2012-01-24 21:50

Now that I'm partly secure

From the last [post][./archives/2012/01/index.html#e2012-01-23T213947.txt] we now have a "CA" in our environment; configuring the directory service will involve the following steps:
+ Configuring DNS.
+ Generating the certificate request.
+ Signing the request in the caroot zone.
+ Copying the cert and cacert from the caroot zone.
+ Configuring the ldap server.
+ Configuring the ldap client.
+ Adding some entries.

I will skip the DNS configuration, but to follow along you will need a DNS entry called ds.example.com. This will be the FQDN used when you generate the certificate request. To generate the request you can follow these steps:
# mkdir /var/certs
# cd /var/certs
# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
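Before the request is carried over to the caroot zone for signing, it is worth confirming that it actually names the directory server the way clients will look for it. The script below is an added example, not part of the original post: it generates the key and request for the FQDN, keeps the key in its own file rather than in newreq.pem, adds a subjectAltName (TLS clients match the server name against the SAN, not only the CN), and then checks the request's own signature, CN and SAN before anything is copied. The function names, the rsa:2048 key size and the req.cnf file are my own choices; it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): generate a key and CSR for the
# directory server FQDN and check the request before handing it to the CA zone.
# Assumptions: openssl is on PATH; $1 is the FQDN, $2 the output directory.

gen_csr() {
    fqdn=$1
    dir=$2
    # Minimal req config so the request carries a subjectAltName as well as a CN.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $fqdn
[ ext ]
subjectAltName = DNS:$fqdn
EOF
    # Unencrypted key (-nodes) as in the post, but kept out of the request file.
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$dir/req.cnf" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null
    chmod 600 "$dir/newkey.pem"
}

# Print the CN from a CSR's subject (works with the old "/CN=" and new "CN = " layouts).
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the DNS names from a CSR's subjectAltName extension, one per line.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | sed -n -e '/Subject Alternative Name/{' -e 'n' -e 's/^ *//' -e 'p' -e '}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Return 0 only if the CSR's self-signature verifies and both CN and SAN equal $2.
check_csr() {
    csr=$1
    fqdn=$2
    openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
    [ "$(csr_cn "$csr")" = "$fqdn" ] || return 1
    csr_sans "$csr" | grep -qx "$fqdn"
}
```

Usage on the directory zone would be `gen_csr ds.example.com /var/certs && check_csr /var/certs/newreq.pem ds.example.com`; only newreq.pem goes to the caroot zone, newkey.pem stays on the server.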


Posted by sebasp | Permanent link

2012-01-23 21:39

Oops, seems I forgot a step

Since my last post I did some research, and I should have checked before posting: I'm missing one crucial step to create a secure environment, I need a CA. In OpenIndiana you can create a zone that has no network access, so it's secure. I wish we had encrypted datasets from Solaris 11 :), but maybe later; that would be even more secure.
Let's create that zone:
$ sudo zonecfg -z caroot <<EOF
create
set zonename=caroot
set zonepath=/zones/caroot
set autoboot=true
add capped-cpu
set ncpu=1
end
add capped-memory
set physical=64m
set swap=128m
set locked=40m
end
exit
EOF
$ sudo zoneadm -z caroot install
$ sudo zoneadm -z caroot boot && zlogin -e @ -C caroot
Follow the instructions to configure the zone. I always use admin as the first user on the zone or server, but this is a personal preference.
$ sudo zlogin caroot
In the zone, issue the CA.pl command to configure your CA and follow the instructions.
# CA.pl
Now that you have a zone that can act as a CA for your environment, you can continue the steps required to configure your directory services.

Posted by sebasp | Permanent link

2012-01-10 13:34

Directory services

In my previous posts (Part 1, Part II) I talk about using OpenDS as an LDAP directory server; that project is now defunct, so I will fall back to openldap. I could have gone with OpenDJ, but I want to be able to turn this environment into an Apple-friendly environment (Mac laptops are still the best :)).
I did not go through the installation of OpenIndiana as it is quite similar to the installation of OpenSolaris; the steps I used are roughly available here. Now that I have a working environment I can ssh into, I need to create a zone. I create that zone because I don't want to install any software in the global zone unless absolutely required. The steps to create a zone are the following:
+ create a zfs filesystem to hold the zones,
+ create a virtual network interface for the zone,
+ configure the zone,
+ install the zone,
+ boot the zone,
+ log into the console and finish the configuration,
+ and finally reboot the configured zone.
Here are the steps for a zone I created, alphads:
$ sudo zfs create -o mountpoint=/zones hpool/zones
$ sudo dladm create-vnic -l net0 alphads_net0
$ sudo zonecfg -z alphads <<EOF
create
set zonename=alphads
set zonepath=/zones/alphads
set autoboot=true
set ip-type=exclusive
add net
set physical=alphads_net0
end
exit
EOF
$ sudo zoneadm -z alphads install
$ sudo zoneadm -z alphads boot && zlogin -e @ -C alphads
Follow the instructions to configure the zone. I always use admin as the first user on the zone or server, but this is a personal preference.
$ sudo zlogin alphads
Now you are logged into the zone and ready to start turning it into your primary directory service zone. The directory services we will use are LDAP and DNS, of course. OpenIndiana has packages for both, openldap and bind. In the near future I would like to replace bind with NSD and unbound. The good news is that unbound is in the SFE pkg repo for OI; NSD will need to be built from source :(.
# pkg install service/network/dns/bind library/openldap
This should install 5 packages, and the following services should now be available:
disabled       10:42:36 svc:/network/ldap/server:openldap_24
disabled       10:42:36 svc:/network/dns/server:default
I will skip the named configuration as it should be pretty straightforward and it's explained here. For openldap, let's take a look at a basic configuration that we will need to evolve. We will start with a non-TLS/SSL setup to test basic functionality and then switch to a TLS/SSL setup for the real implementation and security. Also, I've named this zone alphads because there will be a zone named betads that will act as an ldap slave and dns secondary, so we can add redundancy in the future (migrate the zone to another host).
For the openldap configuration we will need some external files to make the setup work with OpenIndiana, namely the Solaris schema files.
# cd /etc/openldap/schema
# curl http://web.singnet.com.sg/~garyttt/DUAConfigProfile.schema.txt > DUAConfigProfile.schema
# curl http://web.singnet.com.sg/~garyttt/solaris.schema.txt > solaris.schema
We will continue this later, still need to do some research.

Posted by sebasp | Permanent link

2011-12-20 20:23

A fresh start

Ok, this blog needs some updating, but it's irrelevant to talk about OpenSolaris in your business as the project has been dead for a while. So now what? Linux, nah, too many blogs and I'm not a Linux fan; a BSD variant, hmmm... even if I like BSD (this blog is hosted on OpenBSD :)), I still prefer Solaris. So what are my options, the illumos derivatives: Others: So out of the current choices available to me, OpenIndiana is the easiest to implement, so I will go that route. SmartOS seems really nice but too far from my OpenSolaris knowledge. Let's hope I can revive this project of mine by providing a written journey from the installation to maintaining an OpenSolaris/illumos derivative.

Posted by sebasp | Permanent link

2010-05-14 14:45

Directory Services Part II

Following the Part I article, here's how to configure OpenSolaris (and Solaris) to use the newly created OpenDS instance. For this article I will use the following ldifs:

I like encryption, so let's make sure we can use the self-signed certificate for now.

$ pfexec keytool -keystore /vol0/ldap/config/keystore -export -alias server-cert -rfc -file /tmp/opends.pem
$ pfexec pkg install SUNWtlsu
$ cd /var/ldap
$ pfexec certutil -N -d .
$ pfexec certutil -A -n defaultCert -i /tmp/opends.pem -t CT -d .
$ pfexec chmod a+r *.db
Also, as part of this I would say that configuring Kerberos makes a lot of sense; we want to have as much security as possible. So let's start by making a KDC master server on my machine:
$ pfexec pkg install SUNWkdc SUNWscp
$ pfexec kdcmgr -a sebasp/admin -r CORP.ALESIUM.NET create master
References: OpenSolaris / OpenDS / OpenSolaris client ldap

Posted by sebasp | Permanent link

2010-05-13 11:00

Directory Services Part 1

In every IT environment these days, directory services are quite important. In the old days Sun Microsystems came up with NIS to have some kind of directory services. In the Microsoft world we now use Active Directory. So with OpenSolaris what can I use? If you check the repository, OpenDS is available in there. So let's use that.

$ pfexec pkg install pkg:/service/network/ldap/opends
$ pfexec groupadd -g 230 ldap
$ pfexec bash
# echo "solaris.smf.manage.opends:::Manage OpenDS Service States::help=SmfOpenDSStates.html" >> /etc/security/auth_attr
# roleadd -c "OpenDS Role" -s /usr/bin/pfsh -A solaris.smf.manage.opends -K \
 defaultpriv=basic,netiprivaddr,sys_resource -g ldap -u 230 ldap 
# /usr/opends/configure --instancePath /vol0/ldap --userName ldap \
  --groupName ldap
# su ldap
$ /usr/opends/setup

Now you need to configure your directory server according to your needs. Use QuickSetup. Make sure you configure SSL with a self-signed certificate (unless you already have one).

In Part II I will show how to configure your directory for Unix authentication, and configure 2 clients, Solaris and OpenSolaris.


Posted by sebasp | Permanent link

2010-05-05 14:56

Compiling, simple yet so many choices

We usually compile our own software (like Apache) for our company. We also use gcc most of the time on Linux systems. Now that I'm using OpenSolaris as my base I've moved some compilation to Sun Studio instead of GCC and dmake instead of gmake. Let me show you how.

Apache is something we use often, so here's how to compile it on OpenSolaris with Sun Studio 12u1:

$ export PREFIX=/vol0/local/apache2
$ export SYSCONF=/vol0/apache2
$ export DMAKE_MODE=parallel
$ export DMAKE_MAX_JOBS=16
$ CC="/opt/sunstudio12.1/bin/cc" CFLAGS="-xtarget=generic -m64 -xO4 -I/usr/sfw/include/openssl" \
CXX="CC" CXXFLAGS="-xtarget=generic -m64 -xO4 -I/usr/sfw/include/openssl" \
LDFLAGS="-L/usr/sfw/lib/amd64 -R/usr/sfw/lib/amd64" \
./configure --with-included-apr --prefix=$PREFIX --sysconfdir=$SYSCONF/conf \
--enable-mods-shared="deflate headers proxy proxy-balancer proxy-connect proxy-ftp proxy-http \
rewrite ssl usertrack vhost_alias dav dav_fs dav_lock ldap authnz_ldap" --with-ssl=/usr/sfw --with-ldap
$ dmake
$ pfexec dmake install

I did this test on my 2xOpteron box; I compiled Apache with gmake and dmake, and here are the results:

        gmake       dmake
real    7m54.940s   5m7.966s
user    4m22.984s   4m29.292s
sys     3m27.918s   3m45.937s

This will compile 64-bit Apache 36% faster than your standard make && make install. Good to know :)

Thanks to LiveTime for the apache config options; I'll use the php and mysql ones too :). And to this post on Sun's developer site.


Posted by sebasp | Permanent link

2010-04-18 11:40

Command line update

Updating OpenSolaris from the command line is quite simple (update pkg itself first, then create a new boot environment named after the host, architecture and date):

$ pfexec pkg install SUNWipkg
$ pfexec pkg image-update --be-name `uname -n`-`uname -i`-`date +%Y%m%d`

Posted by sebasp | Permanent link

2010-04-16 18:03

NWAM, Not so magic

NWAM, Network Automagic for OpenSolaris, is probably good for workstations, but when you are talking about a server installation that's not an option. So for our OpenSolaris box we will revert to the standard Solaris network configuration.

$ pfexec svcadm disable physical:nwam
$ pfsh
$ echo "zion.corp.alesium.net" > /etc/hostname.rge0
$ echo "192.168.2.10 zion.corp zion.corp.alesium.net" >> /etc/hosts
$ echo "zion" > /etc/nodename
$ echo "192.168.2.1" > /etc/defaultrouter
$ echo "192.168.2.0 255.255.255.0" >> /etc/netmasks
$ cp /etc/nsswitch.dns /etc/nsswitch.conf
$ hg add
$ hg commit -m "Fixed ip"
$ exit
$ pfexec svcadm enable physical:default

You now have a fixed IP.
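Re-enabling physical:default with a typo in one of those files can leave a remote box unreachable, so it pays to check that the files agree with each other first. The script below is an added example and not part of the original post: it confirms the interface hostname resolves through /etc/hosts (DNS is not available at boot), that nodename is the short form of that hostname, that a netmasks entry covers the address, and that the default router is on that same network. The function names are mine, the directory argument is an assumption (/etc on the real system, a scratch directory here), and write_sample just reproduces the values the post writes so the check can be run offline.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the static network
# files before re-enabling physical:default. Assumptions: the files live under
# $1 (/etc on the real system, a scratch directory here) and the interface
# file is hostname.rge0 as in the post.

# Dotted quad -> 32-bit integer using only shell arithmetic.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Prints "ok" and returns 0 when the files agree, otherwise prints a reason and returns 1.
check_static_net() {
    dir=$1
    host=$(cat "$dir/hostname.rge0")
    node=$(cat "$dir/nodename")
    router=$(cat "$dir/defaultrouter")

    # 1. The interface hostname must resolve via hosts: DNS is not up at boot.
    ip=$(awk -v h="$host" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$dir/hosts")
    [ -n "$ip" ] || { echo "hostname $host has no entry in hosts"; return 1; }

    # 2. nodename should be the short form of the interface hostname.
    [ "$node" = "${host%%.*}" ] || { echo "nodename $node does not match $host"; return 1; }

    # 3. Some netmasks entry must cover the address, and the default router
    #    must sit on that same network or it is unreachable.
    found=0
    while read -r net mask; do
        case $net in ''|'#'*) continue ;; esac
        if [ $(( $(ip2int "$ip") & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ]; then
            found=1
            [ $(( $(ip2int "$router") & $(ip2int "$mask") )) -eq "$(ip2int "$net")" ] \
                || { echo "router $router is not on $net/$mask"; return 1; }
        fi
    done < "$dir/netmasks"
    [ "$found" -eq 1 ] || { echo "no netmasks entry covers $ip"; return 1; }
    echo ok
}

# Constructed sample: the exact values the post writes to /etc.
write_sample() {
    dir=$1
    echo "zion.corp.alesium.net" > "$dir/hostname.rge0"
    printf '%s\n' "127.0.0.1 localhost" "192.168.2.10 zion.corp zion.corp.alesium.net" > "$dir/hosts"
    echo "zion" > "$dir/nodename"
    echo "192.168.2.1" > "$dir/defaultrouter"
    echo "192.168.2.0 255.255.255.0" > "$dir/netmasks"
}

# Stand-alone run: build the sample and check it.
scratch=$(mktemp -d)
write_sample "$scratch"
check_static_net "$scratch"
rm -rf "$scratch"
```

On the real box the call is simply `check_static_net /etc` from the pfsh session, before the `hg commit` and the `svcadm enable physical:default`.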


Posted by sebasp | Permanent link

2010-04-15 12:48

Change management

One of the challenges I see is change management, especially tracking the changes made on servers. To that end, on my current install I've started using mercurial to track the changes I make to /etc. This way I can roll back and also detect changes made by external processes.

If you remember correctly, we left the last install at the command-line login. So now you can log in and issue the following command to install mercurial.

$ pfexec pkg install SUNWmercurial

Once mercurial is installed you can init /etc and add its content.

$ cd /etc
$ cat > /tmp/.hgignore
notices/LICENSE
mnttab
svc/volatile/svc_nonpersist.db
zfs/zpool.cache
dev/.devfsadm_dev.lock
devices/snapshot_cache
saf/zsmon/_pid
svc/repository-boot
svc/volatile/filesystem-autofs.lock
devices/devname_cache
svc/repository.db
^D
$ pfexec mv /tmp/.hgignore .
$ pfexec hg init
$ pfexec hg commit -m "Initial import"
You now have an /etc that is version controlled. In the next few posts I shall script some backup and diff procedures so you are aware of the changes made to /etc.
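The detection side of this, catching files that an external process changed since the last commit, can be done without waiting for the next post. The script below is an added example and not part of the original post: instead of `hg status` it keeps a manifest of POSIX cksum values for the tree, so it also runs where mercurial is not installed, and it skips the same volatile files the post lists in .hgignore (taken here as exact relative paths rather than hg regexes). The function names and the manifest-file argument are my own; it assumes paths under the tree contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): report what changed under a
# config tree since its last known-good state. The post does this with hg;
# this version keeps a manifest of POSIX cksum values instead so it also
# works where mercurial is absent. Assumptions: $1 is the tree (/etc on the
# real system, a scratch directory in the test), paths contain no spaces, and
# the ignore list mirrors the post's .hgignore entries as exact relative paths.

IGNORE='notices/LICENSE
mnttab
svc/volatile/svc_nonpersist.db
zfs/zpool.cache
dev/.devfsadm_dev.lock
devices/snapshot_cache
saf/zsmon/_pid
svc/repository-boot
svc/volatile/filesystem-autofs.lock
devices/devname_cache
svc/repository.db'

# Print "path crc size" for every regular file under $1, sorted, minus the ignored ones.
manifest_build() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort | while read -r f; do
        printf '%s\n' "$IGNORE" | grep -qxF "$f" && continue
        printf '%s %s\n' "$f" "$(cksum < "$f" | cut -d' ' -f1,2)"
    done )
}

# Compare the tree $1 against the saved manifest $2. Prints one line per
# added/removed/modified path and returns 1 if anything differs, 0 otherwise.
manifest_diff() {
    tree=$1; saved=$2
    current=$(mktemp)
    manifest_build "$tree" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[$1] = $2 " " $3; next }
                            { new[$1] = $2 " " $3 }
        END {
            for (p in old) if (!(p in new)) print "removed " p
            for (p in new) if (!(p in old)) print "added " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "modified " p
        }' "$saved" "$current" | sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Typical use is `manifest_build /etc > /var/adm/etc.manifest` right after each `hg commit`, and `manifest_diff /etc /var/adm/etc.manifest` from cron; a non-zero exit with a list of paths is the signal that something other than you touched the tree.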

Posted by sebasp | Permanent link