My little SMF FAQ

Last Update: 09.02.2007 18:30 /bs
This is still work in progess!!!!

My little SMF FAQ

Introduction

This is not a real FAQ - only my collection of SMF related information collected from blogs, usenet entries, discussion, man pages, and my own experiences.

Please note that mostly all of the entries are copied via "cut and paste " from the source mentioned. So all credits go to the authors of the sources mentioned - not me.

I'll update this page everytime I find new information but still believe there should be a FAQ about SMF on one the pages from OpenSolaris.

If you find a bug or know information not mentioned here please let me know - either via email or through the little mail interface on this website.

If you are new to SMF you should read the Solaris Service Management Facility - Quickstart Guide before using this FAQ.

Frankfurt 22.05.2006 Bernd Schemmer

Update 07.06.2006:

The draft of another Q&A for SMF is here

Update 09.02.2007:

There is now als a SMF FAQ on OpenSolaris.org: http://opensolaris.org/os/community/smf/faq/

Questions and Answers

Commands

Q: What commands are used to administrate services?

A: The following commands are used to administrate services:

command	purpose	comment
/usr/bin/svcs	report service status
/usr/bin/svcadm	manipulate service instances
/usr/bin/svcprop	retrieve service configuration properties
/usr/sbin/svccfg	import, export, and modify service configurations
/usr/sbin/inetadm	observe or configure inetd-controlled services
/usr/sbin/inetconv	convert inetd.conf entries into smf service manifests, import them into smf repository

A short overview of the commands is here: Ganesh Hiregoudar: SMF commands and here: Solaris SMF Commands Memo (Sunsolve Doc ID 82049)

Q: What daemons are used by SMF?

A: The following daemons are used by SMF:

daemon	purpose	comment
/lib/svc/bin/svc.startd	Service Management Facility master restarter
/lib/svc/bin/svc.configd	Service Management Facility repository daemon
/usr/lib/inet/inetd	Solaris Management Facility delegated restarter for inet services. From the inetd man page: Services are no longer managed by editing the inetd configuration file, inetd.conf(4). Instead, you use inetconv(1M) to convert the configuration file content into SMF format services, then manage these services using inetadm(1M) and svcadm(1M). Once a service has been converted by `inetconv`, any changes to the legacy data in the `inetd` config file will not become effective. However, `inetd` does alert the administrator when it notices change in the configuration file. See the start description under the "inetd Methods" section for further information. Also note that the current `inetd` cannot be run from outside the SMF. This means it cannot be run from the command line, as was supported by the previous `inetd`. If you attempt to do this, a message is sent to stderr displaying mappings between the options supported by the previous `inetd` to the SMF version of `inetd`.

Directories

Q: What directories are used by SMF ?

A: The following table lists SMF related directories (the list may be incomplete!):

Directory	content	comment
/etc/svc	configuration files
/etc/svc/volatile	log files of the service methods that run before /var is mounted read/write	this directory is mounted on a ram disk
/lib/svc/bin	binaries used by SMF	These binaries should not be called manually!
/lib/svc/capture	Reserved for future work: Capture methods were for configuration migration; I'm still not certain this approach is viable, since the conditions restricting when the capture method should be allowed to run are unclear. Source: SMF discussion @ solaris.org
/lib/svc/method	method scripts for SMF
/lib/svc/monitor	Reserved for future work: The monitor directory is for monitor method commands, when smf(5) gets a full service monitor spec. Monitors and transitions, which I think have been mentioned on the alias before, are closely related. Source: SMF discussion @ solaris.org
/lib/svc/seed	initial SMF repositories
/lib/svc/share	include scripts for methods implemented as scripts
/var/svc/log	log files of the service methods that run after /var is mounted read/write
/var/svc/manifests/*	directories with the manifests	Do NOT change manifests supplied by Sun.
/var/svc/manifests/site	directory for site specific manifests
/var/svc/profiles	directory with profiles

Files

Q: What files are used by SMF ?

A: The following table lists SMF related files (the list may be incomplete!):

file	content	comment
/etc/svc/repository*	SMF repository and backups of the repository
/etc/svc/repository.db	persistent SMF repository	source: Liane's Blog
/etc/svc/volatile/svc_nonpersist.db	non-persistent SMF repository that contains service execution information, such as process IDs, contract IDs, and stae transition times.	source: Liane's Blog
/lib/svc/seed/global.db	initial SMF repository for the global zone
/lib/svc/seed/nonglobal.db	initial SMF repository for non-global zones
/lib/svc/share/smf_include.sh	include file for methods implemented as shell script

/usr/share/lib/xml/dtd/service_bundle.dtd.1	Service description DTD
/var/svc/profile/upgrade	Used for upgrades; this is an undocumented feature, see this thread This file is shell script sourced in by /lib/svc/method/manifest-import.

