Home > Articles > Operating Systems, Server > Solaris

System Protection with SMF

  • Print
  • + Share This
All services on a Solaris 10 system are controlled by the Service Management Facility (SMF). Among the advantages of SMF, which include automatic starting of dependent services and the ability to recover easily from a service outage, is the ability to use the power of role-based access control (RBAC) in an SMF manifest. With RBAC, programs can run with the precise privileges and authorizations that the program needs, and no more. This chapter shows you how to configure four programs — NFS, IP filter, FTP, and the Apache2 Web server — as SMF services.
This chapter is from the book

This chapter is from the book

3.1 Service Management Facility (SMF)

SMF provides a more powerful administrative interface for Solaris services than the traditional UNIX run-control scripts.

Solaris services are executables such as system processes, daemons, applications, and scripts. Database software, Web server software, and site-specific scripts can be controlled by SMF. SMF provides simple, fast, and visible administration through the following features.

  • Services can be enabled, disabled, or restarted with one administrative command, svcadm.
  • Failed services are restarted automatically in dependency order. The source of the failure does not affect the automatic restart.
  • Service objects can be viewed and managed with commands such as svcs, svcadm, and svccfg.
  • Services are easy to debug. The svcs -x command provides an explanation of why a service is not running. Per-service log files also simplify debugging.
  • Services are easy to test, back up, and restore to a particular configuration because configuration states are preserved in service manifests.
  • Systems boot and shut down faster because services are started and stopped according to the dependencies between services. Services can be started in parallel.
  • Administrators can securely delegate tasks to non-root users who have permissions to administer particular services through RBAC rights profiles, roles, authorizations, or privileges.
  • SMF milestones correspond to system init states such as the multiuser run level.
  • SMF can be used on a system that is also using traditional UNIX rc scripts. While this practice is not recommended, you can use traditional scripts for some services and use SMF for others. For more information, see the smf(5), svcadm(1M), svcs(1), and svccfg(1M) man pages.

Manifests, or snapshots of each service, are in a central repository. This overall snapshot initializes the system at reboot. You can define a number of manifest collections, which are called profiles. The limited profile was discussed in Chapter 2, "Hardening Solaris Systems." The svccfg apply profile command configures your system with profile.

  • + Share This
  • 🔖 Save To Your Account