How To Prepare a System for Production.
update 11/07/2001
By Colin A. Bitterfield, ex-Sun Microsystems, Inc. (An update is planned for Solaris 10 within the next few months.)
A note on these recommendations: Solaris 2.6 is end of life and Solaris 8 is currently the flagship OS, so this article targets Solaris 8. Some of the tuning parameters listed did not exist in Solaris 2.6, and others are no longer an issue in 8.
Edit or Create the following Files:
a. /etc/default/login
+ CONSOLE=/dev/console
+ PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb:.
+ SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
+ SYSLOG_FAILED_LOGINS=3
(CONSOLE=/dev/console restricts direct root logins to the console; SYSLOG_FAILED_LOGINS=3 logs a user after three failed attempts. Note that the PATH above ends in "." so that users can run commands from the current directory; SUPATH deliberately does not, because a "." component lets anyone who can write to a directory plant a command that root will run from it.)
b. /etc/default/su
+ PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
+ SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
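As an added check for sections a and b (this script is written for this article; it is not Sun's code), the function below audits an /etc/default/login-style file for the settings above: it confirms CONSOLE=/dev/console and a numeric SYSLOG_FAILED_LOGINS, and flags any PATH or SUPATH that contains "." or an empty component. The two sample files are constructed inline; the first uses the article's own values, so the audit reports the trailing "." in PATH.

```shell
#!/bin/sh
# audit_login_defaults: sanity-check /etc/default/login settings.
# Helper names (default_value, search_path_findings, audit_login_defaults)
# are this example's own, not part of Solaris.

# Constructed sample: the article's values for /etc/default/login as written.
SAMPLE_LOGIN_AS_WRITTEN='CONSOLE=/dev/console
PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb:.
SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
SYSLOG_FAILED_LOGINS=3'

# Constructed sample: the same file with the "." dropped from PATH.
SAMPLE_LOGIN_HARDENED='CONSOLE=/dev/console
PATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
SUPATH=/opt/sfw/bin:/usr/local/bin:/usr/bin:/usr/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ccs/bin:/usr/ucb
SYSLOG_FAILED_LOGINS=3'

# default_value FILE NAME: value of the last uncommented NAME=value line in FILE.
default_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# search_path_findings NAME VALUE: non-zero (with a message) if the colon-separated
# VALUE has an empty component or one that names the current or a relative directory.
search_path_findings() {
    case ":$2:" in
        *::*|*:.:*|*:./*|*:..:*|*:../*)
            echo "$1 contains the current or a relative directory: a writable working directory can supply trojan commands"
            return 1 ;;
    esac
    return 0
}

# audit_login_defaults FILE: print one line per finding; exit status 0 when clean.
audit_login_defaults() {
    rc=0
    console=$(default_value "$1" CONSOLE)
    if [ "$console" != "/dev/console" ]; then
        echo "CONSOLE is '$console': root may log in from somewhere other than the console"
        rc=1
    fi
    failed=$(default_value "$1" SYSLOG_FAILED_LOGINS)
    case "$failed" in
        ''|*[!0-9]*) echo "SYSLOG_FAILED_LOGINS is unset or not numeric ('$failed')"; rc=1 ;;
    esac
    for var in PATH SUPATH; do
        search_path_findings "$var" "$(default_value "$1" "$var")" || rc=1
    done
    return $rc
}

# Demonstration on the constructed samples (on a real box: audit_login_defaults /etc/default/login).
tmp=$(mktemp) || exit 1
printf '%s\n' "$SAMPLE_LOGIN_AS_WRITTEN" > "$tmp"
audit_login_defaults "$tmp" || echo "findings above for the values as written in section a"
printf '%s\n' "$SAMPLE_LOGIN_HARDENED" > "$tmp"
audit_login_defaults "$tmp" && echo "hardened sample: no findings"
rm -f "$tmp"
```

The same search_path_findings check applies to the PATH and SUPATH in /etc/default/su (section b), which has no CONSOLE or SYSLOG_FAILED_LOGINS entries.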
c. /etc/default/telnetd
+ BANNER=""
d. /etc/default/ftpd
+ BANNER=""
e. /etc/default/inetinit
- TCP_STRONG_ISS=1
+ TCP_STRONG_ISS=2
(Level 2 selects RFC 1948 style initial sequence numbers, generated per connection from a secret hash, which defeats sequence-number prediction and the blind spoofing attacks built on it.)
f. /etc/inetd.conf
See Example
Please note that a router filter should be in place to block rexec-type commands (the "r" services) from outside the network.
g. /etc/init.d/inetsvc
- /usr/sbin/inetd -s&
+ /usr/sbin/inetd -s -t&
(-t traces each incoming connection to inetd's TCP services through syslog, so you get a record of who connected to what.)
h. create file /etc/notrouter
# touch /etc/notrouter
(The presence of this file stops the boot scripts from enabling IP forwarding, so a multi-homed host does not silently route between its networks.)
i. Modify /etc/init.d/inetinit (At end), set TCP tuning parameters.
Reference: This information is an excerpt/recommendation from SysAdmin magazine November 2000, "Securing Solaris" by Idu Dubrowsky.
+/usr/sbin/ndd -set /dev/tcp tcp_mss_def_ipv4 846
+/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 150000
Reference: This information is an excerpt from "SUN Tuning and Performance" by Adrian Cockcroft and Richard Pettit second edition.
(Use at your own risk; these are my recommendations for a machine providing web services.)
+/usr/sbin/ndd -set /dev/tcp tcp_time_wait_interval 60000
+/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 1024
+/usr/sbin/ndd -set /dev/tcp tcp_xmit_hiwat 32768
+/usr/sbin/ndd -set /dev/tcp tcp_recv_hiwat 32768
+/usr/sbin/ndd -set /dev/tcp tcp_slow_start_initial 2
Reference: This one is from a test I performed on moving small files via FTP. I saw a 500% improvement with this setting change.
+/usr/sbin/ndd -set /dev/tcp tcp_deferred_ack_interval 1
j. Modify /etc/system
Reference: the Solaris 8 tunable-parameters manual documents all of these parameters. Do *not* make hundreds of changes because you think you need them. Please read the book by Adrian Cockcroft and Richard Pettit.
* Good Values to add from defaults
* This adjusts many other parameters that use this as a base for calculation
set maxusers=512
* This parameter allows more "telnet/pty" connections
* Note: pt_cnt/max_pty no longer need to be set in Solaris 8. See the tuning manual.
* set the tcp hash size
set tcp:tcp_conn_hash_size=8192
* rlim_fd_max and rlim_fd_cur: do not set these higher than the default unless you absolutely need to.
* There are issues with these parameters when they exceed 1024, which is the new default for rlim_fd_max (32-bit programs that use select() cannot handle descriptors above 1024).
Below are some examples to add for various packages. Please note that the two examples below overlap: they set some of the same shared-memory parameters to different values. If you need both on the same machine, choose the larger value for each parameter.
* For Oracle
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10
set semsys:seminfo_semmni=100
set semsys:seminfo_semmsl=100
set semsys:seminfo_semmns=200
set semsys:seminfo_semopm=100
set semsys:seminfo_semvmx=32767
* The following lines are required for Exploring the GNOME Desktop (version 1.4)
set shmsys:shminfo_shmmax = 0x2000000
set shmsys:shminfo_shmmni = 0x1000
set shmsys:shminfo_shmseg = 0x100
* End of settings for Exploring the GNOME Desktop (version 1.4)
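When the Oracle and GNOME blocks above both land in /etc/system, the kernel uses the last assignment it reads, not the larger one, so the two sets have to be merged by hand. The script below (written for this article, not Sun or Oracle code; the function name is its own) does that merge: it reads "set module:param = value" lines in either spelling, accepts decimal or 0x hex values, and emits one line per parameter with the maximum. The two input sets are embedded as constructed samples taken from the blocks above.

```shell
#!/bin/sh
# merge_system_settings: merge overlapping /etc/system "set" lines, keeping the
# largest value per parameter. Reads the lines on stdin, prints normalized lines.

# Constructed samples: the shared-memory lines from the two blocks above.
ORACLE_SETTINGS='* For Oracle
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=10'

GNOME_SETTINGS='* For GNOME 1.4
set shmsys:shminfo_shmmax = 0x2000000
set shmsys:shminfo_shmmni = 0x1000
set shmsys:shminfo_shmseg = 0x100'

merge_system_settings() {
    # 1. keep only "set name=value" lines (comments start with "*"), as "name value"
    sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*\([^=[:space:]]*\)[[:space:]]*=[[:space:]]*\([0-9A-Fa-fx]*\).*/\1 \2/p' \
    | while read -r key val; do
        # 2. normalize the value to decimal; printf %d understands the 0x prefix
        case "$val" in '') continue ;; esac
        printf '%s %d\n' "$key" "$val"
      done \
    | sort -k1,1 -k2,2nr \
    | awk '!seen[$1]++ { print "set " $1 "=" $2 }'   # 3. first line per key is the largest
}

# Demonstration: merge the two sample sets.
printf '%s\n%s\n' "$ORACLE_SETTINGS" "$GNOME_SETTINGS" | merge_system_settings
```

For the samples this prints shmmax=4294967295 (Oracle's value wins), shmmni=4096 and shmseg=256 (GNOME's 0x1000 and 0x100 win), and shmmin=1, which only Oracle sets. Review the merged lines before pasting them into /etc/system; a bad value there is only corrected by booting with "boot -a" and supplying a different /etc/system.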
k. modify /etc/skel/local.profile and remove the default PATH line, which ends in ".":
-PATH=/usr/bin:/usr/ucb:/etc:.
l. modify /etc/profile
(At Beginning)
+LD_LIBRARY_PATH=/opt/sfw/lib:/usr/local/lib:/usr/lib:/usr/openwin/lib:/usr/dt/lib
+MANPATH=/opt/sfw/man:/usr/man:/usr/local/man:/usr/dt/man:/usr/openwin/man
+CC=/opt/sfw/bin/gcc
+EDIT=vi
+export LD_LIBRARY_PATH MANPATH CC EDIT
(Later you may want to change the prompts to reflect relative path and hostname)
m. modify /etc/.login
(If you use any of the C shells)
n. Create /etc/issue
# banner "restricted" " system" "`uname -n`" > /etc/issue
# echo "To request access or report violations contact ###-###-####" >> /etc/issue
(For instance; /bin/sh does not set HOSTNAME, so the hostname comes from uname -n.)
o. modify /etc/motd
Make sure to add a section on acceptable use of the system and a phone number to contact in case of issues.
p. Deactivate Sendmail
1. If not a mail server, mv /etc/rc2.d/S88sendmail to K88sendmail and make sure that mailhost resolves to the central mail server.
2. If a sendmail server, mv /etc/mail/main.cf to /etc/mail/sendmail.cf.
q. Deactivate LPD/LPR services
If not a print server, mv /etc/rc2.d/S80lp to K80lp and edit the /etc/inetd.conf and comment out the printer line.
r. Install OpenSSH
Install the openssl package, then the openssh package. Use ssh-keygen to create the three host key files:
# ssh-keygen -t rsa1 -f /usr/local/etc/ssh_host_key -N ""
# ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key -N ""
# ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key -N ""
(ssh_host_key is the SSH protocol 1 host key; only generate it, and only enable protocol 1 in sshd_config, if you must support protocol 1 clients.)
create and install /etc/init.d/ssh.server script
s. A More Serious Lock Down
Disable all "r" commands (shell, login, exec) in /etc/inetd.conf.
Disable telnet and only allow SSH.
Disable ftp.
Remove almost everything else from inetd.conf, then send inetd a HUP so it rereads the file.
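As an added example for sections f and s (written for this article; the helper names and the sample inetd.conf are constructed, not taken from a Sun system), the script below comments out a list of services in an inetd.conf, keeps an untouched copy of the original, and lists what is still active so the result can be checked before inetd is signalled. On the real system the follow-up is "pkill -HUP inetd".

```shell
#!/bin/sh
# disable_inetd_services: comment out named services in an inetd.conf file.
# Helper names are this example's own; the sample file below is constructed.

SAMPLE_INETD_CONF='# Solaris 8 style inetd.conf excerpt (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
printer stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
'

# disable_inetd_services CONF SERVICE...: comment out every active line whose
# first field is one of SERVICE. Already-commented lines are left alone, so the
# function can be rerun safely. The untouched file is saved once as CONF.orig.
disable_inetd_services() {
    conf=$1; shift
    [ -f "$conf.orig" ] || cp -p "$conf" "$conf.orig" || return 1
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }   # comments and blank lines unchanged
        ($1 in off)               { print "#" $0; next } # disable this service
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# active_inetd_services CONF: print the service name of every line inetd would still serve.
active_inetd_services() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Demonstration on the constructed sample. For the real file:
#   disable_inetd_services /etc/inetd.conf ftp telnet shell login exec finger printer
#   active_inetd_services /etc/inetd.conf      # review what is left
#   pkill -HUP inetd                           # make inetd reread the file
tmp=$(mktemp) || exit 1
printf '%s' "$SAMPLE_INETD_CONF" > "$tmp"
disable_inetd_services "$tmp" ftp telnet shell login exec finger printer
echo "still active after lock-down:"
active_inetd_services "$tmp"
rm -f "$tmp" "$tmp.orig"
```

What remains in the listing is exactly the set of network services you still have to justify; in the sample that is the sadmind RPC service, which belongs on the disable list of any host that is not managed with Solstice AdminSuite.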
t. Notes on CDE desktops
Make sure to create the directories:
/etc/dt/config
/etc/dt/config/Xsession.d
You can place a ksh script in Xsession.d to set environment variables. See the article on the environment manager.
u. Notes on /etc/skel
If you need to create a directory structure for each user when you create the accounts, create the directories and files here.
For instance, using profiles you can custom-edit a file during the useradd process, such as a custom index.html for each new user.
./public_html
./projects
v. Add on packages to make your life easier.
Look into Webmin; it is a good web-based graphical management tool for a system administrator. Yes, you can use SSL: if you install the SSL package listed above, you can provide access via https.
If you need a free SSH client for your PC, then putty.exe is your best bet: a single small (under 1 MB) executable, no install required, one file.