/sbin/rcS	start script for the legacy scripts in the milestone single-user	do not call manually
/sbin/rc2	start script for the legacy scripts in the milestone multi-user	do not call manually
/sbin/rc3	Start script for the legacy scripts in the milestone multi-user-server	do not call manually

Methods

Q: What methods are supported by the restarter svc.startd?

A: The restarter svc.startd supports the methods

method	type	action	comment
refresh	optional	refresh the configuration of a service	Do NOT kill the process in a refresh method! The default refresh service for a service if not explicitly configured is :true!
start	required	start the service	use :true if your service has no start method
stop	required	stop the service	use :true if your service has no stop method; use :kill to kill all processes in the service contract

Q: What methods are supported by the restarter inetd?

A: The restarter inetd supports the methods

method	type	action	comment
refresh	optional	refresh the configuration of a service
start	required	start the service
stop	required	stop the service

Q: Are there any functions for methods implemented as shell scripts?

A: Yes, you can source in the file /lib/svc/share/smf_include.sh in your shell script

/lib/svc/share/smf_include.sh defines the following functions:

function	what it does	comment
smf_present	returns 0 if SMF is present or a value not equal zero if SMF is not present	the function does not check if the script is called from the restarter
smf_clear_env	clears the environment variables set by smf_include.sh	call this function to clear the environment before calling a daemon
smf_console	Use as "echo message 2>&1 \| smf_console". If SMF_MSGLOG_REDIRECT is unset, message will be displayed to console. SMF_MSGLOG_REDIRECT is reserved for future use.
smf_netstrategy	Sets _INIT_NET_IF to the name for the network-booted interface if we are booting from the network. _INIT_NET_STRATEGY assigned the value of the current network configuration strategy. Valid values for _INIT_NET_STRATEGY are "none", "dhcp", and "rarp" The network boot strategy for a zone is always "none".
smf_kill_contract	To be called from stop methods of non-transient services. Sends SIGNAL to the service contract CONTRACT. If the WAIT argument is non-zero, smf_kill_contract will wait until the contract is empty before returning, or until TIMEOUT expires.

/lib/svc/share/smf_include.sh defines the following return codes for method scripts:

name	value	meaning	comment
SMF_EXIT_OK	0	success
SMF_EXIT_ERR_FATAL	95	failed, administrative action required
SMF_EXIT_ERR_CONFIG	96	unrecoverable configuration error (e.g. a config file is missing)
SMF_EXIT_MON_DEGRADE	97	service is in degraded mode	Note: not supported yet
SMF_EXIT_MON_OFFLINE	98	service is non-responsive and offline
SMF_EXIT_ERR_NOSMF	99	method called outside of SMF
SMF_EXIT_ERR_PERM	100	permission for the method missing

Q: What environment variables are defined by the restarters?

A: The restarter svc.stard and inetd define the following environment variables:

environment variable	content	comment
SMF_FMRI	The service fault management resource identifier (FMRI) of the instance for which the method is invoked.
SMF_METHOD	The full method name of the method that is invoked
SMF_RESTARTER	The service FMRI of the restarter that invokes the method

Q: What are "Method tokens"?

A: Method tokens are placeholder for service values. These placeholders are replaced with their values by the svc.startd daemon. They can only be used as parameter for method calls (start, stop, or refresh)

Sample:

#  
(bash):root@ferrari:/var/develop/script_templates #
svcprop mysql | grep "start/exec"

#   start/exec astring /etc/my_smf_scripts/mysql.server\
start\ \"%r\ +\ \ %m\ +\ %s\ +\ %i\ +\ %f\ %{start/user}\ +\
%{start/group}\"\

Source: SMF discussion @ solaris.org

The restarter svc.startd supports the following method tokens:

%: %%

%r: Name of the restarter, such as svc.startd

%m: Name of the method, such as start or stop

%s: Name of the service

%i: Name of the instance

%f: FMRI of the instance

%{prop[:,]}: Value(s) of a property. The prop might be a property FMRI, a property group name and a property name separated by a /, or a property name in the application property group. These values can be followed by a, (comma) or : (colon). If present, the separators are used to separate multiple e.g. %{start/user}

Note that the method tokens are not supported by the delegated restarter inetd.

see also the smf_method man page

Q: What is the default PATH variable content for methods?

