C H A P T E R 4 |
Further Management Information |
A system administrator can log in to the Service Processor (SP) using secure shell (SSH) and issue commands, or more commonly, write a shell script that remotely invokes these operations.
The SP includes a suite of commands that enables management and monitoring of the server; this suite of commands is referred to as server management commands. From the command line, for instance, you can write data driven scripts that automate configuration of multiple machines.
The Sun Fire V20z and Sun Fire V40z Servers Network Share Volume CD contains sample scripts for getting started, which you can access after you extract the files on the CD. See Network Share Volume (NSV) CD-ROM for more information about the script locations.
An administrator can make configuration changes for a single SP by using SSH to log in and run commands. For a multi-system environment in which configurations for all SPs must be synchronized, you can automate configuration changes.
As a Unix/Linux administrator, you can use SSH, trusted-host relationships or public-key authentication, and Unix/Linux shell scripting to automate tasks that need to be performed on multiple SPs.
1. Set up your system for scripting.
Sun Fire V20z and Sun Fire V40z remote scripting solutions depend on SSH for authentication and data encryption. If you do not already have SSH, you can obtain a free implementation, OpenSSH, available at www.openssh.org. The SP allows the use of SSH v2 only. Refer to Remote Scripting Using SSH.
2. Create a trusted-host relationship or add your public key for SSH authentication.
In order to use SSH in a scripted environment such that you are not prompted for a password upon the execution of each command, you can establish a trusted-host relationship between the machine from which the commands are sent and the SP on which the commands are executed. (This requires the prior creation of a manager-level user on the SP.) Refer to Creating Trusted-Host Relationships.
You can also add a public key for SSH authentication, allowing you to log in via SSH and execute remote commands without being prompted for a password. Refer to Adding Public Keys.
3. Configure your client for scripting.
You must configure the client machine on which you will be running scripts.
Remote scripting to the SP is done by using a program called SSH. For example, as a user on the UNIX machine client.company.com with the SP name sp.company.com, you could execute a command on the SP from the UNIX client using the following format:
Because the SSH server must authenticate the remote user, the user must either enter a password, or a trusted-host relationship must exist, or the remote user's public key must be installed on the SP.
If using trusted-host relationships for passwordless access, the SP must have a local user of the same name as the remote user (or the remote user should be a member of a directory service group that is mapped to a local SP administrative group).
You can also add your public key file instead of creating a trusted-host relationship to be authenticated via SSH. Refer to Adding Public Keys.
When configured for passwordless access, the ssh daemon on the SP allows the remote user access to sp.company.com without a password, either for logging in, or for issuing remote ssh commands from the command line or from a script.
There are two ways to configure multiple SPs for scripting:
To establish a trusted-host relationship, you must set up a host key which is used to authenticate one host to another. The host's SSH install should generate the host keys. If it does not, follow these steps to generate a host-key pair:
1. Enter the following command:
# ssh-keygen -q -t rsa -f rsa_key -C '' -N ''
2. Move rsa_key to /etc/ssh/ssh_host_rsa_key.
3. Move rsa_key.pub to /etc/ssh/ssh_host_rsa_key.pub.
4. Ensure that only the root user has read or write permissions to /etc/ssh/ssh_host_rsa_key.
The ssh_host_rsa_key.pub file is the file you will transfer to the SP.
Note - Only protocol version 2 key types and 1024-bit key sizes (the default generated by ssh-keygen) are supported. |
5. Continue with Creating Trusted-Host Relationships for instructions on creating public keys that can be used for passwordless access.
Note - Use scp to copy the files to either /tmp or to your home directory. The sp commands will then install the file specified on the command line. |
Adding a trusted-host relationship is one way to allow for passwordless access and thus is a means for one-to-many scripting. Once a host-equivalence relationship has been created with a client, users on that client can remotely execute commands on the Service Processor without being prompted for a password, provided one of the following conditions is met:
Note - Support is available for SSH protocol version 2 key types (RSA or DSA) only. If DNS is enabled on the SP, the client machine must be specified with its DNS name, not an IP address. |
Manager-level users can create a trusted-host relationship for the specified host from the command line using the access add trust command:
# access add trust {-c | --client} HOST {-k | --keyfile} \PUBLIC KEY FILE
Adding a user's public key is another way to allow for passwordless access and thus provide one-to-many scripting. Once a public key for a specific user has been installed on the SP, that user can remotely execute commands on the SP without being prompted for a password, if that user has installed the associated private key on the client.
Note - Support is available for SSH protocol version 2 key types (RSA or DSA) only. |
Only local users can add public keys. Users who obtain authorization from directory services group mappings are not able to add public keys.
Local admin-level or manager-level users can add public keys using the access add public key command:
# access add public key -l PUBLIC_KEY_FILE [-u user]
The public-key file is your RSA or DSA key. Up to 10 users can install public keys; only one key per user is allowed.
