SRSS 4.1 on OpenSolaris 2008.11
From Sun Ray User Group Wiki
Background - Goals - Disclaimers
- The purpose of this page is to provide a recipe for SRSS 4.1 installation/configuration on OpenSolaris 2008.11.
- Over time, the plan is to refine this page as knowledge & the product evolve until SRSS officially supports OpenSolaris seamlessly (target release unknown as of Dec 2008).
- This documentation should not be construed as a recommendation to install SRSS 4.1 & OpenSolaris in a production environment.
- These procedures were jointly developed by Bob Doolittle (Sun Ray Engineering) & Matt Hatley (SunFed Desktop Practice).
Assumptions
- Reader has basic Solaris System Administration skills
- Reader has Sun Ray Administration skills
- Execute instructions as root (in a terminal window use cmd: su -). Although not all cmds need to be executed as root, assuming so simply makes the procedures shorter & clearer.
- Unless otherwise noted below, accept default command options.
Download Required Software
OpenSolaris 2008.11 Installation/Configuration Instructions
Boot, Install & reboot OpenSolaris 2008.11
Tell networking to use static addresses. Either:
- Use the System->Administration->Network configuration GUI tool
or execute the following cmdline procedures:
- Edit /etc/nwam/llp to contain a line of the form
NIC static IP/maskbits
for each network interface that should have a static address, where NIC is the name of your network interface, IP is the desired static IP address and maskbits is the length of your netmask. Examples:
e1000g0 static 172.16.0.43/16
e1000g1 static 192.168.128.1/24
And then...
- Restart NWAM:
svcadm restart nwam
NWAM is an interesting character (especially how it interacts with Sun Ray). If you simply plan to set up your Sun Ray topology using utadm -L on, continued use of NWAM is fine. If you plan to use a SRSS topology (utadm -a or utadm -A), it gets so dicey that it's easier to turn off NWAM. More on that below in the Sun Ray Server 4.1 Topology Configuration Instructions section, or you can go here to Turn off NWAM.
Ensure DNS is configured (if applicable). Set up /etc/resolv.conf; here's an example:
domain example.acme.com
nameserver 192.168.1.1
Activate:
cp /etc/nsswitch.dns /etc/nsswitch.conf
svcadm enable dns/client
svcadm restart dns/client
Sun Ray Server 4.1 Installation Instructions
Base installation (no change to standard/documented procedures, accept all defaults)...
unzip -qq srss_4.1_solaris.zip
cd srss_4.1
./utinstall
...at this point, normal SRSS installation procedures call for a reboot, but hold off.
Install Apache Tomcat:
gtar xfz <MEDIA-DIR>/srss_4.1/Supplemental/Apache_Tomcat/apache-tomcat-5.5.20.tar.gz -C /opt
mv /opt/apache-tomcat-5.5.20 /opt/apache-tomcat
Configure the Xsession.d/xinitrc.d area:
mkdir -p /etc/X11/xinit/xinitrc.d
ln -s /etc/opt/SUNWut/xinitrc.d/* /etc/X11/xinit/xinitrc.d
Enable use of GDM by SRSS:
touch /etc/opt/SUNWut/ut_enable_gdm
Ensure TFTP & DHCP packages are available:
- On OpenSolaris 2008.11 the TFTP package is installed by default, but DHCP is not. Install the DHCP packages:
pkg install SUNWdhcs SUNWdhcsb SUNWdhcm
- If you observe the following errors during the pkg install above:
Error Msg: Action install failed for 'etc' (pkg:/SUNWdhcs):
Error Msg: KeyError: 'user name not found: root'
- Work-around:
touch /etc/passwd
The error was caused by bug # 4788 (/etc/passwd file ended up w/ epoch time stamp 1969-12-31)
Bug Ref: http://defect.opensolaris.org/bz/show_bug.cgi?id=4788
- If TFTP is missing, install it:
pkg install SUNWtftp
- Enable TFTP: Follow the instructions under http://default-information.blogspot.com/2007/12/opensolaris-tftp-server.html
- You can also install the TFTP & DHCP packages via the new package manager GUI. Click the "Add More Software" icon on your desktop (Note the "user name not found: root" error & work around above. This condition occurs with package manager GUI as well). If you're unfamiliar with new package manager GUI, there's an excellent explanation included in this OpenSolaris 2008.11 new features presentation [3]
Update /etc/pam.conf to include these stacks for gdm (add the following lines @ EOF):
# START: To support gdm on SRSS, added following by hand...
gdm auth requisite /opt/SUNWut/lib/pam_sunray_hotdesk.so.1
gdm auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=user
gdm auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
gdm auth sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user ignoreuser
gdm auth requisite /opt/SUNWkio/lib/pam_kiosk.so log=user
gdm auth sufficient /opt/SUNWut/lib/pam_sunray.so
gdm auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
gdm auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
gdm auth requisite pam_authtok_get.so.1
gdm auth required pam_dhkeys.so.1
gdm auth required pam_unix_cred.so.1
gdm auth required pam_unix_auth.so.1
gdm account sufficient /opt/SUNWkio/lib/pam_kiosk.so log=user
gdm account sufficient /opt/SUNWut/lib/pam_sunray.so
gdm account requisite pam_roles.so.1
gdm account required pam_unix_account.so.1
gdm session requisite /opt/SUNWut/lib/pam_sunray_hotdesk.so.1
gdm session required /opt/SUNWkio/lib/pam_kiosk.so log=user
gdm session required pam_unix_session.so.1
gdm password required pam_dhkeys.so.1
gdm password requisite pam_authtok_get.so.1
gdm password requisite pam_authtok_check.so.1
gdm password required pam_authtok_store.so.1
# END: To support gdm on SRSS
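A hand-edited PAM stack is easy to get subtly wrong, so here is a sanity check for the gdm entries, added as an example (it is not part of the original wiki page or of SRSS). It reads a pam.conf-format file and reports gdm lines with a misspelled module type or control flag, and module types that have no gdm entry at all; the function names and the sample fragment are constructed for illustration.

```shell
#!/bin/sh
# check_gdm_pam FILE: hypothetical helper (not shipped with SRSS).
# Prints one finding per line and returns non-zero if any were found.
check_gdm_pam() {
    awk '
    BEGIN {
        n = split("auth account session password", types, " ")
        m = split("required requisite sufficient optional binding include", f, " ")
        for (i = 1; i <= n; i++) istype[types[i]] = 1
        for (i = 1; i <= m; i++) isflag[f[i]] = 1
    }
    /^[ \t]*#/ || NF == 0 { next }   # comments and blank lines
    $1 != "gdm"           { next }   # other services are out of scope
    NF < 4           { printf "line %d: too few fields\n", NR; bad++; next }
    !($2 in istype)  { printf "line %d: unknown module type %s\n", NR, $2; bad++; next }
    !($3 in isflag)  { printf "line %d: unknown control flag %s\n", NR, $3; bad++; next }
    { seen[$2]++ }
    END {
        # A service with no entries for a type is handled by the "other" stack.
        for (i = 1; i <= n; i++)
            if (!(types[i] in seen)) {
                printf "no gdm %s entries, \"other\" applies\n", types[i]; bad++
            }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample: one misspelled flag and no "password" lines.
sample_pam_conf() {
    cat <<'EOF'
# START: To support gdm on SRSS, added following by hand...
gdm auth requisite /opt/SUNWut/lib/pam_sunray_hotdesk.so.1
gdm auth requisit pam_authtok_get.so.1
gdm account required pam_unix_account.so.1
gdm session required pam_unix_session.so.1
# END: To support gdm on SRSS
EOF
}

# Runs the check on the sample through a temporary file.
demo_check() {
    tmp=$(mktemp) || return 2
    sample_pam_conf > "$tmp"
    check_gdm_pam "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

Run it as check_gdm_pam /etc/pam.conf after the edit; no output and exit status 0 mean every gdm line parsed and all four module types are covered.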
Fix a bug in /opt/SUNWut/lib/utdtsession (6803899)
- Edit the file and replace "awk" with "nawk". It only occurs in one place, on line 493.
If you have access to Nevada packages and really want NSCM and RHA functionality, see the Motif section below and follow those steps now.
Make sure you have a /var/dt directory (mkdir /var/dt), otherwise you may get the following errors:
/etc/opt/SUNWut/xmgr/notify[28]: /var/dt/Xpid: cannot open [No such file or directory]
/etc/opt/SUNWut/xmgr/notify: failed to obtain master PID from /var/dt/Xpid
OK, now it's cool to reboot:
init 6
Sun Ray Server 4.1 Topology Configuration Instructions
3 methods for setting up SRSS topology:
- 1 Easiest - Public (no DTU boot/IP/DHCP info provided by SRSS): utadm -L on
- 2 Public (some DTU boot info provided by SRSS): utadm -A <SUBNET>
- 3 Private: utadm -a <NIC>
- utadm command details & background are available in the SRSS Admin Guide for Solaris [4]
For options 2 & 3, continued use of OpenSolaris NWAM gets messy. If you follow these procedures/work-arounds to Turn off NWAM, utadm -a & utadm -A will work in the typical way. For example, the following problem is caused by NWAM:
utadm -A 192.168.1.0
Error: host IP address must be set
Set host IP address in /etc/inet/hosts files and try again
After turning off NWAM you see this error:
utadm -A 192.168.1.0
### Configuring /etc/nsswitch.conf
### Configuring Service information for Sun Ray
cp: cannot access /usr/dt/config/sessionetc
chmod: WARNING: can't access /usr/dt/config/sessionetc.1273
/usr/bin/nawk: can't open file /usr/dt/config/sessionetc.1273
 source line number 1
cp: cannot access /usr/dt/config/sessionetc
Error: unable to make backup file "/usr/dt/config/sessionetc.bak"
Here is the work-around:
touch /usr/dt/config/sessionetc
Sun Ray Server 4.1 Configuration Instructions
Configure the SRSS Web Mgmt Interface:
/opt/SUNWut/sbin/utconfig
Set Policy:
/opt/SUNWut/sbin/utpolicy -a -g -z both -D
Restart SRSS Services:
/opt/SUNWut/sbin/utrestart -c
At this point SRSS should be hot on OpenSolaris 2008.11!!!
Optional Next Steps
Install SRWC 2.1 (no change to standard installation procedures):
unzip -qq srwc_2.1
groupadd uttsc
cd srwc_2.1
./installer
/opt/SUNWuttsc/sbin/uttscadm -c
/opt/SUNWut/sbin/utrestart
During the uttscadm -c step you will be asked to provide the pathname
of a library that can satisfy SRWC's dependency on functions that were originally
delivered in libcrypto.so.0.9.7.
The suggested default of /usr/sfw/lib/libcrypto.so.0.9.8 is fine if
that library actually exists on your system.
If it does not exist then you should specify /lib/libcrypto.so.0.9.8
instead.
(The earlier instructions here assumed that /usr/sfw/lib/libcrypto.so.0.9.8
would always exist but that is no longer true in OpenSolaris build 110, a.k.a. nv_110.
The original instructions would leave you with a broken SRWC install on nv_110.)
If neither /usr/sfw/lib/libcrypto.so.0.9.8 nor
/lib/libcrypto.so.0.9.8 exists then perhaps the SUNWopenssl
package is not installed on your system.
If installing that package doesn't give you a suitable library then your best way
forward is to ask for assistance on the
sunray-users mailing list.
Install Terminal Services Client GUI (it's got a nice SRWC protocol option):
pkg install SUNWtsclient
It's available via tsclient cmd (now) or the Applications->Internet->Terminal Server Client menu option (the menu doesn't update until you perform a logout/login).
How to Use CUPS to Configure an Attached Non-PostScript Printer
On OpenSolaris, the Common Unix Printing System (CUPS) can be used to administer and configure printers. CUPS can also be configured to use printers connected via USB to the DTU.
1. Enable CUPS on the Sun Ray server:
# print-service -s cups
The CUPS Admin GUI is now available at http://localhost:631
2. Change directory to the DTU's printer device files.
/tmp/SUNWut/units/<DTU>/dev/printers/*
3. Change permissions on the printer's device file.
# chmod 777 <device_file>
(Unfortunately, this is not permanent - If someone knows how to make this change permanent, please update here.)
4. Add a new printer using the CUPS Admin GUI.
- Select the "hal backend" as the printer connection
- Use "parallel:<path to your printer>" as a device.
Example
Description: Example Printer
Location: Next to my desk
Printer Driver: Brother HL-2060 Foomatic/hl1250 (recommended)
Printer State: idle, accepting jobs, published.
Device URI: parallel:/tmp/SUNWut/units/IEEE802.00144f7f5f91/dev/printers/BrotherA5J292353
How to Disable GDM on the Console
On Servers with memory limitations, you can save a few MB of RAM by disabling GDM/X11 on the local VGA console, which you typically don't need. Do this in one of two ways (tested on OpenSolaris 2009.06):
- Using the gdmsetup command, remove Screen 0 from the configuration
- add the line
0=inactive
to /etc/X11/gdm/custom.conf
In both cases, restart gdm to activate.
Known to Work
- Basic session creation/login
- policies
- audio
- utconfig/SRDS
- FOGs/utreplica
- utadm (assuming OpenSolaris DHCP & TFTP packages are installed: SUNWdhcs SUNWdhcsb SUNWdhcm SUNWtftp & work-arounds are in place)
Known NOT to Work
- Kiosk policy
- NSCM (can be made to work by adding Nevada packages, see 'Motif' below)
- RHA (can be made to work by adding Nevada packages, see 'Motif' below)
- utmhscreen (can be made to work by adding Nevada packages, see 'Motif' below)
Suspected NOT to Work
- utselect (no dtksh)
- utwall (no dterror.ds)
Known Major Issues
- loginGUI depends on SUNWmfrun (libXm.so.4) (affects NSCM, SC, & RHA)
- loginGUI depends on SUNWdtbas (libDtWidget.so.2) (affects NSCM, SC, and RHA)
- loginGUI depends on SUNWtltk (libtt.so.2) (affects NSCM and SC, and RHA)
- loginGUI depends on SUNWxwplt (libXt.so.4) (this was broken in OS2008.05, fixed in nv_93/2008.11 and later: BUGID:6683217)
- After adding the above Nevada packages - very long startup delay in loginGUI (XListFonts) but NSCM and RHA eventually work
- Adding the above Nevada packages may break OpenSolaris legacy symlinks (e.g. /usr/openwin) and cause unknown collateral damage with legacy applications
- On OpenSolaris 2008.11 /usr/openwin is now a symlink to /usr/X11 & these Nevada packages will break the symlink, turning it into a directory again. At that point things that have been moved from /usr/openwin to /usr/X11 in OpenSolaris won't be found via the legacy path.
- Due to the loginGUI startup delay and issues related to adding the above packages to OpenSolaris, it is recommended at this time that NSCM not be configured, and that the -D option be used with utpolicy to avoid RHA. Although NSCM and RHA can be used and do function properly, the startup delays may be unacceptably lengthy.
- RHA = Remote Hotdesk Authentication. A new security feature in SRSS 4.1. It means that loginGUI is used to authenticate, outside of the session, when hotdesking to an existing session (instead of the in-session screen locker). Kind of like NSCM has always been, but now for cards as well. The new -D utpolicy switch disables it - provides legacy behavior.
Motif
If you have access to the Nevada SUNWmfrun, SUNWtltk, and SUNWdtbas packages, it is possible (with some work) to install these on OpenSolaris in a non-damaging way, and get NSCM, RHA, and utmhscreen to work properly.
If you are using the OpenSolaris /dev (development) repo or 2009.06 pre-release builds, these packages are in the /devel repo as of build 110, and can be installed with pkg install.
If you are using the 2008.11 /release (stable) repo, or an older build, and thus need to use the Nevada packages, do the following after installing SRSS and before rebooting:
rm /usr/openwin
mkdir /usr/openwin
mount -Flofs /usr/X11 /usr/openwin
rm /usr/X11/share/include
mkdir /usr/X11/share/include
mount -Flofs /usr/X11/include /usr/X11/share/include
pkgadd SUNWmfrun SUNWtltk SUNWdtbas
(ignore the warnings about missing dependencies and setuid executables)
umount /usr/openwin
rmdir /usr/openwin
ln -s /usr/X11 /usr/openwin
umount /usr/X11/share/include
rmdir /usr/X11/share/include
ln -s /usr/X11/include /usr/X11/share/include
That takes care of the packages. Now things will work, but experience a very long startup delay due to missing fonts. To fix this, replace /opt/SUNWut/lib/app-defaults/loginGUI.res with the following contents:
!#
!# This is a hacked-up loginGUI.res designed to substitute existing fonts for OpenSolaris
!#
!# loginGUI Resource File
!#
*foreground: #000000
*background: #a8a8a8
*highlightColor: #ef506f
*title.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*title.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*welcome.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-137-*-*:
*welcome.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-137-*-*:
*prompt.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*prompt.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*text.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*text.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*text.foreground: #ffffff
*text.background: #808080
*text.Translations: #override\n\
Ctrl<Key>u:delete-to-start-of-line()\n\
Ctrl<Key>k:delete-to-end-of-line()\n\
Ctrl<Key>a:beginning-of-line()\n\
Ctrl<Key>e:end-of-line()\n\
Ctrl<Key>b:backward-character()\n\
Ctrl<Key>f:forward-character()\n\
Shift<Key>Tab: prev-tab-group() \n\
Ctrl<Key>Tab: next-tab-group()
*enableBtn1Transfer: button2_transfer
*enableButtonTab: True
*enableDefaultButton: True
*help_text.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*help_text.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-107-*-*:
*XmPushButton.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*XmPushButton.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*QuickLogin.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*QuickLogin.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*Exit.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*Exit.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*On.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*On.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*Off.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*Off.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*options.font: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
*options.fontList: -adobe-*-medium-r-normal-*-*-*-*-*-p-103-*-*:
That's it! Now after rebooting and configuring your system as detailed above you have access to the NSCM and RHA policies.
OpenSolaris 2009.06
A couple of aspects are now simpler with 2009.06.
- Motif libraries are now in the OpenSolaris repository, so you should now run
pkg install SUNWmfrun SUNWtltk SUNWdtbas
- There's a bug however in one of the I18N libraries which makes loginGUI fail except in the C locale (CR 6822673, fixed in snv_115). To work around this, you can either leave NSCM disabled and disable RHA (don't add -M to utpolicy, do add -D), or you can edit /etc/opt/SUNWut/loginGUI.start as follows:
197c197 < $LOGIN_GUI_PROG -l "$LOGIN_TYPE" "$@" & --- > LANG=C $LOGIN_GUI_PROG -l "$LOGIN_TYPE" "$@" &
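Review bot: on the replacement line 197, `LANG=C` is the lowest-priority locale variable, so if the environment that runs loginGUI.start already has `LC_ALL` or any `LC_*` category set, loginGUI still starts outside the C locale and the workaround has no effect; `LC_ALL=C` in the same position would force it. A comment on that line naming CR 6822673 would also make the edit easy to find and back out once a build with the fix (snv_115) is installed.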
- After performing the above steps, NSCM, RHA, utselect, utwall, and utmhscreen should all work
- There's a bug (6807063) that requires you to run utrestart -c after bootup to make SRSS become operational. If this is a problem, you can fix it by editing /etc/init.d/utacleanup as follows:
211,218c211,214
< OS=`uname -s`
< if [ "$OS" = "SunOS" ]; then
< if isGDMOK2Use && [ "`/bin/svcs -o STATE -H gdm 2>/dev/null`" = "online" ]
< then
< XMGR=gdm
< else
< XMGR=dtlogin
< fi
---
> if [ "`uname -s` `uname -r`" = "SunOS 5.10" ] \
> || [ -x /usr/dt/bin/dtlogin -a ! -f ${ETCOPTDIR}/ut_enable_gdm ]
> then
> XMGR=dtlogin
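Review bot: the second test on new line 212 expands `${ETCOPTDIR}` unquoted and combines two conditions with `-a` inside one `[ ]`, which POSIX marks as obsolescent and which some shells parse ambiguously; `{ [ -x /usr/dt/bin/dtlogin ] && [ ! -f "${ETCOPTDIR}/ut_enable_gdm" ]; }` keeps the same grouping after the `||`. The replacement also no longer asks `svcs` for the gdm state, so the choice now rests only on the OS release, the presence of dtlogin and the ut_enable_gdm flag file; a comment referencing bug 6807063 should say that this is deliberate.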
- There's a Solaris bug (6795892) that, although it's been marked as fixed, still impacts SRSS 4.1. It has to do with a rewrite of the networking stack (a project called "Volo"). If you receive 26D then apply the following workaround (copied from the CR Workaround):
In /etc/sock2path change the following lines:
2 2 0 tcp
2 2 6 tcp
26 2 0 tcp
26 2 6 tcp
2 1 0 udp
2 1 17 udp
26 1 0 udp
26 1 17 udp
to:
2 2 0 /dev/tcp
2 2 6 /dev/tcp
26 2 0 /dev/tcp6
26 2 6 /dev/tcp6
2 1 0 /dev/udp
2 1 17 /dev/udp
26 1 0 /dev/udp6
26 1 17 /dev/udp6
i.e. replace 'udp' with '/dev/udp' and 'tcp' with '/dev/tcp' (and add a
6 to the end of the family 26 lines), then reboot.
This will revert back to using old streams sockets for UDP and TCP.
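The same edit written as a filter, added here as an example (it is not from the CR or from SRSS): it rewrites only the eight tcp/udp rows listed above, leaves every other row and any already-converted row untouched, and a second function counts rows still waiting for conversion. The function names and sample rows are constructed; run it into a copy and compare before replacing /etc/sock2path.

```shell
#!/bin/sh
# revert_sock2path: hypothetical filter (not from the CR or from SRSS).
# Reads sock2path rows (family type protocol module) on stdin and rewrites
# only the eight tcp/udp rows named in the workaround.
revert_sock2path() {
    awk '
    /^[ \t]*#/ || NF != 4 { print; next }     # comments and other layouts: as is
    ($1 == 2 || $1 == 26) && ($4 == "tcp" || $4 == "udp") {
        listed = ($4 == "tcp" && $2 == 2 && ($3 == 0 || $3 == 6)) ||
                 ($4 == "udp" && $2 == 1 && ($3 == 0 || $3 == 17))
        if (listed) {
            # family 26 gets the trailing 6: /dev/tcp6, /dev/udp6
            dev = "/dev/" $4 ($1 == 26 ? "6" : "")
            sub($4 "[ \t]*$", dev)            # replace the last field, keep spacing
        }
    }
    { print }'
}

# Counts family 2/26 rows that still name tcp or udp instead of a /dev path.
sock2path_pending() {
    awk '!/^[ \t]*#/ && NF == 4 && ($1 == 2 || $1 == 26) &&
         ($4 == "tcp" || $4 == "udp") { n++ }
         END { print n + 0 }'
}

# Constructed sample rows: four to convert, one that must pass through.
sample_sock2path() {
    cat <<'EOF'
# constructed sample rows
2 2 0 tcp
26 2 6 tcp
2 1 17 udp
26 1 0 udp
2 4 0 /dev/rawip
EOF
}
```

For example: revert_sock2path < /etc/sock2path > /tmp/sock2path.new, then diff the two files and confirm sock2path_pending < /tmp/sock2path.new prints 0 before copying the new file into place and rebooting.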
Opensolaris-Dev 129 +
With the introduction of OpenSolaris build 129 onwards, some changes have been made to GDM.
You may see the following error in /var/log/gdm/:XX.log:
Fatal server error: could not open default font 'fixed'
To solve this, you need to apply the following work-arounds:
Edit /etc/gdm/custom.conf and change the Greeter line to:
Greeter=/usr/lib/gdm-simple-greeter
Create a file /etc/opt/SUNWut/X11/fontpath with the following contents:
/usr/X11/lib/X11/fonts/100dpi
/usr/X11/lib/X11/fonts/100dpi-ISO8859-1
/usr/X11/lib/X11/fonts/100dpi-ISO8859-15
/usr/X11/lib/X11/fonts/75dpi
/usr/X11/lib/X11/fonts/75dpi-ISO8859-1
/usr/X11/lib/X11/fonts/75dpi-ISO8859-15
/usr/X11/lib/X11/fonts/encodings
/usr/X11/lib/X11/fonts/fonts
/usr/X11/lib/X11/fonts/isas
/usr/X11/lib/X11/fonts/misc
/usr/X11/lib/X11/fonts/misc-ISO8859-1
/usr/X11/lib/X11/fonts/misc-ISO8859-15
/usr/X11/lib/X11/fonts/Type1
Opensolaris-Dev 134 + (or maybe 130+)
In some of the latest Opensolaris builds, the above fontpaths have changed to:
/usr/share/fonts/X11/100dpi
/usr/share/fonts/X11/100dpi-ISO8859-1
/usr/share/fonts/X11/100dpi-ISO8859-15
/usr/share/fonts/X11/75dpi
/usr/share/fonts/X11/75dpi-ISO8859-1
/usr/share/fonts/X11/75dpi-ISO8859-15
/usr/share/fonts/X11/encodings
/usr/share/fonts/X11/isas
/usr/share/fonts/X11/misc
/usr/share/fonts/X11/misc-ISO8859-1
/usr/share/fonts/X11/misc-ISO8859-15
/usr/share/fonts/X11/Type1
Furthermore, you need to fix some library path issues. Quick and dirty:
/usr/lib# ln -s xorg/libXfont.so
/usr/lib# ln -s xorg/libXfont.so.1
/usr/lib# cd amd64/
/usr/lib/amd64# ln -s xorg/libXfont.so.1 ^C
/usr/lib/amd64# ln -s ../xorg/amd64/libXfont.so
/usr/lib/amd64# ln -s ../xorg/amd64/libXfont.so.1
/usr/lib# ln -s xorg/libfontenc.so
/usr/lib# ln -s xorg/libfontenc.so.1
/usr/lib# cd amd64/
/usr/lib/amd64# ln -s ../xorg/amd64/libfontenc.so.1
/usr/lib/amd64# ln -s ../xorg/amd64/libfontenc.so
And even *further* more you'll need to hack /opt/SUNWut/lib/xmgr/gdm/remove-dpy since gdmdynamic arguments appear to have changed:
Replace:
gdmglue="; gdmdynamic -b -d "'$UT_DPY'
With:
gdmglue="; gdmdynamic -d "'$UT_DPY'
Of course, you could also find the appropriate script that starts Xnewt and edit LD_LIBRARY_PATH accordingly. I'll leave that to someone closer to SunRay development than me.
Check out Chris Gerhard's Blog for some additional details.

