   Blastwave™ · Open Source Software for Solaris™ and OpenSolaris™
 

This page was updated Tue Aug 19 20:18:48 GMT 2008

Step 0 - Verify your Solaris patches

There is a common error that may occur on Solaris 8 and Solaris 9 if you do not have the following patches :
Solaris 8:
Sparc: 110934
X86: 110935

Solaris 9:
Sparc: 113713
X86: 114568

The wise thing to do is to ensure that you have at least the latest Recommended patch clusters applied to your system as well as the latest revisions of the above patches before you continue.

Step 1 - Get pkg-get

To do much of anything you will need pkg-get on your system.

  Those of you who are very security conscious may choose to fetch the package manually and check its MD5 checksum. Download the pkg-get software from blastwave.network.com and compare the checksum of the file you received against this value :

MD5(pkg_get.pkg)= 4121665c56b38967124d618a379c45a2

You could also simply use the Blastwave Software Distribution DVD.

If you have the DVD then you simply need to insert it into your DVD Drive and then Solaris Volume Manager will automatically mount it at /cdrom/blastwave.org and everything that you need will be there.

# ls -lap /cdrom/blastwave.org
total 1671
dr-xr-xr-x   2 root     sys         2048 Jan 16 15:54 ./
drwxr-xr-x   3 root     other        512 Jan 17 22:32 ../
-r--r--r--   1 root     root        9276 Jan 16 15:55 README
-r--r--r--   1 root     root       59392 Jan 11 12:35 pkg_get.pkg
dr-xr-xr-x   4 root     root        2048 Jan 16 15:53 stable/
dr-xr-xr-x   4 root     root        2048 Sep 13 15:42 unstable/
-r-xr-xr-x   1 root     root      164576 Nov 18  2002 wget-i386
-r-xr-xr-x   1 root     root      164576 Nov 18  2002 wget-i386.bin
-r-xr-xr-x   1 root     root      224672 Nov 18  2002 wget-sparc
-r-xr-xr-x   1 root     root      224672 Nov 18  2002 wget-sparc.bin


Step 2 - Install pkg-get

Once you have the pkg_get.pkg file on your machine then you simply need to install it :
# pkgadd -d /cdrom/blastwave.org/pkg_get.pkg all

Processing package instance <CSWpkgget> from </cdrom/blastwave.org/pkg_get.pkg>

pkg_get - CSW version of automated package download tool
(all) 3.1.3
You may use and copy this software without charge, as you see fit.
The software is copyright (C) Philip Brown, Nov 2002

Dont forget to update /opt/csw/etc/pkg-get.conf with your nearest archive site.


The selected base directory </opt/csw> must exist before installation
is attempted.

Do you want this directory created now [y,n,?,q] y
Using </opt/csw> as the package base directory.
## Processing package information.
## Processing system information.
   2 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <CSWpkgget> [y,n,?] y

Installing pkg_get - CSW version of automated package download tool as <CSWpkgget>

## Installing part 1 of 1.
/opt/csw/bin/pkg-get
/opt/csw/etc/pkg-get.conf.csw
/opt/csw/share/man/man1m/pkg-get.1m
/var/pkg-get/admin-fullauto
[ verifying class <none> ]
## Executing postinstall script.

Installing /opt/csw/etc/pkg-get.conf.csw to pkg-get.conf

Installation of <CSWpkgget> was successful.
#

Step 3 - Get a copy of wget

This can be a little confusing. Let's go slowly here.

What we are attempting to do is to allow the pkg-get software to actually “get software” from the internet or the local DVD.

Solaris 10 Users Take Note !

    Check for the existence of /usr/sfw/bin/wget first.
    You may already have GNU Wget 1.9.1 installed on your system.
    The pkg-get tool will use /usr/sfw/bin/wget automatically if
    no other version is available on the system.
    This will get you started however eventually you may want the
    up to date version from Blastwave.


To do that you will need wget on your system somewhere. Now this is where things can get confusing. If you were to check whether wget is actually a package from Blastwave then you would find that yes, it is. Furthermore it is a package with dependencies on other things that you don't have yet. The trick here is to install a simple bootstrap version of wget that doesn't need anything special in order to run. It is this small wget binary that will allow you to install everything else, after which you can delete it.

Here is what you need to do. Simply copy the wget binary from the DVD to your local hard drive. If you don't have the DVD ( then get it! ) you can simply download wget from this website:

wget binary for Sparc

wget binary for x86


Regardless of where you get that little binary from you need to put it in /tmp/wget and make sure that it is executable. That means that you may need to do this :
# chmod 755 /tmp/wget

The next step is to ensure that this little binary is in your PATH somewhere. I suggest that you do the following :

# PATH=/tmp:/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin
# export PATH

You should now have wget in your PATH and it should be ready to run.

Step 4 - Verify that you are ready

We will verify that both wget and pkg-get are in our PATH thus :

# which wget
/tmp/wget
# which pkg-get
/opt/csw/bin/pkg-get

If you don't get those exact results then you have a problem.

You may see something like so :
$ which wget
no wget in /tmp /opt/csw/bin /usr/sbin /usr/bin /usr/dt/bin /usr/openwin/bin /usr/ccs/bin

If you can't find wget or pkg-get on your PATH then you need to go back to Step 1 and try again. You may have put wget in the wrong place or forgotten to rename it to wget.

Step 5 - Edit the pkg-get configuration file

You may be located in Germany or United States or you may have the Blastwave DVD. In each of these cases you should edit the pkg-get configuration file in order that we will get software packages from a nearby source. If you have the DVD then you may do the following :
# vi /opt/csw/etc/pkg-get.conf

# Configuration file for "pkg-get"
# man pkg-get for details on the program

# This config file has been pre-customized for use with CSW packages.
# The latest set of CSW mirrors is always available at
#  http://www.blastwave.org/mirrors.html

# default site, in USA:
#url=http://ibiblio.org/pub/packages/solaris/csw/unstable
url=file:///cdrom/blastwave.org/unstable

The other option is to use a Blastwave mirror server near you and to ensure that the url line in /opt/csw/etc/pkg-get.conf reflects your choice.

Step 6 - Install the complete wget package

We will now use pkg-get to install the complete wget package along with its man pages and dependencies.

Simply type the following :

# pkg-get -i wget

WARNING : do not be alarmed if you see a large amount of text streaming across your screen.
This is just pkg-get doing its job for you.

A complete log of what you can expect to see is here.


Step 7 - Remove the previous wget binary and correct our PATH

Simply delete the old copy of wget that we no longer need :

# rm /tmp/wget

Also correct our PATH so that /tmp is no longer searched :

# PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin
# export PATH

You may now install GNOME and KDE and Mozilla and anything else that you want.

  • To install GNOME :

    # pkg-get -i gnome

  • To install KDE :

    # pkg-get -i kde_gcc

  • To install Mozilla :

    # pkg-get -i mozilla



Note : By default you may be asked confirmation questions many many many times. This is very annoying when you are installing large suites of software like GNOME or KDE. Something that you should do is look at the man page for pkg-get with the following command :
man -M /opt/csw/man pkg-get

If you actually read that man page you will find a section titled "MORE AUTOMATION" in which you will learn that you can configure pkgadd ( the software package maintenance utility ) to NOT ASK YOU these questions.

Simply do the following ( you must be root for this ) :
cp -p /var/pkg-get/admin-fullauto /var/pkg-get/admin

Now you will be able to run a “pkg-get install foobar” and not get any questions about any of the dependencies of foobar. This makes life very easy. To install a massive package like GNOME you can type “# pkg-get -i gnome” and then walk away for a coffee. Everything will be done for you!


Step 8 - Best Practices

What I have to say here will be “Motherhood” statements at best. Really just a bit of advice if you are making the leap from Linux and wonder where to set the PATH for your users and things like that.

Firstly we need to talk about the root user.

Don't mess with the root user account!

That was less than clear so I guess I had better elaborate.

It seems to be common practice to change the root user's default shell.

Don't do that unless you have Solaris 10.

What I do recommend is that you change the root user's home directory location to /root and nothing more fancy than that. You can edit the /etc/passwd file and change the entry for the root user thus :

root:x:0:1:Super-User:/root:/sbin/sh

Be very diligent about creating the root user's home directory right away and ensure that it is only readable by the root user :

# mkdir /root
# chmod 700 /root
# chown root:root /root


Also, you may be wondering why you should not change the root user's default shell to bash. Simply put, any other shell than /sbin/sh will be a dynamically linked executable with dependencies. If you were to check /sbin/sh you would find that it is a standalone program :

$ ldd /sbin/sh
ldd: /sbin/sh: file is not a dynamic executable or shared object

That means that your machine can suffer some horrible disaster and still be able to function in single user mode if you can boot the kernel and get to a running shell with the root user. That is because the root user only needs /sbin/sh to have a fully functional shell. If you were to use bash or any other shell then you would need a stack of dependencies. Those dependencies may not exist if they are on some other file system or on a damaged file system.

Solaris 10 is different. Solaris 10 has a default Bourne Shell /sbin/sh that is not statically linked anymore. This was done intentionally when the single/multi threaded process model was unified and the statically linked libc was removed. Solaris 10 commands in /sbin should only link with things in /lib. There are symlinks in /usr/lib to /lib for some libraries for backwards compatibility reasons. In fact, Solaris 10 is so smart that both su and login will fall back to /sbin/sh if the shell you specify in /etc/passwd for root can not be executed for some reason. What I am saying here is that you can change root's shell in Solaris 10 and still sleep well at night.

Next item is the default PATH for the root user and regular users. You can set this in the files /etc/default/login and /etc/default/su. Please feel free to be pedantic and set PATH and SUPATH in both of those files to something useful thus :

PATH=/opt/csw/bin:/usr/sbin:/usr/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin

Really you can leave /opt/csw/bin out of there entirely if you want. The software from Blastwave is isolated in /opt/csw and will not interfere with your other software. You can use GNOME from somewhere else if you want. Your users can have their own .profile files that determine that they run JDS if they want.

On the other hand your users may place /opt/csw/bin first in their PATH and then will be running with the desktop software and applications from Blastwave. Again, this will be isolated. Don't be surprised if you have problems switching back and forth from different distributions of GNOME however. There are a lot of configuration files that get created in the users home directory and you can really only depend on them to work consistently when you stay on one edition of KDE or GNOME.

Last Word - Security Concerns !


The software repository at Blastwave is built in such a fashion that each and every software package has a digital signature applied to it. That signature ensures that you are actually getting the software that we packaged and checked for you. If the signature does not match then you know that something has been tampered with. It's that simple.

Now how do you take advantage of these security precautions that we have put in place for you?

Let me take you through that step by step !


Install gnupg and md5(gmd5sum)

As the root user you need to use pkg-get to install gnupg and an md5 program.
[Solaris 10 comes with /usr/bin/digest which can do md5 checksums, but otherwise you will need to install the textutils package as well]


bash-3.00# /opt/csw/bin/pkg-get -i gnupg textutils
WARNING: gpg not found
NOTE: To have checksums compared, you must install one of:
  md5  or gmd5sum (gmd5sum is available with GNU textutils)
  try 'pkg-get install textutils'
.
{ Here you will see the license displayed as well as every action taken. }
.
.
{ You will now see a large number of dependencies installed. }
[ verifying class <none> ]

Installation of <CSWgnupg> was successful.


At this point it is worthwhile to have a look in your /var/sadm/pkg directory to see the number of CSW packages that have been installed. If you see a list similar to this then you are doing well :

drwxr-xr-x   4 root     root         512 Nov 22 23:37 CSWiconv
drwxr-xr-x   4 root     root         512 Nov 22 23:37 CSWexpat
drwxr-xr-x   4 root     root         512 Nov 22 23:37 CSWggettext
drwxr-xr-x   4 root     root         512 Nov 22 23:38 CSWlibnet
drwxr-xr-x   4 root     root         512 Nov 22 23:39 CSWbdb4
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWsasl
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWoldaprt
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWoldapclient
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWgsed
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWlibtool
drwxr-xr-x   4 root     root         512 Nov 22 23:40 CSWtcpwrap
drwxr-xr-x   4 root     root         512 Nov 22 23:41 CSWreadline
drwxr-xr-x   4 root     root         512 Nov 22 23:41 CSWunixodbc
drwxr-xr-x   4 root     root         512 Nov 22 23:42 CSWoldap
drwxr-xr-x   4 root     root         512 Nov 22 23:42 CSWzlib
drwxr-xr-x   4 root     root         512 Nov 22 23:42 CSWbzip2
drwxr-xr-x   4 root     root         512 Nov 22 23:42 CSWgnupg

You may have more CSW packages than those listed above as the CSWcommon package and a few others would have preceded CSWiconv. The short list above is a time ordered list of CSWgnupg and its dependencies. Here are a few details on what they are :
CSWbdb4        berkeleydb4 - Embedded database libraries and utilities
CSWbzip2       bzip2 - a high-quality block-sorting file compressor
CSWexpat       expat -  XML Parser Toolkit
CSWggettext    ggettext - GNU gettext
CSWgnupg       gnupg - GNU Privacy Guard
CSWgsed        gsed - The GNU non-interactive text Stream-oriented EDitor (sed)
CSWiconv       libiconv - GNU iconv library
CSWlibnet      libnet - the libnet packet construction library
CSWlibtool     libtool - GNU tool for compiling libraries
CSWoldap       openldap - ldap clients,libraries and server
CSWoldapclient openldap_client - ldap client and libraries
CSWoldaprt     openldap_rt - ldap runtime libraries
CSWreadline    readline - library to enable interactive line editing
CSWsasl        sasl - Simple Authentication and Security Layer
CSWtcpwrap     tcpwrappers - (ipv6 patched) lib and tools for pre-screening tcp connections
CSWunixodbc    unixodbc - ODBC access to data sources
CSWzlib        zlib - Zlib Data Compression Library

Import the PGP public key

You need to carefully copy the PGP keyblock from the mirrors webpage and you need to ensure that you include everything from the BEGIN line to the END line. If your system has a connection to the internet then you can simply use wget to fetch the page with the command :

# /opt/csw/bin/wget --output-document=pgp.key http://www.blastwave.org/mirrors.html
--10:39:55--  http://www.blastwave.org/mirrors.html
           => `pgp.key'
Resolving www.blastwave.org... 131.188.30.245
Connecting to www.blastwave.org[131.188.30.245]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16,060 [text/html]

100%[====================================>] 16,060        52.41K/s

10:39:56 (52.33 KB/s) - `pgp.key' saved [16060/16060]


You should then have a file called pgp.key which contains the PGP public key.
Use the following command to import the PGP key :

# gpg --import pgp.key
gpg: /root/.gnupg: directory created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key E2F07E92: public key "Distribution Manager <dm@blastwave.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1

The end result of these actions will be a greater degree of software package security for your system.

WARNING : You will only get the added benefit of digital signature checking if your pkg-get.conf file is correctly configured. The following two lines must NOT be uncommented in your /opt/csw/etc/pkg-get.conf file :

#use_gpg=false
#use_md5=false
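
One way to check a host for the condition in the warning above, as an added example that is not part of pkg-get or of the original page. Only the keys use_gpg and use_md5 and the path /opt/csw/etc/pkg-get.conf come from the page; the function names and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report pkg-get.conf lines that switch off the checks
# described on this page. Run it with bash or ksh on Solaris, and put
# nawk or /usr/xpg4/bin/awk first in PATH (the old /usr/bin/awk lacks sub()).

# disabled_checks FILE
# Prints the name of each check that an active (uncommented) line sets to
# false. Commented lines such as "#use_gpg=false" leave the check on.
disabled_checks() {
    awk '
        { sub(/^[ \t]+/, "") }               # ignore leading blanks
        /^#/ { next }                         # commented out: nothing to flag
        /^use_(gpg|md5)[ \t]*=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]*(#.*)?$/, "", val)     # drop trailing blanks or comment
            gsub(/"/, "", val)                # tolerate a quoted value
            if (tolower(val) == "false") print key
        }
    ' "$1" | sort -u
}

# audit_pkgget_conf FILE
# Returns 0 if neither check is disabled, 1 if one is, 2 if FILE is unreadable.
audit_pkgget_conf() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    off=$(disabled_checks "$1")
    if [ -n "$off" ]; then
        for k in $off; do
            echo "DISABLED: $k=false is active in $1"
        done
        return 1
    fi
    echo "OK: use_gpg and use_md5 are not disabled in $1"
    return 0
}

# Constructed sample input (not a real host's file): the DVD url from Step 5
# with the checksum comparison switched off by an uncommented line.
sample_conf() {
cat <<'EOF'
# Configuration file for "pkg-get"
url=file:///cdrom/blastwave.org/unstable
#use_gpg=false
use_md5=false
EOF
}

# Usage: sh audit.sh /opt/csw/etc/pkg-get.conf
if [ $# -gt 0 ]; then
    audit_pkgget_conf "$1"
fi
```

The exit status makes the check usable from cron or a configuration-management run, so a host where someone silenced the checksum error is noticed.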


Proof - How do we know that this works ?

We at Blastwave are quite serious about security and quality and thus this digital signature process must be tested and demonstrated. In order to verify functionality we simply corrupt a package on our own internal mirror and then test thus :

First we record the MD5 checksum of the a2ps package :
# gmd5sum ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
a43455a32f2229a9ace1b111ef69df8a  ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz

Then we add some garbage data to that package file :
# echo "barfoo-foobar" >> ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
# gmd5sum ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
1e111f60f994952dd1a3ad0cd0502383  ./unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz

Lastly we try to install that package with another machine from our now corrupted mirror server :
# pkg-get -i a2ps
No existing install of CSWa2ps found. Installing...
Trying http://tester.blastwave.org/rsync/unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz-*: No such file or directory
--13:06:59--  http://tester.blastwave.org/rsync/unstable/sparc/5.8/a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz
           => `a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz'
Resolving tester.blastwave.org... 192.168.35.20
Connecting to tester.blastwave.org[192.168.35.20]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,366,593 [text/plain]

100%[====================================>] 1,366,593     --.--K/s

13:06:59 (10.45 MB/s) - `a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz' saved [1366593/1366593]

ERROR: checksum a2ps-4.13b-SunOS5.8-sparc-CSW.pkg.gz does not match remote checksum
(perhaps you need to pkg-get -U ?)


Thus you see that the package install stops right away and alerts you to the fact that the checksum is wrong.
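
The manual check suggested in Step 1 and the corruption test shown above can both be done with one small script; this is an added example, not code from pkg-get or from the original page. The function names are assumptions, and the file it tampers with is a constructed stand-in rather than a real package.

```shell
#!/bin/sh
# Added example: compare a file against a published MD5 before running pkgadd.
# Run with bash or ksh on Solaris; /sbin/sh predates $(...) and "command -v".

# md5_of FILE -> prints the hex MD5 using whichever tool is installed.
md5_of() {
    if command -v gmd5sum >/dev/null 2>&1; then
        gmd5sum < "$1" | awk '{print $1}'      # GNU textutils from Blastwave
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"                     # Solaris 10 /usr/bin/digest
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 < "$1" | awk '{print $NF}'
    else
        echo "no md5 tool found" >&2
        return 127
    fi
}

# verify_md5 FILE EXPECTED
# Returns 0 on match, 1 on mismatch, 2 if EXPECTED is malformed or no tool ran.
verify_md5() {
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "expected value is not hex: $2" >&2; return 2 ;;
    esac
    [ ${#want} -eq 32 ] || { echo "expected value is not 32 digits" >&2; return 2; }
    got=$(md5_of "$1") || return 2
    if [ "$got" = "$want" ]; then
        echo "OK: $1"
        return 0
    fi
    echo "MISMATCH: $1 expected $want got $got" >&2
    return 1
}

# tamper_demo -> repeats the page's test on a constructed file.
# Returns 0 when the appended garbage is detected, 1 when it is not.
tamper_demo() {
    pkg=$(mktemp) || return 2
    printf 'constructed stand-in for a .pkg.gz file\n' > "$pkg"
    published=$(md5_of "$pkg")                 # checksum before tampering
    verify_md5 "$pkg" "$published" >/dev/null || { rm -f "$pkg"; return 2; }
    echo "barfoo-foobar" >> "$pkg"             # same garbage the page appends
    if verify_md5 "$pkg" "$published" >/dev/null 2>&1; then
        rm -f "$pkg"; return 1
    fi
    rm -f "$pkg"; return 0
}

# Usage: sh verify.sh pkg_get.pkg 4121665c56b38967124d618a379c45a2
if [ $# -eq 2 ]; then
    verify_md5 "$1" "$2"
fi
```

Run it before Step 2 and only call pkgadd when the script exits 0.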

Corollary - Software Package Security

If you carefully followed these steps then you should now be able to install or download a package with the digital signature being verified for you.

Each and every package will be checked for a valid signature and thus your software package integrity can be trusted.


Written by Dennis Clarke
Updated Tue Aug 19 20:24:31 GMT 2008
