= smf(5) Frequently Asked Questions

{{{
Welcome to the smf(5) community FAQ!

This Q&A is divided into four sections: General for general description
of how SMF works and further clarification of official documentation;
Administrative for how-to questions; Troubleshooting, and Writing SMF
Manifests. The information on manifest writing covers such a broad range
of topics that it merits a section of its own.
}}}

== 1. General Section: general descriptions of how smf(5) works

=== 1.1. Short listing of SMF files and directories

* /var/svc: logs, manifests, profiles
* /lib/svc: methods, seed repository, restore_repository script
* /etc/svc: repository.db, repository backups, volatile (a tmpfs)

/var/svc/manifest/site is reserved for manifests specific to your site.

=== 1.2. Short listing of SMF commands

* svcs(1): service status listing
* svcadm(1M): administrative actions
* svccfg(1M): property modification, can be batch or interactive mode
* svcprop(1): property reporting, suitable for scripting
* inetadm(1M): administrative and property modification for inetd services
* inetconv(1M): convert legacy inetd.conf entries to SMF manifest and service

=== 1.3. Short listing of relevant SMF man pages

smf(5), svcs(1), svcadm(1M), svccfg(1M), svcprop(1), svc.startd(1M), svc.configd(1M), smf_security(5), smf_bootstrap(5), smf_method(5), smf_restarter(5), service_bundle(4), inetconv(1M), inetadm(1M), inetd(1M)

=== 1.4. How permanent is svcadm(1M)?

Unless the "-t" option is used, svcadm(1M) enable/disable is persistent through reboots, patches, and upgrades. The "-t" option indicates that this specified state is good only until the next reboot.

=== 1.5. Are milestones the same as run levels?

A milestone is a new mechanism made to be compatible with run-levels. Milestones define a specific state of system readiness, each with a specific set of services enabled. Before smf(5), system boot progressed from run level S to 3, executing scripts in /etc/rc?.d along the way. With smf(5), system boot does not progress from milestone to milestone; dependencies determine the order in which services start.

Except for none and all, milestones show up as services in SMF. However, regardless of the state of milestone/* as shown by "svcs -a", the system can only be in one of the following milestones at any time:

none, single-user, multi-user, multi-user-server, all

For the system’s current milestone, check the options_ovr/milestone property of svc:/system/svc/restarter:default:

{{{
# svcprop -p options_ovr/milestone restarter:default
}}}

If this command returns the following error:

{{{
svcprop: Couldn't find property 'options_ovr/milestone'
for instance 'svc:/system/svc/restarter:default'.
}}}

then the system is in its default milestone.

To view the system’s default milestone, see question [[2.13>>#ADMN13]].

Other milestones exist to declare that some set of services are ready. They are available for use as dependencies. For example, if milestone/devices is online, it indicates that device/fc-fabric and device/local have finished. Use "svcs -d <milestone>" to list the dependencies for the milestone.

=== 1.6. Where did the output of the rc scripts go?

rc scripts are now started in the analogous milestone, and all output from them during boot is logged to the milestone service’s log file in /var/svc/log. For example, scripts in /etc/rc3.d are run in milestone multi-user-server, invoked by start method /sbin/rc3. The output of those scripts goes to /var/svc/log/milestone-multi-user-server:default.log.

* svc:/milestone/single-user:default starts /etc/rcS.d
* svc:/milestone/multi-user:default starts /etc/rc2.d
* svc:/milestone/multi-user-server:default starts /etc/rc3.d

=== 1.7. When I run svcs -a, I see a column labeled STIME. Does that mean "Start Time"?

STIME stands for "State Time", the time when the service entered that state. It is precise to the sub-second, although only the second is printed. "svcs -a" lists services in the order that they finished starting. STIME is not authoritative: svcadm(1M) refresh will update it. To find out when a service was started, you have to look at the log.

=== 1.8. Is SMF integrated with FMA?

No. In particular, smf(5) doesn’t send any telemetry to fmd(1M).

=== 1.9. Can I make my service depend on a zone?

No, smf(5) doesn’t have the mechanism to support dependencies on zones.

=== 1.10. Why is "Importing service descriptions…" so slow?

It’s serial and does a lot of syncing (to guard against power failure, etc). We’re working on it (see [[CR 6351623>>http://bugs.opensolaris.org/view_bug.do?bug_id=6351623]]).

=== 1.11. svcs(1) shows me a service state with an * next to it, for example, online*, what does it mean?

It means the service is still in transition; use "svcs -v" to see the next state.

=== 1.12. Where are SMF logs? Do I need to rotate them?

svc.startd stores log files in the /etc/svc/volatile directory in early stages of boot, before /var is mounted read-write.

SMF logs are kept in /var/svc/log. For service log files, invoke:

{{{
# svcs -x <service>
}}}

This does not work for disabled services. You don’t need to rotate SMF logs; rotation is already managed by logadm(1M), see /etc/logadm.conf. Output from the /etc/rc?.d/* legacy scripts is collected in the appropriate /var/svc/log/milestone-* file.

=== 1.13. Is there additional SMF documentation, in addition to existing man pages?

* [[BigAdmin SMF site>>http://www.sun.com/bigadmin/content/selfheal/]]
* [[OpenSolaris SMF site>>Community Group smf.WebHome]]
* [[OpenSolaris SMF Community Discussions>>http://www.opensolaris.org/jive/forum.jspa?forumID=24]]
* [[Ready-made SMF manifests>>Community Group smf.manifests]]
* [[System Administration Guide>>http://docs.sun.com/app/docs/doc/817-1985/6mhm8o5rq?q=817-1985&a=view]]
* [[SMF FAQ>>Community Group smf.faq]]

== 2. Administrative Section: administrative "how to…" questions

=== 2.1. How can I allow user X to control service Y?

SMF uses RBAC to delegate service management responsibility. The following properties can be set:

action_authorization: can execute method; allows you to do:

* svcadm [enable | disable] -t
* svcadm refresh
* svcadm restart
* svcadm mark maintenance
* svcadm clear

value_authorization: can change values of existing property. It allows you to permanently enable or disable a service because you are changing the general/enabled property of the service.

modify_authorization: can change, add, or delete properties.

See /var/svc/manifest/network/ssh.xml for an example.

The value of these properties, a string, must be added to the user’s security attributes in /etc/user_attr.
Here’s how to allow user jdoe to enable/disable ssh:

/var/svc/manifest/network/ssh.xml:

{{{
<property_group name='general' type='framework'>
<!-- to start stop sshd -->
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.ssh' />
<propval name='value_authorization' type='astring'
value='solaris.smf.manage.ssh' />
</property_group>

/etc/user_attr:
jdoe::::auths=solaris.smf.manage.ssh
}}}

The string solaris.smf.manage.ssh can be any arbitrary string, but solaris.smf.manage.ssh is more descriptive than, say, "fooblat".

To see the action_authorization for a service, run:

{{{
# svcprop -p general/action_authorization <FMRI>
}}}

If the service has none, you can add one with svccfg(1M):

{{{
# svccfg -s <FMRI> setprop general/action_authorization = astring: \
"solaris.smf.manage.service"
# svcadm refresh <FMRI>
}}}

To allow a user to change the properties in a certain property group, give the user value_authorization. To allow the user to modify, add or remove the properties in a certain property group, give them modify_authorization.

To allow a user to manage any service, give him solaris.smf.manage. To give a user full control over the repository, give him solaris.smf.modify.

Give a user authorization by modifying /etc/user_attr:

{{{
# echo "jdoe::::auths=solaris.smf.manage.service" >> /etc/user_attr
}}}

You can see a user’s authorizations with "auths jdoe".

=== 2.2. How do I add a dependency to an existing service?

Use svccfg(1M). Let’s say that you want to add a filesystem/local dependency to a service:

{{{
# svccfg -s <FMRI>
> addpg myfs-local dependency <-- "myfs-local" is the descriptive name
> setprop myfs-local/grouping = astring: "require_all"
> setprop myfs-local/restart_on = astring: "none"
> setprop myfs-local/type = astring: "service"
> setprop myfs-local/entities = fmri: "svc:/system/filesystem/local"
> exit
# svcadm refresh <FMRI>
}}}

If you’ve made a mistake, invoke editprop, which will launch the $EDITOR, or vi if $EDITOR is not set. Find your mistake, correct it, and uncomment the command by removing the hash at the beginning of the line. After saving and quitting the $EDITOR, the command you’ve uncommented is executed.

Note that svccfg import employs a syntax checker to validate your XML manifest. Interactive svccfg does no such validating and will allow you to make a mistake that would have been caught by svccfg import.

=== 2.3. Why can’t I just modify my FMRI manifest and add the following…

{{{
<dependency name='myfs-local'
grouping='require_all'
restart_on='none'
type='service'>
<service_fmri value='svc:/system/filesystem/local' />
</dependency>
}}}

Never modify manifests in place. This can’t be stressed enough. Always use svccfg to modify or customize a service. SMF detects customizations by comparing current property values with those from the last manifest imported. If your customizations are in a manifest, then SMF will think that you have no customizations. In a future patch or upgrade, SMF may drop in a new manifest and erase all the customizations you’ve added in the manifest.

=== 2.4. How do I back up the repository?

Currently the ability to take a repository backup at will does not exist. Four backup copies are taken automatically and kept in /etc/svc.
You can make copies of /etc/svc/repository.db but there is a risk that such a copy won’t be self-consistent if svc.configd(1M) makes a change during the copy.

=== 2.5. How do I take a snapshot of a service’s configuration?

Currently you can’t take snapshots at will. There is an RFE filed to make this possible, see [[CR 6199307>>http://bugs.opensolaris.org/view_bug.do?bug_id=6199307]]. You can use svccfg export <service> to get an XML file describing the currently running service.

=== 2.6. Why doesn’t "svccfg export apache2" work?

svccfg(1M) only exports services. In /network/http:apache2, network is the functional category, http is the service, apache2 is the instance. You can export the service using svccfg export http; the exported manifest will include the instance. Work is underway to enable svccfg to export instances, see [[CR 6299665>>http://bugs.opensolaris.org/view_bug.do?bug_id=6299665]].

=== 2.7. How do I figure out who disabled this service?

Currently smf(5) does not track who does what.

=== 2.8. How do I make SMF send me an email when a service changes state?

That level of functionality does not exist yet.

=== 2.9. How can I take a snapshot of all of the services on my system, so I can check for changes later?

There is no ability to take snapshots at will yet. [[CR 6199307>>http://bugs.opensolaris.org/view_bug.do?bug_id=6199307]] has been filed to allow snapshot-at-will, and [[CR 6389280>>http://bugs.opensolaris.org/view_bug.do?bug_id=6389280]] has been filed to allow users to compare snapshots. The alternative is to use svccfg(1M) export to output service properties in XML files and compare those, or svccfg archive to get a full service description for all services in one XML file. Also see [[question 2.5>>#ADMN5]].

=== 2.10. I am in milestone single-user for some diagnostic; I want to enable some service but can’t.

This is probably because your repository is not mounted writable. You can check this by looking at the output of mount(1M) for the writability of the root filesystem.

You can get around this problem by using svcadm enable -t to temporarily enable the service. Better yet, use svcadm enable -rt to also enable all your service’s dependencies at once.

=== 2.11. How do I turn on verbose logging?

Set the options/logging property of the restarter:

{{{
# svccfg -s /system/svc/restarter:default
> addpg options application
> setprop options/logging = astring: "verbose"
> setprop options/type = astring: "framework"
> exit
# svcadm refresh /system/svc/restarter:default
}}}

Also see [[question 3.5>>#TRBL5]] for use of boot -m verbose.

=== 2.12. How do I delete a service?

Use svccfg delete. This will fail if the service is running. In that case, either disable the service with svcadm(1M), or use svccfg delete -f. Then remove the service manifest. This last step avoids SMF re-enabling the service in case of a seed repository recovery, when SMF re-imports manifests.

//Warning//: Delete services at your own risk. You might inadvertently upset a milestone or another service which depends on the service you just deleted, and the effect might not be immediately noticeable.

=== 2.13. How do I find out what is my system’s default milestone?

{{{
# svcprop -p options/milestone restarter:default
}}}

If this property does not exist, that is, you get the following error:

{{{
svcprop: Couldn't find property `options/milestone'
for instance `svc:/system/svc/restarter:default'.
}}}

then the system’s default milestone is all.

The difference between the properties options/milestone and options_ovr/milestone is that the former records your default boot milestone if you have changed it since last boot. The latter records your current milestone if you’ve used svcadm to transition to another milestone since last boot. Your current milestone and your default boot milestone are not necessarily the same. The system always returns to its default milestone every time it boots.

If options/milestone does not exist, the default milestone is all.

If options_ovr/milestone does not exist, the current milestone is the default milestone.

=== 2.14. How do I leave my current milestone?

If you want to change run-level, use /sbin/init. Milestones are compatible with run-levels, but are not run-levels. See [[Question 1.5>>#GEN5]]. Changing the system’s milestone does not change its run level.

If you’ve used svcadm milestone or boot -m milestone= to get to where you are now, you can use:

{{{
# svcadm milestone <new milestone>
}}}

to go to a new milestone.

=== 2.15. How do I create my own milestone?

You can’t create milestones that you can boot to. The milestones which svcadm milestone accepts are hardcoded into svcadm(1M) and svc.startd(1M). See [[question 1.5>>#GEN5]] for the milestones that the system can be in.

You can create a milestone to declare that a set of services is ready. Services which have milestone in their name are treated like any other services.

=== 2.16. How do I find out which processes are associated with a service?

{{{
# svcs -p
# svcs -pv
}}}

The latter will also return contract IDs.

=== 2.17. How do I find out which service is associated with a process?

{{{
# ps -e -o ctid,args | grep <process_name>
# svcs -o ctid,fmri | grep <pid_found_with_previous_command>
}}}

=== 2.18. How do I see the process privilege set for my service?

Find a process associated with your service, and use:

{{{
# ppriv -S <PID>
}}}

=== 2.19. How do I assign my service to run in a project?

See the work-around for [[CR 6517270>>http://bugs.opensolaris.org/view_bug.do?bug_id=6517270]]:

Specify all required properties directly. In this example, we’re trying to have the smtp:sendmail service start in the sendmail(1M) project.

First, check if the property you’re trying to set is already defined for the service:

{{{
# svcprop -p start/project <FMRI>
}}}

If this property is set to a value (like :default), do the following to change the project:

{{{
# svccfg -s <fmri> setprop start/project = sendmail
# svcadm refresh sendmail; svcadm restart sendmail
}}}

If it isn’t set, specify all required properties.

{{{
# svccfg -s sendmail setprop start/project = astring: sendmail
# svccfg -s sendmail setprop start/user = astring: root
# svccfg -s sendmail setprop start/group = astring: :default
# svccfg -s sendmail setprop start/working_directory = astring: :default
# svccfg -s sendmail setprop start/resource_pool = astring: :default
# svccfg -s sendmail setprop start/supp_groups = astring: :default
# svccfg -s sendmail setprop start/privileges = astring: :default
# svccfg -s sendmail setprop start/limit_privileges = astring: :default
# svccfg -s sendmail setprop start/use_profile = boolean: false
# svcadm refresh sendmail; svcadm restart sendmail
}}}

See [[question 4.9>>#MNFST9]] on how to create a method_context block in a manifest. See [[question 4.10>>#MNFST10]] on how to assign a service to a project in a manifest.

=== 2.20. How do I set environment variables for my service?

Set one variable:

{{{
# svccfg -s <service name> setenv -m <method name> MYVAR value
}}}

Set one variable to multiple values:

{{{
# svccfg -s <service name> setenv -m <method name> MYVAR "val1 val2"
}}}

Set multiple variables:

{{{
# svccfg -s <service name> setenv -m <method name> MYVAR1 val1
# svccfg -s <service name> setenv -m <method name> MYVAR2 val2
}}}

<method name> can be start, stop, or refresh. Use unsetenv to unset variables. Refresh the service to commit the changes.

== 3. Troubleshooting Section

=== 3.1. Why does svcs -x report print/server after a fresh install?

Services which depend on svc:/application/print/server:default are delivered as enabled, but svc:/application/print/server:default is delivered as disabled. This results in the dependent services being placed in the offline state, which svcs -x reports as an error.

=== 3.2. "svc:/application/print/server:default" actually has 3 dependents. Despite it being disabled, only two dependents are offline, one dependent (milestone/multi-user) is actually online. How is this possible?

There are 4 types of dependencies. One may think of them as a gradient: how much a service needs from a dependency before it considers that dependency satisfied. The relationship print/server has with milestone/multi-user is of type optional_all. This means that print/server can be in the disabled state and still allow milestone/multi-user to run. The relationships print/server has with the other 2 services are of type require_any and require_all, which are satisfied when print/server is online or degraded.

=== 3.3. Why is svc.configd(1M) taking up a lot of memory?

You may be running into:

{{{
CR 6304200: svc.configd(1M) becomes a heavyweight, weighing in at 500MB
The workaround is to kill svc.configd, svc.startd(1M) will start a new
one. This is fixed in patch 118833-36.
}}}

=== 3.4. Why is svc.configd(1M) taking up a lot of CPU?

You may be running into:

{{{
CR 6237669: _check_services() SMF logic causing svc.configd overwork.
If you are frequently mounting NFS filesystems, every mount is causing
SMF to unnecessarily refresh a set of related services and to consume
a lot of CPU doing so. This is fixed in patch 118833-36.
}}}

svc.configd(1M) only does work for its clients, and svc.startd(1M) is its biggest client. If this is not the bug you are running into, check svc.startd.

=== 3.5. My system hangs during boot. What should I do?

You can observe service start messages during boot by using boot -m verbose. For a system that hangs during boot, boot to milestone none, log in, bring the system to milestone all, and watch to see where it hangs.

{{{
ok> boot -m verbose, milestone=none
(login)
# svcadm milestone all
}}}

=== 3.6. I screwed up my service. What should I do?

If a single service is broken, first run svcs -x <FMRI>; this may tell you what has gone wrong. Check the log files in /var/svc/log/service-name.log.

SMF keeps a snapshot of the last time your service successfully started. As a last resort, you can roll back to that snapshot.

{{{
# svccfg -s service:instance
> selectsnap start
> revert
> exit
# svcadm refresh service:instance
}}}

=== 3.7. I screwed up my repository so bad I can’t even boot the system to restore an old repository backup. What do I do?

If neither boot -s nor boot -m milestone=none provides a shell for you, then you’ll have to boot net or boot from a CD.
Then mount the root filesystem and run:

{{{
# /lib/svc/bin/restore_repository -r /path/to/root
}}}

=== 3.8. svcs -x says service Y was "disabled by an administrator", but I didn’t disable it.

SMF does not record who does what; it assumes that the service was disabled by an administrator. Incidentally, you only see this when using svcs -x <FMRI>; plain invocations of svcs(1), or invocations with the -l or -v option, will just show the state as being disabled.

=== 3.9. When I set {nis/client, nis/server} to be enabled in site.xml, why is it not enabled after install?

If you installed your system using jumpstart, the first time your system boots, site.xml is applied and then /lib/svc/method/sysidtool-system resets the name service according to the sysidcfg(4) file, disables {nis/client, nis/server} and undoes what site.xml has done. This is a bug, see [[CR 6421535>>http://bugs.opensolaris.org/view_bug.do?bug_id=6421535]].

To get around this, create another service that depends on sysidtool-system which re-applies site.xml.

=== 3.10. Why hasn’t my service started even though the file: dependency is now fulfilled?

There is no file event to signal SMF that a file has come online. If SMF tries to start your service and finds that a file: dependency is not satisfied, it continues to think so forever. See [[CR 5106165>>http://bugs.opensolaris.org/view_bug.do?bug_id=5106165]].

The workaround is to run svcadm refresh. If the file is on a remote filesystem, make sure your manifest includes the appropriate filesystem dependency to allow your service to find the files it needs before it starts.

=== 3.11. Why is network/physical in maintenance?

One possible reason is that you may have aliased your hostname to 127.0.0.1, the loopback address, and then used that hostname in your /etc/hostname.interface file.

=== 3.12. Why doesn’t svcs -x know why my /system/console-login is in the offline state?

If you boot to milestone none and from there go to milestone all (see [[question 3.5>>#TRBL5]]) without exiting the sulogin shell, svc.startd(1M) keeps console-login in the offline state. svcs -x sees that all of console-login’s dependencies are satisfied, and can’t figure out why console-login is offline. Your system is fine. svc.startd(1M) will notice when you’ve logged out of your sulogin shell and will start console-login properly after that.

In another situation, if you have a file: dependency which was not satisfied when your service started, but the file is present when you run svcs -x, SMF reports that it can’t determine the reason why your service is offline. You should refresh your service (see [[question 3.9>>#TRBL9]]).

=== 3.13. I just jumpstarted a system and I get this message after it boots

{{{
svc:/milestone/multi-user-server:default
(multi-user plus exports milestone)
State: offline since Wed Feb 08 11:44:58 2006
Reason: Dependency svc:/system/install is absent.
}}}

However, I can’t find svc:/system/install anywhere.

system/install is a service that gets added to the repository after the install is complete, but before the reboot. This service is not needed if you build your system using jumpstart, and it is removed before the reboot. If your finish script has a reboot call, and your system reboots before SMF has a chance to completely remove system/install, you will get this.

Don’t call reboot in your jumpstart finish script. To fix, use svccfg(1M) to remove the dependency from the multi-user-server milestone.

{{{
# svccfg -s multi-user-server listpg
}}}

Find the dependency name for svc:/system/install, and delete it.

{{{
# svccfg -s multi-user-server delpg <dependency name>
}}}

== 4. Writing SMF Manifests Section

=== 4.1. How do I write an SMF manifest?

The same way you write an rc script: start with Sun-delivered manifests as examples. Copy and cut and paste as you need.

Manifests you can use as examples:

* /var/svc/manifest/system/utmp.xml for a simple standalone daemon
* /var/svc/manifest/system/coreadm.xml for a service which runs once at boot
* /var/svc/manifest/network/telnet.xml for an inetd-managed service
* /var/svc/manifest/network/http-apache2.xml for a service with dependencies
* /var/svc/manifest/network/ssh.xml for a service which uses RBAC authorization

The DTD (Document Type Definition) is /usr/share/lib/xml/dtd/service_bundle.dtd.1, and is defined at the top of each manifest. You need at least 3 things: the service name, the start and stop method, and dependencies.

The Service Developer Introduction is very helpful; you can find it [[here>>http://www.sun.com/bigadmin/content/selfheal/sdev_intro.html]].

The collection of manifests written by the SMF user community is available on the opensolaris.org "SMF Methods and Manifests" site, located [[here>>Community Group smf.manifests]].

=== 4.2. How do I check my manifest for syntax errors?

svccfg import has a built-in validator, and won’t import your manifest if it has errors. Use svccfg validate <XML file> to check your syntax without importing the file. You can also use xmllint(1M):

{{{
# xmllint --valid <XML file>
}}}

=== 4.3. Which filesystem service should I depend on?

You should at least depend on, directly or indirectly, filesystem/minimal. If your service requires one or more files, then you should also depend, directly or indirectly, on the filesystem service that will make that file available before your service starts.

{{{
svc:/system/filesystem/root      /usr is mounted
svc:/system/filesystem/usr       / and /usr are read-write
svc:/system/filesystem/minimal   /var, /var/adm, /var/run, and /tmp are mounted
svc:/system/filesystem/local     all other filesystems are mounted
}}}

=== 4.4. What do I need in my manifest in order to delegate service administration to a user?

See [[question 2.1>>#ADMN1]]. You need:

{{{
<property_group name='general' type='framework'>
<propval name='action_authorization' type='astring'
value='solaris.smf.manage.service' />
<propval name='value_authorization' type='astring'
value='solaris.smf.manage.service' />
</property_group>
}}}

modify_authorization is typically given per property group, instead of in the general property group.

Don’t forget to modify /etc/user_attr to add the value string to the user security profile:

{{{
/etc/user_attr:
jdoe::::auths=solaris.smf.manage.service
}}}

=== 4.5. What do I need in my manifest to keep my service from restarting every time it core dumps or a child process exits?

By default, SMF interprets a core dump or an external signal sent to a service as an error and tries to restart the service. To instruct SMF to ignore these conditions, add the following to your manifest:

{{{
<property_group name='startd' type='framework'>
<propval name='ignore_error' type='astring'
value='core,signal' />
</property_group>
}}}

=== 4.6. What are method tokens and how are they used?

They are placeholders for service values, and are replaced with their values by the svc.startd(1M) daemon. They can only be used as parameters for method calls (start, stop, or refresh). Method tokens are not supported by the delegated restarter inetd.

svc.startd(1M) supports the following method tokens:

{{{
%%            %
%r            Name of the restarter, such as svc.startd
%m            Name of the method, such as start or stop
%s            Name of the service
%i            Name of the instance
%f            FMRI of the instance
%{prop[:,]}   Value(s) of a property.
}}}

See the smf_method(5) manpage for more.

=== 4.7. What does a timeout_seconds value of "0" or "-1" mean?

"0" or "-1" denote infinite timeout; we recommend you use "0" and not "-1".

=== 4.8. What is the inetconv property group used for?

It’s a record of the original inetd.conf(4) line that inetconv(1M) used to generate the manifest. You don’t need it if you’re writing a new manifest.

=== 4.9. How do I restrict my service to have only the privileges it needs?

You need to find out what privileges your service needs, then construct a method context to tell SMF to start and stop the service with only those privileges.

Download the [[privdebug.pl script>>Community Group security.files]].

Instructions on how to use privdebug.pl are beyond the scope of this FAQ, but can be found in the [["Privilege Debugging in the Solaris 10 Operating System" Blueprint>>http://www.sun.com/blueprints/0206/819-5507.pdf]].

After the privdebug exercise you will have a set of privileges required for the application to start and to stop. You will add to, or subtract from the set of basic privileges to create a set of privileges that your application uses.
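
The add/subtract step described above, as an added example that is not part of the original FAQ: a shell function that takes the basic set (as listed by ppriv -l basic) and the privileges a method was observed to need, and prints the value for the privileges attribute of method_credential. The function name smf_priv_spec and the sample lists are illustrative; the sample values are the ones this answer works through.

```shell
#!/bin/sh
# Added example, not part of the FAQ.
#
# smf_priv_spec BASIC NEEDED
#   BASIC   privileges in the basic set, as listed by "ppriv -l basic"
#   NEEDED  privileges the method was observed to use (for example with
#           privdebug.pl)
# Lists may be separated by commas, spaces or newlines.
# Prints the value for privileges= in <method_credential>:
#   "basic", then !name for every basic privilege that is not needed,
#   then every needed privilege that is not in the basic set.
# Exits 2 (and prints nothing on stdout) if a name does not look like a
# privilege name, so a typo or stray character never reaches a manifest.
smf_priv_spec() {
    printf '%s\n---\n%s\n' "$1" "$2" | tr ', \t' '\n\n\n' | awk '
        /^$/ { next }
        $0 == "---" { second = 1; next }
        $0 !~ /^[a-z][a-z0-9_]*$/ {
            print "invalid privilege name: " $0 | "cat 1>&2"
            bad = 1
            next
        }
        !second {
            # first list: remember the basic set in its original order
            if (!($0 in basic)) { basic[$0] = 1; b[++nb] = $0 }
            next
        }
        {
            # second list: remember the needed set in its original order
            if (!($0 in need)) { need[$0] = 1; n[++nn] = $0 }
        }
        END {
            if (bad) exit 2
            spec = "basic"
            for (i = 1; i <= nb; i++)
                if (!(b[i] in need)) spec = spec ",!" b[i]
            for (i = 1; i <= nn; i++)
                if (!(n[i] in basic)) spec = spec "," n[i]
            print spec
        }'
}

# Constructed input: the sets used in this FAQ answer.
BASIC='file_link_any, proc_fork, proc_exec, proc_info, proc_session'
echo "start: $(smf_priv_spec "$BASIC" 'proc_fork, proc_exec, net_privaddr')"
echo "stop:  $(smf_priv_spec "$BASIC" 'proc_fork, proc_exec, proc_session')"
```

On a live system the first argument can be "$(ppriv -l basic)"; after importing the manifest, compare the result with ppriv -S on the running process.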

To see the default basic set of privileges:

{{{
# ppriv -l basic
}}}

For example, if your application needs:

{{{
proc_fork, proc_exec, net_privaddr to start
proc_fork, proc_exec, and proc_session to stop
}}}

and your basic set of privileges contains:

{{{
file_link_any, proc_fork, proc_exec, proc_info, proc_session
}}}

To start you need to:

{{{
subtract file_link_any, proc_info, proc_session FROM basic
add net_privaddr TO basic
}}}

To stop you need to:

{{{
subtract file_link_any, proc_info FROM basic
}}}

Insert a method_context block inside your exec_method block in your service manifest, as demonstrated below:

{{{
<exec_method
    type='method'
    name='start'
    exec='/path/to/method start'
    timeout_seconds='0' >
    <method_context>
        <method_credential
            user='someuser'
            privileges='basic,!file_link_any,!proc_info,!proc_session,net_privaddr'/>
    </method_context>
</exec_method>

<exec_method
    type='method'
    name='stop'
    exec='/path/to/method stop'
    timeout_seconds='0' >
    <method_context>
        <method_credential
            user='someuser'
            privileges='basic,!file_link_any,!proc_info'/>
    </method_context>
</exec_method>
}}}

Common mistakes include bracketing with <exec_method> </exec_method>, and writing "/>" after timeout_seconds instead of ">". The correct form is:

{{{
<exec_method
    ... properties >
    <method_context>
        <method_credential
            ... properties />
    </method_context>
</exec_method>
}}}

Also, setting a value for user is required. Import the manifest and check your service. See [[question 2.18>>#ADMN18]] for how to view your service’s privilege set.

=== 4.10. How do I assign my service to run in a project in a manifest?

{{{
<exec_method
    type='method'
    name='start'
    exec='/path/to/method start'
    timeout_seconds='0' >
    <method_context
        project='projectname' >
        <method_credential
            user='someuser' />
    </method_context>
</exec_method>
}}}

=== 4.11. Where do I put manifests that I’ve written?

Manifests for both Solaris and third-party services should be installed in the appropriate subdirectory under /var/svc/manifest. Site-local service manifests should be installed under /var/svc/manifest/site. (Manifests can be stored in other locations, but only manifests stored under /var/svc/manifest will be automatically imported by SMF.)

svc.startd(1M) methods invoke executables, and these executables can be installed wherever you would normally place other executables. Following the conventions defined in filesystem(5), we recommend putting method scripts which are intended for use by only SMF — i.e. not by a human user — under the relevant "lib" directory. Method scripts for Solaris-provided methods are stored in /lib/svc/method. Method scripts for third-party services should be stored under /opt/packagename (/opt/packagename/lib/svc/method is recommended for consistency, but isn’t required). Method scripts for site-local services should be stored in whatever tree the site reserves for its libraries/binaries.

== 5. How To Contribute

//special thanks to Christine Tran, David Bustos, Bernd Schemmer, and all contributing SMF community members.//

This page represents a list of commonly asked questions, with corresponding answers, regarding the Service Management Facility introduced within Solaris 10. The FAQ is intended to be a "living document" that enables users and developers to increase their understanding of smf(5), the development of service manifests, and knowledge of the administrative command-line utilities.

We strongly encourage and welcome contributions from the SMF Community. Please send your feedback, as well as Q&A contributions, to smf-discuss AT opensolaris DOT org. Please include "SMF FAQ" within your "Subject: " line.

Last updated 06-Nov-2008 09:32:52 PDT