Solaris Localization Checklist
To use this checklist:
Place your LOGIN NAME inside each brace after the task is completed.
Place NA (Not Applicable) if the task doesn't apply here.
--- THIS CHECKLIST IS INTENDED TO BE DONE IN ORDER! ---
VERIFY EVERYTHING. GET SOMEONE ELSE TO DO IT IF YOU CAN'T!
UnixOps Localization Checklist for SUN - SunOS 5.8+ Specific (SOLARIS 2.8+)
**************************** GENERIC SECTION **************************
MACHINE NAME:
UnixOps support type (check all that apply):
[ ] No support - one time localization only
[ ] NET support
[ ] FULL support (includes first 3 and user support)
[ ] GATE support (host has >1 network interface and subnet)
[ ] DUMPS backups
[ ] All parts have been installed, final location known,
wiring asked to make any necessary connections
[ ] Has a valid CU-Boulder Internet address and all host
attributes are in addhost database.
[ ] Install base OS
[ ] Move this file to hostname:/Localization and continue
to update it there.
[ ] Create /.rhosts (mode 600, owner root) and make it contain
*only* machines it gets its files from. (FQDNs only)
[ ] Create /etc/resolv.conf with the appropriate entries.
[ ] Edit /etc/nsswitch.conf; add 'dns' before 'files' on
the hosts line.
[ ] Install all vendor specific patches available from
http://sunsolve.sun.com or via UnixOps FTP.
[ ] Verify that autoshutdown is disabled in /etc/power.conf
autoshutdown 30 9:00 9:00 noshutdown
[ ] Make sure that the following files have the correct
information:
/etc/netmasks: 255.255.255.0
/etc/hostname.*: non-fully-qual hostname (NFQHN)
/etc/nodename: NFQHN
[ ] /etc/net/*/hosts are links to /etc/hosts
[ ] /etc/inet is a link to /etc:
remove all file links in /etc/ that point to /etc/inet
move all files from /etc/inet to /etc
rmdir /etc/inet
ln -s /etc /etc/inet
[ ] This host has valid routing. A machine with a single
network interface should be running "in.routed -q" or
"in.rdisc -s"
[ ] Change root's login shell to be /bin/csh
[ ] Change root's GECOS password field to ' root'
[ ] Create /.cshrc or copy from a like machine
[ ] Make the link:
ln -s /etc/.login /etc/csh.login
[ ] Create /core by soft-linking to /dev/null
ln -s /dev/null /core
[ ] chmod 400 /dev/openprom
[ ] chmod 4770 /usr/openwin/bin/sys-suspend
[ ] Turn off mipagent - Mobile IP agent
mv /etc/rc3.d/S80mipagent /etc/rc3.d/s80mipagent
[ ] Remove system versions of rdist
rm /usr/ucb/rdist /usr/bin/rdist
client [ ] Create a stub /usr/local tree with the command
mkdir -p /usr/local/{bin,etc}
client [ ] Make the link:
ln -s /usr/bin/tcsh /usr/local/bin/tcsh
in your stub /usr/local
client [ ] Put rdistd in your stub /usr/local/etc
rdist [ ] Install the sudo package in /usr/local
rdist [ ] Install Secure Shell 2 package, including ssh2 and sshd2
in your stub /usr/local
[ ] Replace any previously existing ssh_host_key and
ssh_host_key.pub files if this is an upgrade or
reinstallation of the OS.
server [ ] Setup /etc/sudoers to include FTEs, yourself, and any local
admins for this machine
server [ ] Create valid tech.alias, trouble.alias, admin.alias, and
wiring.alias in /usr/local/adm/unixops, mode 644.
server [ ] Make the link
ln -s /var/adm/log /usr/local/adm/logs
[ ] Configure machine to be rdisted to by distribution
host (has /usr/local/etc in root's path, has
/usr/local/etc/rdistd, and distrib host is in /.rhosts).
server [ ] Set up /usr/local/etc/hourlydist if this machine is a server
which will be sharing passwd, group, sudoers, etc. with
clients.
server [ ] If you are distributing the /etc/group file across mixed
architectures you will need to modify /etc/group on the
server to include all groups expected to be found by each
system.
[ ] Remove uucp if you are not running it. (Solaris 2.5/5.5
and earlier run it by default). Remove its crontab entry.
rm /var/spool/cron/crontabs/uucp
mv /etc/rc2.d/S70uucp /etc/rc2.d/s70uucp
[ ] Disable SNMP (we don't manage our systems with SNMP; we
use syslog).
mv /etc/rc3.d/S76snmpdx /etc/rc3.d/s76snmpdx
mv /etc/rc3.d/S77dmi /etc/rc3.d/s77dmi
[ ] Create /etc/shells and include all shells expected to be
on the system. (This will save much confusion as ftp will
not allow people to ftp in if their shell is not in
this list).
