last update: 2006-08-09

Solaris 10 package minimalization
+++++++++++++++++++++++++++++++++
on a Sun Fire V490

introduction
============
Best practices generally provide for the installation of only that software
essential to a system's intended function. Ease of use and maintenance may
argue for the installation of small amounts of additional software, but there
is general agreement that installation of software beyond this point not only
wastes space and time in maintaining unnecessary software, but - most
seriously - introduces gratuitous potential security vulnerabilities.

Proceeding from this point, the task then becomes to separate the essential
and desirable from that software which is unnecessary or inappropriate. This
is in general a non-trivial undertaking. Different hardware configurations
will require different software sets, according to such things as processor
type, storage media, and peripheral devices such as network and graphics
cards. Different intended uses of the systems will likewise require different
software sets, and an understanding of their interdependencies. Further
complicating this task is the fact that software package descriptions are
often terse and/or obtuse.

For simplification, software offerings may be viewed as:

- Basic operating system software, essential to boot a stripped-down machine
  and provide minimal error-free functionality.
- Device-specific software to support hardware such as removable media,
  network and graphics cards, etc.
- Software specific and essential to a system's intended functionality, such
  as NFS for a file server.
- Software not absolutely mission-critical, but which provides for convenience
  of use and maintenance, such as documentation, monitoring, and patch
  software.
- Software providing functions irrelevant to the target system, such as a
  compiler on a platform intended as a web server.
- Unusable software, designed for use on a different architecture, or which
  supports devices uninstallable on the target system.

What follows is an application of these considerations to the practical
problem of configuring a Sun Fire V490 running Solaris 10 as a general purpose
server.

practical problem
=================
The first approach taken was to remove, one by one, those packages deemed
unnecessary. Actual package removal can be scripted, but the problem here was
identifying what each package provided, and then deciding whether it was an
appropriate candidate for removal. Unfortunately, the package description - as
returned by "pkginfo -l" - was often nothing more than a restatement of the
package name, or else a phrase of just a few words often incorporating obscure
acronyms and generally shedding little light as to what the package actually
did, or what might break if it were removed. Researching each package prior to
removing it proved to be time-consuming and frustrating. So, instead ...

The next approach was to start with the smallest allowed installation, pare
from there, and then add back unnecessary but desirable packages. So, booted
from JumpStart, selecting the 'rnet' (Reduced Networking Software Group)
metacluster. This amounted to 94 packages, a reasonably small number. Used the
following methodology for further package removal:

- For safety, (in OpenBoot) designated disk0 as the default boot device, with
  auto-boot? set to 'false'. Used disk1 as the test disk for package removal.
- Created 'pkg.list', an ASCII file listing all 94 packages in reverse
  install order (install order at: Solaris_10/Product/.order ; script to sort
  at: PkgInstOrder).
- Executed the following loops:

    # On JumpStart client:
    ----------------------
    while pkgrm functional          # pkgrm depends on a number of packages.
    do
        foreach pkg in pkg.list
        do
            remove pkg from disk1
            init 0
            if boot disk1           # If clean boot.
                clone disk1 disk0   # ~2 min. per clone.
                add pkg to pkgrm.list
            else
                clone disk0 disk1
                add pkg to pkgkeep.list
            endif
            remove pkg from pkg.list
        done
    done

    # On JumpStart server:
    ----------------------
    foreach pkg in pkgrm.list
    do
        add 'package $pkg delete' to client's profile file
    done
    foreach pkg in pkg.list
    do
        add 'package $pkg delete' to client's profile file
        re-JumpStart client
        if boot client
            add pkg to pkgrm.list
        else
            add pkg to pkgkeep.list
            remove 'package $pkg delete' from client's profile file
        endif
        remove pkg from pkg.list
    done
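
The list-building and profile-editing steps above, as an added shell example
(not the author's PkgInstOrder script and not part of the original page). It
assumes one package name per line in the .order file, the installed-package
list and pkgrm.list; the sample contents are constructed. On Solaris 10 run it
with /usr/xpg4/bin/sh or bash and substitute nawk for awk, since /bin/sh and
/usr/bin/awk there are the legacy versions.

```shell
# Added example, not from the original page. Assumes one package name per
# line in the .order file, the installed list and pkgrm.list.

# reverse_install_order ORDER_FILE INSTALLED_FILE
# Prints installed packages last-installed first (the page's pkg.list).
# Installed packages absent from ORDER_FILE (e.g. third-party ones) come
# first, in the order they appear in INSTALLED_FILE.
reverse_install_order() {
    awk '
        NR == FNR {                      # first file read: installed packages
            if (NF && !($1 in want)) { want[$1] = 1; inst[++m] = $1 }
            next
        }
        ($1 in want) && !seen[$1]++ { ord[++n] = $1 }   # second file: .order
        END {
            for (i = 1; i <= m; i++) if (!(inst[i] in seen)) print inst[i]
            for (i = n; i >= 1; i--) print ord[i]
        }
    ' "$2" "$1"
}

# profile_deletes PKGRM_LIST
# Prints one JumpStart profile line per package proven removable.
profile_deletes() {
    awk 'NF && $1 !~ /^#/ { print "package " $1 " delete" }' "$1"
}

# Constructed sample data (not the real .order contents).
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' SUNWcar SUNWkvm SUNWcsr SUNWesu SUNWperl584core > "$tmp/order"
printf '%s\n' SUNWesu SMClsof SUNWcsr SUNWperl584core > "$tmp/installed"
printf '%s\n' SUNWperl584core > "$tmp/pkgrm.list"

reverse_install_order "$tmp/order" "$tmp/installed" > "$tmp/pkg.list"
cat "$tmp/pkg.list"
profile_deletes "$tmp/pkgrm.list"
```
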

results
=======

minimal package set necessary to boot cleanly:
----------------------------------------------

 1 SUNWesu          Extended System Utilities
 2 SUNWcakr         Core Solaris Kernel Architecture (Root)
 3 SUNWcar          Core Architecture, (Root)
 4 SUNWckr          Core Solaris Kernel (Root)
 5 SUNWcsd          Core Solaris Devices
 6 SUNWfcp          Sun FCP SCSI Device Driver
 7 SUNWcsr          Core Solaris, (Root)
 8 SUNWcsu          Core Solaris, (Usr)
 9 SUNWcslr         Core Solaris Libraries (Root)
10 SUNWfctl         Sun Fibre Channel Transport layer
11 SUNWqlc          Qlogic ISP 2200/2202 Fibre Channel Device Driver
12 SUNWssad         SPARCstorage Array Drivers
13 SUNWpd           PCI Drivers
14 SUNWcsl          Core Solaris, (Shared Libs)
15 SUNWcfplr        fp cfgadm plug-in library (root)
16 SUNWlibsasl      SASL v2
17 SUNWpr           Netscape Portable Runtime
18 SUNWtls          Network Security Services
19 SUNWlibmsr       Math & Microtasking Libraries (Root)
20 SUNWzlib         The Zip compression library
21 SUNWlxml         The XML library
22 SUNWtecla        Tecla command-line editing library
23 SUNWadmr         System & Network Administration Root
24 SUNWmdr          Solaris Volume Manager, (Root)
25 SUNWipfr         IP Filter utilities, (Root)
26 SUNWced          Sun GigaSwift Ethernet Adapter Driver
27 SUNWcnetr        Core Solaris Network Infrastructure (Root)
28 SUNWib           Sun InfiniBand Framework

 # pkg_name         error message if not installed (in brief)
-- ---------------- ----------------------------------------------------------
 1 SUNWesu          "rebooting system due to change(s) in /etc/default/init"
 2 SUNWcakr         "Boot load failed."
 3 SUNWcar          "boot: cannot open kernel/sparcv9/unix"
 4 SUNWckr          "boot: error loading interpreter (misc/sparcv9/krtld)"
 5 SUNWcsd          "panic: ... /etc/name_to_major file not found"
 6 SUNWfcp          "panic: BAD TRAP: in module "scsi" due to a NULL pointer"
 7 SUNWcsr          "WARNING: Cannot find /system/contract" boot aborts to OBP
 8 SUNWcsu          "system/boot-archive:default failed" boot aborts to OBP
 9 SUNWcslr         (boot silently aborts to OBP)
10 SUNWfctl         "Can't load the root filesystem"
11 SUNWqlc          "Can't load the root filesystem"
12 SUNWssad         "Can't load the root filesystem"
13 SUNWpd           (login failure: no input taken from console)
14 SUNWcsl          (login failure: no pam_authtok_get.so.1; mult. svc. fails)
15 SUNWcfplr        "Console login service(s) cannot run"
16 SUNWlibsasl      "login: fatal: libsasl.so.1: open failed"
17 SUNWpr           "login: fatal: libnspr4.so: open failed"
18 SUNWtls          "login: fatal: libnss3.so: open failed"
19 SUNWlibmsr       "svccfg: fatal: libm.so.2: open failed"
20 SUNWzlib         "svccfg: fatal: libz.so.1: open failed"
21 SUNWlxml         "svccfg ... failed" (svccfg needs libxml2.so.2)
22 SUNWtecla        "svccfg ... failed" (svccfg needs libtecla.so.1)
23 SUNWadmr         "sysidtool:net failed", "rpc_ticotsord:default failed"
24 SUNWmdr          "system/metainit:default failed"
25 SUNWipfr         "network/pfil:default failed"
26 SUNWced          "network/physical:default misconfigured"
27 SUNWcnetr        "network/physical:default misconfigured"
28 SUNWib           "WARNING: add_spec: No major number for ib"

Notes:

- Packages are listed in order of seriousness of consequences of removal.
- Removal of any of the first twelve listed packages will result in a system
  unable to boot to the login prompt at multiuser. SUNWesu is listed first as
  it enters a reboot loop. Removal of the other eleven packages in the first
  dozen results in being dropped back to either single-user or to OBP.
- Removal of any of the next six packages on the list (13 - 18) results in
  login failures. SUNWpd is listed first in this group as the console cannot
  even receive keyboard input when this package is removed.
- Removal of any of the next four packages (19 - 22) results in overall SMF
  failure.
- Removal of any of the next five packages (23 - 27) results in failures of
  specific services.
- Removal of the last package on the list, SUNWib, merely issues the warning
  shown.
- Performing package removal in reverse install order resulted in few
  dependency warnings. No packages were removed upon which other packages
  were dependent, with these exceptions:
  - Interdependent packages (such as SUNWnisr and SUNWnisr) were mutually
    removed.
  - SUNWperl584core and SUNWperl584usr were removed even though they are
    listed as being required by SUNWesu. This effectively disables:
      /usr/bin/kstat: executable /usr/perl5/bin/perl script
      /usr/sbin/projadd: executable /usr/perl5/bin/perl script
      /usr/sbin/projdel: executable /usr/perl5/bin/perl script
      /usr/sbin/projmod: executable /usr/perl5/bin/perl script
  - SUNWlxml claims dependency on SUNWlibms; however, SMF tools appear to
    work without SUNWlibms.
  - 19 of the remaining 28 packages claim dependency on SUNWkvm; however,
    these claims may be specious as a number of packages seem to report
    dependencies on 'core' packages pro forma.

At this point, with 28 packages, the system boots cleanly and supports
OpenSSH with Kerberos authentication. But we probably want to add a small
number of additional packages for ease of use and maintenance:

pkgadd capability
-----------------
pkgadd uses bzcat, so if we are adding packages manually we must first add:

  system      SUNWbzip         The bzip compression utility

frequently referenced libraries
-------------------------------
  system      SUNWlibC         Sun Workshop Compilers Bundled libC
  system      SUNWlibCx        Sun WorkShop Bundled 64-bit libC

patch tools
-----------
  system      SUNWswmt         Install and Patch Utilities

system accounting
-----------------
  system      SUNWaccr         System Accounting [r]
  system      SUNWaccu         System Accounting [u]

Volume Manager (DiskSuite follow-on)
------------------------------------
  system      SUNWmdr          Volume Manager [r]
  system      SUNWmdu          Volume Manager [u]

sendmail
--------
  system      SUNWsndmr        Sendmail [r]
  system      SUNWsndmu        Sendmail [u]

Perl
----
  system      SUNWperl584core  Perl 5.8.4 (core)
  system      SUNWperl584usr   Perl 5.8.4 [u]

strings,truss,
--------------
  system      SUNWtoo          Programming Tools

lsof
----
  application SMClsof          lsof

OpenSSH X Window tunneling
--------------------------
Addition of these packages will allow an X Window application run on the V490
to display remotely through an OpenSSH connection.

  system      SUNWxwplt        X11 platform software
  system      SUNWxwice        X11 ICE library and iceauth

man pages
---------
  system      SUNWman          On-Line Manual Pages
  system      SUNWdoc          Documentation Tools

freeware
--------
  system      SUNWgzip         The GNU Zip (gzip) compression utility
  system      SUNWzip          The Info-Zip (zip) compression utility
  system      SUNWzlib         The Zip compression library
  system      SUNWbash         GNU Bourne-Again shell (bash)
  system      SUNWtcsh         Tenex C-shell (tcsh)
  system      SUNWgpch         The GNU Patch utility
  system      SUNWless         The GNU pager (less)

conclusion
==========
A V490 can be configured as a general purpose server, supporting OpenSSH
(including X Window tunneling), Logical Volume Manager, Perl; and including
man pages, some system administration tools (such as patch, truss, and lsof),
plus assorted freeware (compression utilities, alternate shells), with just
53 packages: 28 essential, 25 elective. To this, of course, must be added
whatever packages are required to support the V490's intended service.

53 package set:
---------------
SMClsof (sunfreeware.com)
SUNWaccr
SUNWaccu
SUNWadmr
SUNWbash
SUNWbzip
SUNWcakr
SUNWcar
SUNWced
SUNWcfplr
SUNWckr
SUNWcnetr
SUNWcsd
SUNWcsl
SUNWcslr
SUNWcsr
SUNWcsu
SUNWdoc
SUNWesu
SUNWfcp
SUNWfctl
SUNWgpch
SUNWgzip
SUNWib
SUNWipfr
SUNWless
SUNWlibC
SUNWlibCx
SUNWlibmsr
SUNWlibsasl
SUNWlxml
SUNWman
SUNWmdr
SUNWmdr
SUNWmdu
SUNWpd
SUNWperl584core
SUNWperl584usr
SUNWpr
SUNWqlc
SUNWsndmr
SUNWsndmu
SUNWssad
SUNWswmt
SUNWtcsh
SUNWtecla
SUNWtls
SUNWtoo
SUNWxwice
SUNWxwplt
SUNWzip
SUNWzlib
SUNWzlib
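
The package set above can also serve as a baseline for checking a built
system. The following is an added example, not part of the original page: it
compares saved "pkginfo" output (category, package, description) with a
baseline file and reports extra, missing and duplicated names. File names and
sample contents are constructed; on Solaris 10 run it with /usr/xpg4/bin/sh or
bash and substitute nawk for awk.

```shell
# Added example, not from the original page: check saved `pkginfo` output
# against a package baseline such as the 53 package set.

# audit_pkgs BASELINE_FILE PKGINFO_FILE
#   BASELINE_FILE: package name in the first field of each line
#   PKGINFO_FILE:  `pkginfo` output (category, package, description)
# Prints sorted findings and returns 1 if any EXTRA or MISSING line exists:
#   DUPLICATE <pkg>  name listed more than once in the baseline
#   EXTRA <pkg>      installed but not in the baseline
#   MISSING <pkg>    in the baseline but not installed
audit_pkgs() {
    report=$(awk '
        NR == FNR {                         # first file read: baseline
            if (NF && base[$1]++) print "DUPLICATE " $1
            next
        }
        NF >= 2 { inst[$2] = 1 }            # second file: pkginfo output
        END {
            for (p in inst) if (!(p in base)) print "EXTRA " p
            for (p in base) if (!(p in inst)) print "MISSING " p
        }
    ' "$1" "$2" | sort)
    [ -z "$report" ] || printf '%s\n' "$report"
    case "$report" in
        *"EXTRA "*|*"MISSING "*) return 1 ;;
    esac
    return 0
}

# Constructed sample data: a short baseline and a short pkginfo listing.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/baseline" <<'EOF'
SMClsof (sunfreeware.com)
SUNWcsr
SUNWmdr
SUNWmdr
SUNWzlib
EOF
cat > "$tmp/pkginfo.out" <<'EOF'
system      SUNWcsr   Core Solaris, (Root)
system      SUNWmdr   Solaris Volume Manager, (Root)
system      SUNWzlib  The Zip compression library
system      SUNWgcc   gcc - The GNU C compiler
EOF

audit_pkgs "$tmp/baseline" "$tmp/pkginfo.out" || echo "baseline drift found"
```
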