Minimizing and Automating Installations
The primary goal of this article is to create a simple, reproducible, and secure application installation methodology. A secondary goal is to automate the OS and software installation process.
The following sections provide procedures for each of the tasks:
- "Verifying OS Software"
- "Installing Solaris OE Core Cluster"
- "Installing Patches"
- "Removing Unnecessary Packages"
- "Using JumpStart Software to Configure the OS"
- "Installing and Configuring Software Packages"
- "Checking For Errors"
- "Testing Software Installation"
Verifying OS Software
Verify that the Solaris OE versions installed on the JumpStart boot server are the versions that you require. For the purposes of the testing performed for this article, we use the following Solaris OE versions:
- Solaris 2.6 OE (5/98)
- Solaris 7 OE (11/99)
- Solaris 8 OE (2/02)
- Solaris 9 OE (5/02)
Installing and Configuring a JumpStart Server
The installation and configuration of a JumpStart server is beyond the scope of this article. For information, please refer to the following:
- Sun BluePrints™ book JumpStart Technology: Effective Use in the Solaris Operating Environment (http://www.sun.com/blueprints/pubs.html)
- Sun BluePrints OnLine article Building a JumpStart Infrastructure (http://www.sun.com/blueprints/0401/BuildInf.pdf)
- FAQ available from SunSolve OnLine (http://sunsolve.sun.com)
- Solaris Advanced Installation Guide (http://docs.sun.com)
Kernel Patching the Boot Image
Depending on the Solaris OE version used on the JumpStart server and the hardware platform being installed, some kernel patching of the boot image may be required. If you encounter unexpected results during the installation, refer to SunSolve OnLine (http://sunsolve.sun.com) to determine if any patches are required.
For information on how to kernel patch the boot image, refer to the Sun BluePrints book JumpStart™ Technology: Effective Use in the Solaris™ Operating Environment.
Using Solaris Security Toolkit Scripts
The JumpStart framework and automation capabilities of the Solaris Security Toolkit software simplify Step 2 through Step 6 of the methodology as described in "Methodology Summary." You can download the scripts used to validate and test this methodology from http://www.sun.com/blueprints/tools/. The following list describes the scripts specific to the Sun ONE Web Server installation supported by Solaris OE versions 2.6 through 9.
- install-iPlanetWS.driver: Provides a framework, based on the Solaris Security Toolkit software, in which all other scripts are run.
- install-iPlanetWS.fin: Extracts and installs the Sun ONE Web Server software onto the server.
- minimize-iPlanetWS.fin: Removes unnecessary Solaris OE packages according to the Solaris OE being installed.
- minimal-iPlanetWS-Solaris9-64bit.profile: Defines which cluster and packages should be installed for a 64-bit Solaris 9 OE installation.
- minimal-iPlanetWS-Solaris8-32bit.profile: Defines which cluster and packages should be installed for a 32-bit Solaris 8 OE installation.
- minimal-iPlanetWS-Solaris8-64bit.profile: Defines which cluster and packages should be installed for a 64-bit Solaris 8 OE installation.
- minimal-iPlanetWS-Solaris7-32bit.profile: Defines which cluster and packages should be installed for a 32-bit Solaris 7 OE installation.
- minimal-iPlanetWS-Solaris7-64bit.profile: Defines which cluster and packages should be installed for a 64-bit Solaris 7 OE installation.
- minimal-iPlanetWS-Solaris26.profile: Defines which cluster and packages should be installed for a Solaris 2.6 OE installation.
Installing Solaris OE Core Cluster
The initial installation should include only the Solaris OE Core cluster and a few other packages that contain critical functionality. In JumpStart server terminology, the Core cluster is referred to as the SUNWCreq cluster. For your initial Core cluster, be advised that each OS version requires additional packages. Refer to "Minimizing the Sun ONE Web Server" for version details.
The profile, which is used by JumpStart to define which OS cluster and packages are installed, must specify both the Solaris OE install cluster and any additional packages required. Sample profiles are available in the Solaris Security Toolkit software.
Installing Patches
Before making any other changes to the system, it is critical to install on your server all recommended, security, and software vendor patches. This step is especially important when the goal is to minimize the number of installed packages, because some patches may install unwanted packages.
Sun recommends installing the Recommended and Security Patch Cluster for the Solaris OE version being installed. It contains all recommended and security patches. Access to these patch clusters does not require a service contract.
You can find the Recommended and Security Patch Cluster, the Patches Containing Security Fixes, and the Kernel Update Patches on the SunSolve OnLine Web site at: http://sunsolve.sun.com.
The kernel update patch 106541 for Solaris 7 OE is an example of why patches must be installed before you perform any minimization or security hardening. The README and pkgmap of this patch show that the following files are updated when the patch is installed:
The presence of any of these files may either enable a service that has previously been disabled (rpc, automounter, or volume manager) or overwrite a file with specific configuration information in it (syslog.conf).
Once package removal and system configuration have begun, patch installation should be done only after the README and pkgmap of a package are reviewed for possible conflicts.
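One way to run the pkgmap review described above before applying a patch, shown as an added example (not from the article or the Solaris Security Toolkit). It assumes the patch is unpacked as PATCHDIR/<pkg>/pkgmap; the function names, the watch list, and the sample pkgmap are constructed for illustration and are not the contents of patch 106541.

```shell
#!/bin/sh
# Added example: flag files in an unpacked patch that would overwrite paths
# already hardened or removed. Assumed layout: PATCHDIR/<pkg>/pkgmap.
# On Solaris, use nawk (the legacy /usr/bin/awk lacks -v).

# patch_conflicts PATCHDIR WATCHLIST
# WATCHLIST holds one path per line; "#" lines are comments.
# Prints "<pkg> <ftype> <path>" for each pkgmap entry on the watch list.
patch_conflicts() {
    for map in "$1"/*/pkgmap; do
        [ -f "$map" ] || continue
        awk -v pkg="$(basename "$(dirname "$map")")" '
            FILENAME == ARGV[1] {              # first file: the watch list
                sub(/^\//, "")
                if ($0 != "" && $0 !~ /^#/) watch[$0] = 1
                next
            }
            /^:/ { next }                      # pkgmap header line
            {
                i = ($1 ~ /^[0-9]+$/) ? 2 : 1  # optional part number first
                ftype = $i
                if (ftype == "i") next         # packaging metadata only
                path = $(i + 2)                # fields: ftype class path
                sub(/=.*/, "", path)           # links appear as path=target
                sub(/^\//, "", path)
                if (path in watch) print pkg, ftype, "/" path
            }' "$2" "$map"
    done
}

# Constructed sample (not the contents of any real patch).
make_sample() {
    mkdir -p "$1/SUNWcsr"
    cat > "$1/SUNWcsr/pkgmap" <<'EOF'
: 1 120
1 i pkginfo 300 25000 950000000
1 d none etc 0755 root sys
1 e preserve etc/syslog.conf 0644 root sys 900 60000 950000000
1 f none etc/init.d/rpc 0744 root sys 2500 10000 950000000
1 s none etc/rc2.d/S71rpc=../init.d/rpc
1 f none kernel/genunix 0755 root sys 900000 12345 950000000
EOF
    printf '%s\n' '# hardened or disabled on this host' /etc/syslog.conf \
        /etc/init.d/rpc /etc/rc2.d/S71rpc /etc/init.d/autofs > "$1/watch.list"
}
```

Any line of output is a file to check against your hardened configuration before the patch is applied; no output means the patch touches nothing on the watch list.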
Removing Unnecessary Packages
After you install and patch the Solaris OE, remove unnecessary packages. The package removal process deletes all packages not explicitly required by either the OS or the software package being installed.
In the test environment, we use headless Sun4U systems based on SPARC technology and using PCI-based I/O cards. We remove more than half of the 62 packages included in the Solaris 9 OE Core cluster. The number of packages to remove depends upon the system being used. This package removal is automated with the minimize-iPlanetWS.fin script. This script is both application and OS-specific, because each software package and OS has slightly different requirements.
For package listings of all Solaris OE versions, refer to "Minimizing the Sun ONE Web Server". Different hardware architectures, environments, and software packages may require other packages for your installations.
Additional configuration and hardening of the OS is not covered in this article. Refer to "References and Related Resources" for Sun BluePrints OnLine articles that cover these topics.
Using JumpStart Software to Configure the OS
Due to the repetitive nature of installations in this methodology, the basic network configuration steps for a server are automated. These include both required network and operating systems configurations. We use the Solaris Security Toolkit software to automate the creation of files such as /etc/defaultrouter and to configure services, thereby simplifying system configuration.
Installing and Configuring Software Packages
The final step in the methodology is to install and configure as much of the software package as possible. The level of automation implemented depends on how the software package is installed and the time available to automate the process. In the case of the Sun ONE Web Server software, which uses a curses-based installation process, the only automated task is to extract the source packages into an appropriate directory. Once extracted, the installation routines must be run manually to configure the server. The Solaris Security Toolkit install-iPlanetWS.fin script copies and extracts the software package into the /opt directory of the client.
Checking For Errors
Before installing software applications, it is important that you examine the installation logs on the server for any errors or configuration problems.
The JumpStart logs are located in the /var/sadm/system/logs directory. The begin.log contains all pre-OS installation operations and the finish.log contains all post-OS installation steps. Usually the finish.log contains the most pertinent messages. If you find errors, correct them and repeat the installation. Repeat this process until you resolve all errors.
Testing Software Installation
The software installation is tested manually by running the setup routine and selecting a default configuration for both the administrative and production web server ports. After a default configuration is defined, the startconsole command is used to start up the administration server. For additional information on how to automate the configuration process, refer to the product documentation.
In our test environment, this command, while successfully starting the Sun ONE Web Server software, also attempted to launch a local Netscape™ Communicator session. It failed because Netscape Communicator was not installed locally on the system. Rather than managing the installation locally, we used a remote Netscape Communicator session to configure the web server through the administration port.