Oracle Solaris 11.3 gnome desktop
The allure of a hobbyist server running the "official" version of the legendary Solaris operating system has been growing stronger while I have been playing with the openindiana open-source, community-driven illumos distribution for a couple of years now, primarily as a central storage server for devices across our home networks to share files, and secondarily for having fun with a true Solaris-derived environment.
Oracle, the current owners of Solaris, seem to be allowing hobbyist installations of authentic Solaris perfectly legally for non-commercial non-production deployment ("evaluation") via free Oracle Technology Network (OTN) memberships. Best of all, Oracle provide downloads of pre-built and configured Oracle Solaris 11.3 VirtualBox VMs based on the Solaris 11.3 live installation media ready to install and configure, including a complete gnome-derived graphical desktop environment.
Download Oracle Solaris 11.3 Live Media Installation with Desktop Environment VirtualBox VM
I finally gave in to temptation and went ahead to download Oracle Solaris 11.3 VM Template for Oracle VM VirtualBox to give official Solaris 11.3 a spin. The download extracts to a 1.83 GB sol-11_3-vbox.ova file that is readily imported by Oracle VirtualBox and boots neatly to an awesome Solaris 11 desktop.
Oracle OTN Solaris 11.3 Certificate and Key for Authenticating Access to Solaris Repositories
There is no need to sign up with OTN to download the Solaris 11 VM. However, I did sign up with OTN to access pkg-register.oracle.com to obtain for free a key file "pkg.oracle.com.key.pem" and certificate "pkg.oracle.com.certificate.pem" that enabled access to the repositories "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4".
Official Solaris 11.3 OTN Repository Accesses Granted via OTN membership
Instructions on doing this are clearly documented and accessed by clicking on the "Show Details" button next to repositories that access has been granted to via OTN; basically just save the two .pem files to disk and use these commands as root (or use sudo from a user account) to add the repositories to the Solaris 11 package manager:
# pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/solarisstudio/release solarisstudio
# pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/ha-cluster/release ha-cluster
The package manager will now list additional repositories solarisstudio and ha-cluster. Subsequent pkg update commands include these additional repositories.
Solaris 11 Additional Package Repositories in Package Manager
However, at the end of the day, I did not install any of the packages made available to me now via the "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4" repositories because a complete suite of GNU C, C++ and FORTRAN development tools is included with the release in the default "solaris" repository and I am far more familiar with gcc than Solaris compilers.
In fact, it appears Oracle has included a great set of "FOSS" (Free and Open Source Software) for evaluation with this Solaris 11.3 release, with a goal of formalizing the FOSS collection into the upcoming release of Solaris 12. Here is more information on selected FOSS evaluation packages for Oracle Solaris.
Basic Solaris 11 Hardening for Increased Security
I always harden my operating systems before deployment, and found some tips on basic hardening of the already-very-secure Solaris 11 operating system at Oracle's Official Guide as well as documented experiences of others. The following are the Solaris hardening steps I performed.
Edit /etc/system and add the following two lines at the bottom of the file:
set noexec_user_stack=1
set noexec_user_stack_log=1
The default installation comes with package signature policy set to "verify", which is good:
root@solaris11-3:~# pkg property signature-policy
PROPERTY VALUE
signature-policy verify
However, we would like to enforce the stricter signature policy of "require-signatures" for packages from the official repositories, which in our case are:
root@solaris11-3:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://pkg.oracle.com/solaris/release/
solarisstudio origin online F https://pkg.oracle.com/solarisstudio/release/
ha-cluster origin online F https://pkg.oracle.com/ha-cluster/release/
To set "require-signatures" policy and verify for each of our repositories one by one:
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solaris
root@solaris11-3:~# pkg publisher solaris
Publisher: solaris
...
...
Properties:
signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solarisstudio
root@solaris11-3:~# pkg publisher solarisstudio
Publisher: solarisstudio
...
Properties:
signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures ha-cluster
root@solaris11-3:~# pkg publisher ha-cluster
Publisher: ha-cluster
...
Properties:
signature-policy = require-signatures
root@solaris11-3:~# svcs | grep network
online 20:27:57 svc:/network/connectx/unified-driver-post-upgrade:default
online 20:27:58 svc:/network/socket-config:default
online 20:28:37 svc:/network/netcfg:default
online 20:28:39 svc:/network/tcp/congestion-control:cubic
online 20:28:45 svc:/network/tcp/congestion-control:highspeed
online 20:28:45 svc:/network/sctp/congestion-control:vegas
online 20:28:46 svc:/network/sctp/congestion-control:newreno
online 20:28:46 svc:/network/sctp/congestion-control:highspeed
online 20:28:46 svc:/network/tcp/congestion-control:newreno
online 20:28:46 svc:/network/sctp/congestion-control:cubic
online 20:28:46 svc:/network/tcp/congestion-control:vegas
online 20:28:49 svc:/network/ib/ib-management:default
online 20:29:02 svc:/network/tcp/tcpkey:default
online 20:29:06 svc:/network/smb:default
online 20:29:11 svc:/network/datalink-management:default
online 20:29:19 svc:/network/ipsec/ipsecalgs:default
online 20:29:24 svc:/network/ip-interface-management:default
online 20:29:34 svc:/network/eoib/eoib-post-upgrade:default
online 20:29:41 svc:/network/loopback:default
online 20:29:46 svc:/network/ipmp:default
online 20:30:44 svc:/network/ilomconfig-interconnect:default
online 20:30:44 svc:/network/uucp-lock-cleanup:default
online 20:30:54 svc:/network/npiv_config:default
online 20:31:08 svc:/network/physical:upgrade
online 20:31:11 svc:/network/install:default
online 20:31:11 svc:/network/location:upgrade
online 20:31:25 svc:/network/physical:default
online 20:31:32 svc:/network/location:default
online 20:31:38 svc:/network/ipsec/policy:default
online 20:31:39 svc:/milestone/network:default
online 20:31:45 svc:/network/initial:default
online 20:31:46 svc:/network/iptun:default
online 20:31:49 svc:/network/netmask:default
online 20:31:49 svc:/network/nfs/fedfs-client:default
online 20:31:50 svc:/network/dns/client:default
online 20:31:53 svc:/network/service:default
online 20:31:59 svc:/network/iscsi/initiator:default
online 20:32:00 svc:/network/ntp:default
online 20:32:40 svc:/network/shares:default
online 20:33:11 svc:/network/routing-setup:default
online 20:33:41 svc:/network/rpc/bind:default
online 20:33:43 svc:/network/inetd:default
online 20:33:51 svc:/network/rpc/gss:default
online 20:33:52 svc:/network/rpc/smserver:default
online 20:33:57 svc:/network/routing/ndp:default
online 20:33:58 svc:/network/ssh:default
online 20:34:08 svc:/network/sendmail-client:default
online 20:34:10 svc:/network/smtp:sendmail
At the least, I disabled the sendmail-related services because I will configure postfix later as my email transport service, and also disabled services related to rpc and nfs; there are surely many other services in the list above that we can disable for a hobbyist installation later.
root@solaris11-3:~# svcadm disable /network/smtp:sendmail
root@solaris11-3:~# svcadm disable /network/sendmail-client
root@solaris11-3:~# svcadm disable /network/nfs/fedfs-client
root@solaris11-3:~# svcadm disable /network/rpc/bind
root@solaris11-3:~# svcadm disable /network/rpc/gss
root@solaris11-3:~# svcadm disable /network/rpc/smserver
root@solaris11-3:~# svcadm disable svc:/network/nis/client
Tighten up the login process by editing /etc/default/login and changing the following parameters as described:
# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# -- Change to abandon idle sessions after 15 minutes - Supratim
TIMEOUT=900
...
...
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided. The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# Max this out to discourage continuous dictionary attacks - Supratim
SLEEPTIME=5
# DISABLETIME If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
#
#DISABLETIME=20
# Bump up to ten minutes, i.e. if you got the password wrong three times in a
# row, wait ten minutes for login prompt to reappear - Supratim
DISABLETIME=600
# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
#RETRIES=5
# If you know the password, you should not need more than three tries - Supratim
RETRIES=3
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
# Yes we want to log ALL failed attempts - Supratim
SYSLOG_FAILED_LOGINS=0
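An added example, not part of the original post: a small shell audit that checks a copy of /etc/default/login against the values chosen above and also catches two editing slips that are easy to make in this file, a key assigned twice and a wrapped comment line that lost its leading "#". The function names, the rule table and the sample file are constructed for illustration; it assumes a POSIX awk (on Solaris, set AWK=nawk if the default awk is the legacy one).

```shell
#!/bin/sh
# Added example: audit a login defaults file against the settings in this post.
AWK=${AWK:-awk}   # assumption: a POSIX awk; use AWK=nawk on Solaris if needed

# KEY:RULE:LIMIT, taken from the values set above.
# min = value must be >= LIMIT, max = value must be <= LIMIT.
LOGIN_RULES="TIMEOUT:max:900 SLEEPTIME:min:5 DISABLETIME:min:600 RETRIES:max:3 SYSLOG_FAILED_LOGINS:max:0"

# Prints one finding per line; exit status is 0 only when there are none.
audit_login_defaults() {
    "$AWK" -v rules="$LOGIN_RULES" '
    BEGIN {
        n = split(rules, r, " ")
        for (i = 1; i <= n; i++) {
            split(r[i], f, ":")
            order[i] = f[1]; rule[f[1]] = f[2]; limit[f[1]] = f[3] + 0
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
    /^[A-Z_]+=/ {                                # active KEY=VALUE line
        eq = index($0, "=")
        key = substr($0, 1, eq - 1)
        seen[key]++
        value[key] = substr($0, eq + 1)
        next
    }
    {   # anything else, e.g. a wrapped comment that lost its leading "#"
        printf "line %d: neither comment nor KEY=VALUE: %s\n", NR, $0
        bad++
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (!(k in seen)) {
                printf "%s: not set, built-in default applies\n", k; bad++
                continue
            }
            if (seen[k] > 1) {
                printf "%s: assigned %d times\n", k, seen[k]; bad++
            }
            if (value[k] !~ /^[0-9]+$/) {
                printf "%s: non-numeric value \"%s\"\n", k, value[k]; bad++
                continue
            }
            v = value[k] + 0
            if (rule[k] == "min" && v < limit[k]) {
                printf "%s: %d is below %d\n", k, v, limit[k]; bad++
            }
            if (rule[k] == "max" && v > limit[k]) {
                printf "%s: %d is above %d\n", k, v, limit[k]; bad++
            }
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed sample: duplicate TIMEOUT, a comment continuation without "#",
# and SYSLOG_FAILED_LOGINS left commented out.
write_sample_login() {
    cat > "$1" <<'EOF'
#TIMEOUT=300
TIMEOUT=900
TIMEOUT=900
SLEEPTIME=5
# Bump up to ten minutes, i.e. if you got the password wrong three times in a
row, wait ten minutes for login prompt to reappear
DISABLETIME=600
#RETRIES=5
RETRIES=3
#SYSLOG_FAILED_LOGINS=5
EOF
}

sample=$(mktemp)
write_sample_login "$sample"
audit_login_defaults "$sample" || echo "findings above need fixing"
rm -f "$sample"
```

On the real system, run `audit_login_defaults /etc/default/login` after editing the file.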
We then harden the ssh daemon that is perhaps the most frequently used service for logging into the Solaris server from other internet or intranet hosts. Here is the /etc/ssh/sshd_config file I use for ssh server configuration. It incorporates many tips about securing ssh, as you can see in the comments. You can probably use this file straightaway as-is.
You should also put some sort of notice in /etc/issue file that is presented as a Banner to ssh login users during the login process. In addition, you should also put something appropriate in the /etc/motd file that is presented to the user by the system scripts that run automatically after login. Oracle provides some nice examples and more details about these files here.
To have the modified ssh server configuration file take effect and make sure it starts up:
root@solaris11-3:/etc/ssh# svcadm refresh ssh
root@solaris11-3:/etc/ssh# svcadm restart ssh
root@solaris11-3:/etc/ssh# svcs -xv ssh
svc:/network/ssh:default (SSH server)
State: online since May 28, 2017 11:58:55 PM UTC
See: man -M /usr/share/man -s 1M sshd
See: /var/svc/log/network-ssh:default.log
Impact: None.
Enable additional audit logging of privileged actions. Replace <admin-user> with the non-root username you created while installing Solaris (as you know, root is a role in Solaris, not a username).
root@solaris11-3:~# usermod -K audit_flags=cusa:no <admin-user>
UX: usermod: <admin-user> is currently logged in, some changes may not take effect until next login.
root@solaris11-3:~# rolemod -K audit_flags=cusa:no root
root@solaris11-3:~# auditconfig -setpolicy +argv
root@solaris11-3:~# auditconfig -setpolicy +arge
Enable TCP Wrappers in general for inetd based network services:
root@solaris11-3:~# inetadm -M tcp_wrappers=TRUE
You should have a reasonably secure Solaris 11.3 server at this point, good enough to handle an internet-facing network.
Relax Default Solaris 11 Password Rules
As a purely personal preference, I do not like operating system enforcement of secure password rules. Problems with weak passwords are always due to human stupidity, and we should not call on machines to compensate. Solaris 11.3 default password rules require at least one numeric digit. I relaxed this rule by editing the file /etc/default/passwd to explicitly specify MINNONALPHA=0 instead of the commented-out default of #MINNONALPHA=1 and tested this change by using the passwd command to temporarily set both the user and root passwords to not contain any digits before setting them back to strong secure passwords.
Enable Solaris 11 SNMP Agent
I run a Pandora FMS server to monitor the various networks in my home and on the internet. The Pandora FMS server is configured with Recon tasks that auto-discover hosts on the networks, and SNMP is then used extensively to poll the hosts. In general, an SNMP agent running on any host is often useful in quick monitoring or troubleshooting tasks.
Solaris 11.3 SNMP agent Net-SNMP
The Solaris 11.3 gnome desktop environment conveniently comes with a shortcut "Add More Software" which launches the Package Manager. Not knowing what, if any, SNMP package was already installed, I launched the Package Manager and typed in "SNMP" in the search box. To my pleasant surprise, Net-SNMP agent files and libraries which I am quite familiar with from the Linux world along with Fault Management SNMP agent plugins and MIB and SNMP Notification daemon for system events were already installed. I just had to configure and start the Net-SNMP service up.
The Net-SNMP configuration files on Solaris 11 reside in the directory /etc/net-snmp/snmp. I backed up and changed the main configuration file /etc/net-snmp/snmp/snmpd.conf to have the following very simple configuration, where mycommunitystring stands for the actual community string needed to access this agent securely.
# snmpd.conf
# - All private IPs allowed with community mycommunitystring
com2sec local 10.0.0.0/8 mycommunitystring
com2sec local 172.16.0.0/12 mycommunitystring
com2sec local 192.168.0.0/16 mycommunitystring
com2sec local 127.0.0.1 mycommunitystring
group MyROGroup v1 local
group MyROGroup v2c local
group MyROGroup usm local
view all included .1 80
access MyROGroup "" any noauth exact all none none
syslocation tatooine
syscontact Admin {supratim at riseup dot net}
# Send traps to Pandora FMS Server
trapsink 10.100.0.10
trapcommunity mycommunitystring
Configuration being done, it was time to start the SNMP service up. A quick check showed the service was not enabled by the default installation:
root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
State: disabled since May 27, 2017 04:44:29 PM UTC
Reason: Disabled by an administrator.
See: http://support.oracle.com/msg/SMF-8000-05
See: man -M /usr/share/man/ -s 8 snmpd
See: /var/svc/log/application-management-net-snmp:default.log
Impact: This service is not running.
To enable and start the service up:
root@solaris11-3:~# svcadm refresh net-snmp
root@solaris11-3:~# svcadm enable net-snmp
Check to make sure service is now running:
root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
State: online since May 27, 2017 07:34:31 PM UTC
See: man -M /usr/share/man/ -s 8 snmpd
See: /var/svc/log/application-management-net-snmp:default.log
Impact: None.
Walk the MIB from another host querying the Solaris 11 host (10.200.0.50):
$ snmpwalk -c mycommunitystring -v2c 10.200.0.50 ISO | grep -i solaris
SNMPv2-MIB::sysDescr.0 = STRING: SunOS solaris11-3.sanyalnet.lan 5.11 11.3 i86pc
SNMPv2-MIB::sysName.0 = STRING: solaris11-3.sanyalnet.lan
HOST-RESOURCES-MIB::hrSWRunParameters.679 = STRING: "-g -d /dev/console -l console -m ldterm,ttcompat -h -p solaris"
HOST-RESOURCES-MIB::hrSWRunParameters.739 = STRING: "-g -d /dev/vt/6 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.741 = STRING: "-g -d /dev/vt/2 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.751 = STRING: "-g -d /dev/vt/3 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.752 = STRING: "-g -d /dev/vt/5 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.753 = STRING: "-g -d /dev/vt/4 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.1205 = STRING: "-Djava.security.policy=/usr/share/vpanels/java.policy com.oracle.solaris.v"
HOST-RESOURCES-MIB::hrSWInstalledName.169 = STRING: "SUNWopensolaris-backgrounds"
HOST-RESOURCES-MIB::hrSWInstalledName.501 = STRING: "SUNWopensolaris-backgrounds-xtra"
Forward SYSLOG to Remote SYSLOG SERVER over Secure Tunnel
I run a central syslog server on a VPS in the cloud where I send the system logs from all of my servers. I use the stunnel secure-tunnel utility to forward log entries securely over the internet as described in this post.
The configuration file for syslog daemon on Solaris 11.3 is /etc/syslog.conf. I edited the file to enable forwarding of system log entries to the local LAN endpoint server for the stunnel (10.42.2.1) which forwards them in turn securely to the remote VPS central syslog server. I also adjusted entries for the auth facility to log authorization failures suitably for use with the fail2ban tool that I have discussed in detail in this post.
Here is my complete syslog.conf file. Important: The delimiters in the middle of the lines have to be TAB characters, SPACEs do not work!
#
# Copyright (c) 1991, 2014, Oracle and/or its affiliates. All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words. Also, within ifdef's, arguments
# containing commas must be quoted.
#
# -- Supratim's Remote syslog hosts
# - Forward to CentOS which in turn forwards to VPS and Papertrailapp
# - White space delimiter has to be TABs for this to work; SPACEs do not work!
*.debug	@10.42.2.1
# --
*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
# Required for fail2ban
auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)
auth.info	/var/adm/auth.log
mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err	/dev/sysmsg
user.err	/var/adm/messages
user.alert	`root, operator'
user.emerg	*
)
After editing the syslog.conf configuration file, create an empty /var/adm/auth.log file (it is not created by syslog even if configured in the config file), and refresh and restart the syslog daemon:
root@solaris11-3:/etc# touch /var/adm/auth.log
root@solaris11-3:/etc# svcadm refresh system-log
root@solaris11-3:/etc# svcadm restart system-log
root@solaris11-3:/etc# svcs -xv system-log
svc:/system/system-log:default (system log)
State: online since May 27, 2017 08:39:29 PM UTC
See: man -M /usr/share/man -s 1M syslogd
See: /var/svc/log/system-system-log:default.log
Impact: None.
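An added example, not part of the original post: because the TAB requirement noted above is invisible in most editors and is lost when a configuration is copied from a web page, this shell check lists every syslog.conf rule whose selector and action are separated by anything other than TABs, and a companion filter rewrites the separator. The function names and the sample file are constructed for illustration; it assumes rules start in column 1 as in the file above and a POSIX awk (on Solaris, set AWK=nawk if the default awk is the legacy one).

```shell
#!/bin/sh
# Added example: find and repair space-separated rules in a syslog.conf copy.
AWK=${AWK:-awk}   # assumption: a POSIX awk; use AWK=nawk on Solaris if needed

# Print "LINENO: problem: text" for each bad rule; exit 0 only if none found.
# A rule is a line starting with a facility.level selector; comments and the
# m4 scaffolding ("ifdef(...", ")") are skipped. Reads stdin if no file given.
check_syslog_tabs() {
    "$AWK" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    $0 !~ /^[a-z0-9*,]+\.[a-z*]+/ { next }       # not a selector line
    {
        # The first whitespace run is the selector/action separator.
        if (!match($0, /[ \t]+/)) {
            printf "%d: selector without action: %s\n", NR, $0; bad++; next
        }
        if (substr($0, RSTART, RLENGTH) ~ / /) {
            printf "%d: space between selector and action: %s\n", NR, $0; bad++
        }
    }
    END { exit (bad > 0) }' "$@"
}

# Write the file to stdout with each rule separator replaced by one TAB.
# Only the first whitespace run is touched, so spaces inside the action
# (for example a user list) are preserved.
fix_syslog_tabs() {
    "$AWK" '
    /^[a-z0-9*,]+\.[a-z*]+/ && match($0, /[ \t]+/) {
        print substr($0, 1, RSTART - 1) "\t" substr($0, RSTART + RLENGTH)
        next
    }
    { print }' "$@"
}

# Constructed sample: three rules use spaces, two use TABs.
write_sample_syslog() {
    cat > "$1" <<'EOF'
# constructed sample, modelled on the syslog.conf above
*.debug @10.42.2.1
auth.info    /var/adm/auth.log
ifdef(`LOGHOST', ,
user.alert `root, operator'
)
EOF
    printf '%s\t%s\n' '*.alert' 'root' >> "$1"
    printf '%s\t%s\n' 'mail.debug' "ifdef(\`LOGHOST', /var/log/syslog, @loghost)" >> "$1"
}

demo=$(mktemp)
write_sample_syslog "$demo"
check_syslog_tabs "$demo" || echo "-> rewriting separators"
fix_syslog_tabs "$demo" | check_syslog_tabs && echo "clean after fix"
rm -f "$demo"
```

Run `check_syslog_tabs /etc/syslog.conf` before refreshing the system-log service; write the output of `fix_syslog_tabs` to a new file and review it rather than editing in place.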
Enable Solaris 11 NTP Time Synchronization Service
A quick check against the Solaris 11 package manager again reveals good news - an NTP v4 daemon is already installed. I just have to configure it to be able to keep the Solaris clock synchronized.
Solaris 11 NTP v4 daemon
The Solaris 11 NTP configuration file is /etc/inet/ntp.conf. The initial installation includes two templates in that directory: /etc/inet/ntp.client and /etc/inet/ntp.server, the intent being one of them can be used as the starting point of the final ntp.conf file. But, I already have a fully functional Solaris 11 NTP configuration file as described in this post, and simply dropped my working ntp.conf into /etc/inet/ directory.
I then checked to make sure the NTP service had not already been started automatically:
root@solaris11-3:/etc/inet# svcs -xv ntp
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
State: disabled since Sat May 27 16:44:31 2017
Reason: Disabled by an administrator.
See: http://support.oracle.com/msg/SMF-8000-05
See: man -M /usr/share/man -s 1M ntpd
See: man -M /usr/share/man -s 4 ntp.conf
See: man -M /usr/share/man -s 1M ntpq
See: /var/svc/log/network-ntp:default.log
Impact: This service is not running.
root@solaris11-3:/etc/inet# ls -l /etc/inet/ntp.conf
-rw-r--r-- 1 root root 3267 May 27 23:08 /etc/inet/ntp.conf
root@solaris11-3:/etc/inet# svcadm refresh ntp
root@solaris11-3:/etc/inet# svcadm enable ntp
root@solaris11-3:/etc/inet# svcs -xv ntp
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
State: online since Sat May 27 23:12:26 2017
See: man -M /usr/share/man -s 1M ntpd
See: man -M /usr/share/man -s 4 ntp.conf
See: man -M /usr/share/man -s 1M ntpq
See: /var/svc/log/network-ntp:default.log
Impact: None.
ntpd errors "frequency error -512 PPM exceeds tolerance 500 PPM" in system log
I have observed entries like "frequency error -512 PPM exceeds tolerance 500 PPM" in my openindiana system logs at /var/adm/messages regularly, and this was also happening on my new Solaris 11.3 system log. Here are typical examples of this:
May 28 10:37:46 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:48 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:52 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:03:31 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:18:18 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:28:19 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:54:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:04:27 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:18:04 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:30:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
My guess is the Solaris family of kernels do not like to be stuck inside virtual machines, and NTP's 500 PPM tolerance is regularly exceeded in Solaris virtual machines.
Adding the following tinker panic 0 line at the top of /etc/inet/ntp.conf file may help, according to some online posts that I found. However, it does not solve the issue, and I am still looking for a resolution. I am not overly concerned because the logs seem to indicate these are notices (daemon.notice), not errors.
# -----
# Workaround for unstable clock in virtual machine
# -----
tinker panic 0
Warning: Trying the advice on this Oracle blog post to modify /etc/system to attempt to increase "the system clock tick rate from the default of 100 per second to 1,000 per second, effectively changing the clock resolution from 10ms to 1ms" by adding set hires_tick=1 by itself, as well as followed by set hires_hz=10000, hangs the Solaris boot-up process. Do not try these. I had fortunately taken a boot image backup using the beadm create command before trying these and failing, and was able to recover and will not attempt these changes in /etc/system ever again.
Install GNU C, C++, Objective C and FORTRAN Development Environment
GNU Development Environment for Solaris 11 Group Package Installation
Launch the Package Manager and select "All Publishers" in the Publisher drop-down list. Then navigate to Meta Packages -> Group Packages on the left pane. Find the group package "developer-gnu" in the list of group packages on the right pane. Check the selection box at the left of that package, and click the Install/Update button at the top. That's it, when installation finishes, the familiar GNU C and C++ compilers and build tools will be available, along with Fortran and Objective C.
I did a quick check of the C++ compiler, and it all looked good with gcc 4.8.2 compiler working:
user@solaris11-3:~$ gcc --version
gcc (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
user@solaris11-3:~$ g++ --version
g++ (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
user@solaris11-3:~$ gmake --version
GNU Make 3.82
Built for i386-pc-solaris2.11
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
user@solaris11-3:~$ cat hello.cpp
#include <iostream>
using namespace std;
int main()
{
    std::cout << "hello world!\n";
    return 0;
}
user@solaris11-3:~$ g++ -o hello hello.cpp
user@solaris11-3:~$ ./hello
hello world!
Install and Configure FTP Server on Solaris 11 with Anonymous FTP Access
The default Solaris 11.3 VirtualBox image did not come pre-installed with an FTP server. I found "FTP Server and Utilities" in the Package Manager and installed it.
Solaris 11 FTP Server Package Installation
The FTP server installed is proftpd, which uses the main configuration file /etc/proftpd.conf.
My goal was to deploy a simple anonymous FTP server with read-only access to clients. The basic configuration file made available here for establishing "a single server and a single anonymous login" fit the bill perfectly, more so as the Solaris package installer for FTP did create the required "ftp" account and the "nobody" account was already present, as seen in /etc/passwd.
I took a backup of the file, dropped in the basic proftpd.conf, and restarted the service. However, the service did not start up at this first attempt:
root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
State: maintenance since May 30, 2017 12:31:02 PM UTC
Reason: Start method failed repeatedly, last exited with status 1.
See: http://support.oracle.com/msg/SMF-8000-KS
See: man -M /usr/share/man -s 1M proftpd
See: file://usr/share/doc/proftpd/
See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# cat /var/svc/log/network-ftp:default.log
[ May 30 04:30:17 Disabled. ]
[ May 30 04:30:37 Rereading configuration. ]
[ May 30 12:30:47 Rereading configuration. ]
[ May 30 12:30:54 Enabled. ]
[ May 30 12:30:55 Executing start method ("/usr/lib/inet/proftpd"). ]
2017-05-30 12:30:55,679 solaris11-3.sanyalnet.lan proftpd[3482]: fatal: unknown configuration directive 'DisplayFirstChdir' on line 58 of '/etc/proftpd.conf'
[ May 30 12:30:59 Method "start" exited with status 1. ]
The problematic "DisplayFirstChdir" directive seems to enable display of a ".message" file in each newly chdired directory. I did not really care about this feature, and commented out the "DisplayFirstChdir" directive in the configuration file, and retried. Note: On Solaris 11, a service in maintenance needs to be taken out of maintenance by disabling and enabling it again after fixing the issues that put it into maintenance.
root@solaris11-3:/etc# svcadm disable ftp
root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
State: offline* transitioning to online since May 30, 2017 12:39:31 PM UTC
Reason: Start method is running.
See: http://support.oracle.com/msg/SMF-8000-C4
See: man -M /usr/share/man -s 1M proftpd
See: file://usr/share/doc/proftpd/
See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
State: online since May 30, 2017 12:39:46 PM UTC
See: man -M /usr/share/man -s 1M proftpd
See: file://usr/share/doc/proftpd/
See: /var/svc/log/network-ftp:default.log
Impact: None.
USER ftp (Login failed): User in /etc/ftpusers
It turns out the error message is perfect; the default installation includes the user "ftp" in /etc/ftpusers, the list of users to whom FTP service is denied. The "anonymous" FTP user is an alias of this "ftp" user in /etc/proftpd.conf. So I edited the /etc/ftpusers file and deleted the "ftp" user from it, and retried to log in to the FTP server as anonymous:
Compaq-Presario-CQ61] ➤ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:user): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx 1 root root 9 Oct 7 2015 bin -> ./usr/bin
drwxr-xr-x 5 root sys 9 Oct 7 2015 boot
drwxr-xr-x 2 root root 3 Oct 7 2015 cdrom
drwxr-xr-x 200 root sys 200 May 30 01:33 dev
drwxr-xr-x 4 root sys 12 May 30 01:33 devices
drwxr-xr-x 97 root sys 195 May 30 12:56 etc
drwxr-xr-x 3 root sys 3 May 27 15:18 export
dr-xr-xr-x 2 root root 2 Oct 6 2015 home
drwxr-xr-x 19 root sys 19 Oct 7 2015 kernel
drwxr-xr-x 12 root bin 335 May 27 21:06 lib
drwxr-xr-x 2 root root 3 May 30 01:42 media
drwxr-xr-x 2 root sys 2 Oct 7 2015 mnt
dr-xr-xr-x 2 root root 2 Oct 7 2015 net
dr-xr-xr-x 2 root root 2 Oct 7 2015 nfs4
drwxr-xr-x 5 root sys 5 Oct 7 2015 opt
drwxr-xr-x 5 root sys 5 Oct 6 2015 platform
dr-xr-xr-x 124 root root 480032 May 30 12:57 proc
drwx------ 8 root root 14 May 29 13:18 root
drwxr-xr-x 3 root root 3 Oct 7 2015 rpool
lrwxrwxrwx 1 root root 10 Oct 7 2015 sbin -> ./usr/sbin
drwxr-xr-x 7 root root 7 Oct 7 2015 system
drwxrwxrwt 16 root sys 1542 May 30 12:30 tmp
drwxr-xr-x 33 root sys 45 May 28 05:10 usr
drwxr-xr-x 41 root sys 48 May 27 21:05 var
-r--r--r-- 1 root root 277648 Oct 6 2015 zvboot
226 Transfer complete
ftp> pwd
257 "/" is the current directory
ftp> bye
221 Goodbye.
Anonymous login to the proftpd FTP server now worked, but exposing all these directories to anonymous users is obviously not a good thing. The /etc/passwd file did specify / as the login directory for the "ftp" user.
ftp:x:21:21:FTPD Reserved UID:/:
I changed the home directory of the "ftp" user to /media for now since I am not at the point of mounting devices at /media yet.
ftp:x:21:21:FTPD Reserved UID:/media:
Finally, I dropped an MP3 file from the Internet Archive into /media/, retried anonymous FTP, and verified that it works as expected.
$ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:rumtuk): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
Torley_Wong-1981_A.D..mp3
226 Transfer complete
27 bytes received in 0.0026 seconds (10.08 Kbytes/s)
ftp> bin
200 Type set to I
ftp> hash
Hash mark printing on (8192 bytes/hash mark).
ftp> get Torley_Wong-1981_A.D..mp3
200 PORT command successful
150 Opening BINARY mode data connection for Torley_Wong-1981_A.D..mp3 (4487168 bytes)
####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
226 Transfer complete
local: Torley_Wong-1981_A.D..mp3 remote: Torley_Wong-1981_A.D..mp3
4487168 bytes received in 1.4 seconds (3088.44 Kbytes/s)
ftp> bye
221 Goodbye.
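The two checks this section turned on (is "ftp" still denied in /etc/ftpusers, and which directory does its passwd entry hand to anonymous clients) written as a small audit script. This is an added example, not part of the original post; it assumes the anonymous block in proftpd.conf is rooted at the ftp account's home directory, and the function names, the list of system directories it flags and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: what would an anonymous ProFTPD login be allowed to see?
# Assumption: the <Anonymous> block is rooted at the ftp account's home
# directory, so field 6 of its passwd entry is what anonymous clients browse.

# Print the home directory of the "ftp" account (empty if there is none).
ftp_home() {
    awk -F: '$1 == "ftp" { print $6; exit }' "$1"
}

# Succeed if "ftp" is listed in the ftpusers deny file (comments ignored).
ftp_denied() {
    [ -r "$1" ] || return 1
    awk '{ sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
         $0 == "ftp" { found = 1 }
         END { exit !found }' "$1"
}

# audit_anon_ftp PASSWD_FILE FTPUSERS_FILE
# Returns 0 = anonymous login refused,
#         1 = allowed into a dedicated directory (review what is in it),
#         2 = allowed into / or a system directory.
audit_anon_ftp() {
    home=$(ftp_home "$1")
    if [ -z "$home" ]; then
        echo "REFUSED: no ftp account in $1"
        return 0
    fi
    if ftp_denied "$2"; then
        echo "REFUSED: ftp is listed in $2"
        return 0
    fi
    case "$home" in
        # Illustrative list of directories that should never be an FTP root.
        /|/etc|/etc/*|/var|/var/*|/usr|/usr/*|/root|/root/*)
            echo "EXPOSED: anonymous FTP root is $home"
            return 2 ;;
    esac
    echo "REVIEW: anonymous FTP root is $home"
    return 1
}

# Constructed sample files reproducing the three states the post walks
# through: default install, ftp removed from ftpusers, home moved to /media.
write_samples() {
    printf '%s\n' 'root:x:0:0:Super-User:/root:/usr/bin/bash' \
                  'ftp:x:21:21:FTPD Reserved UID:/:' > "$1/passwd.root"
    printf '%s\n' 'root:x:0:0:Super-User:/root:/usr/bin/bash' \
                  'ftp:x:21:21:FTPD Reserved UID:/media:' > "$1/passwd.media"
    printf '%s\n' '# users denied FTP service' 'root' 'ftp' > "$1/ftpusers.default"
    printf '%s\n' '# users denied FTP service' 'root' > "$1/ftpusers.edited"
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    audit_anon_ftp "$tmp/passwd.root"  "$tmp/ftpusers.default" || :
    audit_anon_ftp "$tmp/passwd.root"  "$tmp/ftpusers.edited"  || :
    audit_anon_ftp "$tmp/passwd.media" "$tmp/ftpusers.edited"  || :
    rm -rf "$tmp"
}
run_demo
```

On the server itself the call is audit_anon_ftp /etc/passwd /etc/ftpusers.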
If you wish, you can additionally follow the instructions here to protect the FTP network service using the TCP Wrappers module of ProFTPD (a Solaris 11 hardening step).
Configure a Public Passwordless Workgroup-Mode Samba SMB CIFS Server for Sharing Files in Private Networks
A primary purpose of my Solaris 11 installation is to be a shared network drive and file server for all the computers and devices in our home. Specifically, an external USB Hard Disk will be made available as a SMB/CIFS share across the network. No credentials will be required to access this share from any computer on the home subnets as long as the SMB client IP address is in the private address space.
I used the network/samba package because it is independent of ZFS-level sharing features of the
Solaris 11 Samba SMB/CIFS File Server Package |
With these goals, I fired up the package manager and searched for "samba". I then installed the "network/samba" package from the search results. Alternatively the GUI can be avoided and the same can be done from the command line using the pkg install command like so:
root@solaris11-3:~# pkg install network/samba
Packages to install: 2
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 2/2 3038/3038 104.6/104.6 433k/s
PHASE ITEMS
Installing new actions 2600/3302
Installing new actions 3302/3302
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 3/3
Please keep in mind the network/samba package ("samba - A Windows SMB/CIFS fileserver for UNIX") is not the same as service/filesystem/smb package ("SMB/CIFS server libraries and commands"). If you have the service/filesystem/smb package installed, you need to at least disable it using the svcadm disable command before installing network/samba:
root@solaris11-3:~# svcs -xv smb
svc:/network/smb:default (SMB properties)
State: online since May 31, 2017 02:52:35 AM UTC
See: man -M /usr/share/man -s 4 smb
See: /system/volatile/network-smb:default.log
See: /var/svc/log/network-smb:default.log
Impact: None.
root@solaris11-3:~# svcadm disable smb
The Samba server configuration file is /etc/samba/smb.conf. I created a /etc/samba/smb.conf with the following simple contents to enable a public share:
# -----
# /etc/samba/smb.conf
# Simple Samba/CIFS server configuration for unauthenticated shared network drive
# accessible from intranet private IP address space
# For network/samba package on Solaris 11.3 (SunOS 5.11)
# Supratim Sanyal, May 31, 2017
# -----
[global]
workgroup = ENTERPRISE
server string = SANYALnet Solaris 11.3 LAN Samba/CIFS Shared Drive
hosts allow = 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
log file = /var/log/samba/log.%m
max log size = 50
map to guest = bad user
# Disable printer support
disable spoolss = yes
load printers = no
printing = bsd
printcap name = /dev/null
[sanyalnet-shared]
path = /media/USB-Storage/sanyalnet-shared
public = yes
only guest = yes
writable = yes
printable = no
guest ok = yes
read only = no
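One way to confirm that every guest share in an smb.conf like the one above is reachable only from private address space, as an added example that is not part of the original post. The function names and sample files are constructed; only addr/netmask and addr/prefix entries in hosts allow are recognised, and anything else (hostnames, EXCEPT clauses, partial addresses) is reported as non-private.

```shell
#!/bin/sh
# Added example: report each share's guest/writable state and whether the
# effective "hosts allow" keeps guest access inside RFC 1918 ranges.

# audit_smb_conf FILE -> one line per share; exit 1 if a guest share is
# reachable from outside private address space.
audit_smb_conf() {
    awk '
    function ip2int(a,   p, i, v) {      # dotted quad -> integer, -1 if malformed
        if (split(a, p, ".") != 4) return -1
        for (i = 1; i <= 4; i++) {
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return -1
            v = v * 256 + p[i]
        }
        return v
    }
    function masklen(m,   v, n) {        # "255.240.0.0" or "12" -> prefix length
        if (m ~ /^[0-9]+$/) return (m + 0 <= 32) ? m + 0 : -1
        v = ip2int(m)
        if (v < 0) return -1
        for (n = 0; n < 32 && v >= 2 ^ (31 - n); n++) v -= 2 ^ (31 - n)
        return (v == 0) ? n : -1         # non-contiguous masks are rejected
    }
    function is_private(entry,   part, ip, len) {
        if (split(entry, part, "/") != 2) return 0
        ip = ip2int(part[1]); len = masklen(part[2])
        if (ip < 0 || len < 0) return 0
        if (len >= 8  && int(ip / 2 ^ 24) == 10)    return 1   # 10.0.0.0/8
        if (len >= 12 && int(ip / 2 ^ 20) == 2753)  return 1   # 172.16.0.0/12
        if (len >= 16 && int(ip / 2 ^ 16) == 49320) return 1   # 192.168.0.0/16
        return 0
    }
    /^[ \t]*[#;]/ || /^[ \t\r]*$/ { next }
    /^[ \t]*\[/ {
        sec = tolower($0); sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        if (sec != "global") order[++n] = sec
        next
    }
    {
        eq = index($0, "="); if (!eq) next
        # Samba ignores case and spaces in parameter names.
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        yes = (tolower(val) ~ /^(yes|true|1)$/)
        if (key == "hostsallow" || key == "allowhosts")   hosts[sec] = val
        else if (key == "guestok" || key == "public")     guest[sec] = yes
        else if (key == "readonly")                       rw[sec] = !yes
        else if (key ~ /^(writable|writeable|writeok)$/)  rw[sec] = yes
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            # A [global] hosts allow applies to every share and overrides theirs.
            allow = ("global" in hosts) ? hosts["global"] : ((s in hosts) ? hosts[s] : "")
            g = (s in guest) ? guest[s] : (("global" in guest) ? guest["global"] : 0)
            w = (s in rw) ? rw[s] : (("global" in rw) ? rw["global"] : 0)
            reach = "n/a"
            if (g) {
                reach = (allow == "") ? "unrestricted" : "private"
                cnt = split(allow, e, /[ \t,]+/)
                for (j = 1; j <= cnt; j++)
                    if (e[j] != "" && !is_private(e[j])) reach = "non-private:" e[j]
                if (reach != "private") bad++
            }
            printf "%s guest=%s writable=%s reach=%s\n", s, (g ? "yes" : "no"), (w ? "yes" : "no"), reach
        }
        exit (bad > 0)
    }' "$1"
}

# Constructed samples: the share from the post, the same share with hosts
# allow widened to every address, and the same share with hosts allow removed.
write_smb_samples() {
    cat > "$1/smb.private.conf" <<'EOF'
[global]
workgroup = ENTERPRISE
hosts allow = 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
map to guest = bad user
[sanyalnet-shared]
path = /media/USB-Storage/sanyalnet-shared
public = yes
writable = yes
guest ok = yes
read only = no
EOF
    sed 's|^hosts allow = .*|hosts allow = 0.0.0.0/0|' \
        "$1/smb.private.conf" > "$1/smb.wide.conf"
    grep -v '^hosts allow' "$1/smb.private.conf" > "$1/smb.open.conf"
}

demo_dir=$(mktemp -d)
write_smb_samples "$demo_dir"
for f in private wide open; do
    audit_smb_conf "$demo_dir/smb.$f.conf" || echo "  -> smb.$f.conf needs attention"
done
rm -rf "$demo_dir"
```

On the server the call is audit_smb_conf /etc/samba/smb.conf; Samba's own testparm -s prints the effective settings if the result looks surprising.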
I then created the log directory and set global read-write permissions on the shared directory:
root@solaris11-3:/etc/samba# mkdir /var/log/samba
root@solaris11-3:/etc/samba# chmod 777 /media
Then I refreshed, started and verified the samba service.
root@solaris11-3:/etc/samba# svcadm refresh samba
root@solaris11-3:/etc/samba# svcadm enable samba
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
State: offline* transitioning to online since May 31, 2017 04:31:55 PM UTC
Reason: Start method is running.
See: http://support.oracle.com/msg/SMF-8000-C4
See: man -M /usr/share/man -s 1m smbsmbd
See: man -M /usr/share/man -s 4 smb.conf
See: /var/svc/log/network-samba:default.log
Impact: This service is not running.
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
State: online since May 31, 2017 04:32:06 PM UTC
See: man -M /usr/share/man -s 1m smbsmbd
See: man -M /usr/share/man -s 4 smb.conf
See: /var/svc/log/network-samba:default.log
Impact: None.
Finally, I successfully verified the shared drive is visible and I could transfer files from and to the shared drive from a Windows 10 workstation on the same network.
Samba Server hosted on Solaris 11 Accessed from Windows 10 |
Configure Solaris 11.3 as a http web server using Apache httpd daemon
Web page served by Apache httpd web-server on Solaris 11 |
The Oracle Solaris 11.3 VirtualBox Virtual Machine came with Apache web server installed at the directory /usr/apache2/2.2 with the configuration files in /etc/apache2/2.2 and the DocumentRoot (web-root) directory for the default website configured to be at /var/apache2/2.2/htdocs. The primary configuration file is at /etc/apache2/2.2/httpd.conf. The version of Apache httpd daemon installed is 2.2.31:
root@solaris11-3:~# /usr/apache2/2.2/bin/httpd -v
Server version: Apache/2.2.31 (Unix)
Server built: Sep 24 2015 08:41:55
Then I commented out the following lines from both the 32-bit and 64-bit Apache module configuration files /etc/apache2/2.2/conf.d/modules-32.load and /etc/apache2/2.2/conf.d/modules-64.load to disable the DAV and Info modules:
#LoadModule dav_module libexec/mod_dav.so
#LoadModule info_module libexec/mod_info.so
#LoadModule dav_fs_module libexec/mod_dav_fs.so
root@solaris11-3:~# chown -R webservd:webservd /usr/apache2
root@solaris11-3:~# chmod -R 750 /usr/apache2/2.2/bin /etc/apache2/2.2
root@solaris11-3:~# svcadm disable http
root@solaris11-3:~# svcadm refresh http
root@solaris11-3:~# svcadm enable http
root@solaris11-3:~# svcs -xv http
svc:/network/http:apache22 (Apache 2.2 HTTP server)
State: online since May 31, 2017 08:52:28 PM UTC
See: man -M /usr/apache2/2.2/man -s 8 httpd
See: http://httpd.apache.org
See: /var/svc/log/network-http:apache22.log
Impact: None.
TAKE A BACKUP!
At this point taking a backup is extremely important, since the next steps are dangerous because we will be playing with external USB hard disks. You can take a backup of the entire Virtual Machine as well as use the beadm create and beadm activate commands twice to create a boot environment to fall back to if the 2nd (more recent) environment is hosed, i.e. something like
root@solaris11-3:~# beadm create -d "baseline before USB HDD support" BeforeExtHDD
root@solaris11-3:~# beadm create -d "USB HDD experiment" ExtHDDExperimental
root@solaris11-3:~# beadm activate ExtHDDExperimental
root@solaris11-3:~# reboot
This way, if the External Hard Disk mounting attempts result in a kernel that keeps panicking, you can choose a prior boot environment from the grub menu.
MOUNTING EXTERNAL USB HDD WITH WINDOWS 95 / FAT 32 FILE SYSTEM FOR READING AND WRITING ON SOLARIS 11.3
Install VirtualBox Guest Additions
In a nutshell, for an external USB drive to work seamlessly at USB 2.0 speeds with VirtualBox Solaris 11.3 virtual machine, we need to install the companion version of VirtualBox Guest Additions corresponding to the installed version of Oracle VirtualBox host software itself, on both the VirtualBox host software installation and the Solaris 11.3 virtual machine that runs under the VirtualBox virtualization environment.
To get USB 2.0 transfer speeds from an external USB hard disk, I needed to upgrade the VirtualBox Guest Additions included in the Oracle Solaris 11.3 Oracle VirtualBox VM to the same version as my installed VirtualBox release on the host computer. I had already installed the extension pack on the VirtualBox host software right after installing VirtualBox itself by downloading and double-clicking "Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.vbox-extpack" corresponding to the installed version of VirtualBox.
root@solaris11-3:~# pkginfo | grep -i guest
application SUNWvboxguest Oracle VM VirtualBox Guest Additions
root@solaris11-3:~# pkgrm SUNWvboxguest
The following package is currently installed:
SUNWvboxguest Oracle VM VirtualBox Guest Additions
(i386) 5.0.4,REV=r102546.2015.09.08.10.07
Do you want to remove this package? [y,n,?,q] y
## Removing installed package instance <SUNWvboxguest>
This package contains scripts which will be executed with super-user
permission during the process of removing this package.
Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <SUNWvboxguest> dependencies in global zone
## Processing package information.
## Executing preremove script.
Removing VirtualBox service...
Removing VirtualBox kernel modules...
Device busy
Cannot unload module: vboxms
Will be unloaded upon reboot.
VirtualBox pointer integration module unloaded.
Device busy
Cannot unload module: vboxguest
Will be unloaded upon reboot.
VirtualBox guest kernel module unloaded.
Restoring X.Org...
Done.
## Removing pathnames in class <manifest>
## Removing pathnames in class <none>
/var/svc/manifest/application/virtualbox
/usr/share/gnome/autostart/vboxclient.desktop
/usr/sbin/vboxmslnk
/usr/lib/xorg/modules/drivers/vboxvideo_drv.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGL.so
/usr/kernel/fs/vboxfs
/usr/kernel/fs/amd64/vboxfs
/usr/kernel/drv/vboxms.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/amd64/vboxguest
/usr/bin/VBoxService
/usr/bin/VBoxControl
/usr/bin/VBoxClient-all
/usr/bin/VBoxClient
/opt/VirtualBoxAdditions/x11restore.pl
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/VBoxService
/opt/VirtualBoxAdditions/i386/VBoxControl
/opt/VirtualBoxAdditions/i386/VBoxClient
/opt/VirtualBoxAdditions/i386
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/VBoxService
/opt/VirtualBoxAdditions/amd64/VBoxControl
/opt/VirtualBoxAdditions/amd64/VBoxClient
/opt/VirtualBoxAdditions/amd64
/opt/VirtualBoxAdditions/VBoxService
/opt/VirtualBoxAdditions/VBoxISAExec
/opt/VirtualBoxAdditions/VBoxControl
/opt/VirtualBoxAdditions/VBoxClient
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions
/etc/fs/vboxfs/mount
/etc/fs/vboxfs
/dev/vboxguest
## Updating system information.
Removal of <SUNWvboxguest> was successful.
root@solaris11-3:~# reboot
Once Solaris 11.3 returned after reboot, I used VirtualBox's "Devices" menu to select "Insert Guest Additions CD Image". As soon as I did this, the virtual Guest Additions CD was auto-mounted at /media/VBOXADDITIONS_5.1.22_115126 and a new icon was added to the Desktop. I then installed the package VBoxSolarisAdditions.pkg from /media/VBOXADDITIONS_5.1.22_115126.
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# ls -l
total 102841
dr-xr-xr-x 2 root root 2048 Apr 28 15:35 32Bit
dr-xr-xr-x 2 root root 2048 Apr 28 15:35 64Bit
-r-xr-xr-x 1 root root 647 Aug 16 2016 AUTORUN.INF
-r-xr-xr-x 1 root root 6381 Apr 28 16:27 autorun.sh
dr-xr-xr-x 2 root root 2048 Apr 28 15:35 cert
dr-xr-xr-x 2 root root 4096 Apr 28 15:35 OS2
-r-xr-xr-x 1 root root 4824 Apr 28 16:27 runasroot.sh
-r-xr-xr-x 1 root root 8140237 Apr 28 16:27 VBoxLinuxAdditions.run
-r-xr-xr-x 1 root root 17782784 Apr 28 17:28 VBoxSolarisAdditions.pkg
-r-xr-xr-x 1 root root 16400296 Apr 28 16:35 VBoxWindowsAdditions-amd64.exe
-r-xr-xr-x 1 root root 10039072 Apr 28 16:29 VBoxWindowsAdditions-x86.exe
-r-xr-xr-x 1 root root 268496 Apr 28 16:27 VBoxWindowsAdditions.exe
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# pkgadd -d VBoxSolarisAdditions.pkg
The following packages are available:
1 SUNWvboxguest Oracle VM VirtualBox Guest Additions
(i386) 5.1.22,REV=r115126.2017.04.28.18.28
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
Processing package instance <SUNWvboxguest> from </media/VBOXADDITIONS_5.1.22_115126/VBoxSolarisAdditions.pkg>
Oracle VM VirtualBox Guest Additions(i386) 5.1.22,REV=r115126.2017.04.28.18.28
Oracle Corporation
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <SUNWvboxguest> [y,n,?] y
Installing Oracle VM VirtualBox Guest Additions as <SUNWvboxguest>
## Installing part 1 of 1.
/etc/fs/vboxfs/mount <symbolic link>
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/amd64/VBoxClient.Z
/opt/VirtualBoxAdditions/amd64/VBoxControl.Z
/opt/VirtualBoxAdditions/amd64/VBoxService.Z
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/vboxfs
/opt/VirtualBoxAdditions/amd64/vboxfs_s10
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/i386/VBoxClient.Z
/opt/VirtualBoxAdditions/i386/VBoxControl.Z
/opt/VirtualBoxAdditions/i386/VBoxService.Z
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/vboxfs
/opt/VirtualBoxAdditions/i386/vboxfs_s10
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/solaris_xorg.conf
/opt/VirtualBoxAdditions/solaris_xorg_modeless.conf
/opt/VirtualBoxAdditions/vbox_vendor_select
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/x11restore.pl
/usr/bin/VBoxClient <symbolic link>
/usr/bin/VBoxClient-all <symbolic link>
/usr/bin/VBoxControl <symbolic link>
/usr/bin/VBoxService <symbolic link>
/usr/kernel/drv/amd64/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/vboxguest
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxms.conf
/usr/lib/VBoxOGL.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/sbin/vboxmslnk <symbolic link>
[ verifying class <none> ]
/opt/VirtualBoxAdditions/VBoxClient <linked pathname>
/opt/VirtualBoxAdditions/VBoxControl <linked pathname>
/opt/VirtualBoxAdditions/VBoxISAExec <linked pathname>
/opt/VirtualBoxAdditions/VBoxService <linked pathname>
[ verifying class <manifest> ]
## Executing postinstall script.
Uncompressing files...
Configuring VirtualBox guest kernel module...
VirtualBox guest kernel module loaded.
VirtualBox pointer integration module loaded.
Creating links...
Installing video driver for X.Org 1.14.5...
Configuring client...
Installing 64-bit shared folders module...
Installing 32-bit shared folders module...
Configuring services (this might take a while)...
Enabling services...
Updating boot archive...
Done.
Please re-login to activate the X11 guest additions.
If you have just un-installed the previous guest additions a REBOOT is required.
Installation of <SUNWvboxguest> was successful.
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# cd
root@solaris11-3:~#
Connect External Hard Disk with NTFS Formatted Volume to Solaris 11.3 and find device name
I shut Solaris 11.3 down from the desktop GUI and connected an NTFS-formatted Western Digital USB disk drive to a USB port on the VM host, reconfiguring the VM to connect the USB drive to Solaris 11 over USB 2.0.
GParted on Solaris 11.3 Showing NTFS volume on external USB Hard Drive |
Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11
Now that I know the name of the device corresponding to the Windows NTFS volume on the external USB hard disk, I proceeded to install the software tools needed to mount it on Solaris 11.3.
Adding SFE Solaris 11 Repo
The software needed to mount NTFS volumes on Solaris 11 is available for free from SFE - Software Packages for Solaris, OpenIndiana and OmniOS. To get access to the software, I launched the Package Manager from the desktop icon and first added the Solaris 11 IPS Packages Repository as a publisher using File -> Add Publisher... with the URI http://sfe.opencsw.org/localhosts11.
Adding Solaris 11 SFE Repository to Package Manager using Publisher URI |
Install fusefs on Oracle Solaris 11.3 to read/write NTFS volumes
To install FUSE (File System in User Space), I searched for "fuse" in the Package Manager searchbox at the top right, checked the fusefs from publisher localhosts11 and library/libfuse from publisher solaris check-boxes, and clicked on "Install/Update". I then clicked Proceed on the Install Confirmation pop-up.
Install FUSE file system and FuseFS libraries on Solaris 11 |
Install ntfs-3g on Oracle Solaris 11.3 to read/write NTFS volumes
Installing ntfs-3g turned out to be a bit tricky, and I had to build and install it from the source package. The problem with the ntfs-3g binary package is that it includes the tools in the ntfsprogs package, which was already installed in the Oracle Solaris 11.3 VirtualBox Virtual Machine distribution. Trying to uninstall ntfsprogs threw up dependencies on GParted and partition manager tools that I did not want to uninstall in turn because they are so useful. Building and installing ntfs-3g from source actually overwrites the ntfsprogs tools without requiring complex resolution of dependencies by uninstalling useful programs.
I installed the ntfs-3g/src source package from the SFE localhosts11 repository using the package manager.
NTFS-3G Source Package Installation on Solaris 11.3 |
Installing the ntfs-3g source package ntfs-3g/src using the Package Manager basically dropped the compressed source tarball at /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz. I uncompressed, built and installed ntfs-3g from this source tarball:
root@solaris11-3:~# cd /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# tar xvzf ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# cd ntfs-3g_ntfsprogs-2016.2.22AR.2
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# ./configure
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make install
Here is a log of the complete terminal session of building ntfs-3g on Solaris from source and installing it.
Mounting the NTFS Volume
The device name for the NTFS partition of the external USB drive is /dev/dsk/c3t0d0p1, as I had found by running GParted previously. With fusefs and ntfs-3g now installed, we can finally mount the NTFS volume from the USB disk on a directory:
root@solaris11-3:~# mkdir /media/USB-Storage
root@solaris11-3:~# lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/
The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing.
The message "The disk contains an unclean file system (0, 0). The file system wasn't safely closed on Windows. Fixing." typically appears when mounting an NTFS volume on Solaris 11.3 using lowntfs-3g or ntfs-3g if the volume was previously mounted on Windows and Windows was shut down in the "hybrid" fast-startup (fastboot) mode.
A quick test to make sure we can write to and read from the NTFS volume, and we are all set on a read-write NTFS volume mounted on Solaris 11.3 using fuse and ntfs-3g.
root@solaris11-3:~# mount
...
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun 9 03:30:14 2017
root@solaris11-3:~# cp /etc/release /media/USB-Storage/
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx 1 root root 0 Jun 2 23:54 $RECYCLE.BIN
-rwxrwxrwx 1 root root 187 Jun 9 03:37 release
drwxrwxrwx 1 root root 151552 Jun 7 19:16 sanyalnet-shared
drwxrwxrwx 1 root root 4096 Jun 2 23:55 System Volume Information
Once the NTFS volume is mounted and available, Solaris 11.3 even places an icon for the new NTFS volume on the desktop automatically. Double-clicking on this new icon opens up File Browser showing the files contained in the NTFS volume:
Desktop Icon for External USB Hard Disk NTFS Volume on Solaris 11.3 |
Auto-mount NTFS volume on Solaris 11.3 using ntfs-3g and fuse
To mount the USB HDD automatically on reboot of Solaris 11.3, I created a file /etc/rc.local with the following contents:
# ---
# /etc/rc.local
#
# Commands to execute at end of boot
# This is linked from /etc/rc3.d/S99local
# Solaris 11 still supports this
# ---
/usr/bin/lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/
# chmod +x /etc/rc.local
# ln -s /etc/rc.local /etc/rc3.d/S99local
# ls -l /etc/rc.local /etc/rc3.d/S99local
-rwxr-xr-x 1 root root 357 Jan 23 19:30 /etc/rc.local
lrwxrwxrwx 1 root root 13 Jan 20 19:12 /etc/rc3.d/S99local -> /etc/rc.local
Then I rebooted and verified that the auto-mount on boot worked.
root@solaris11-3:~# uptime
1:48pm up 13 min(s), 2 users, load average: 2.64, 1.84, 1.01
root@solaris11-3:~# dmesg | grep lowntfs
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Version 2016.2.22AR.2 integrated FUSE 27
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Requested device /dev/dsk/c3t0d0p1 canonicalized as /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mounted /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r (Read-Write, label "WD My Book 1110 External HDD USB", NTFS 3.1)
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Cmdline options:
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mount options: allow_other,nonempty,relatime,fsname=/devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun 9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Ownership and permissions disabled, configuration type 6
root@solaris11-3:~# mount | grep -i USB-Storage
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun 9 13:44:18 2017
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx 1 root root 0 Jun 2 23:54 $RECYCLE.BIN
-rwxrwxrwx 1 root root 187 Jun 9 03:37 release
drwxrwxrwx 1 root root 151552 Jun 7 19:16 sanyalnet-shared
drwxrwxrwx 1 root root 4096 Jun 2 23:55 System Volume Information
Looks like everything worked and we are all set!
After installing fail2ban (see "Install fail2ban with intrusion reporting to blocklist.de" below), I grabbed action.d/blocklist_de.local from here. I then took help from my prior post about Fail2Ban on openindiana "Fail2Ban Intrusion Prevention on Solaris 11 OPENINDIANA SunOS 5.11 Illumos with Reporting to Blocklist.de" to configure it with full reporting capability to blocklist.de.
To mount the USB HDD automatically on reboot of Solaris 11.3, I created a file /etc/rc.local with the following contents:
# ---
# /etc/rc.local
#
# Commands to execute at end of boot
# This is linked from /etc/rc3.d/S99local
# Solaris 11 still supports this
# ---
/usr/bin/lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/
and then placed a symbolic link from /etc/rc3.d/S99local to /etc/rc.local:
# chmod +x /etc/rc.local
# ln -s /etc/rc.local /etc/rc3.d/S99local
# ls -l /etc/rc.local /etc/rc3.d/S99local
-rwxr-xr-x 1 root root 357 Jan 23 19:30 /etc/rc.local
lrwxrwxrwx 1 root root 13 Jan 20 19:12 /etc/rc3.d/S99local -> /etc/rc.local
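The lowntfs-3g log lines for this mount report a read-write volume with allow_other and ownership and permissions disabled, which is why every entry lists as rwxrwxrwx. The following stricter rc script is an added example, not the author's script: it flags those properties in the log and mounts with the ntfs-3g uid, gid and umask options. The function names, the numeric ids 100/100 and the mask 027 are assumptions.

```shell
#!/bin/sh
# Added example, not the author's script. SAMPLE_LOG is constructed from the
# lowntfs-3g lines shown on this page; uid/gid/umask values are assumptions.
SAMPLE_LOG='lowntfs-3g[970]: [ID 702911 daemon.notice] Mounted /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r (Read-Write, label "WD My Book 1110 External HDD USB", NTFS 3.1)
lowntfs-3g[970]: [ID 702911 daemon.notice] Mount options: allow_other,nonempty,relatime,fsname=/devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
lowntfs-3g[970]: [ID 702911 daemon.notice] Ownership and permissions disabled, configuration type 6'

# audit_ntfs_log: read lowntfs-3g syslog lines on stdin and print one code
# per property that widens access to the volume.
audit_ntfs_log() {
    while IFS= read -r line; do
        case "$line" in
        *"Mounted "*"(Read-Write"*) echo RW ;;
        *"Mount options: allow_other"*|*"Mount options:"*",allow_other"*) echo ALLOW_OTHER ;;
        *"Ownership and permissions disabled"*) echo NO_PERMS ;;
        esac
    done
}

# mount_opts UID GID UMASK: -o string that presents every file as owned by
# one numeric uid/gid, with the octal umask bits removed from the mode.
mount_opts() {
    for v in "$1" "$2"; do
        case "$v" in ""|*[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;; esac
    done
    case "$3" in [0-7][0-7][0-7]) ;; *) echo "umask must be 3 octal digits" >&2; return 1 ;; esac
    echo "uid=$1,gid=$2,umask=$3"
}

# mount_usb DEV MNT UID GID UMASK: boot-time mount that skips a missing
# device or an already mounted mount point instead of failing blindly.
mount_usb() {
    [ -e "$1" ] || { echo "rc.local: $1 not present, skipping" >&2; return 0; }
    if mount | grep "^$2 on " >/dev/null; then
        echo "rc.local: $2 already mounted" >&2; return 0
    fi
    opts=$(mount_opts "$3" "$4" "$5") || return 1
    /usr/bin/lowntfs-3g -o "$opts" "$1" "$2"
}

# /sbin/rc3 runs S* scripts with the argument "start"; any other invocation
# only audits the constructed sample log.
case "${1:-}" in
start) mount_usb /dev/dsk/c3t0d0p1 /media/USB-Storage 100 100 027 ;;
*) printf '%s\n' "$SAMPLE_LOG" | audit_ntfs_log ;;
esac
```

Set the uid and gid to the account the FTP server runs as, so that only that account and its group can read the ftproot folder.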
Configure final IP v4 address and Default Routing Gateway
I reconfigured Solaris 11 networking to the final production IP v4 address and gateway, based on excellent online documentation provided by Oracle including Creating Persistent (Static) Routes and Configuring IP Interfaces. I have no use for IPv6, which I did not configure.
Configure Solaris 11.3 IP Address
root@solaris11-3:~# dladm show-phys
LINK MEDIA STATE SPEED DUPLEX DEVICE
net0 Ethernet up 1000 full e1000g0
root@solaris11-3:~# dladm show-link
LINK CLASS MTU STATE OVER
net0 phys 1500 up --
root@solaris11-3:~# ipadm show-if
IFNAME CLASS STATE ACTIVE OVER
lo0 loopback ok yes --
net0 ip ok yes --
root@solaris11-3:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 10.200.0.50/24
lo0/v6 static ok ::1/128
net0/v6 addrconf ok fe80::a00:27ff:fe11:52f/10
root@solaris11-3:~# ipadm delete-ip net0
root@solaris11-3:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
lo0/v6 static ok ::1/128
root@solaris11-3:~# ipadm create-ip net0
root@solaris11-3:~# ipadm create-addr -T static -a 10.42.2.3/24 net0/v4
root@solaris11-3:~# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
net0/v4 static ok 10.42.2.3/24
lo0/v6 static ok ::1/128
Configure Solaris 11.3 Routing Default Gateway
root@solaris11-3:~# route -p show
persistent: route add default 10.200.0.1
root@solaris11-3:~# route -p flush
delete persistent net default: gateway 10.200.0.1
default 10.200.0.1 done
root@solaris11-3:~# route -p show
No persistent routes are defined
root@solaris11-3:~# route -p add default 10.42.2.1
add net default: gateway 10.42.2.1
add persistent net default: gateway 10.42.2.1
root@solaris11-3:~# route -p show
persistent: route add default 10.42.2.1
The completed reconfigured network configuration looks like this.
root@solaris11-3:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
net0: flags=100001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,PHYSRUNNING> mtu 1500 index 2
inet 10.42.2.3 netmask ffffff00 broadcast 10.42.2.255
ether 8:0:27:11:5:2f
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
inet6 ::1/128
net0: flags=120002000840<RUNNING,MULTICAST,IPv6,PHYSRUNNING> mtu 1500 index 2
inet6 ::/0
ether 8:0:27:11:5:2f
root@solaris11-3:~# netstat -rn
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.42.2.1 UG 6 3228
10.42.2.0 10.42.2.3 U 5 1550 net0
127.0.0.1 127.0.0.1 UH 2 4 lo0
Routing Table: IPv6
Destination/Mask Gateway Flags Ref Use If
--------------------------- --------------------------- ----- --- ------- -----
::1 ::1 UH 2 32 lo0
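A check for the readdressing procedure above, as an added example that is not part of the original post: it parses the text printed by ipadm show-addr and route -p show and reports a persistent default gateway that lies outside every configured static subnet, which is the state left behind if the old route is not flushed. The function names are illustrative and the sample text is constructed from the listings above.

```shell
# Added example: confirm each persistent default route is on-link for a static
# IPv4 address. Inputs are the text of `ipadm show-addr` and `route -p show`.
ip2int() ( IFS=.; set -- $1; echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 )) )

# in_subnet IP ADDR/PREFIX: succeed when IP lies inside the prefix.
in_subnet() (
    mask=$(( (0xffffffff << (32 - ${2#*/})) & 0xffffffff ))
    [ $(( $(ip2int "$1") & $mask )) -eq $(( $(ip2int "${2%/*}") & $mask )) ]
)

# stdin: ipadm show-addr text; stdout: static IPv4 addresses except loopback.
static_v4_addrs() {
    while read -r obj type state addr; do
        [ "$type" = static ] || continue
        case "$obj" in lo0/*) continue ;; esac
        case "$addr" in *:*) ;; [0-9]*.*.*.*/*) echo "$addr" ;; esac
    done
}

# stdin: route -p show text; stdout: gateway of each persistent default route.
persistent_gateways() {
    while read -r tag cmd verb dest gw rest; do
        if [ "$tag" = persistent: ] && [ "$dest" = default ]; then echo "$gw"; fi
    done
}

# Prints one line per gateway; non-zero if one is off-link or none exists.
check_default_route() {
    addrs=$(printf '%s\n' "$1" | static_v4_addrs)
    gws=$(printf '%s\n' "$2" | persistent_gateways)
    [ -n "$gws" ] || { echo "MISSING no persistent default route"; return 1; }
    rc=0
    for gw in $gws; do
        hit=
        for a in $addrs; do
            if in_subnet "$gw" "$a"; then hit=$a; fi
        done
        if [ -n "$hit" ]; then echo "OK $gw on-link via $hit"
        else echo "STALE $gw is outside every static subnet"; rc=1; fi
    done
    return $rc
}

# Constructed sample in the layout of the listings on this page.
ADDRS='net0/v4 static ok 10.42.2.3/24
lo0/v4 static ok 127.0.0.1/8
net0/v6 addrconf ok fe80::a00:27ff:fe11:52f/10'
check_default_route "$ADDRS" 'persistent: route add default 10.200.0.1' || true
check_default_route "$ADDRS" 'persistent: route add default 10.42.2.1'
```

On a live system the same check runs as `check_default_route "$(ipadm show-addr)" "$(route -p show)"`.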
Wrapping Up
Install fail2ban with intrusion reporting to blocklist.de
I installed and configured fail2ban with reporting to my existing server account at blocklist.de by first executing:
root@solaris11-3:~# pkg install network/fail2ban
Packages to install: 1
Services to change: 1
Create boot environment: No
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 1/1 99/99 0.1/0.1 47.8k/s
PHASE ITEMS
Installing new actions 134/134
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 4/4
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
State: disabled since June 10, 2017 06:52:11 PM UTC
Reason: Disabled by an administrator.
See: http://support.oracle.com/msg/SMF-8000-05
See: /var/svc/log/network-fail2ban:default.log
Impact: This service is not running.
root@solaris11-3:~# svcadm refresh fail2ban
root@solaris11-3:~# svcadm enable fail2ban
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
State: online since June 10, 2017 06:53:35 PM UTC
See: /var/svc/log/network-fail2ban:default.log
Impact: None.
Other final reconfiguration
I then reconfigured the ProFTP FTP server to use a folder on the external USB drive as ftproot. Finally I zeroed out the empty space on the ZFS file system and compacted the virtual machine hard drive, took a backup and put it into production at http://sanyal.duckdns.org:81.