# # CDDL HEADER START # # The contents of this file are subject to the terms of the # Common Development and Distribution License (the "License"). # You may not use this file except in compliance with the License. # # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE # or http://www.opensolaris.org/os/licensing. # See the License for the specific language governing permissions # and limitations under the License. # # When distributing Covered Code, include this CDDL HEADER in each # file and include the License file at usr/src/OPENSOLARIS.LICENSE. # If applicable, add the following below this CDDL HEADER, with the # fields enclosed by brackets "[]" replaced with your own identifying # information: Portions Copyright [yyyy] [name of copyright owner] # # CDDL HEADER END # # Copyright 2009 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # BASEPREFIX=`echo $BASEDIR | sed "s/\//_/g"` # # Clear sysidtool which may have gone into maintenance due to a dependency # cycle with milestone/single-user, when upgrading to a system that # introduces milestone/sysconfig. # cat >> $BASEDIR/var/svc/profile/upgrade <<\_CLRSYSID /usr/sbin/svcadm clear svc:/system/sysidtool:net /usr/sbin/svcadm clear svc:/system/sysidtool:system _CLRSYSID if [ -f $BASEDIR/etc/inet/ipnodes.hostsmerge ]; then rm -f $BASEDIR/etc/inet/ipnodes.hostsmerge fi if [ -h $BASEDIR/var/mail.ABCsavedXYZ ] ; then rmdir $BASEDIR/var/mail/:saved >/dev/null 2>&1 if [ $? = 0 ] ; then rmdir $BASEDIR/var/mail >/dev/null 2>&1 if [ $? = 0 ] ; then mv $BASEDIR/var/mail.ABCsavedXYZ $BASEDIR/var/mail fi fi rm -fr $BASEDIR/var/mail.ABCsavedXYZ fi if [ -h $BASEDIR/var/news.ABCsavedXYZ ] ; then rmdir $BASEDIR/var/news >/dev/null 2>&1 if [ $? = 0 ] ; then mv $BASEDIR/var/news.ABCsavedXYZ $BASEDIR/var/news fi rm -fr $BASEDIR/var/news.ABCsavedXYZ fi PMTAB=$BASEDIR/etc/saf/tcp/_pmtab if [ -f $PMTAB ] ; then sed -e 's/\\x00020ACE......../\\x00020ACE00000000/' \ -e 's/\\x00020203......../\\x0002020300000000/' $PMTAB >/tmp/t.$$ cp /tmp/t.$$ $PMTAB fi AUTH_ATTR=$BASEDIR/etc/security/auth_attr if [ -f $AUTH_ATTR ] ; then sed '/^solaris\.\*/d' $AUTH_ATTR > /tmp/a.$$ cp /tmp/a.$$ $AUTH_ATTR rm -f /tmp/a.$$ fi EXEC_ATTR=$BASEDIR/etc/security/exec_attr if [ -f $EXEC_ATTR ] ; then sed -e '/^Network Security.*sbin\/ipsec.*/ D' \ -e '/^Network Security.*sbin\/ike.*/ D' \ -e '/^Network Security.*inet\/in\.iked.*/ D' \ -e '/^Network Security.*inet\/cert.*/ D' $EXEC_ATTR > /tmp/e.$$ cp /tmp/e.$$ $EXEC_ATTR rm -f /tmp/e.$$ fi INITTAB=$BASEDIR/etc/inittab if [ -f $INITTAB -a -n "$SUNW_PKG_INSTALL_ZONENAME" -a \ "$SUNW_PKG_INSTALL_ZONENAME" != "global" ]; then sed -e '/^ap:/d' -e '/^sp:/d' $INITTAB > /tmp/i.$$ cp /tmp/i.$$ $INITTAB rm -f /tmp/i.$$ fi VFSTAB=$BASEDIR/etc/vfstab if [ -f $VFSTAB -a -n "$SUNW_PKG_INSTALL_ZONENAME" -a \ "$SUNW_PKG_INSTALL_ZONENAME" != "global" ]; then sed '/^\/devices[ ]/d' $VFSTAB > /tmp/v.$$ cp /tmp/v.$$ $VFSTAB rm -f /tmp/v.