Admin-level users can only add their own public key. Manager-level users can add a public key for any local user. If the user is not specified in the command, the current user is the default.
To establish a trusted-host relationship, you must set up a host key, which is used to authenticate one host to another. Follow these steps to generate a host-key pair by copying the public key to the SP to which you want passwordless access:
1. Execute the following command:
2. Accept the default values, installing to the following directory:
The following files are created:
$HOME/.ssh/id_rsa
$HOME/.ssh/id_rsa.pub
Follow these steps to add users to the local /etc/password file to attempt trusted-host access to the Service Processor:
1. Set up your host keys by executing the following command:
2. Enable access for clients by launching a Bash shell.
3. Issue the following commands as a manager-level user on the client to establish a trusted-host relationship (manager1 is used in the example in this step):
a. Copy the client key to /tmp on the SP.
# scp /etc/ssh_host_dsa_key.pub manager1@sp.test.com:/tmp
b. Authenticate yourself for the scp command by entering the password for your manager-level user.
c. Add the client key to the set of trusted hosts for this SP.
# ssh sp.test.com access add trust -c client.test.com -k \/tmp/ssh_host_dsa_key.pub
d. Authenticate yourself for the ssh command.
From this point, any user with the same login on both sp.test.com and client.test.com has access without requiring a password to the like-named account on sp.test.com.
4. Create or modify the file /etc/ssh_config to ensure it contains the following entry:
Host *
HostbasedAuthentication yes
Follow these steps to install public keys to enable SSH access.
1. Set up your host keys. Refer to Generating a Host-Key Pair.
2. Install your public key using the access add public key command.
This command generates ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub.
# scp ~/.ssh/id_rsa.pub SP_IP:/tmp
Enter your password when prompted.
# ssh SP_IP access add public key -k /tmp/id_rsa.pub
Enter your password when prompted.
# ssh SP_IP rm -f /tmp/id_rsa.pub
From this point, you have access without requiring a password.
This section describes some basic guidelines for managing your systems by writing scripts for remote execution on one or more SPs.
The following list defines common general output:
Following are common characteristics of table output from a get command:
Note - If running the script from the SP, there is a limited number of commands (not a full bash environment). |
Redirecting the console interaction over the serial port allows the user another method to monitor the server.
The BIOS redirects console output to serial by default (9600, 8N1, no handshake).
This section describes how to configure these options for both Linux- and Solaris-based servers.
The goal of these configurations is to configure the bootloader to redirect its output, pass the kernel the proper parameters and configure a login session on the serial port.
The BIOS redirects console output to serial by default (9600, 8N1, no handshake) until a bootloader program is run from the hard disk drive. The bootloader must be configured to support the serial console in addition to the keyboard, video and mouse (KVM) console.
Two common bootloaders are grub and Linux Loader (LILO).
If you use grub, there are three steps to enable console redirection over serial; these steps all involve editing the grub configuration file:
Note - On Red Hat Linux systems, the file /etc/grub.conf might be a symbolic link to the file /boot/grub/grub.conf. |
1. Pass the proper console parameters to the kernel.
2. Configure the grub menu system to redirect to the proper console.
3. Remove any splash images that would prevent the proper serial-console display.
For more information on the parameters, refer to the file kernel-parameters.txt in your kernel documentation.
For more information on grub, run the command info grub.
The parameter console=ttyS0 tells the system to send the data to the serial port first. The parameter console=tty0 tells the system to send the data to the KVM second.
A working-image section in your grub configuration file should have an entry for the kernel image to boot. The stock kernel entry looks like:
kernel /vmlinuz-kernel_revision ro root=/dev/sda5
where kernel_revision is simply the kernel version that you are using.
1. Change the stock kernel entry of your image to include the console-kernel parameters, as follows:
kernel /vmlinuz-kernel_revision ro root=/dev/sda5 console=ttyS0,9600 console=tty0
Note - These options should all be on one line with no wrap to a second line. |
2. Add the following two lines to the top of your grub configuration file:
serial --unit=0 --speed=9600
terminal serial console
Adding these two lines at the beginning of the file sets up your serial port or your KVM as your grub console so that you can remotely or locally select a boot image from the grub menu.
3. Comment out or remove the following line from your grub configuration file:
splashimage=(hd0,1)/boot/grub/splash.xpm.gz
Removing the splashimage line allows for greater compatibility during your serial connection; with this line removed, the splash image does not prevent the proper grub menu from displaying.
Note - When you enable the BIOS option "Console Redirection After POST", and LILO is used as a bootloader, the system may hang with an "L" printed on the screen.
|
LILO uses the append feature in an image section in order to pass to the kernel the proper parameters for using the serial console.
