OpenSolaris as a Xen domU
From Sfvlug
# -*- python -*-
if xm_vars.env.get('install'):
kernel = "/var/lib/xen/images/osol-0906-unix.amd64"
ramdisk = "/var/lib/xen/images/osol-0906-x86.microroot.amd64"
extra = "/platform/i86xpv/kernel/amd64/unix " + \
"- nowin -B install_media=cdrom"
disk = [ "phy:/dev/VolGroup00/osolvm,xvda,w",
"file:/home/jeff/OpenSolaris/osol-0906-x86.iso,6:cdrom,r"
]
on_reboot = "destroy"
on_crash = "destroy"
else:
kernel = "/var/lib/xen/images/osol.0906.xpv.unix"
ramdisk = "/var/lib/xen/images/osol.0906.xpv.boot_archive"
extra = "/platform/i86xpv/kernel/amd64/unix -B " + \
"zfs-bootfs=rpool/ROOT/opensolaris," + \
"bootpath=/xpvd/xdf@51712:a"
disk = [ "phy:/dev/VolGroup00/osolvm,xvda,w" ]
on_reboot = "restart"
on_crash = "restart"
name = "osolvm"
uuid = "280b2556-94c8-49e0-b9c8-1127d57cee9c"
maxmem = 1024
memory = 1024
vcpus = 1
on_poweroff = "destroy"
vif = [ "mac=00:16:3E:A8:01:04,bridge=xenbr0" ]
The above is how I got started, installed and running with OpenSolaris 0906 in Xen. As anybody should know, installation is just the beginning. Next I sat down and tried to turn my OpenSolaris installation into a functional member of my LAN.
And just what does being a functional member of my LAN mean? In short it means users are authenticated via LDAP, they NFS mount their HOME directories using the automounter, and the machine participates in IPv6. It also means my own user account needs to be treated as the administrator via some mechanism available, be that using su(1m), sudo(1m), or something else. In the case of OpenSolaris, that something else is called pfexec(1).
LDAP Authentication under OpenSolaris
Unfortunately, and leading to much hair pulling, the Solaris pam_ldap and nss_ldap modules don't use SSL the way we can easily manipulate it using the openssl command line. However, they do use the Netscape Security Services package, so I had to learn how to use the tools in that package. First was to install the package:
pkg install SUNWtlsu
Step two, initialize a new security database with the Netscape tool. This will generate three files, cert8.db, key3.db, and secmod.db. Change the permissions as they need to be world readable.
cd /var/ldap certutil -N -d `pwd` chmod 0644 *.db
Step three, assuming a copy of your root CA certificate is in /tmp, import it and optionally, list out the database's contents which should now be only your root CA.
certutil -A -n cacert -i /tmp/cacert.pem -a -t CT -d `pwd` certutil -L -d `pwd`
Now, here's the part that tripped me up every time I tried this. In spite of the fact the commands say TLS, the Solaris client does not use starttls! It seems to only work using traditional SSL. This means the client does not connect to the plain text TCP port of 389, do a starttls command and upgrade to encryption; instead it must connect to port 636 which is LDAPS. I kept trying to do port 389 with TLS and failed.
ldapclient -v manual -a credentialLevel=proxy \
-a proxyDN=cn=Manager,dc=example,dc=com \
-a proxyPassword=soopersekrit \
-a defaultServerList=ldap:636 \
-a defaultSearchBase=dc=example,dc=com \
-a authenticationMethod=tls:simple \
-a serviceAuthenticationMethod=pam_ldap:tls:simple \
-a certificatePath=/var/ldap \
-a serviceSearchDescriptor=passwd:ou=People,dc=example,dc=com \
-a serviceSearchDescriptor=group:ou=Group,dc=example,dc=com
If you leave in the -v flag for verbose output, you'll see a lot of information fly by, followed by one or more services, possibly even networking, being stopped and started. It may take several seconds before the command returns. One final note, I don't know if the serviceAuthenticationMethod parameter is actually required, but it doesn't seem to hurt my case any.