$$ fi # # Get rid of obsolete BIND 8 server instance # cat >> $BASEDIR/var/svc/profile/upgrade <<\_DEL_BIND8 obs_se=/usr/sbin/in.named cur_se=`svcprop -p start/exec svc:/network/dns/server 2>/dev/null` if [ "$obs_se" = "$cur_se" ]; then svcadm disable -s svc:/network/dns/server:default svccfg delete svc:/network/dns/server:default # If this was the only instance, delete the service also svcs network/dns/server >/dev/null 2>&1 || \ svccfg delete svc:/network/dns/server fi _DEL_BIND8 # # Get rid of obsolete DARPA trivial name server (Death to IEN-116!) # cat >> $BASEDIR/var/svc/profile/upgrade <<\_DEL_TNAME svcs svc:/network/tname > /dev/null 2>&1 if [ "$?" = 0 ]; then svccfg delete -f svc:/network/tname fi _DEL_TNAME # # Remove stale GLD services # SVCCFG_REPOSITORY=$PKG_INSTALL_ROOT/etc/svc/repository.db export SVCCFG_REPOSITORY if [ -x /usr/sbin/svcadm -a -x /usr/sbin/svccfg -a \ -f $PKG_INSTALL_ROOT/var/svc/manifest/network/datalink.xml ]; then if [ -r $PKG_INSTALL_ROOT/etc/svc/volatile/repository_door ]; then # # Local package install. Need to disable the services first # before deleting. # svcadm disable -s svc:/network/aggregation >/dev/null 2>&1 svcadm disable -s svc:/network/datalink-init >/dev/null 2>&1 svcadm disable -s svc:/network/datalink >/dev/null 2>&1 fi svccfg delete svc:/network/aggregation >/dev/null 2>&1 svccfg delete svc:/network/datalink-init >/dev/null 2>&1 svccfg delete svc:/network/datalink >/dev/null 2>&1 fi # The ipsecalgs and policy services are delivered enabled. # The ike and manual-key services are delivered disabled. The # system administrator will need to enable them after creating # the config file(s). If the system has been upgraded and the # config files exist, enable the services on first boot. # The file in /tmp indicates that this system had already been # upgraded. The service will only be enabled on first upgrade. IKEMANIFEST=`echo ike.xml"$BASEPREFIX" | cut -c 1-256` if [ ! -f /tmp/${IKEMANIFEST} ]; then cat >> ${PKG_INSTALL_ROOT}/var/svc/profile/upgrade <<\_IPSECUPGRD if [ -f /etc/inet/ike/config ]; then /usr/sbin/svcadm enable svc:/network/ipsec/ike:default fi _IPSECUPGRD else rm /tmp/${IKEMANIFEST} fi MANKEYMANIFEST=`echo manual-key.xml"$BASEPREFIX" | cut -c 1-256` if [ ! -f /tmp/${MANKEYMANIFEST} ]; then cat >> ${PKG_INSTALL_ROOT}/var/svc/profile/upgrade <<\_IPSECUPGRD if [ -f /etc/inet/secret/ipseckeys ]; then /usr/sbin/svcadm enable svc:/network/ipsec/manual-key:default fi _IPSECUPGRD else rm /tmp/${MANKEYMANIFEST} fi # # If the eeprom service is present, remove it. We can't use # /var/svc/profile/upgrade as it runs before manifest-import. # /usr/sbin/svccfg -s svc:/platform/i86pc/eeprom:default end >/dev/null 2>&1 if [ "$?" = 0 ]; then if [ -r $PKG_INSTALL_ROOT/etc/svc/volatile/repository_door ]; then svcadm disable -s svc:/platform/i86pc/eeprom:default \ >/dev/null 2>&1 fi svccfg delete svc:/platform/i86pc/eeprom >/dev/null 2>&1 rm -f $PKG_INSTALL_ROOT/var/svc/profile/platform_i86pc.xml rm -f $PKG_INSTALL_ROOT/var/svc/profile/platform.xml fi # # svc:/network/rpc/keyserv is expected to be off on systems that don't # set domainname. On systems that do define a default domain, leave the # setting as previously set. # cat >> $BASEDIR/var/svc/profile/upgrade <<\_CSVC_UPGRADE_2 if [ ! -f /etc/defaultdomain ]; then svcadm disable network/rpc/keyserv fi _CSVC_UPGRADE_2 if [ "$UPDATE" != yes ]; then # # On initial install, default to ns_files.xml. The installer will # customize, if appropriate. # ln -s ns_files.xml $BASEDIR/var/svc/profile/name_service.xml elif [ ! -r $BASEDIR/var/svc/profile/name_service.xml ] || \ [ ! -L $BASEDIR/var/svc/profile/name_service.xml ]; then # # Associate name service profile, if none present. # grep ldap $BASEDIR/etc/nsswitch.conf >/dev/null 2>&1 is_ldap=$? grep nis $BASEDIR/etc/nsswitch.conf >/dev/null 2>&1 is_nis=$? if [ $is_ldap = 0 ]; then ns_profile=ns_ldap.xml elif [ $is_nis = 0 ]; then ns_profile=ns_nis.xml else ns_profile=ns_files.xml fi # Remove stale copy of name_service.xml, if it is not a symlink. if [ ! -L $BASEDIR/var/svc/profile/name_service.xml ]; then /usr/bin/rm -f $BASEDIR/var/svc/profile/name_service.xml fi ln -s $ns_profile $BASEDIR/var/svc/profile/name_service.xml grep dns $BASEDIR/etc/nsswitch.conf >/dev/null 2>&1 if [ $? = 0 ]; then echo "/usr/sbin/svcadm enable network/dns/client" >> \ $BASEDIR/var/svc/profile/upgrade fi fi # # Associate correct inetd services profile. # rm -f $BASEDIR/var/svc/profile/inetd_services.xml if [ "$UPDATE" = yes ]; then ln -s inetd_upgrade.xml $BASEDIR/var/svc/profile/inetd_services.xml # Ensure inetd-upgrade is run post-upgrade echo "/usr/sbin/svcadm enable network/inetd-upgrade" >> \ $BASEDIR/var/svc/profile/upgrade else ln -s inetd_generic.xml $BASEDIR/var/svc/profile/inetd_services.xml fi # # /etc/svc/repository.db was previously packaged but it is now generated # from one of the seed repositories and then updated by svccfg(1M). # Therefore, removef(1M) is used to remove the packaging database entry # although the repository itself is preserved. # /usr/sbin/removef $PKGINST /etc/svc/repository.db >/dev/null 2>&1 /usr/sbin/removef -f $PKGINST >/dev/null 2>&1 PROFILEDIR=$BASEDIR/var/svc/profile GENERICXML=${PROFILEDIR}/generic.xml if [ -f $BASEDIR/var/SUNWcsr-apply-limited-net ]; then UPGRADEFILE=${PROFILEDIR}/upgrade ln -sf ./generic_limited_net.xml ${GENERICXML} cat >> ${UPGRADEFILE} <<\_ENABLE_LIMITED_NET # # apply the generic_limit_net profile selected at install # time, and set the accompanying properties since they can't # be readily set in the profile as of yet. # apply_limited_net() { /usr/sbin/netservices limited } # apply_limited_net as last action of this upgrade script trap apply_limited_net 0 _ENABLE_LIMITED_NET rm -f $BASEDIR/var/SUNWcsr-apply-limited-net else # # This is not an initial (zone-)install: we are upgrading. # # If we have a previous version of generic.xml, keep that. # Otherwise (upgrade from pre-SMF filesystem) take the default # action, i.e., sym-link to ./generic_open.xml # if [ ! -h $GENERICXML -a ! -f $GENERICXML ]; then ln -s ./generic_open.xml $GENERICXML fi fi # generic.xml is now dynamically maintained at install/upgrade time # and no longer delivered by any package. We therefore removef(1) # any reference to it in the package database. removef $PKGINST /var/svc/profile/generic.xml >/dev/null 2>&1 removef -f $PKGINST >/dev/null 2>&1 # Solaris audit's internal "enable/disable" state is maintained by # c2audit; if c2audit accepts the auditconfig query, then auditing is # enabled. If that is the case, then SMF should always enable auditd # in the global zone and also in a non-global zone if perzone auditing # is in use. cat >> $BASEDIR/var/svc/profile/upgrade <<\_ENABLE_AUDIT /usr/sbin/auditconfig -getcond 2> /dev/null if [ $? -eq 0 ]; then if [ `/sbin/zonename` = global ]; then /usr/sbin/svcadm enable system/auditd else echo `/usr/sbin/auditconfig -getpolicy` | grep perzone > /dev/null if [ $? -eq 0 ]; then /usr/sbin/svcadm enable system/auditd fi fi fi _ENABLE_AUDIT # if platform/sun4u/mpxio-upgrade service exists, then # delete the service on boot after upgrading. if [ "$UPDATE" = yes ]; then cat >> $BASEDIR/var/svc/profile/upgrade <<\_MPXIOUPGRD /usr/bin/svcs platform/sun4u/mpxio-upgrade > /dev/null 2>&1 if [ "$?" = 0 ]; then /usr/sbin/svccfg delete svc:/platform/sun4u/mpxio-upgrade fi _MPXIOUPGRD fi # # Add nwam to sysidconfig app list so sys-unconfig does the right thing # cat >> $BASEDIR/var/svc/profile/upgrade <<\_NWAM_SYSID /usr/sbin/sysidconfig -b "${PKG_INSTALL_ROOT}" -l |\ /usr/bin/grep -s net-nwam >/dev/null if [ $? -ne 0 ]; then /usr/sbin/sysidconfig -b "${PKG_INSTALL_ROOT}" \ -a /lib/svc/method/net-nwam fi _NWAM_SYSID # # Migrate /etc/acctadm.conf settings to smf(5) repository. Enable the instance # if the configuration differs from the default configuration. # cat >> $BASEDIR/var/svc/profile/upgrade <<\_ACCTADM if [ -f /etc/acctadm.conf ]; then . /etc/acctadm.conf fmri="svc:/system/extended-accounting:flow" svccfg -s $fmri setprop config/file = \ ${ACCTADM_FLOW_FILE:="none"} svccfg -s $fmri setprop config/tracked = \ ${ACCTADM_FLOW_TRACKED:="none"} svccfg -s $fmri setprop config/untracked = \ ${ACCTADM_FLOW_UNTRACKED:="extended"} if [ ${ACCTADM_FLOW_ENABLE:="no"} = "yes" ]; then svccfg -s $fmri setprop config/enabled = "true" else svccfg -s $fmri setprop config/enabled = "false" fi if [ $ACCTADM_FLOW_ENABLE = "yes" -o $ACCTADM_FLOW_FILE != "none" -o \ $ACCTADM_FLOW_TRACKED != "none" ]; then svcadm enable $fmri fi fmri="svc:/system/extended-accounting:process" svccfg -s $fmri setprop config/file = \ ${ACCTADM_PROC_FILE:="none"} svccfg -s $fmri setprop config/tracked = \ ${ACCTADM_PROC_TRACKED:="none"} svccfg -s $fmri setprop config/untracked = \ ${ACCTADM_PROC_UNTRACKED:="extended,host"} if [ ${ACCTADM_PROC_ENABLE:="no"} = "yes" ]; then svccfg -s $fmri setprop config/enabled = "true" else svccfg -s $fmri setprop config/enabled = "false" fi if [ $ACCTADM_PROC_ENABLE = "yes" -o $ACCTADM_PROC_FILE != "none" -o \ $ACCTADM_PROC_TRACKED != "none" ]; then svcadm enable $fmri fi fmri="svc:/system/extended-accounting:task" svccfg -s $fmri setprop config/file = \ ${ACCTADM_TASK_FILE:="none"} svccfg -s $fmri setprop config/tracked = \ ${ACCTADM_TASK_TRACKED:="none"} svccfg -s $fmri setprop config/untracked = \ ${ACCTADM_TASK_UNTRACKED:="extended"} if [ ${ACCTADM_TASK_ENABLE:="no"} = "yes" ]; then svccfg -s $fmri setprop config/enabled = "true" else svccfg -s $fmri setprop config/enabled = "false" fi if [ $ACCTADM_TASK_ENABLE = "yes" -o $ACCTADM_TASK_FILE != "none" -o \ $ACCTADM_TASK_TRACKED != "none" ]; then svcadm enable $fmri fi rm /etc/acctadm.conf fi _ACCTADM exit 0