteria XML file containing criteria to be associated with the added manifest or script.
Specifies that this manifest or script is the new default manifest or script for the service.
installadm update-manifest –n|–service <svcname> –m|–manifest <manifest>
installadm update-manifest –n|–service <svcname> –f|–file <filename> [–m|–manifest <manifest>] [–e|–edit]
Places the user into either the interactive interface or an editor, to edit the manifest specified by <manifest name>. If the manifest is not a script, the user is placed into the interactive interface. The interface presents the content of <manifest> as a set of non-XML objects and properties that can be manipulated using subcommands entered at the interactive interface prompt, allowing the user to edit the manifest. If the manifest is a script, then the user is placed into the editor specified by the environment variable, VISUAL. If VISUAL is not defined, EDITOR is used instead. If neither are defined, then the default editor vi(1) is used.
If –f <manifest file> is specified, then the current manifest is totally replaced by the contents of <manifest file>. Additionally specifying the –e option places the user into an editor or interactive interface as above to allow the user to edit the manifest before saving it to the install service.
See the "MANIFEST EDITOR CLI" section below for more information about the interactive interface.
Any criteria or default status remain with the manifest or script following the update.
The name of the manifest is determined in the following order:
The manifest specified by the –m option, if present.
The value of the ai_instance name attribute, if present in the changed manifest and if it matches the ai_instance name value of an existing manifest.
The base name of the filename, if it matches the ai_instance name attribute value in an existing manifest, or the name given by installadm list if it matches the name of an existing script.
The required arguments are:
Specifies the name of the install service of the manifest or script being updated.
The following arguments may also be specified:
Specifies the path name of the replacement manifest or derived manifest script.
Specifies the name of the manifest to edit or the AI instance name of the replacement manifest or script. Required if –f <filename> not specified.
In conjunction with –f <filename>, allows the user to edit the manifest before saving it to the install service. If the content of the copied file is not a script, the user is placed into the interactive interface. If the content is a script, then the user is placed into the editor specified by the environment variable, VISUAL. If VISUAL is not defined, EDITOR is used instead. If neither are defined, then the default editor vi(1) is used.
installadm delete-manifest –n|–service <svcname> –m|–manifest manifest
Deletes a manifest or derived manifest script that was published with a specific install service. A default manifest or script cannot be deleted.
The required arguments are:
Specifies the name of the install service of the manifest or script being deleted.
Specifies the AI instance name of a manifest or derived manifest script as output by installadm list with the –n option.
installadm create-profile [options] –n|–service <svcname> –f|–file filename...
Creates profiles for a specific install service. Criteria can optionally be associated with a profile by either entering them on the command line (–c) or in a criteria XML file (–C). Profiles created without criteria are associated with all clients of the service.
The name of the profile is determined in the following order:
The profile specified by the –p option, if present.
The base name of the filename.
Profile names must be unique for an AI service. If multiple –f options are used to create more than one profile with the same criteria, then the –p option is invalid and the names of the profiles are derived from their file names.
The required arguments are:
Required: Specifies the name of the install service of the profile being created.
Required: Specifies the path name of the file with which to add the profile. Multiple profiles can be specified.
[options] may be one or more of the following:
Optional: Specifies the name of the profile being created. Valid only for single profile creation.
Optional: Specifies criteria to be associated with the profiles. See the "Criteria" section below. Multiple –c options can be specified.
Optional: Specifies the path name of a criteria XML file containing criteria to be associated with the specified profiles.
Optional: Specifies a comma separated list of environments where the profile should be applied. Specifying install indicates that the profile should be applied to the installation environment. Specifying system indicates that the profile should be applied to the installed system environment. Specifying all is a convenience to denote that the profile should be applied to both environments. By default, profiles are created with only the system value.
installadm set-profile [options] –n|–service <svcname> –p|–profile <profile name>
Modifies the settings on a profile for a specific install service. A profile can be designated to be applied to the installation environment or the installed system environment using the –e option. A profile can also be renamed by using the –P option.
The required arguments are:
Required: Specifies the name of the install service of the profile being modified.
Required: Specifies the name of the profile to modify.
[options] may be one or more of the following:
Optional: Renames profile to specified name.
Optional: Specifies a comma separated list of environments where the profile should be applied. Specifying install indicates that the profile should be applied to the installation environment. Specifying system indicates that the profile should be applied to the installed system environment. Specifying all is a convenience to denote that the profile should be applied to both environments.
installadm update-profile –n|–service <svcname> –f|–file filename [–p|–profile profile]
Updates the specified profile from the <svcname> install service. Replaces the specified profile with the contents of filename. Any criteria remain with the profile following the update.
The profile to be updated is determined in the following order:
The profile specified by the –p option, if present.
The base name of the filename.
Required: Specifies the name of the install service of the profile being updated.
Required: Specifies the path name of the file to use to update the profile.
Optional: Specifies the name of the profile being updated. Use this option if the name of the profile to update is different from the base name of the filename.
installadm delete-profile –n|–service <svcname> –p|–profile profile ...
Deletes the profile profile from the <svcname> install service.
The required arguments are:
Specifies the name of the install service of the profile being deleted.
Specifies the name of the profile to delete. Multiple –p options can be specified.
The export command has several possible valid combinations of options. The first element [selector] selects the object that is the source of the item to be output:
Specify the server object to be used as the source of security keys or certificates.
Specify a specific service to be used as the source of manifests, profiles, GRUB menu, or security keys or certificates.
Specify that the server's default client security is to be used as the source of security keys or certificates.
Specify a client, by its MAC Address, to be used as the source of security keys or certificates.
The next element [items] specifies the item, or items to be output:
Specify a manifest or derived manifest name to export from the specified service. Multiple –m options may be specified.
Specify a profile name to export from the specified service. Multiple –p options may be specified.
Outputs the GRUB2 menu (grub.cfg) file that is currently in use for the service or client.
This can be used only with the –n or –e options.
Outputs the PEM-encoded X.509 certificate for the server, service or client specified.
This can be used with any of the selection options –n, –e, –s or –c.
Outputs the PEM-encoded X.509 private key for the server, service or client specified.
This can be used with any of the selection options –n, –e, –s or –c.
Outputs the PEM-encoded X.509 Certificate Authority (CA) certificate with the specified <hash> value.
This option can be repeated to export multiple CA Certificates, and also can be used with any of the selection options –n, –e, –s or –c.
Validates specified profiles or manifests. The validate subcommand can be used to either validate profiles in the database (–p) or to validate profiles (–P) or manifests (–M) while they are being developed before their entry into the database.
The required arguments are:
Specifies the service with which the profiles or manifests are associated and to be validated against.
Where [options] is one or more of the following:
Specifies an external manifest file to validate against the provided service.
Specifies the name of an existing manifest to validate against the provided service.
Specifies an external profile file to validate against the provided service.
Specifies the name of an existing profile to validate against the provided service.
installadm set-criteria [options] –n <svcname> [–m <manifest>] [–p <profile>]...
Updates the criteria of already published manifests, derived manifest scripts, or profiles. Criteria can be specified on the command line or in a criteria XML file.
Valid criteria are described under the create-manifest subcommand.
The required arguments are:
Specifies the service with which the profiles or manifests are associated.
And one or more of:
Specifies the AI instance name of a manifest or derived manifest script.
Only one manifest may be specified since it is not possible to have multiple manifests with the same criteria assigned.
Specifies the name of a profile.
Then [options] is one of the following variations:
Specifies criteria to replace all existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values.
It is possible to specify multiple –c options.
Specifies the path name of a criteria XML file containing criteria to replace all existing criteria for the manifest, script, or profile.
Specifies criteria to be appended to the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values. If the criteria specified already exists, the value|list|range of that criteria is replaced by the specified value|list|range.
It is possible to specify multiple –a options.
Specifies criteria to be removed from the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values.
It is possible to specify multiple –d options.
installadm create-client [options] –e|–macaddr <macaddr> –n|–service <svcname>
Accomplishes optional setup tasks for a specified client, in order to provide custom client settings that vary from the default settings used by the create-service subcommand. Enables the user to specify a non-default service name and boot arguments or GRUB2 menu for a client.
An existing client may be modified using the installadm set-client subcommand.
If the following conditions exist, the client is configured in the ISC DHCP configuration:
The client is an x86 system.
A local ISC DHCP configuration exists.
The all_services/manage_dhcp property value is true.
The required arguments are:
Specifies the install service for client installation.
Specifies a MAC address for the client.
For x86 clients only, [options] may be either one of the following:
Sets a property value in the client-specific boot configuration file. Use this option to set boot properties that are specific to this client. This option can accept multiple property=value pairs, or be repeated several times.
Specify a custom GRUB2 menu (grub.cfg) file to use when booting the client.
installadm set-client –e <macaddr> [–n <svcname>] [–b [none|<property>=<value>,... ]] [–G [none|<grub.cfg>]] [–g] [–x [–y] [–hash <ca-hash>]] [–A <ca-certfile>]... [–C <certfile> –K <keyfile>] [–E] [–H] [–f|–hmac-type <hmac-type>]
The required arguments are:
Specifies a MAC address for the client.
The following arguments may also be specified:
Will move the client to this service if different from the existing service it is associated with.
Generates a new set of CA Cert, Client Cert and Key, including an encryption key and hash if they are not already in place.
Deletes the client's security information. This can be further modified using the following options:
Specifies that no prompting for confirmations should be done.
Limits command to deleting only any CA Cert that matches that value.
Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.
–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.
–K assigns a user-provided PEM-encoded X.509 private key located at path <keyfile>. The <keyfile> must have any passphrase removed.
The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.
If you also specify –A options then this certificate and key will be validated against those CA Certificates.
Regenerates a firmware security encryption key. Invalidates any existing key.
Firmware keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before firmware keys exist is an error. You can specify both firmware key options, or you can specify either –E or –H option. The firmware keys that already exist are invalidated and replaced with the newly generated values.
Regenerates a security hashing firmware key (HMAC). Invalidates any existing key.
Assigns <hmac-type> as the active signature type for the client.
If –g is specified in combination with –F|–hmac-type, credentials with HMAC signature type <hmac-type> will be generated and the active signature type will not be changed. If –H is specified in combination with –f|–hmac-type, a firmware key of HMAC signature type <hmac-type> will be generated, and the active signature type will not be changed.
The <hmac-type> is a valid and supported HMAC signature type and can be either hmac-sha1 or hmac-sha256 for SPARC clients and services and only hmac-sha256 for x86 clients and services. <hmac-type> is case-insensitive.
For x86 clients only, [options] may be either one of the following:
For x86 clients only, sets the boot arguments for the GRUB menu, or removes them if 'none' is specified, restoring the service GRUB configuration.
This option will fail if there is a custom GRUB2 menu already in place for this client.
For x86 clients only, assigns a new GRUB2 menu file, or removes one if 'none' is specified.
Adding a new GRUB2 menu will replace any existing boot-args specified for this client.
Deletes an existing client's specific service information that was previously set up using the create-client subcommand. Also deletes all security credentials for that client.
If the following conditions exist, the client is unconfigured in the ISC DHCP configuration:
The client is an x86 system.
A local ISC DHCP configuration exists.
The all_services/manage_dhcp property value is true.
The required arguments are:
Specifies the MAC address of the client to delete.
Modifies the server configuration.
Note the following specifications:
If –i and –c options are used, and a DHCP server is not yet configured, an ISC DHCP server is configured.
If an ISC DHCP server is already configured, that DHCP server is updated.
Even when –i and –c arguments are provided and DHCP is configured, no binding exists between the install service being created and the IP range. When –i and –c are passed and the value of all_services/manage_dhcp is true, the IP range is set up, a new DHCP server is created if needed, and that DHCP server remains up and running for all install services and all clients to use. The network information provided to the DHCP server has no specific bearing on the service being created.
If the IP range requested is not on a subnet that the install server has direct connectivity to and the install server is multihomed, the –B option is used to provide the address of the bootfile server (usually an IP address on this system). This should only be necessary when multiple IP addresses are configured on the install server and DHCP relays are employed. In all other configurations, the software can determine this automatically.
Where [options] is at least one of:
Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555.
If you want to use a different port number from the default, customize the port property before you create any install services.
Specifies the port that hosts the secure AI install services web server. By default, the web server is hosted on port 5556.
Specifies the default location for images created by the installadm create-service command. Images are located at <directory>/service_name. The default value of this property is /export/auto_install.
Enables the AI Manifest Wizard Web UI, and is mutually exclusive with the –U option.
Disables the AI Manifest Wizard Web UI, and is mutually exclusive with the –U option.
Enables the AI Manifest Wizard to write generated manifests to a temporary location on the AI server for ease of addition to a service through installadm. Mutually exclusive with the –Z option.
Disables the AI Manifest Wizard writing generated manifests to a temporary location on the AI server for ease of addition to a service through installadm. Mutually exclusive with the –z option.
Takes a comma-separated list of networks in CIDR format (for example, 192.168.56.0/24) to allow.
Use this list of networks to specify which clients this install server serves. Using this option will replace any networks already configured using –l or –L options.
Using this option will set the AI install server SMF all_services/networks and all_services/exclude_networks values. Specifically, this sets the all_services/exclude_networks property to false.
By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'all' value here.
Tells the server to exclude these networks when deciding what to serve out on, mutually exclusive with the –l option. Using this option will replace any networks already configured using –l or –L options.
Takes a comma-separated list of networks in CIDR format (for example, 192.168.56.0/24) to disallow.
Using this option will set the AI install server SMF all_services/networks and all_services/exclude_networks values. Specifically, this sets the all_services/exclude_networks property to true.
By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'none' value here.
Configures the AI server property to manage the DHCP configuration locally. If set, the AI server will automatically update the local ISC DHCP configuration when client and service configurations are modified in the install server.
If there is no existing ISC DHCP configuration, then the –i and –c options must also be specified to define the address range to manage.
Mutually exclusive with the –M option.
Configures the AI server property to not manage the DHCP configuration locally, so the AI server will not automatically maintain the ISC DHCP configuration when client or service configurations are modified.
Mutually exclusive with the –m option.
Changes the DHCP configuration if managing DHCP. The –i and –c options must be specified together.
If not already managing DHCP, it will be necessary to also specify the –m option to enable it.
These options are used to specify the starting IP address in a range to be added to the local DHCP configuration.
The number of IP addresses is provided by the –c option. If a local ISC DHCP configuration does not exist, and –m is also specified, an ISC DHCP server is started.
If a local ISC DHCP configuration already exists, these addresses will be added to the existing set of managed addresses, provided there is no overlap.
Used to provide the IP address of the boot server from which clients should request bootfiles. Only required if this IP address cannot be determined by other means.
Turns on or off the sending of telemetry data to the AI server from the AI client. The sstored(8) service, svc:/system/sstore, must be enabled for telemetry to be sent.
Sets how often the telemetry data should be sent to the AI server from the AI client. If the frequency is a non-zero number, then the data will be sent every number_of_seconds. If the frequency is 0, then the data will be sent immediately as it is available. The default is 120 seconds.
Sets what files are sent back to the AI server from the AI client when the installation completes successfully. A value of none will effectively turn off the sending of files from the AI client to the AI server. A value of install_log will send the install_log file. A value of all_logs will send the install_log file as well as the relevant SMF service log files. A value of all_files will send those listed in all_logs as well as the install service files used to install the system such as manifest and profile files. A value of <file> will send the fully qualified file back to the AI server. Shell-style wildcards (*, ? and []) are allowed in the file path. This option can be specified multiple times. The default is install_log.
Appends to the list of files that are sent back to the AI server from the AI client when the installation completes successfully. A value of install_log will append the install_log file to the list of files to send to the AI server upon a successful installation. A value of all_logs will append the install_log file as well as the relevant SMF service log files to the list of files to send to the AI server upon a successful installation. A value of all_files will append those files listed in all_logs as well as the install service files used to install the system such as manifest and profile files to the list of files to send to the AI server upon a successful installation. A value of <file> will append the file to the list of files to send to the AI server upon a successful installation. The file must be a fully qualified file and shell-style wildcards (*, ? and []) are allowed. This option can be specified multiple times.
Removes from the list of files that are sent back to the AI server from the AI client when the installation completes successfully. A value of install_log will remove the install_log file from the list of files to send to the AI server upon a successful installation. A value of all_logs will remove the install_log file as well as the relevant SMF service log files from the list of files to send to the AI server upon a successful installation. A value of all_files will remove those files listed in all_logs as well as the install service files used to install the system such as manifest and profile files from the list of files to send to the AI server upon a successful installation. A value of <file> will remove the file from the list of files to send to the AI server upon a successful installation. The file must be a fully qualified file and shell-style wildcards (*, ? and []) are allowed. This option can be specified multiple times.
Sets what files are sent back to the AI server from the AI client when the installation fails. A value of none will effectively turn off the sending of files from the AI client to the AI server. A value of install_log will send the install_log file. A value of all_logs will send the install_log file as well as the relevant SMF service log files. A value of all_files will send those listed in all_logs as well as the install service files used to install the system such as manifest and profile files. A value of <file> will send the fully qualified file back to the AI server. Shell-style wildcards (*, ? and []) are allowed in the file path. This option can be specified multiple times. The default is install_log.
Adds to the list of files that are sent back to the AI server from the AI client when the installation completes successfully. A value of install_log will add the install_log file to the list of files to send to the AI server upon a failed installation. A value of all_logs will add the install_log file as well as the relevant SMF service log files to the list of files to send to the AI server upon a failed installation. A value of all_files will add those files listed in all_logs as well as the install service files used to install the system such as manifest and profile files to the list of files to send to the AI server upon a failed installation. A value of <file> will add the file to the list of files to send to the AI server upon a successful installation. The file must be a fully qualified file with shell-style wildcards (*, ? and []). This option can be specified multiple times.
Removes from the list of files that are sent back to the AI server from the AI client when the installation completes successfully. A value of install_log will remove the install_log file from the list of files to send to the AI server upon a failed installation. A value of all_logs will remove the install_log file as well as the relevant SMF service log files from the list of files to send to the AI server upon a failed installation. A value of all_files will remove those files listed in all_logs as well as the install service files used to install the system such as manifest and profile files from the list of files to send to the AI server upon a failed installation. A value of <file> will remove the file from the list of files to send to the AI server upon a successful installation. The file must be a fully qualified file with shell-style wildcards (*, ? and []). This option can be specified multiple times.
Sets the number of (d)ays, (m)onths or (y)ears that telemetry statistical data will be retained on the AI server (default is years). To turn off the removal of telemetry statistical data a value of 0 may be used. The default is to retain telemetry statistics for 2 years.
Sets the number of (d)ays, (m)onths or (y)ears that telemetry success and failure files will be retained on the AI server (default is days). To turn off the removal of telemetry success and failure files a value of 0 may be used. The default is to retain telemetry files for 7 days.
Mutually exclusive with the –S option.
Re-enables security enforcement server-wide after security was disabled by using the –disable-security option.
Mutually exclusive with the –s option.
Disables security enforcement server-wide. While security is disabled, no credentials will be issued to clients, and no credentials will be required from clients. While security is disabled, no HTTPS network protection is provided for any of the AI files served to an AI client. User-specified secure files served by the AI web server are not accessible while security is disabled.
While security is disabled, you can continue to configure security. Any changes are effective when security is re-enabled.
Use caution when disabling security for systems that already have install services configured: The secured AI service data will not require authentication to access, and non-authenticated clients will be able to install Oracle Solaris through AI.
Limits the [sec_options] to modifying the default client security only as opposed to the server's security settings.
The [sec_options] can be any of the following. By default they are applied to the server, unless the –D|–default-client-security option is specified:
Delete any configured security. If –hash is specified, only CA Certificates with that hash will be removed.
Without –r, deletes the CA certificate previously assigned to the install server (or the default client with –D specified).
With –r, deletes the specified CA certificate for the server and any clients that use that CA certificate.
Deletes the CA certificate previously assigned to the install server, the specified client, or default clients.
The value of <ca-hash> is the hash value of the certificate's X.509 subject. Use the list -v subcommand to display the CA certificate hash.
When the CA certificate is deleted for a client, that client can no longer be authenticated. If you use the specified CA certificate to generate certificates, the installadm command will not be able to generate certificates.
Automatically generates and assigns all X.509 security credentials and generates firmware keys. The CA certificate and firmware keys are generated only if they do not already exist.
Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <ca-certfile>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple –A options.
–C assigns a user-provided PEM-encoded X.509 certificate located at path <certfile>.
–K assigns a user-provided PEM-encoded X.509 private key located at path <keyfile>. The <keyfile> must have any passphrase removed.
The –C option must be used with the –K option. If you specify just the –C and –K options, the associated CA certificate must have been previously assigned.
If you also specify –A options then this certificate and key will be validated against those CA Certificates.
Regenerates a security encryption firmware key. Invalidates any existing key.
Firmware keys are automatically generated if they do not already exist when you use the –g, –C, –K, or –A options. Once these keys are generated, you can use the –E and –H options to replace the existing keys. Specifying the –E or –H option before firmware keys exist is an error. You can specify both firmware key options, or you can specify either –E or –H option. The firmware keys that already exist are invalidated and replaced with the newly generated values.
Regenerates a firmware security hashing key (HMAC). Invalidates any existing key.
Designates an HMAC signature type to be set as the server-wide policy. The policy will be applied to any new AI clients and services as well as existing AI clients and services for which new credentials are assigned.
Assigns <hmac-type> as the active signature type for the server and default client and generates an HMAC key of that type if it does not exist.
If –g is specified in combination with –F|–hmac-type, credentials with HMAC signature type <hmac-type> will be generated and the active signature type will not be changed. If –H is specified in combination with –f|–hmac-type, a firmware key of HMAC signature type <hmac-type> will be generated, and the active signature type will not be changed.
The <hmac-type> is a valid and supported HMAC signature type and can be either hmac-sha1 or hmac-sha256 for SPARC clients and services and only hmac-sha256 for x86 clients and services. <hmac-type> is case-insensitive.
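The requirements stated for user-provided credentials under set-client and set-server (a passphrase-free <keyfile>, a <certfile> that belongs to that key, and a certificate that validates against the CA certificates given with -A) can be checked with openssl before the files are handed to installadm. This is an added example, not part of installadm or its documentation; the function name check_ai_credentials is hypothetical.

```shell
#!/bin/sh
# Pre-flight check for PEM files intended for installadm -C/-K/-A.
# usage: check_ai_credentials CERTFILE KEYFILE [CA_CERTFILE...]
# Prints one line per failed check and returns 0 only if every check passes.
check_ai_credentials() {
    [ "$#" -ge 2 ] || { echo "usage: check_ai_credentials CERT KEY [CA...]" >&2; return 2; }
    cert=$1
    key=$2
    shift 2
    rc=0

    # -K: the <keyfile> must have any passphrase removed. Encrypted PEM keys
    # carry "ENCRYPTED" in the BEGIN line (PKCS#8) or in a Proc-Type header.
    if grep -q 'ENCRYPTED' "$key" 2>/dev/null; then
        echo "FAIL: private key is passphrase-protected: $key"
        rc=1
    # "-passin pass:" keeps openssl from prompting on a terminal.
    elif ! key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null); then
        echo "FAIL: not a readable PEM private key: $key"
        rc=1
    elif ! cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null); then
        echo "FAIL: not a readable PEM X.509 certificate: $cert"
        rc=1
    # -C must be used with -K: both must carry the same public key.
    elif [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: certificate and private key do not belong together"
        rc=1
    fi

    # -A: if CA certificates are supplied, the certificate must chain to them.
    # Without -A the CA must already be assigned, which cannot be checked here.
    if [ "$#" -gt 0 ]; then
        bundle=$(mktemp) || return 2
        cat "$@" > "$bundle"
        # Match the ": OK" line rather than trusting the exit status alone.
        if ! openssl verify -CAfile "$bundle" "$cert" 2>/dev/null | grep -q ': OK$'; then
            echo "FAIL: certificate does not validate against the supplied CA certificate(s)"
            rc=1
        fi
        rm -f "$bundle"
    fi
    return "$rc"
}
```

Pass every file of a multi-certificate CA chain as a separate trailing argument, in the same way the chain would be given with repeated -A options.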
Executes a list of subcommands from <file> in sequence as a batch job.
Has the added benefit of leaving refresh/restart of SMF services until the completion of the batch run.
The required arguments are:
The file containing a list of subcommands to be executed, one line per subcommand.
Blank lines, and those starting with a '#' are ignored.
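A batch file runs its subcommands in sequence, so it is worth reviewing for lines that change security state before it is executed. The following added example (not part of installadm; the function name audit_installadm_batch is hypothetical) applies the same skip rules for blank and '#' lines and flags three cases taken from this page: set-server with -S, export with -K, and set-service or set-client with -x. It assumes that each option is written as its own word and that a '#' preceded only by whitespace also starts a comment.

```shell
#!/bin/sh
# Review an installadm batch file before running it.
# usage: audit_installadm_batch FILE
# Prints "line N: reason: text" for each flagged line; returns 1 if any line
# was flagged, 0 otherwise.
audit_installadm_batch() {
    awk '
    # Blank lines and comment lines are ignored by the batch run.
    /^[ \t]*$/ || /^[ \t]*#/ { next }
    {
        cmd = $1
        why = ""
        for (i = 2; i <= NF; i++) {
            if (cmd == "set-server" && ($i == "-S" || $i == "--disable-security"))
                why = "disables security enforcement server-wide"
            else if (cmd == "export" && $i == "-K")
                why = "exports a PEM-encoded private key"
            else if ((cmd == "set-service" || cmd == "set-client") && $i == "-x")
                why = "deletes configured security credentials"
        }
        if (why != "") {
            printf "line %d: %s: %s\n", NR, why, $0
            found = 1
        }
    }
    END { exit found + 0 }
    ' "$1"
}
```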
The interactive mode provides an installadm prompt at which it is possible to enter subcommands one after the other. The main benefits of interactive mode are:
To input several commands using just the subcommand form, especially useful if using sudo or pfexec to run installadm with additional privileges or authorisations.
Tab-completion of the subcommands.
In interactive mode, there are several other commands available to use that are not used by the one-command usage:
If specified, will execute the <command> in a sub-shell based on the value of the environment variable SHELL.
Without any parameters will start a sub-shell to be used interactively.
There is also a short-form of this command '!' that can be used as "!ls" to execute the ls command.
Quits the interactive prompt.
Manifests, derived manifest scripts, and profiles can be used to configure AI clients differently according to certain characteristics, or criteria. Only one manifest or script can be associated with a particular client. Any number of profiles can be associated with a particular client.
The criteria values are determined by the AI client during startup.
See the “Examples” section to see how to specify criteria on the command line. For information about criteria keywords for different AI clients, see Defining Criteria for Manifests and Profiles in Customizing Automated Installations With Manifests and Profiles.
The ipv4, mac, mem, and network specifications can be expressed as ranged values separated by a hyphen (-). To specify no limit to one end of a range, use unbounded. Precedence is given to specific value matches versus range matches when determining a matching manifest.
The arch, cpu, hostname, platform, and zonename specifications can be expressed as a quoted list of values separated by white space.
The following properties of the svc:/system/install/server:default SMF service are used to configure the install server.
Most of these can be configured with the set-server subcommand, which is the preferred mechanism for updating them.
A list of networks in CIDR format (for example, 192.168.56.0/24) to allow or disallow, depending on how the all_services/exclude_networks property is set.
Use this list of networks to specify which clients this install server serves. By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed.
A boolean value. If true, exclude networks specified by the all_services/networks property from being served by this install server. If false, include the networks specified by the all_services/networks property.
Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555.
If you want to use a different port number from the default, customize the port property before you create any install services.
Specifies the port that hosts the secure AI install services web server. By default, the web server is hosted on port 5556.
Specifies a directory on the local system that the AI web server will serve using its standard port (defined by the all_services/port property). This directory will be accessible at the following location:
http://server:port/files
Specifies a directory on the local system that the AI web server will serve using its secure port (defined by the all_services/secure_port property). This directory will be accessible at the following location:
https://server:secure_port/secure_files
Only authenticated clients can access this directory. For greatest security, files in the webserver_secure_files_dir directory should be owned by user webservd and group webservd and have no world access.
Specifies the default location for images created by the installadm create-service command. Images are located at all_services/default_imagepath_basedir/service_name. The default value of this property is /export/auto_install.
A boolean value. If true, the local ISC DHCP configuration is updated automatically when client and service configurations are modified in the install server. If false, the ISC DHCP configuration is not maintained automatically.
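One way to check the ownership and world-access guidance given above for the webserver_secure_files_dir directory. This is an added example, not part of the original manual page; the function name audit_secure_dir and the path in the usage comment are hypothetical, and webservd is the default owner and group because the page names it.

```shell
#!/bin/sh
# audit_secure_dir DIR [OWNER] [GROUP]
#
# Walks DIR and reports every entry that is not owned by OWNER:GROUP
# (default webservd:webservd, as recommended on this page) or that has
# any read, write or execute bit set for "other".
#
# Return status: 0 = nothing to report, 1 = findings printed,
#                2 = the audit itself could not run (fail closed).
#
# Usage (hypothetical path): audit_secure_dir /export/ai_secure_files
audit_secure_dir() {
    dir=$1
    owner=${2:-webservd}
    group=${3:-webservd}

    if [ ! -d "$dir" ]; then
        echo "audit_secure_dir: not a directory: $dir" >&2
        return 2
    fi

    # find exits non-zero on an unknown user or group name or an unreadable
    # subdirectory; treat that as an audit failure rather than a clean result.
    # Symbolic links are skipped: their own mode bits are not enforced.
    bad_owner=$(find "$dir" ! -type l \
        \( ! -user "$owner" -o ! -group "$group" \) -print) || return 2
    world=$(find "$dir" ! -type l \
        \( -perm -001 -o -perm -002 -o -perm -004 \) -print) || return 2

    rc=0
    if [ -n "$bad_owner" ]; then
        printf '%s\n' "$bad_owner" | sed 's/^/ownership: /'
        rc=1
    fi
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/world-access: /'
        rc=1
    fi
    return $rc
}
```

A non-zero status makes the function usable as a gate in a provisioning script before files are published on the secure port.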
The manifest editor CLI is an interactive interface that presents the AI manifest content as a set of objects and properties that can be manipulated using subcommands entered at the interactive interface prompt. It allows you to interactively edit a manifest during create-manifest or update-manifest without having to view or understand an XML document.
The interface provides a visual representation of the objects and properties in the manifest. Objects can contain properties that can be set, deleted, or added, as well as sub-objects (themselves objects) that can be traversed, added, deleted, or moved.
The following subcommands are available within the interface:
set, add, delete, and move
select, cancel, and end
help, info, walk, commit, exit, validate, and shell
Without any parameters, provides a list of available subcommands. If a subcommand is specified, help is provided for that specific subcommand.
By default, displays all properties and objects up to one level down. For objects more than one level down, a summary line is displayed, followed by '...'. Use the –v option to show details of objects more than one level down. When multiples of a given object exist, the order is designated by <object>[<position#>], for example, disk[3].
Selects an object and navigates to that level. The object may be further specified by position# or by the value of a property.
Discards any changes made on the current level and navigates up one level.
Validates changes made on the current level and, if no validation errors occur, navigates up one level. At top level, same as 'exit'.
Sets the value of an object's <property> to <value>.
Adds an object or a property. If –w is specified for an object, the object is added and a 'walk' is started. Without –w, the new object's 'info' is automatically displayed, showing the properties/default values of the added object.
Deletes an object or property. The property may be specified by value and the object may be specified by position# or by the value of a property.
Moves object to a different position. Valid objects to move are designated in 'info' output by '[<position#>]'.
Prompts for every settable property associated with the current object. For each property, displays the name and current value and allows a new value to be entered. Recursively walks down sub objects and allows addition of new subobjects. Can be interrupted with Ctrl-D.
Validates settings at the current level. This is an optional subcommand. The subcommands, 'end' and 'exit', validate implicitly.
Validates changes, saves manifest, and continues editing. Valid at top level only. Following a successful commit, a new baseline is established and cancel can no longer revert any changes made earlier.
Prompts whether to save manifest and exit (changes are validated), exit without saving uncommitted changes, or continue editing.
Executes the <solaris command> in a sub-shell based on the value of the environment variable SHELL. Without any parameters, will start a sub-shell to be used interactively. Can be used to easily execute a system command or view system information from within the interface.
# installadm create-manifest -n sol_11_3 -m mymanifest
Type help to see list of subcommands.
installadm:mymanifest> info
http-proxy: <not specified>
auto-reboot: false
create-swap: true
create-dump: true
software:
  type: IPS
  name: <not specified>
  facet[1]: facet.locale.*=false
  ... <other facets removed for brevity>
  facet[20]: facet.locale.zh_TW=true ...
  publisher: name=solaris ...
  pkg-list: action=install ...
disk: Section not specified
pool:
  action: create
  name: rpool
  is-root: true
  mountpoint: <not specified>
  pool-option: Section not specified
  dataset-option: Section not specified
  be-option: Section not specified
  vdev: Section not specified
  filesystem[1]: name=export ...
    option: Section not specified
  filesystem[2]: name=export/home ...
    option: Section not specified
  volume: Section not specified
boot-mods: Section not specified
configuration: Section not specified
installadm:mymanifest> select software
installadm:mymanifest:software> select publisher
installadm:mymanifest:software:publisher> set origin=http://myrepo.example.com/solaris
installadm:mymanifest:software:publisher> info
name: solaris
key: <not specified>
cert: <not specified>
ca-cert: <not specified>
origin: http://myrepo.example.com/solaris
mirror: <not specified>
installadm:mymanifest:software:publisher> end
installadm:mymanifest:software> end
installadm:mymanifest> exit
1. Save manifest and exit
2. Exit without saving uncommitted changes
3. Continue editing
Please select choice: 1
100% : Created Manifest: 'mymanifest'
#
Example 2 Creating a Second Manifest for the Install Service Based on a Previously Created Manifest
The following example creates a second manifest for the install service based on the manifest created in Example 1, but additionally adds a new package to the list of packages to be installed.
# installadm
installadm> create-manifest -n sol_11_3 -m newmanifest -M mymanifest -e
Type help to see list of subcommands.
installadm:newmanifest> select software
installadm:newmanifest:software> select pkg-list
installadm:newmanifest:software:pkg-list> add name=pkg:/my/new/pkg
installadm:newmanifest:software:pkg-list> exit
1. Save manifest and exit
2. Exit without saving uncommitted changes
3. Continue editing
Please select choice: 1
Created Manifest: 'newmanifest'
installadm>
Example 3 Replacing the Contents of a Manifest
The following example replaces the contents of a manifest, oldmanifest, with that of /tmp/replace.xml, and additionally changes the auto-reboot property from false to true and adds a new publisher, by using walk to set the publisher properties desired.
# installadm update-manifest -n sol_11_3 -m oldmanifest \
    -f /tmp/replace.xml -e
installadm:oldmanifest> select software
installadm:oldmanifest:software> add -w publisher
* To terminate walk, use Ctrl-D *
name [<not specified>]: newpublisher
key [<not specified>]:
cert [<not specified>]:
ca-cert [<not specified>]:
origin [<not specified>]: http://myrepo.example.com/solaris
origin [<not specified>]:
mirror [<not specified>]:
installadm:oldmanifest:software:publisher> end
installadm:oldmanifest:software> end
installadm:oldmanifest> set auto-reboot=true
installadm:oldmanifest> exit
1. Save manifest and exit
2. Exit without saving uncommitted changes
3. Continue editing
Please select choice: 1
Changed Manifest: 'oldmanifest'
#
Example 4 Updating an Existing Manifest
The following example updates an existing manifest, testmanifest, so that the disk is no longer selected by ctd name, but by size.
# installadm update-manifest -n sol_11_3 -m testmanifest
installadm:testmanifest> select disk
installadm:testmanifest:disk> info
in-zpool: rpool
in-vdev: <not specified>
name:
  name: c0t0d0
  name-type: ctd
disk-selection-props: Section not specified
keyword: Section not specified
iscsi: Section not specified
gpt-partition: Section not specified
partition: Section not specified
slice: Section not specified
installadm:testmanifest:disk> delete name
Are you sure you want to remove 'name'? [y|N]: y
Object 'name' deleted.
installadm:testmanifest:disk> add disk-selection-props
type: <not specified>
vendor: <not specified>
chassis: <not specified>
size: <not specified>
installadm:testmanifest:disk:disk-selection-props> set size=750gb
installadm:testmanifest:disk:disk-selection-props> end
installadm:testmanifest:disk> info
in-zpool: rpool
in-vdev: <not specified>
name: Section not specified
disk-selection-props:
  type: <not specified>
  vendor: <not specified>
  chassis: <not specified>
  size: 750gb
keyword: Section not specified
iscsi: Section not specified
gpt-partition: Section not specified
partition: Section not specified
slice: Section not specified
installadm:testmanifest:disk> end
installadm:testmanifest> end
1. Save manifest and exit
2. Exit without saving uncommitted changes
3. Continue editing
Please select choice: 1
100% : Changed Manifest: 'testmanifest'
Set up an install server and an x86 install service for the first time.
If you are not using the SPARC OBP's network-boot-arguments variable to configure an AI client, then a DHCP server must be configured to supply the AI service configuration. If you already have the OBP or DHCP server configured, this step may be skipped. Otherwise, installadm can set up and manage a local ISC DHCP server for AI clients to boot from. To configure this, use the set-server subcommand:
The set-server subcommand is used to set a starting IP address and total count of IP addresses, in order to configure the DHCP server.
# installadm set-server -i 172.0.0.10 -c 10
The starting IP address of 172.0.0.10 and 10 IP addresses are added to the local ISC DHCP configuration. If a local ISC DHCP configuration does not exist, an ISC DHCP server is started.
If you do not specify a source for the net image, an IPS package is used, for example:
# installadm create-service -y
On an x86 install server, this command sets up an x86 net image and install service with a default name in a directory at the image location specified by the value of the all_services/default_imagepath_basedir property. For the default value of this property, see “Install Server Configuration Properties.” The –y option confirms that the default location is acceptable. Since the architecture is not specified, the service created is of the same architecture as the install server. This command assumes that a package repository on the pkg publisher list for the install server contains the install-image/solaris-auto-install package.
The command sets up a net image and an install service using the default image path and the service name, /export/auto_install/sol-11_1-i386.
Because this is the first x86 service created, the default-i386 service is automatically created and aliased to this service. The default-i386 alias is operational, and a client booted through PXE will boot and install from the default-i386 service if not specifically configured using create-client.
Example 6 Set Up a New SPARC Install Service From a Package Repository
To specify the creation of a SPARC service on an x86 install server, use the –a option:
# installadm create-service -y -a sparc
If you do not specify a source for the net image, an IPS package is used by default.
This net image enables SPARC client installations.
Because this is the first SPARC service created, the default-sparc service is automatically created and aliased to this service. The default-sparc alias is operational, and a SPARC client will boot and install from the default-sparc service.
Example 7 Set Up an x86 Install Service From a Different Package Repository
By default, the solaris-auto-install package is obtained from the system's configured publishers.
To specify an alternative package repository for the solaris-auto-install package, use the –p option. For example, use the following command to specify the ai-image publisher located at http://example.example.com:4281 as the publisher of the solaris-auto-install package:
# installadm create-service -y \
    -p ai-image=http://example.example.com:4281
Example 8 Set Up a New x86 Install Service From an ISO File
An x86 install service can be created from an ISO image using:
# installadm create-service -n sol-11_1-i386 \
    -s /export/isos/sol-11_1-ai-x86.iso \
    -y
The AI ISO image is at /export/auto_install/sol-11_1-sparc. The command sets up a net image and an install service at /export/images/sol-11_1-i386 that is based on the AI ISO image. This net image enables client installations.
Example 9 Set Up a New SPARC Install Service From an ISO File
A SPARC install service from an ISO image can be created using the command:
# installadm create-service -n sol-11_1-sparc \
    -s /export/isos/sol-11_1-ai-sparc.iso \
    -d /export/images/sol-11_1-sparc
The AI ISO image is at /export/isos/sol-11_1-ai-sparc.iso. The command sets up a net image and an install service at /export/images/sol-11_1-sparc that is based on the AI ISO image. This net image enables client installations.
Example 10 Associate a Client With an Install Service
Use the following sample command to associate a client with a specific install service. The install service must already exist.
# installadm create-client -b "console=ttya" \
    -e 0:e0:81:5d:bf:e0 -n sol-11_1-i386
In this example, the command creates a client-specific setup for the system with MAC address 0:e0:81:5d:bf:e0. This client will use the install service previously set up, named sol-11_1-i386, and that service's associated net image. The command sets the boot property console=ttya in the client-specific boot configuration file in /etc/netboot.
Example 11 Add a New Install Service Without Modifying the Default Service
Use the following sample command to add a new service named sol-11-sparc, retaining existing services, and leaving the existing default unchanged.
# installadm create-service -n sol-11-sparc \
    -s /export/isos/sol-11-1111-ai-sparc.iso \
    -d /export/ai/sol-11-sparc
Example 12 Update the default-i386 Service
Use the following sample command to update the default-i386 alias service to be associated with the latest available image. The installadm list command shows the service before and after the command. The example assumes that an updated net image package is available from the publisher that was originally used to create the default-i386 service alias.
# installadm list
Service Name   Base Service   Status Arch Type Ali Cli Man Pro
------------   --------       ------ ---- ---- --- --- --- ---
default-i386   solaris11-i386 on     i386 pkg  0   1   1   0
solaris11-i386 -              on     i386 pkg  1   0   1   0
# installadm update-service default-i386
...
Creating new i386 service: solaris11_1-i386
Aliasing default-i386 to solaris11_1-i386
...
...
# installadm list
Service Name     Base Service     Status Arch Type Ali Cli Man Pro
------------     --------         ------ ---- ---- --- --- --- ---
default-i386     solaris11_1-i386 on     i386 pkg  0   1   1   0
solaris11-i386   -                on     i386 pkg  0   0   1   0
solaris11_1-i386 -                on     i386 pkg  1   0   1   0
Example 13 Add a New Install Service and Update the default-sparc Service
Use the following two sample commands to add a new service named my-sparc-service, retaining existing services, and making the new service the default for SPARC clients.
# installadm create-service -n solaris11_1-sparc \
    -s /export/isos/sol-11_1-ai-sparc.iso \
    -d /export/ai/solaris11_1-sparc
# installadm set-service \
    --aliasof=solaris11_1-sparc default-sparc
Example 14 Add a Custom Default AI Manifest to an Install Service
Use the following sample command to add a new manifest to the sol-11_1-i386 install service, and make it the service's default manifest. The manifest data is in my_default.xml. Future installadm commands will refer to this manifest as my_default. The –d option makes it the default manifest for the service.
# installadm create-manifest -d -f my_default.xml \
    -m my_default -n sol-11_1-i386
Example 15 Add a Derived Manifests Script to an Install Service
Use the following sample command to add a derived manifests script named my_script to an existing install service named solaris11_1-i386. Scripts are added in the same way that manifests are added.
# installadm create-manifest -f my_script.py \
    -m my_script -n solaris11_1-i386
See Automatically Installing Oracle Solaris 11.4 Systems for information about how to create derived manifest scripts.
Example 16 Replace the Default AI Manifest for an Install Service
Use the following sample command to replace the default manifest for an existing install service, sol-11_1-sparc, with a custom manifest that has already been added to the service as custom_manifest. The manifest was added to the service by specifying -m custom_manifest to the create-manifest subcommand.
# installadm set-service \
    --default-manifest=custom_manifest sol-11_1-sparc
Example 17 List Install Services
Use the following sample command to list the install services on a local server.
# installadm list
Service Name            Base Service            Status Arch  Type Ali Cli Man Pro
------------            --------                ------ ----  ---- --- --- --- ---
default-i386            solaris11_1_6_2_0-i386  on     i386  pkg  0   1   1   0
default-sparc           solaris11_1_6_2_0-sparc on     sparc pkg  0   0   1   0
solaris11_1_6_2_0-i386  -                       on     i386  pkg  1   0   1   0
solaris11_1_6_2_0-sparc -                       on     sparc pkg  1   0   1   0
Example 18 List Clients Associated With an Install Service
Use the following sample command to list the clients of a specific install service on a local server.
$ installadm list -c -n default-i386
Service Name Client Address    Arch Secure Custom Args Custom Grub
------------ --------------    ---- ------ ----------- -----------
default-i386 00:11:22:33:44:55 i386 no     yes         no
             AA:BB:CC:DD:EE:FF i386 no     no          no
Example 19 List Manifests Associated With an Install Service
Use the following sample command to list the manifests and derived manifest scripts associated with a specific install service on a local server.
$ installadm list -m -n default-sparc
Service Name  Manifest Name   Type    Status           Criteria
------------  -------------   ----    ------           --------
default-sparc mem             xml     active           mem = 4086 MB
              custom_manifest xml     default / active mem = 512 - 1024 MB
              orig_manifest   xml     inactive         none
              test_derived    derived inactive         none
This example shows the following output:
A non-default manifest with criteria (mem)
A default manifest with criteria indicating it is still active (custom_manifest)
A non-default manifest (orig_default) that is marked inactive because it has no criteria and it is not the default
A non-default derived manifest that is marked inactive because it has no criteria and it is not the default
Use the following sample command to list the system configuration profiles for all install services on a local server.
$ installadm list -p
Service Name            Profile Name     Criteria
------------            ------------     --------
solaris11_1_6_2_0-i386  sc_all-i386.xml  none
solaris11_1_6_2_0-sparc sc_all-sparc.xml none
                        sc_network.xml   ipv4 = 10.0.2.100 - 10.0.2.199
                                         network = 10.0.0.0
Example 21 Add a Custom AI Manifest With No Name to an Install Service
Use the following sample command to add the manifest in /export/my_manifest.xml to sol-11_1-i386 with a criterion of MAC address equaling aa:bb:cc:dd:ee:ff.
# installadm create-manifest \
    -f /export/my_manifest.xml -n sol-11_1-i386 \
    -c mac="aa:bb:cc:dd:ee:ff"
In this example, the manifest does not contain a name attribute, so the manifest name is taken from the file name.
$ installadm list -m -n sol-11_1-i386
Service Name  Manifest Name   Type Status  Criteria
------------  -------------   ---- ------  --------
sol-11_1-i386 my_manifest.xml xml  active  mac = AA:BB:CC:DD:EE:FF
              orig_default    xml  default none
Example 22 Add a Custom AI Manifest With a Custom Name to an Install Service
Use the following sample command to add the manifest in /export/my_manifest.xml to sol-11_1-i386 with the criterion of an IPv4 range from 10.0.2.100 to 10.0.2.199.
# installadm create-manifest \
    -f /export/my_manifest.xml \
    -n sol-11_1-i386 -m custom_name \
    -c ipv4="10.0.2.100-10.0.2.199"
In this example, the manifest name is taken from the –m option.
$ installadm list -m -n sol-11_1-i386
Service Name  Manifest Name Type Status  Criteria
------------  ------------- ---- ------  --------
sol-11_1-i386 custom_name   xml  active  ipv4 = 10.0.2.100 - 10.0.2.199
              orig_default  xml  default none
Example 23 Add a Custom AI Manifest With Name Specified In the Manifest
Use the following sample command to add the manifest in /export/manifest3.xml to sol-11_1-i386 with criteria of 2048 MB memory or greater and an architecture of i86pc.
# installadm create-manifest \
    -f /export/manifest3.xml -n sol-11_1-i386 \
    -c mem="2048-unbounded" -c arch=i86pc
In this example, the manifest name is taken from the name attribute of the ai_instance element in the manifest, as shown in the following partial manifest:
<auto_install>
    <ai_instance name="my_name" />
</auto_install>
$ installadm list -m -n sol-11_1-i386
Service Name  Manifest Name Type Status  Criteria
------------  ------------- ---- ------  --------
sol-11_1-i386 my_name       xml  active  arch = i86pc
                                         mem = 2048 - unbounded
              orig_default  xml  default none
Example 24 Add a System Configuration Profile To an Install Service
Use the following sample command to add the profile in /export/profile4.xml to sol-11_1-i386 with criteria of any of the host names myhost1, host3, or host6.
# installadm create-profile \
    -f /export/profile4.xml -n sol-11_1-i386 -p profile4 \
    -c hostname="myhost1 host3 host6"
$ installadm list -p -n sol-11_1-i386
Service Name  Profile Name Criteria
------------  ------------ --------
sol-11_1-i386 profile4     hostname = myhost1, host3, host6
Example 25 Add a System Configuration Profile For All Clients
If you do not specify criteria, then the profile is used by all clients that use the specified install service. In the following example, the created profile is used by all clients that use the sol-11_1-i386 service.
# installadm create-profile -f /export/locale.xml \
    -n sol-11_1-i386
$ installadm list -p -n sol-11_1-i386
Service Name  Profile Name Criteria
------------  ------------ --------
sol-11_1-i386 profile4     hostname = myhost1, host3, host6
              locale.xml   none
Example 26 Apply a System Configuration Profile to the Installation Environment
Use the following sample command to specify that a system configuration profile be applied to the installation environment.
# installadm set-profile -p profile4 -e install -n sol-11_1-i386
# installadm list -p -n sol-11_1-i386
Service Name  Profile Name Environment Criteria
------------  ------------ ----------- --------
sol-11_1-i386 profile4     install     hostname = myhost1, host3, host6
              locale.xml   system      none
Example 27 Add a System Configuration Profile With Variables
A profile can use variables that are replaced with custom client configuration information at client installation time. Using such variables, a profile file can be reused for any number of different systems.
This example uses one system configuration profile file to assign each install client a unique host name. The hostname.xml file contains the following line:
<propval name="nodename" value="{{AI_HOSTNAME}}"/>
At installation time, {{AI_HOSTNAME}} is replaced with the actual host name of that system. For example, when hostname.xml is used to configure the client with host name myhost1, the hostname.xml profile contains the following line:
<propval name="nodename" value="myhost1"/>
For more information about using replacement tags with profiles, see Using System Configuration Profile Templates in Customizing Automated Installations With Manifests and Profiles.
Example 28 Add Criteria To an Existing Manifest
Use the following sample command to append the criterion of 4096 MB memory or greater to the criteria of manifest2 of sol-11_1-i386.
# installadm set-criteria -m manifest2 \
    -n sol-11_1-i386 -a mem="4096-unbounded"
Example 29 Replace the Criteria for an Existing Manifest
Use the following sample command to replace the criteria of manifest2 of sol-11_1-i386 with the criteria specified in the file /tmp/criteria.xml.
# installadm set-criteria -m manifest2 \
    -n sol-11_1-i386 -C /tmp/criteria.xml
See Automatically Installing Oracle Solaris 11.4 Systems for information about the contents of the criteria XML file.
Example 30 Validate Profile Files Under Development
Use the following sample command to validate the profiles stored in the files myprofdir/myprofile.xml and yourprofdir/yourprofile.xml during their development.
# installadm validate -P myprofdir/myprofile.xml \
    -P yourprofdir/yourprofile.xml -n sol-11_1-i386
Example 31 Export Profile Contents
Use the following sample command to export the profile myprofile.xml in the service sol-11_1-i386.
# installadm export -p myprofile -n sol-11_1-i386
Example 32 Replace the Contents of an Existing AI Manifest
Use the following sample command to update the manifest in service sol-11_1-i386 that has the manifest name, or AI instance name, spec with the contents of the manifest in the file /home/admin/new_spec.xml.
# installadm update-manifest -n sol-11_1-i386 \
    -f /home/admin/new_spec.xml -m spec
Example 33 Export and Update an Existing AI Manifest
Use the following sample commands to export the data of an existing manifest named spec in service sol-11_1-i386, and then update the manifest with modified content.
# installadm export -n sol-11_1-i386 -m spec \
    -o /home/admin/spec.xml
Make changes to /home/admin/spec.xml.
$ pfexec installadm update-manifest -n sol-11_1-i386 \
    -f /home/admin/spec.xml -m spec
Example 34 Export and Update an Existing Profile
Use the following sample commands to export the data of an existing profile named prof1 in service sol-11_1-i386, and then update the profile with modified content.
# installadm export -n sol-11_1-i386 -p prof1 \
    -o /home/admin/prof1.xml
Make changes to /home/admin/prof1.xml.
# installadm update-profile -n sol-11_1-i386 \
    -f /home/admin/prof1.xml -p prof1
Example 35 Set Initial Server Authentication
The first step in configuring security is to assign server credentials. Use the following command to generate all server security credentials automatically:
# installadm set-server --generate-all-certs
Generating server credentials...
The root CA certificate has been generated.
The CA signing certificate request has been generated.
The signing CA certificate has been generated.
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
Generated client encryption (AES) firmware key: ac6b6f68019007506662b09ad662e29f
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-256) firmware key: aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
Configuring web server security.
Changed Server
Refreshing SMF service svc:/system/install/server:default
Configuring web server security.
Example 36 Set Initial Default Client Authentication
Assign default client credentials so that the identity of clients can be verified to the server. Use the following command to generate a set of default client credentials. These credentials will be used for any AI client that does not have credentials assigned by specifying the client's MAC address or by specifying the install service that client will use.
$ installadm set-server --default-client-security \
    --generate-all-certs
Generating default client credentials...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
Generated client encryption (AES) firmware key: ac6b6f68019007506662b09ad662e29f
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-256) firmware key: aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
Changed Server
Example 37 Set Client Authentication for a Specific SPARC Client
Generate and assign unique X.509 credentials and firmware keys to a SPARC client:
$ installadm set-client -e 2:0:0:0:0:0 \
    --generate-all-certs
Generating credentials for client 02:00:00:00:00:00...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
Generated client encryption (AES) firmware key: ac6b6f68019007506662b09ad662e29f
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-256) firmware key: aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
Changed Client : '02:00:00:00:00:00'
Example 38 Display the Firmware Keys for a Specific Client
Some time after the client has been configured, you need to know how to set the security keys for that client in the firmware. Use the installadm list -e <macaddr> command with the –verbose option to display the required firmware keys:
# installadm list -e 2:0:0:0:0:0 -v
Service Name Client Address    Arch  Secure Custom Args Custom Grub
------------ --------------    ----  ------ ----------- -----------
solaris11_2  02:00:00:00:00:00 sparc yes    no          no
  Client Credentials? yes
  Security Key? ...... yes
  Security Cert:
    Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=CID 01020000000000
    Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
    Valid from: May 20 10:20:00 2013 GMT to: May 18 10:20:00 2023 GMT
  CA Certificates:
    d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
    Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
    Valid from: May 20 09:50:00 2013 GMT to: May 18 09:50:00 2023 GMT
  FW Encr Key (AES) . f6c6bc503ea9ea0f7805ca7fd1d157f2
  FW HMAC-SHA1 Key (inactive) 685417240dba5ae12986e10d750ec6b1b36dc862
  FW HMAC-SHA256 Key (active) bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
  Boot Args .......... -
For SPARC clients, the displayed Key and Hash can be set by using the OBP set-security-key commands at the ILOM or ALOM system console at the ok prompt, for example:
set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd
set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b
For x86 clients, the displayed Key and Hash can be set by using the BIOS user interface. First enable WAN Boot for network boot, then enter the firmware keys in the fields indicated in the BIOS UI.
Example 39 Enforce Client Authentication for All Clients of an AI Service
The following command requires client and server authentication for all clients of the sol-11_2-sparc install service. The 'optional' security policy value is the default value.
# installadm set-service -p require-client-auth -n sol-11_2-sparc
Security policy for service sol-11_2-sparc changing from 'optional' to 'require-client-auth'.
Changed Service : 'sol-11_2-sparc'
Refreshing SMF service svc:/system/install/server:default
All clients of the sol-11_2-sparc install service must be assigned and must supply valid security X.509 client and server authentication credentials. Firmware security keys must be entered for all clients.
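Before a service is switched to require-client-auth as in Example 39, it helps to know which of its clients the client listing does not show as secure. The following is an added example, not part of the original manual page: it parses the `installadm list -c` column layout shown on this page. The function names and sample rows are constructed, and treating any Secure value other than yes as needing review is an assumption.

```shell
#!/bin/sh
# Constructed sample that follows the column layout of the
# `installadm list -c` listings on this page. A row that starts with a
# MAC address belongs to the service named on an earlier row.
sample_listing() {
    cat <<'EOF'
Service Name   Client Address    Arch  Secure Custom Args Custom Grub
------------   --------------    ----  ------ ----------- -----------
default-i386   00:11:22:33:44:55 i386  no     yes         no
               AA:BB:CC:DD:EE:FF i386  yes    no          no
sol-11_2-sparc 02:00:00:00:00:00 sparc yes    no          no
               03:00:00:00:00:00 sparc no     no          no
EOF
}

# clients_not_secure: read a client listing on stdin and print
# "service mac" for every client whose Secure column is not "yes".
#
# Usage: installadm list -c -n sol-11_2-sparc | clients_not_secure
clients_not_secure() {
    awk '
    # True when s is six colon-separated groups of one or two hex digits.
    function is_mac(s,    n, p, i) {
        n = split(s, p, ":")
        if (n != 6) return 0
        for (i = 1; i <= n; i++)
            if (p[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?$/) return 0
        return 1
    }
    {
        if (is_mac($1)) {            # continuation row: mac arch secure ...
            mac = $1; secure = $3
        } else if (is_mac($2)) {     # full row: service mac arch secure ...
            svc = $1; mac = $2; secure = $4
        } else {
            next                     # header, rule line, prompt or blank
        }
        if (secure != "yes") print svc, mac
    }'
}
```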
Example 40 Generate Default Credentials for All Clients of a Specified Install Service
The following command generates credentials that will be attributed to any client of the solaris11_2-sparc install service that does not have custom client credentials. See Example 30, “Set Client Authentication for a Specific SPARC Client,” for an example of assigning custom client credentials.
# installadm set-service -n sol-11_1-sparc \
    --generate-all-certs
Generating credentials for service sol-11_1-sparc...
A new certificate key has been generated.
A new certificate has been generated.
Generating new encryption key...
Generated client encryption (AES) firmware key: ac6b6f68019007506662b09ad662e29f
Generating new hashing key (HMAC)...
Generated client hashing (HMAC SHA-256) firmware key: aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
Changed Service : 'sol-11_1-sparc'
These credentials are also attributed to any clients that are subsequently assigned to the solaris11_2-sparc install service by using the create-client subcommand.
When you use default credentials, multiple clients are assigned identical credentials and can view each other's installation data.
Example 41 Produce a Security Summary Listing
When "installadm list" is run with sufficient authorisations, it will by default list a summary of the security of the server, service and/or client:
    # installadm list -s
    AI Server Parameter  Value
    -------------------  -----
    Hostname ........... ai-server
    Architecture ....... i386
    Active Networks .... 10.0.0.1
    Image Path Base Dir . /export/auto_install
    Managing DHCP? ..... yes
    Security Enabled? .. yes
    Server Credentials? .. yes
    Number of Services . 12
    Number of Clients .. 4
    Number of Manifests  19
    Number of Profiles . 5

    # installadm list
    Service Name            Base Service      Status Arch  Type Secure Ali Cli Man Pro
    ------------            --------          ------ ----  ---- ------ --- --- --- ---
    default-i386            solaris11_2-i386  on     i386  pkg  no     0   1   4   0
    default-sparc           solaris11_2-sparc on     sparc pkg  no     0   0   3   0
    solaris11_1_6_2_0-i386  -                 on     i386  pkg  no     1   0   2   2
    solaris11_1_6_2_0-sparc -                 on     sparc pkg  no     1   0   1   2
    solaris11_2-i386        -                 on     i386  pkg  yes    0   0   1   0
    solaris11_2-sparc       -                 on     sparc pkg  yes    0   2   2   0

    # installadm list -c
    Service Name            Client Address    Arch  Secure Custom Args Custom Grub
    ------------            --------------    ----  ------ ----------- -----------
    default-i386            00:11:22:33:44:55 i386  yes    yes         no
    solaris11_1_6_2_0-sparc AA:BB:CC:DD:EE:FF sparc yes    no          no
    solaris11_2-sparc       02:00:00:00:00:00 sparc yes    no          no
                            03:00:00:00:00:00 sparc yes    no          no
Example 42 Produce a Security Verbose Listing
When "installadm list -v" is run with sufficient authorisations, it produces verbose output of the security configuration of the server, service and/or client (some output omitted for brevity):
    # installadm list -sv
    AI Server Parameter      Value
    -------------------      -----
    ...
    Security Enabled? ...... yes
    Server Credentials? .... yes
    Security Key? .......... yes
    Security Cert:
        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
        Valid from: May 20 09:50:00 2013 GMT
                to: May 18 09:50:00 2023 GMT
    CA Certificates:
        d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                 Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                 Valid from: May 20 09:50:00 2013 GMT
                         to: May 18 09:50:00 2023 GMT
        f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                 Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                 Valid from: May 20 09:50:00 2013 GMT
                         to: May 18 09:50:00 2023 GMT
    Def Client Credentials? yes
    Def Client Sec Key? .... yes
    Def Client Sec Cert:
        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
        Valid from: May 20 09:52:00 2013 GMT
                to: May 18 09:52:00 2023 GMT
    Def Client CA Certs .... none
    Def Client FW Encr Key (AES)
        f6c6bc503ea9ea0f7805ca7fd1d157f2
    Def Client FW HMAC-SHA1 Key (inactive)
        685417240dba5ae12986e10d750ec6b1b36dc862
    Def Client FW HMAC-SHA256 Key (active)
        bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
    HMAC Policy ............ HMAC-SHA256
    ...

    # installadm list -v -n solaris11_2-sparc
    Service Name   Base Service Status Arch  Type Secure Ali Cli Man Pro
    ------------   --------     ------ ----  ---- ------ --- --- --- ---
    sol-11_2-sparc -            on     sparc iso  yes    0   2   1   0
    ...
    Supports Security? .. yes
    Security Enabled? ... yes
    Security Policy ..... require-client-auth
    Service Credentials? yes
    Security Key? ....... yes
    Security Cert:
        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=AI Service sol-11_2-sparc
        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
        Valid from: May 20 10:33:00 2013 GMT
                to: May 18 10:33:00 2023 GMT
    CA Certificates ..... none
    FW Encr Key (AES)
        f6c6bc503ea9ea0f7805ca7fd1d157f2
    FW HMAC-SHA1 Key (inactive)
        685417240dba5ae12986e10d750ec6b1b36dc862
    FW HMAC-SHA256 Key (active)
        bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
Example 43 Add a New CA Certificate for Validating Client Certificates
The following command adds a CA certificate in a file named cert.pem:
    $ installadm set-server --default-client-security --ca-cert cert.pem
    Assigning default client credentials...
    A new CA certificate has been filed.
    Changed Server
This CA certificate will be available to authenticate any client certificates that require it.
Example 44 Assign New X.509 Credentials
The following command assigns a new X.509 certificate and private key and a new CA certificate for the install server:
    $ installadm set-server -A cacert.pem -K server.key -C server.crt
    Assigning server credentials...
    The key has been replaced.
    The certificate has been replaced
    A new CA certificate has been filed.
    Configuring security for user-specified server cert
    Configuring web server security.
    Changed Server
    Refreshing SMF service svc:/system/install/server:default
Example 45 Delete a CA Certificate by Hash Value
The following command deletes the specified CA certificate for all clients that use that CA certificate. The value of the –ca-cert option argument is the hash value of the certificate's X.509 subject. Use the –y option to suppress the prompt to confirm that you want to delete the CA certificate.
    $ installadm set-server --delete-security \
        --recursive --hash d09051e4
    Identifier hash: d09051e4
    Subject: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
    Issuer: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
    Valid from May 20 11:09:00 2013 GMT to May 18 11:09:00 2023 GMT
    This CA has the following uses:
        Note: this is the server CA certificate
        Client default
        Note: this is the root CA certificate
    Deleting this Certificate Authority certificate can prevent
    credentials from validating.
    Do you want to delete this Certificate Authority certificate [y|N]: y
    Identifier hash: d09051e4
    Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
    Issuer: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
    Valid from May 20 09:50:00 2013 GMT to May 18 09:50:00 2023 GMT
    This CA has the following uses:
        Note: this is the server CA certificate
        Client default
        Note: this is the root CA certificate
    Deleting all references to Certificate Authority with hash value d09051e4
    Changed Server
Example 46 View AI Server Configuration Parameters
To see the current values for the AI server's most common parameters and a summary of some, you can use the list -s command:
    # installadm list -s
    AI Server Parameter  Value
    -------------------  -----
    Hostname ........... ai-server
    Architecture ....... i386
    Active Networks .... 10.0.0.1
    Default Image Path . /export/auto_install
    Managing DHCP? ..... yes
    Security Enabled? .. yes
    Server Credentials? .. yes
    Number of Services . 12
    Number of Clients .. 4
    Number of Manifests  19
    Number of Profiles . 5
To view more detailed information, and some of the less common parameters, use verbose mode:
    # installadm list -sv
    AI Server Parameter             Value
    -------------------             -----
    Hostname ...................... ai-server
    Architecture .................. i386
    Active Networks ............... 10.0.0.1
    Http Port ..................... 5555
    Secure Port ................... 5556
    Default Image Path ............ /export/auto_install
    Multi-Homed? .................. yes
    Managing DHCP? ................ yes
    DHCP IP Range ................. none
    Boot Server ................... -
    Web UI Enabled? ............... yes
    Wizard Saves to Server? ....... no
    Security Enabled? ............. yes
    Server Credentials? ........... yes
    Security Key? ................. yes
    Security Cert:
        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
        Valid from: May 20 11:09:00 2013 GMT
                to: May 18 11:09:00 2023 GMT
    CA Certificates:
        f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                 Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                 Valid from: May 20 11:09:00 2013 GMT
                         to: May 18 11:09:00 2023 GMT
    Def Client Credentials? ....... yes
    Def Client Sec Key? ........... yes
    Def Client Sec Cert:
        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
        Valid from: May 20 11:09:00 2013 GMT
                to: May 18 11:09:00 2023 GMT
    Def Client CA Certs ........... none
    Def Client FW Encr Key (AES)
        f6c6bc503ea9ea0f7805ca7fd1d157f2
    Def Client FW HMAC-SHA1 Key (inactive)
        685417240dba5ae12986e10d750ec6b1b36dc862
    Def Client FW HMAC-SHA256 Key (active)
        bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
    HMAC Policy ................... HMAC-SHA256
    Number of Services ............ 12
    Number of Clients ............. 4
    Number of Manifests ........... 19
    Number of Profiles ............ 5
    Telemetry Enabled? ............ yes
    Telemetry Success:
        install_log
    Telemetry Failure:
        all_logs
        /system/volatile/telemetry_archive
        /system/volatile/telemetry_config
    Telemetry Frequency ........... 5 seconds
    Telemetry Files Retention ..... 10 day(s)
    Telemetry Statistics Retention  1 year(s)
Example 47 Invoke Interactive Mode
Interactive mode is entered by just issuing the installadm command without any parameters. For example:
    # installadm
    installadm> create-service -n s11-1-i386 -a i386 -y
    ...
    installadm> create-profile -n s11-1-i386 -f initial_profile.xml
    ...
    installadm> quit
Similarly, interactive mode can be useful when wishing to invoke several commands interactively using a root role through su:
    $ su root -c /usr/sbin/installadm
    installadm> create-manifest -n s11-2-sparc -f /tmp/manifest.xml
    ...
    installadm> create-profile -n s11-2-sparc -f /tmp/static_net.xml
    ...
Example 48 Execute Several Commands In Batch
Running several commands in batch mode has the benefit of delaying the refreshing of the SMF services until all commands have completed.
To run several subcommands you must first populate the file:
    $ cat >> /tmp/batch <<_EOF
    create-service -n my_sparc -a sparc
    create-service -n my_i386 -a i386
    create-manifest -n my_sparc -f /tmp/new_default.xml -d
    create-manifest -n my_i386 -f /tmp/new_default.xml -d
    ...
    _EOF
    # installadm execute -f /tmp/batch
    ...
Example 49 Turn on Telemetry and Send Data at 5 Minute Intervals
Tuning when to send telemetry data will help in reducing network traffic between the AI client and the AI server.
The following example demonstrates how to turn on the sending of telemetry data from the AI client to the AI server at 5 minute intervals.
    # installadm set-server --telemetry-enable --telemetry-frequency 300
    Automated Installer telemetry has been enabled.
    Automated Installer telemetry is now set to send data at 300 second intervals.
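The Secure column of Example 41 and the Security Enabled?, Server Credentials? and HMAC Policy lines of Examples 42 and 46 can be checked by script. The following is an added example, not part of installadm or of this manual page; the function names and the sample table are constructed here, and the script assumes the column layout shown in those examples.

```shell
#!/bin/sh
# Added example, not part of installadm: audit saved `installadm list` output.

# Print the name of each service whose Secure column is not "yes".
# Input: `installadm list` output on stdin.
insecure_services() {
    awk '
        /^Service Name/ {
            in_table = 0
            # Only the service table has a Status column; skip the client table.
            if ($0 !~ /Status/) next
            # Header names contain spaces, so locate Secure from the right.
            for (i = 1; i <= NF; i++)
                if ($i == "Secure") { off = NF - i; in_table = 1 }
            next
        }
        /^#/ || NF == 0 { in_table = 0; next }    # next prompt or blank line
        in_table && NF > off && $1 !~ /^-+$/ && $(NF - off) != "yes" { print $1 }
    '
}

# Print one finding per weak or missing server setting.
# Input: `installadm list -sv` output on stdin.
server_findings() {
    awk '
        /^Security Enabled[?]/   { seen = 1; if ($NF != "yes") print "security-disabled" }
        /^Server Credentials[?]/ { if ($NF != "yes") print "no-server-credentials" }
        /^HMAC Policy/           { if ($NF != "HMAC-SHA256") print "hmac-policy=" $NF }
        END { if (!seen) print "security-status-missing" }
    '
}

# Constructed sample in the layout of Example 41 (not captured from a server).
sample_services() {
    cat <<'EOF'
Service Name      Base Service      Status Arch  Type Secure Ali Cli Man Pro
------------      --------          ------ ----  ---- ------ --- --- --- ---
default-sparc     solaris11_2-sparc on     sparc pkg  no     0   0   3   0
solaris11_2-i386  -                 on     i386  pkg  yes    0   0   1   0
solaris11_2-sparc -                 on     sparc pkg  yes    0   2   2   0
EOF
}

sample_services | insecure_services    # prints: default-sparc
```

On a live server the same functions take piped input, for example `installadm list | insecure_services` and `installadm list -sv | server_findings`.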
The following exit values are returned:
The command was processed successfully.
An error occurred.
Invalid command line options were specified.
A service's version is not supported by installadm.
No changes were made - nothing to do.
See attributes(7) for descriptions of the following attributes:
ai_manifest(5), service_bundle(5), dhcp(7), environ(7), smf(7), aimanifest(8), ickey(8), sysconfig(8)
Customizing Automated Installations With Manifests and Profiles