A: svc.startd sets the PATH to /usr/sbin:/usr/bin before invoking a method.

Q: What environment is used for methods?

A: By default, all enviroment variables, except the PATH variable and the environment variables SMF_FMRI, SMF_METHOD, and SMF_RESTARTER, supplied to the methods are those that svc.startd inherited from init.d

Q: What keywords exist for methods?

A: As of time of this writing the following method keywords exist (I would call them abbreviations)

Keyword	Action	Comment
:kill [-signal]	Kill all processes in the contract of this service	used for example in stop methods
:true	returns 0	used in stop / start methods if you don't need to do any action there

Q: What about calling svcadm for the same service from inside a SMF method for that service?

e.g. It might be useful to disable a service in the start method of a service depending on configuration changes

A: SMF doesn't care. The things you have to watch out for are using a synchronous invocation (svcadm enable/disable -s), which could lead to a deadlock (though I suppose that would eventually be resolved by timing out the method and killing everything) and that it may take svc.startd a while to implement a normal svcadm enable/disable request. That's why the NFS services which temporarily disable themselves use sleep.

Otherwise, svc.startd might restart them until the disable takes effect.

Source: SMF discussion @ solaris.org

Q: How does SMF handle (errornous) calling svcadm enable <FRMI> in the start method of the service <FRMI> (or svcadm disable in the stop method of the service)?

A: No effect. svcadm enable/disable just sets a property on the service, for which svc.configd will notify svc.startd, which will notice that
nothing has changed.

Source: SMF discussion @ solaris.org

Q: How about calling svcadm enable/disable for other services from inside a start/stop method?

A: That should work but if you ever need to use -s, make sure the dependencies won't cause a deadlock.

Source: SMF discussion @ solaris.org

Q: What general restrictions regarding SMF commands apply to SMF methods?

A: svc.startd doesn't interfere with anything your method may do. It's just a matter of when the commands will take effect.

Source: SMF discussion @ solaris.org

Q: How to check if a script is called from an SMF restarter?

A: Check if the environment variable SMF_FMRI is set or not. If you were paranoid, you could check that all of SMF_FMRI, SMF_METHOD, and SMF_RESTARTER were set, and set to self-consistent values.

Note that the function smf_present from /lib/svc/share/smf_include.sh only checks if SMF is running at all!

see Sample for a hybrid script that can be used as method and also called manually by the user for an example.

Source: SMF dicussion @ solaris.org

Q: How to read input from the console from a service?

A: It is discouraged, but entirely possible. :) We put in the warning to discourage software ISVs from putting in services which stop boot to expect configuration of their software. That's hostile to other software running on the system, and is a nasty surprise to people who didn't configure their systems explicitly to do so. We didn't take away the explicit choice from folks who want to deploy their systems that way.

You'd essentially need to create an SMF service which redirects its input and output from the console, and make sure it doesn't conflict with any Solaris services which expect input from the console.

That is, you need to make sure the customer's service isn't running at the same time as the sysid services, kdmconfig service (on x86), boot-archive service, console-login service, or dtlogin/gdm2 services. Where it would need to go depends on your customer's requirements for how early the boot process needs to be stopped (before network services? before filesystem mounts?).

Let us know if we can help with the manifest. You can see the sysid services as an example. Essentially, they just do this in the methods (i.e. in /lib/svc/method/sysidtool-system):

/usr/sbin/sysidsys > /dev/console < /dev/console 2>&1

Source: SMF discussion @solaris.org

Q: If a method fails 3 times in a row the service is put into maintenance mode. Can this value be changed?

A: No, not currently

Source: SMF discussion @solaris.org

Manifests

Q: How to write my first manifest?

A: The best method is to copy the manifest for an existing service and change it to your need.

You can use

system/utmp for a simple standalone daemon
system/coreadm for simple configuration service (e.g. the service runs only once at system start)
network/telnet for an inetd-managed service
network/http:apache2 for an service with dependencies

To create a manifest for an inetd based service there's another easy way:

Create a temporary file (e.g. /tmp/my_new_service) and add the entry for your daemon to a that file using the syntax used in /etc/inetd.conf. After that run

mkdir /tmp/inetd_services

inetconv -i /tmp/my_new_service -n -o /tmp/inetd_services

In /tmp/inetd_services you will then find a manifest for your new services in /etc/inet.conf. Edit it if necessary and use svccfg import to import it.

After importing the manifest you should move it to /var/svc/manifest/site so that it get imported again if the repository hast to rebuild.

The temporary file and the temporary directory are not used anymore and can be removed.

