
Sun Server configuration

This document describes the specific configuration that should be done to a Sun box
at build time to match the required USF standard. For each box the OS version should
be Solaris 2.7. Note that this document does not discuss patch management, but the
most recent patches should be obtained from Sun and added to the Jumpstart build
process.

Standard filesystem sizing

Each host should have at least four disks. Two will be used for the mirrored root disk,
and two for mirrored customer data.
The root disk structure should be as follows:

18G disk layout:

Filesystem     Size (G)   Purpose
/              3          The root OS
/opt           3          Application directory
/var           6          All log files
swap (/tmp)    4          Temp and swap space (dual use in Sun)

Notes:
• There is no separate /export/home. Nothing is really stored here and so it is not
required. This does mean that applications such as the Tivoli package should be
altered to put their data under /var and their config files under /usr (where
they should go anyway!). Users should log into a home directory that is where
their data is; they should not be allowed to put non-OS files in the root filesystem.
• The model here provides more than enough space for the root filesystem --
probably only 500M is needed so this should be far more than enough.
• /opt is to be used for application data. Note that this is only for static data -- the
application executables, application support and customer configuration files
only. The customer data files and any log files will be written to elsewhere.
Customer data files should be written to the data disk, and log files should be
written to /var.

• swap is set to 4G -- this should be large enough to hold any savecore image that
may be created. The savecore image itself should be written to /savecore that
should exist on the data disk. Note that savecore doesn't need to be mirrored so
it can be concatenated across both disks effectively halving the space
requirement.
• All midrange servers have two 36 Gb internal disks which will be mirrored using
Veritas Volume Manager. All will have the same root disk layout on install:

Slice   Mount   Size    Purpose
s0      /       3 Gb    Root
s1      swap    4 Gb    Primary swap
s3      /var    6 Gb    Application logs, Patch/software management
s7      /opt    7 Gb    Additional Software

After the root disk has been encapsulated, a public region will exist with approx
18 Gb of free space. This will be used to create the following additional volumes:

Volume      Size    Purpose
/data/inf   1 Gb    System and Unix PT logs
/savecore   3 Gb    Crash Dumps
swap        4 Gb    Secondary swap
swap        4 Gb    Tertiary swap

General configuration setup

• The following packages should be added:

Package      Description
TIVsmCapi    Tivoli Storage Manager Solaris 2.6 API
TIVsmCba     Tivoli Storage Manager Solaris 2.6 Client
TIVsmCdoc    Tivoli Storage Manager Solaris 2.6 Documentation
USFSasert    ASERT Security Package v1.4
USFSssh      F-Secure SSH

Notes:

• When ASERT is installed it will add a default /etc/hosts.allow. This must be
set up so that remote access is possible! The general contents of this file will be
something like this:
ALL : 194.194. # Socks & admin access
ALL : 195.183. # Socks & admin access
ALL : 194.32. # Socks & admin access
ALL : 213.62.35. # Socks & admin access
ALL : 32.224. # Customer access.
ALL : 32.239. # Customer access.
ALL : 213.62.34. # Back-end host access
ALL : 213.62.36. # Back-end host access

Here the red indicates specific customer access. This will change, of course, from
customer to customer. The intention is not to have an ALL : ALL line, as this
negates the point of this file! Can we build this from an IP book?
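
One way to answer the IP book question above, as an added example (not part of the original document or of the ASERT package): a POSIX sh/awk function that turns IP book entries into hosts.allow rules and refuses anything that is not a numeric prefix, so an ALL : ALL line cannot be generated. The "prefix|purpose" export format, the 2-to-3-octet policy, the function names and the sample entries are assumptions.

```shell
#!/bin/sh
# Generate /etc/hosts.allow rules from an IP book export.
# ASSUMPTION: one "prefix|purpose" entry per line; the real IP book
# format is not given in this document.

gen_hosts_allow() {
    # stdin: IP book entries. stdout: rules. Non-zero return if any entry
    # was rejected, so a build script can stop instead of installing the file.
    awk -F'|' '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            prefix = $1
            gsub(/[ \t]/, "", prefix)
            # Only dotted numeric prefixes ("194.194." style) are accepted,
            # which rules out ALL, hostnames and wildcards.
            ok = (prefix ~ /^([0-9]+\.)+$/)
            n = split(prefix, oct, ".") - 1  # trailing dot leaves one empty field
            # Example policy: 2 or 3 octets; a single octet is refused as too broad.
            if (n < 2 || n > 3) ok = 0
            for (i = 1; ok && i <= n; i++)
                if (oct[i] + 0 > 255) ok = 0
            if (!ok) {
                print "rejected entry " NR ": " $0 | "cat 1>&2"
                bad = 1
                next
            }
            # The comment goes on its own line: hosts_access(5) only treats
            # lines that begin with "#" as comments.
            printf "# %s\nALL : %s\n", $2, prefix
        }
        END { exit bad }
    '
}

# Constructed sample entries (illustrative, not taken from a real IP book).
sample_book() {
cat <<'EOF'
194.194.|Socks & admin access
32.224.|Customer access
ALL|temporary debug rule
EOF
}

sample_book | gen_hosts_allow || echo "IP book contains rejected entries" >&2
```
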

• If the box is to be a web server, the default route should be set
(/etc/defaultrouter); otherwise no default route should be added (i.e.
/etc/defaultrouter should not exist).
• All hosts should have their USF-connected network ports set to 100-full duplex.
This is achieved by modifying /kernel/drv/qfe.conf and/or
/kernel/drv/hme.conf to this:
adv_100fdx_cap=1;
adv_100hdx_cap=0;
adv_10fdx_cap=0;
adv_10hdx_cap=0;
adv_autoneg_cap=0;

ADSM

ADSM should be set up so that its config file (/usr/bin/dsm.sys) has these lines:

schedlogname /var/log/adsm/dsmsched.log
schedlogretention 3 d
errorlogname /var/log/adsm/dsmerror.log
errorlogretention 3 d
INCLEXCL /opt/tivoli/tsm/client/ba/bin/inclexcl.def

The contents of inclexcl.def should be (modify to include only application
configuration files):

*DSM: files to backup USF Servers
*exclude *
*include /home/.../*
include /opt/weblogic/config
exclude /tmp/.../*
exclude /var/archive/.../*

The directory /var/log/adsm must also exist. In addition, the directory
/archive should exist and be a symlink to /var/archive:

mkdir /var/archive; ln -s /var/archive /archive

This is used by ADSM to perform weekly archiving.

Additional requirements

The following additional requirements should be adopted on each new build:

• IP book used to generate the following files:
/etc/staticroutes
/etc/hosts.allow
/etc/macaddress
• The following additions to the start scripts should be added:
/etc/init.d/macaddress
/etc/init.d/staticroutes
• Direct root login should only be allowed from the console port (disable network
access via /etc/default/login).

• For apps (WebLogic) servers: make sure the multicast address (224.0.0.0) is
bound to the same network on both apps servers (netstat -rn|grep ^224).
• Loopback address setup for web servers. (How do I set this -- I know this is
ifconfig:
lo0:1: flags=859<UP,LOOPBACK,POINTOPOINT,RUNNING,MULTICAST> mtu 8232
inet 62.200.84.136 --> 127.0.0.1 netmask ff000000 ?)
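
The file-level requirements in this document (default route by role, console-only root login, no ALL : ALL rule, forced 100-full duplex, the ADSM directories) can be checked after a build with a script like the one below. It is an added example, not part of the original document; the ROOT prefix argument and the role names are assumptions of the example, and CONSOLE=/dev/console is the standard Solaris setting in /etc/default/login that restricts direct root login to the console.

```shell
#!/bin/sh
# Post-build audit of the file-level settings this document requires.
# Usage: audit.sh ROOT ROLE   (ROOT "" for the live system, ROLE "web" or other)
# ASSUMPTION: the ROOT prefix and the role names are conventions of this
# example, chosen so a staged or constructed tree can be checked.

audit_build() {
    root=$1 role=$2 fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # A default route is wanted on web servers only.
    if [ "$role" = web ]; then
        [ -s "$root/etc/defaultrouter" ] || fail "web server has no /etc/defaultrouter"
    elif [ -e "$root/etc/defaultrouter" ]; then
        fail "/etc/defaultrouter exists on a non-web host"
    fi

    # Direct root login from the console only (uncommented CONSOLE line).
    grep -q '^CONSOLE=/dev/console' "$root/etc/default/login" 2>/dev/null ||
        fail "CONSOLE=/dev/console not set in /etc/default/login"

    # hosts.allow must exist and must not contain a catch-all rule.
    if [ ! -f "$root/etc/hosts.allow" ]; then
        fail "/etc/hosts.allow is missing"
    elif grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$root/etc/hosts.allow"; then
        fail "ALL : ALL rule in /etc/hosts.allow"
    fi

    # Forced 100-full duplex on whichever of hme/qfe is configured.
    for drv in hme qfe; do
        conf="$root/kernel/drv/$drv.conf"
        [ -f "$conf" ] || continue
        for want in adv_100fdx_cap=1 adv_autoneg_cap=0; do
            grep -q "^$want;" "$conf" || fail "$drv.conf: $want; not set"
        done
    done

    # ADSM log directory and the /archive -> /var/archive symlink.
    [ -d "$root/var/log/adsm" ] || fail "/var/log/adsm is missing"
    target=$(ls -ld "$root/archive" 2>/dev/null | sed -n 's/.* -> //p')
    [ "$target" = /var/archive ] || fail "/archive is not a symlink to /var/archive"

    [ "$fails" -eq 0 ]
}

if [ $# -gt 0 ]; then audit_build "$1" "${2:-other}"; fi
```
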