[ ] Create /var/adm/log/connect.log, mode 644
[ ] Create /var/adm/log/sudo.log, mode 600
[ ] Install UnixOps syslog.conf - copied from localized system
of same OS and class config.
client [ ] If this host has blessing to mount NFS partitions, add
remote partitions to mount to /etc/vfstab with mount
options rw,bg. If mounting /var/mail via NFS, use
rw,bg,actimeo=0 as mount options. Comment out all
lines in /etc/auto_master and kill the autofs process.
Create needed mount points. Run mountall.
OR:
blessed mounts are setup in /etc/auto_master with
-rw,nosuid,intr,soft,grpid. Create mount points, mount.
server [ ] If it is the NFS server, edit /etc/dfs/dfstab to include the
partitions to be exported. Run shareall to push out the
mount permissions.
server [ ] Run showmount -e on machine and make sure no
partitions are mountable by unauthorized machines.
If you get the error "RPC: Program not registered"
it just means that you haven't exported ANY partitions,
which is fine.
server [ ] If this will be a UniqUID mailhome host, install adduser.
Be sure to configure /usr/local/lib/adduser/adduser.conf
to the customer's specifications. Make sure there is a
good set of user dot files in /usr/local/lib/adduser/homedir.
Make sure the host trusts itself in order for adduser to
work.
OR:
If in Club UniqUID and this machine is to be part of an ITS
lab, install durm - configure /usr/local/durm/lib/type_db
to the customer's specifications. Make sure there is a
good set of user dot files in /usr/local/durm/skel -
configure /usr/local/durm/lib/durm.rc for correct paths.
server [ ] Make the link:
ln -s /var/mail /usr/spool/mail
server [ ] If in Club UniqUID, install passport and have it
run as a cron job once a month (1st, 2nd, or 15th).
[ ] Make the link:
ln -s /var/mail /usr/spool/mail
[ ] Kernel-level parameters set correctly in /etc/system.
Do we need to force full-duplex 100BaseT?
FIND OUT!
[ ] Disable "execute" for the user stack by adding the
following lines to the end of /etc/system:
set noexec_user_stack=1
set noexec_user_stack_log=1
[ ] Make the links:
ln -s /usr/local/X11/lib/X11 /usr/lib/X11
ln -s /usr/local/X11/include/X11 /usr/include/X11
(You may have to delete old links first!)
[ ] Make the links:
ln -s /usr/lib/fs/ufs/ufsdump /etc/dump
ln -s /usr/lib/fs/ufs/ufsdump /etc/rdump
ln -s /usr/lib/fs/ufs/ufsrestore /etc/restore
ln -s /usr/lib/fs/ufs/ufsrestore /etc/rrestore
[ ] Make the links:
ln -s /usr/lib/netsvc/rwall/rpc.rwalld /usr/sbin/rpc.rwalld
ln -s /usr/lib/netsvc/spray/rpc.sprayd /usr/sbin/rpc.sprayd
[ ] Run admintool as root to add remote network printers.
If this host will be controlling local HP Jetdirect
printers, use HP's JetAdmin tool to add local printers.
[ ] After patch installation is complete, install TCP wrappers.
Binaries are located via anonymous ftp from boulder.
Update /etc/inetd.conf, kill and restart inetd.
MAKE SURE that you "chmod 0" any binaries that you back up,
*particularly* if they are setuid! (/bin/login)
[ ] Turn off automatic savecore upon reboot
/usr/sbin/dumpadm -n
[ ] Remove setuid bit on /usr/sbin/pgxconfig
chmod 511 /usr/sbin/pgxconfig
[ ] Set TCP_STRONG_ISS to 2 in /etc/default/inetinit
[ ] chmod 700 /var/spool/cron
[ ] Disable startup script for native apache web server
mv /etc/rc3.d/S50apache /etc/rc3.d/s50apache
[ ] Create link:
ln -s /usr/local/etc/dt /etc/dt
[ ] If this machine will run CDE, enable the display of
the /etc/motd file in new dtterm windows:
mkdir -p /usr/local/etc/dt/config/C
echo "Dtterm*loginShell: True" > \
/etc/dt/config/C/sys.resources
[ ] If you're rdisting the gnu package to this SERVER,
create a root crontab entry to run
/usr/local/gnu/lib/locate/updatedb once per week.
rdist [ ] Install latest version of CU sendmail
server [ ] IF this is a server, edit the vfstab and add the mount
option "size=?m" to the swap tmpfs line, where ? is equal
to HALF of the size of your swap partition (in megabytes).
