This section includes information on managing SMF services.
You can use RBAC rights profiles to allow users to manage some of the SMF services, without having to give the user root access.
The rights profiles define what commands the user can run. For SMF, the following profiles have been created:
Service Management — User can add, delete or modify services.
Service Operator — User can request state changes of any service instance, such as restart and refresh.
For specific information about the authorizations, see the smf_security(5) man page. For instructions to assign a rights profile, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.
How to Disable a Service Instance
Use the following procedure to disable a service. The service status change is recorded in the service configuration repository. Once the service is disabled, the disabled state will persist across reboots. The only way to get the service running again is to enable it.
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Check the dependents of the service you want to disable.
If this service has dependents that you need, then you cannot disable this service.
# svcs -D FMRI
Disable the service.
# svcadm disable FMRI
Example 15.7. Disabling the rlogin Service
The output from the first command shows that the rlogin service has no dependents. The second command in this example disables the rlogin service. The third command shows that the state of the rlogin service instance is disabled.
# svcs -D network/login:rlogin
STATE          STIME    FMRI
# svcadm disable network/login:rlogin
# svcs network/login:rlogin
STATE          STIME    FMRI
disabled       11:17:24 svc:/network/login:rlogin
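The disable procedure above as a script, added here as an example and not part of the original guide: it refuses to disable an instance that still has dependents in a state other than disabled, then confirms the resulting state. The function names are hypothetical; -H, -o and -s are standard svcs and svcadm options.

```shell
#!/bin/sh
# Added example (not from the original guide): disable an SMF instance only
# after checking its dependents. Function names are hypothetical.

# Print the dependents of FMRI $1 that are not already disabled.
# Empty output means nothing currently in use relies on the service.
active_dependents() {
    # -H drops the header line; -o picks the STATE and FMRI columns.
    svcs -H -o state,fmri -D "$1" | awk '$1 != "disabled" { print $2 }'
}

# Disable FMRI $1. Returns 0 when the instance ends up disabled, 1 when
# dependents block the change, 2 when svcadm fails.
disable_checked() {
    fmri=$1
    deps=$(active_dependents "$fmri")
    if [ -n "$deps" ]; then
        echo "not disabling $fmri, dependents still in use:" >&2
        echo "$deps" >&2
        return 1
    fi
    # -s waits until the instance has reached the disabled state.
    svcadm disable -s "$fmri" || return 2
    # Confirm the result instead of trusting the exit status alone.
    [ "$(svcs -H -o state "$fmri")" = "disabled" ]
}

# Run with an FMRI argument, for example network/login:rlogin.
[ $# -eq 0 ] || disable_checked "$1"
```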
How to Enable a Service Instance
Use the following procedure to enable a service. The service status change is recorded in the service configuration repository. Once the service is enabled, the enabled state will persist across system reboots if the service dependencies are met.
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Determine whether service dependencies are satisfied.
If the service is enabled, then the service dependencies are satisfied. If not, use svcadm enable -r FMRI to recursively enable all dependencies.
# svcs -l FMRI|grep enabled
Enable a service.
# svcadm enable FMRI
Example 15.8. Enabling the rlogin Service
The second command in this example enables the rlogin service. The third command shows that the state of the rlogin service instance is online.
# svcs -l network/login:rlogin|grep enabled
enabled      false
# svcadm enable network/login:rlogin
# svcs network/login:rlogin
STATE          STIME    FMRI
online         12:09:16 svc:/network/login:rlogin
Example 15.9. Enabling a Service in Single-user Mode
The following command enables rpcbind. The -t option starts the service in temporary mode which does not change the service repository. The repository is not writable in single-user mode. The -r option recursively starts all the dependencies of the named service.
# svcadm enable -rt rpc/bind
How to Restart a Service
If a service is currently running but needs to be restarted due to a configuration change or some other reason, the service can be restarted without you having to type separate commands to stop and start the service. The only reason to specifically disable and then enable a service is if changes need to be made before the service is enabled, and after the service is disabled.
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Restart a service.
# svcadm restart FMRI
How to Restore a Service That Is in the Maintenance State
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Determine if any processes that are dependent on the service have not stopped.
Normally, when a service instance is in a maintenance state, all processes associated with that instance have stopped. However, you should make sure before you proceed. The following command lists all of the processes that are associated with a service instance as well as the PIDs for those processes.
# svcs -p FMRI
Kill any remaining processes.
Repeat this step for all processes that are displayed by the svcs command.
# kill -9 PID
If necessary, repair the service configuration.
Consult the appropriate service log files in /var/svc/log for a list of errors.
Restore the service.
# svcadm clear FMRI
How to Revert to Another SMF Snapshot
If the service configuration is wrong, the problem can be fixed by reverting to the last snapshot that started successfully. In this procedure, a previous snapshot of the console-login service is used.
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Run the svccfg command.
# svccfg
svc:>
Select the service instance that you want to fix.
You must use an FMRI that fully defines the instance. No shortcuts are allowed.
svc:> select system/console-login:default
svc:/system/console-login:default>
Generate a list of available snapshots.
svc:/system/console-login:default> listsnap
initial
running
start
svc:/system/console-login:default>
Select to revert to the start snapshot.
The start snapshot is the last snapshot in which the service successfully started.
svc:/system/console-login:default> revert start
svc:/system/console-login:default>
Quit svccfg.
svc:/system/console-login:default> quit
#
Update the information in the service configuration repository.
This step updates the repository with the configuration information from the start snapshot.
# svcadm refresh system/console-login
Restart the service instance.
# svcadm restart system/console-login
How to Create an SMF Profile
A profile is an XML file which lists SMF services and whether each should be enabled or disabled. Profiles are used to enable or disable many services at once. Not all services need to be listed in a profile. Each profile only needs to include those services that need to be enabled or disabled to make the profile useful.
Create a profile.
In this example, the svccfg command is used to create a profile which reflects which services are enabled or disabled on the current system. Alternately, you could make a copy of an existing profile to edit.
# svccfg extract > profile.xml
If you are using JumpStart, if you have large numbers of identical systems, or if you want to archive the system configuration for later restoration, you may want to use this procedure to create a unique version of an SMF profile.
Edit the profile.xml file to make any required changes.
Change the name of the profile in the service_bundle declaration.
In this example the name is changed to profile.
# cat profile.xml
...
<service_bundle type='profile' name='profile' xmlns:xi='http://www.w3.org/2003/XInclude' ...
Remove any services that should not be managed by this profile.
For each service, remove the three lines that describe the service.
Each service description starts with <service and ends with </service. This example shows the lines for the LDAP client service.
# cat profile.xml
...
<service name='network/ldap/client' version='1' type='service'>
<instance name='default' enabled='true'/>
</service>
Add any services that should be managed by this profile.
Each service needs to be defined using the three line syntax shown above.
If necessary, change the enabled flag for selected services.
In this example, the sendmail service is disabled.
# cat profile.xml
...
<service name='network/smtp' version='1' type='service'>
<instance name='sendmail' enabled='false'/>
</service>
...
When necessary, apply the new profile.
See How to Apply an SMF Profile for instructions.
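A check that fits between editing the profile and applying it, added here as an example and not part of the original guide: it lists each instance in a profile with its enabled flag and reports any instance the profile would enable that is not on an allow-list. The function names and the sample profile are constructed for illustration, and the awk parsing assumes the three-line layout with single-quoted attributes shown above.

```shell
#!/bin/sh
# Added example (not from the original guide): review an SMF profile
# before running `svccfg apply`. Function names are hypothetical.

# Constructed sample profile in the three-line-per-service layout.
sample_profile() {
cat <<'EOF'
<service_bundle type='profile' name='profile'>
<service name='network/ldap/client' version='1' type='service'>
<instance name='default' enabled='true'/>
</service>
<service name='network/smtp' version='1' type='service'>
<instance name='sendmail' enabled='false'/>
</service>
<service name='network/login' version='1' type='service'>
<instance name='rlogin' enabled='true'/>
</service>
</service_bundle>
EOF
}

# Read a profile on stdin; print "svc:/SERVICE:INSTANCE true|false" per
# instance. Assumes single-quoted attributes, one element per line.
profile_instances() {
    awk -F"'" '
        /<service / { for (i = 1; i < NF; i++) if ($i ~ /name=$/) svc = $(i + 1) }
        /<instance / {
            inst = ""; en = ""
            for (i = 1; i < NF; i++) {
                if ($i ~ /name=$/)    inst = $(i + 1)
                if ($i ~ /enabled=$/) en = $(i + 1)
            }
            print "svc:/" svc ":" inst, en
        }'
}

# Read a profile on stdin; print every instance it would enable that is
# not among the FMRIs passed as arguments (the allow-list).
unexpected_enabled() {
    allowed=" $* "
    profile_instances | while read -r fmri en; do
        [ "$en" = "true" ] || continue
        case "$allowed" in
            *" $fmri "*) ;;
            *) echo "$fmri" ;;
        esac
    done
}
sample_profile | unexpected_enabled svc:/network/ldap/client:default
```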
How to Apply an SMF Profile
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Apply a profile.
In this example, the profile.xml profile is used.
# svccfg apply profile.xml
For specific instructions for switching between the generic_limited_net.xml and generic_open.xml and the properties that need to be applied when making this switch, please see Changing Services Offered to the Network with generic*.xml.
Changing Services Offered to the Network with generic*.xml
In the Solaris Express 7/06 release, the netservices command switches system services between minimal network exposure and the traditional network exposure (as in previous Solaris releases). The switch is done with the generic_limited_net.xml and generic_open.xml profiles. In addition, some services properties are changed by the command to limit some services to a local-only mode or to the traditional mode, as appropriate.
In the Solaris Express 7/06 release, the generic_limited_net profile and the local-mode only service properties are applied by default.
Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Run the netservices command.
In this example, the open or traditional network exposure is selected.
# /usr/sbin/netservices open
Example 15.10. Limiting Network Service Exposure
This command changes properties to run some services in local mode, as well as restricts which services are enabled with the generic_limited_net profile. The command should only be used if the generic_open.xml profile had been applied.
# /usr/sbin/netservices limited