1. In the file /etc/lilo.conf on your Sun Fire V20z or V40z server, enter the consoles in the append statement:
append="console=ttyS0,9600 console=tty0"
2. After modifying the file /etc/lilo.conf, run lilo from the command line to activate the change.
For more information on LILO, run the commands man lilo or man lilo.conf.
You can run a service called getty to enable login on the serial interface.
To enable getty, append the following line to the list of gettys in the /etc/inittab file:
7:12345:respawn:/sbin/agetty 9600 ttyS0
Note - It does not matter where you append this line in the list. |
Note - Make certain that the first number is unique within the inittab file. |
The list of gettys currently looks like the following:
# Run gettys in standard runlevels
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
3:2345:respawn:/sbin/mingetty tty3
4:2345:respawn:/sbin/mingetty tty4
5:2345:respawn:/sbin/mingetty tty5
6:2345:respawn:/sbin/mingetty tty6
To add the serial-console device /dev/ttyS0 to the file /etc/securetty, run the following command:
# echo ttyS0 >> /etc/securetty
Note - The default setting for the output device is screen and for the input device is keyboard. |
To enable Console Redirection over Serial on a Solaris-based server:
In a terminal window, run the eeprom command to change the settings for the output and input devices, as shown here.
eeprom output-device=ttya
eeprom input-device=ttya
To verify that the changes were made:
1. In a terminal window, run the eeprom command with no arguments.
The contents of the bootenv.rc file display in the terminal window.
2. Locate the following lines and verify that they display the correct values.
output-device=ttya
input-device=ttya
To reset the system to the default settings:
To reset the output and input devices to the default settings, run the eeprom command with the following arguments.
eeprom output-device=screen
eeprom input-device=keyboard
Note - Console redirection is enabled by default in the BIOS. |
If the default settings have been changed in the BIOS, the following procedure explains how to change the console-redirection settings.
2. When prompted, press <F2> to enter BIOS setup.
3. Select the Advanced menu from the category selections along the top.
4. Select Console Redirection.
Note - Make note of all settings in this menu, as they are required for configuring the remote-console access and the Serial-Over-LAN (SOL) feature. |
5. Save the changes to the BIOS settings.
6. Press <F10> to exit the BIOS setup.
For the new settings to take effect, you must reboot the server.
A network share volume (NSV) structure is included with the server on the Sun Fire V20z and Sun Fire V40z Servers Network Share Volume CD.
Although the SP functions normally without access to an external file system, a file system is required to enable several features, including event log files, software updates, diagnostics and the troubleshooting dump utility. You can configure the NSV to be shared among multiple SPs. Admin- and manager-level users can configure the external file system; regular users can only view the current configuration.
The following software components are included with the server:
All of these software packages are packaged with the NSV and are installed on the file server when the external file system is installed and configured.
For instructions on extracting and installing the NSV software, refer to the Sun Fire V20z and Sun Fire V40z Servers Installation Guide.
The following compressed packages are included with your server on the Sun Fire V20z and Sun Fire V40z Servers Network Share Volume CD:
When extracted, the compressed packages in TABLE 4-1 populate the following files on the NSV:
/mnt/nsv/
diags
logs
scripts
snmp
spupdate
sw_images (this folder appears after you extract one of the OS-specific Zip files)
SNMP MIBS. Refer to Chapter 3 for details. |
|
The server for updating the SP. Refer to Chapter 1 for details. |
|
Contains a directory hierarchy of platform and SP components, including subdirectories for each version. |
The Serial Over LAN (SOL) feature lets servers transparently redirect the serial character stream from the baseboard Universal Asynchronous Receiver/Transmitter (UART) to and from the remote-client system over LAN. Serial over LAN has the following benefits compared to a serial interface:
Serial over LAN requires a properly configured LAN connection and a console from which an ssh session can be established.
In a Linux environment, you can use a shell such as csh or ksh as your console. This console works well in a scripting environment in which you might want to monitor many servers.
Note - When the SOL feature is enabled, you cannot access the server through the external DB9 serial port (COM A). |
Note - The variable spuser is the user account created when securing the SP. The variable spipaddr is the IP address assigned to the SP.
|
You can enable or disable the SOL feature through the SP.
To enable the feature, run the following command:
# ssh -l spuser spipaddr platform set console -s sp -e -S 9600
To disable the feature, run the following command:
# ssh -l spuser spipaddr platform set console -s platform
To launch an SOL session, run the following command:
# ssh spipaddr -l spuser platform console
You can also terminate an SOL session by terminating the ssh session:
If you are accessing your server using a remote console terminal, you might need to use the escape sequences shown in TABLE 4-3. If a regular function key is not working properly, use the escape sequence listed next to it in the table.
You will most likely need to use the escape sequences if you are using a Linux or Solaris OS.
Copyright © 2004, Sun Microsystems, Inc. All Rights Reserved.