This string should replace the last dash on the tmpfs line.
[ ] ntpdate - This should be run from cron as
/usr/sbin/ntpdate -s timehost
[ ] Do a "catman -w" to build whatis database
*************************** AMANDA SECTION ****************************
!!!! DO THIS ONLY IF THIS MACHINE WILL BE DUMPED BY UnixOPS !!!!
[ ] Machine has operator login with correct operator
password. NOTE: most of the AMANDA install steps below
can be done by simply disting the appropriate package
from distrib host, after operator login has been created.
[ ] AMANDA master host is in ~operator/.amandahosts, and
~operator/.amandahosts is mode 600, owned by operator
[ ] Machine has group operator (and the user operator is in
group operator).
rdist [ ] AMANDA utilities `sendbackup' and `sendsize' are installed
in /usr/local/amanda/libexec [most of the amanda install
process is automated if the amanda package is specified to
be rdisted to this host by the central distrib host]
rdist [ ] These AMANDA services should appear in /etc/services:
amsendsize 10069/udp
amsenddump 10070/tcp
rdist [ ] AMANDA services should appear in /etc/inetd.conf
amanda dgram udp wait operator \
/usr/local/amanda/libexec/amandad amandad
amandaidx stream tcp nowait operator \
/usr/local/amanda/libexec/amandaidx amandaidx
amidxtape stream tcp nowait operator \
/usr/local/amanda/libexec/amidxtape amidxtape
rdist [ ] All raw disk devices are mode 640, group operator
[ ] /etc/dumpdates is mode 664, group operator
[ ] Add partitions to be dumped to the amanda
master.disklist. USE CHECKOUT!
***************************** END AMANDA SECTION ************************
********************** FREE SOFTWARE PACKAGES SECTION *****************
Verify that these packages are installed if this is a SERVER. Most of
these can be rdisted from our distribution host, otherwise either copy
them from a machine of the same OS and architecture or source code is
in the source tree.
rdist [ ] sudo, visudo
[ ] mailhome (if in Uniquid)
[ ] screensaver installed and setup in /etc/rc2.d/S92screenblank
(if system runs CDE, screen blanking is automatic.)
rdist [ ] top
rdist [ ] da
rdist [ ] webster
[ ] serial file transfer protocols - sz, rz, kermit, xmodem.
rdist [ ] perl
rdist [ ] trn (threaded news reader - needs /usr/local/news)
[ ] scrub
[ ] spacegripe
***************** END FREE SOFTWARE PACKAGES SECTION ******************
********************* EXTRA SOFTWARE PACKAGES SECTION *****************
!!! If customer has a full-service agreement with UnixOps, install any/all
!!! of these at no extra charge. If customer has only net support, this is a
!!! one-time localization, or this is time and materials work, let them
!!! know about the charges marked beside the packages. Be sure to inform
!!! billing about which packages you installed.
$100 [ ] X11R6.4
$100 [ ] TeX / detex / latex /culogo font for tex
$100 [ ] GNU distribution (includes gzip, RCS, *roffs, gs, gcc, g++)
$50 [ ] RAND MH
$50 [ ] emacs (gnu version: most recent)
[ ] unbundled C, C++, Fortran, Pascal, SPARCworks, and/or
AnswerBook (we will install these packages free to full
service customers, but they must contact ITS or
scholarline@colorado.edu to purchase compiler licenses).
******************* END EXTRA SOFTWARE PACKAGES SECTION ***************
**************************** FINAL SECTION ****************************
[ ] All FTEs have accounts on this machine with
sudo (and know about it!) Mail them a notification
of this fact.
[ ] If UnixOps supported, update the /home/unixops/system.list
file - make sure any changes in OS are reflected.
[ ] Update the following fields in the addhost database:
HostName, AdminsAffil, DeptAffil, EtherAddr1, InetAliases,
Model, Serial Number, OSVersion, PhysPhone, Building,
RoomNumber, B-Jack Number, and Responsible Person.
If you cannot change the record yourself, collect the
information and bring it to an FTE for update.
[ ] Do a localization level 0 backup of the system as soon
as the localization is completed (or at any time the
pain threshold is higher for going through this list than
doing a restore).
[ ] Notify billing about any charges.
[ ] Make sure that hardware configuration is correct. Either
boot -r or touch /reconfigure and reboot
[ ] This host has a nametag plastered on it and all its
peripherals including proper disk labeling with the
partition table. (use mklabels)
[ ] root password is what it should be
************************** END FINAL SECTION **************************