Automating Domain Installations
The JumpStart framework is used in this article to install the OS and packages required to support an application. Installing and qualifying a Solaris configuration of a domain for an application is a repetitive task, so the automation that JumpStart technology provides is very desirable; it simplifies the duplication of effort and reduces user errors.
This section describes how JumpStart technology is used for automating minimized installations and applying critical patches.
This section contains the following topics:
- Configure the JumpStart Server
- Configure Minimal Domain Install Profile
- Install Patches
Configure the JumpStart Server
The following list briefly summarizes the process of setting up a JumpStart server for installing a domain after a minimal profile is defined.
- Verify the JumpStart infrastructure.
  - Build and configure a JumpStart environment (not covered in this article; see "Related Resources" for other sources).
  - Configure the domain to use the JumpStart environment (not covered in this article).
  - Verify that the JumpStart environment has the appropriate Solaris OE versions available.
- Configure minimal domain install profiles.
- Install the most recent patch clusters on the JumpStart server.
NOTE
Installing the Solaris Security Toolkit software on the JumpStart server is the recommended practice. This allows minimized profiles to be configured with ease, allows patches to be easily installed using pre-existing finish scripts within the Solaris Security Toolkit software, and allows automated installation of packages that are not part of the Solaris OE. For more information about Solaris Security Toolkit features, refer to the Sun BluePrints book titled Securing Systems with the Solaris Security Toolkit.
Refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment for instructions on configuring the JumpStart server and verifying the software.
Configure Minimal Domain Install Profile
Minimized domains are defined by specifying a JumpStart profile in the rules file on the JumpStart server.
Profiles are located on the JumpStart server. They consist of the packages to be added and removed from a metacluster.
A metacluster is a collection of packages that suninstall (the subsystem for installing the Solaris OE) uses to specify what to install on the system. The usual metacluster installed to a domain is SUNWCXall and contains every package in the OS, but this is mostly unnecessary. The minimization process identifies the packages within metacluster SUNWCXall that are needed and separates them from those that are not.
A minimized profile is specified as a subset of the smallest metacluster available, which is currently metacluster SUNWCreq in Solaris OE versions 8 and 9. Within this metacluster are packages that are not needed. Also, some additional packages are needed that are not in SUNWCreq but are in SUNWCXall.
To delete unwanted packages, use the delete keyword in the profile for the package. To add needed packages, use the add keyword in the profile for the package.
Additional keywords are available that can be added to a profile. These are beyond the scope of this article.
A minimized profile might look like the following.
    install_type    initial_install
    cluster         SUNWCreq
    package         SUNWxwdvx       delete
    package         SUNWxwmox       delete
    package         SUNWadmfu       add
    package         SUNWadmfw       add
    [...]

Each application to be installed is likely to require additional Solaris packages. These are added to the minimal profile. The process for discovering these is covered in "Minimization Methodology".
Install Patches
Installing patches is critical to the security of any minimized system. Download the latest Solaris Recommended Patch Cluster from SunSolve and install it on the JumpStart server.
On a minimized system, only patches that contain some or all of the packages already installed on the system are applied.
The patch cluster install script uses patchadd to install patches. The return code given by patchadd can often be misleading. The patchadd command reports return code 8 when it can only partially install a patch. It also reports return code 8 when no patches are added because none of the packages are installed on the minimized system.
To see what patchadd modified, type something similar to the following.
    # patchadd -p | grep 111293-04
    Patch: 111293-04 Obsoletes: 111052-01 Requires: Incompatibles: Packages: SUNWcsl SUNWcslx SUNWcsr
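The same check carried through a whole patch list, as an added example (not code from the article or from Sun): because return code 8 covers both a partial install and a patch with no applicable packages, the script reads `patchadd -p` output and reports each patch as installed, obsoleted by a later patch, or missing. Assumptions: the sample output is constructed (only the 111293-04 line comes from the article), the patch list is a hypothetical file with one patch ID per line, and on Solaris `nawk` stands in for `awk`.

```shell
#!/bin/sh
# Added example, not from the article: classify patches after a cluster install
# on a minimized system by reading `patchadd -p` output instead of return codes.
# On Solaris, replace awk with nawk (the old /usr/bin/awk lacks -v).

# Constructed sample of `patchadd -p` output. The first line is the one shown
# in the article; the 900001-02 entry is made up for illustration.
sample_patchadd_p() {
cat <<'EOF'
Patch: 111293-04 Obsoletes: 111052-01 Requires: Incompatibles: Packages: SUNWcsl SUNWcslx SUNWcsr
Patch: 900001-02 Obsoletes: Requires: 111293-04 Incompatibles: Packages: SUNWcsu
EOF
}

# patch_state PATCH-ID   (reads `patchadd -p` output on stdin)
# Prints one of: "installed <packages>", "obsoleted-by <patch>", "missing".
patch_state() {
    awk -v want="$1" '
    $1 == "Patch:" {
        id = $2; field = ""; pkgs = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /:$/) { field = $i; continue }   # new "Label:" section
            tok = $i; sub(/,$/, "", tok)              # tolerate comma-separated lists
            if (field == "Packages:") pkgs = (pkgs == "" ? tok : pkgs " " tok)
            if (field == "Obsoletes:" && tok == want) obs = id
        }
        if (id == want) { found = 1; got = pkgs }
    }
    END {
        if (found)          print "installed " got
        else if (obs != "") print "obsoleted-by " obs
        else                print "missing"
    }'
}

# audit_cluster PATCH-LIST-FILE PATCHADD-P-FILE
# PATCH-LIST-FILE holds one patch ID per line (hypothetical file layout).
audit_cluster() {
    while read -r id; do
        [ -n "$id" ] || continue
        printf '%s %s\n' "$id" "$(patch_state "$id" < "$2")"
    done < "$1"
}

# Demo on the constructed sample: 111052-01 was superseded, not skipped.
sample_patchadd_p | patch_state 111052-01   # prints: obsoleted-by 111293-04
```

A patch reported as missing on a minimized system is expected when none of its packages are installed; the packages column of an installed patch shows which packages it actually touched.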
The patching of a system occurs by executing a finish script specified in the JumpStart install server configuration. The finish script runs the cluster patch install script, which installs the patches in the patch cluster. The patch cluster should be copied to the JumpStart server. The finish script is executed by specifying it in the rules file. This is the same file that specifies the profile to install during a JumpStart installation.
NOTE
Applying the patch cluster might install new packages if they form part of a patch. For example, when the patch cluster was installed after a JumpStart installation of the profile for X application support under Solaris 8 OE, the patching process installed the new package SUNWxcu4.