Two Useful Solaris SMF Tips
Published October 6th, 2006 in Solaris.
Solaris Service Management Facility (SMF) is a core part of the Predictive Self-Healing technology available in Solaris 10, which provides automatic recovery from software and hardware failures as well as administrative errors. To get a quick start of SMF, follow this link.
Tip 1: Alert you about SMF activities
While the facility eases the support of a large set of services in a unified model on each Solaris system, there is no transparency of the actual process. When a SMF service fails for some reason and automatically restarts, you don’t really know about it unless you keep a close eye on your services logs. This is when a utility written in Perl like SMF Monitor Alert is useful. It runs as a daemon and monitors the SMF service specified in and mail to recipient if something happens. You have a choice of using Mail::Sender Perl module or sendmail. To start the daemon, you need to type something like
#./smfalert.pl -m -p -i "apache:default print/server:default" -r itechnot@itechnote.com
Tip 2: Give authorization to selected user to manage SMF services without root account
The configuration subsystem for the service management facility requires privilege to modify the configuration of a service. Privileges are granted to a user by associating the authorizations to the user through user_attr(4) and prof_attr(4). Robert Milkowski has posted an example using user_attr(4) in his blog.
We all know that with role-based access control (RBAC), we can deliver fine-grained security to any applications. Users can be assigned an authorization, which is a unique string that represents a user’s right to perform some operation or class of operations. Authorization definitions are stored in a database called auth_attr(4).
In the case of SMF, the authorization can be applied in two level - Property Group Authorization and Service Action Authorization. The users can be granted authorization to modify the value of all properties, adding or deleting a property or permanently change the state of a service. The authorization properties include modify_authorization and value_authorization for Property Group Authorization and action_authorization for Service Action Authorization. Here are two examples taken from Robert Milkowski’s blog.
# svccfg -s wpfileback setprop general/action_authorization = astring: wp.applications
# svccfg -s wpfileback setprop general/value_authorization = astring: wp.applications
You can get more info on the man pages related to SMF - smf_security(5) and rbac(5).
Thanks for mentioning!
No worry. Thanks for being the first to post a comment in my site.