Q: How to check a manifest for syntax errors?

A: Use xmllint to check the syntax of manifests:

$ xmllint --valid /tmp/gdm2-login.xml

/tmp/gdm2-login.xml:26: parser error : Opening and ending tag mismatch:
french_fry line 26 and french_fries

<french_fry>I,m a bad element.</french_fries>

Repository

Q: How to restore the SMF repository?

A: Use

/lib/svc/bin/restore_repository

to restore a backup of the repository

see http://sun.com/msg/SMF-8000-MY for more information on restore_repository.

Q: How to check the integrity of a repository?

A: Use:

REPOSITORY="/var/tmp/myrepository.db"



if [ $( echo PRAGMA integrity_check \; | /lib/svc/bin/sqlite
${REPOSITORY} ) = "^ok$" ] ; then

  echo "The repository is okay"

else

  echo "Looks like the repository is not okay"

fi

Source: /lib/svc/bin/restore_repository

Q: Can I change the number of repository backups?

A: No, the number of backups is hardcoded to 4.

Source: SMF discussion @ solaris.org

There's a work around in Bug Database entry:

Use mdb on svc.configd to change the variable max_repository_backups from the default (4) to the desired value:

# mdb -w /lib/svc/bin/svc.configd
Loading modules: [ svc.configd ]
> max_repository_backups?W 8
svc.configd`max_repository_backups:             0x4             =       0x8
> $q

Q: How to manually backup the repository?

A: There's no supported method to do this right now but there's an RFE to add this feature.

In the meantime you can do a pstop on svc.configd and the copy the file /etc/svc/respository.db.

Source: SMF discussion @ solaris.org

Q: Are there any undocumented parameter for svc.configd?

A: It looks like there are; see this blog entry

Legacy Scripts

Q: Are the legacy scripts executed by /bin/sh as before or does svc.startd honour the "#!" entry in the first line?

A: The latter. If the script's name does not end with .sh, then /etc/rc? launches it with a plain lsvcrun invocation (no -s), which exec()s "/bin/sh -c <script>", which I believe should respect the interpreter of the script.

Source: SMF discussion @ solaris.org

see also the milestone start scripts (/usr/sbin/rc*)

Q: When are legacy scripts executed ?

A: From the smf man page:

Startup programs in the /etc/rc?.d directories are executed as part of the corresponding run-level milestone:

/etc/rcS.d: milestone/single-user:default
/etc/rc2.d: milestone/multi-user:default
/etc/rc3.d: milestone/multi-user-server:default

Execution of each program is represented as a reduced-functionality service instance named by the program's path. These instances are held in a special legacy-run state.

These instances do not have an enabled property and, generally, cannot be manipulated with the svcadm(1M) command. No error diagnosis or restart is done for these programs.

Q: Where are logs of the legacy scripts?

A: The legacy script log to the logfile of the milestone that executes the scripts.

That are

Scripts in the directory /etc/rcS.d log to the logfile of the milestone single-user:

    /var/svc/log/milestone-single-user:default.log

Scripts in the directory /etc/rc2.d log to the logfile of the milestone multi-user:

    /var/svc/log/milestone-multi-user:default.log

Scripts in the directory /etc/rc3.d/ log to the logfile of the milestone multi-user-server:

    /var/svc/log/milestone-multi-user-server:default.log

Q: Can I add a dependency on a legacy script?

A: No, you can't add dependencies on legacy scripts. But you can add dependency on the milestone that executes the legacy script. The same is true for dependents.

See also: SMF discussion @ solaris.org

Q: How long will legacy scripts be supported?

A: Those are Stable interfaces, so, per the documentation in attributes(5), they would need to remain until the next Major release of Solaris ("6.0" -- unlikely ever to happen), and even then an incompatibility would need exceptional justification.

In other words, I think the answer has to be "forever."

Source: SMF discussion @ solaris.org

Services

Q: How to check if a service is running in a script?

A: Use svcs with the -H and -o switch

e.g.

SERVICE_STATE=$"( svcs -H -o state apache2 )"

Q: How to disable a service?

A: Use svcadm disable

e.g.

svcadm disable apache2

Notes: This is an asynchronous call.

You should check the dependents of the service before disabling it (because these services will also be disabled), e.g

(bash):root@ferrari:/root # svcs -D network/physical

STATE         
STIME    FMRI

disabled       12:41:55
svc:/network/iscsi_initiator:default

disabled       12:41:56
svc:/network/cswopenldap:default

online         12:41:58
svc:/system/identity:node

online         12:42:01
svc:/application/print/cleanup:default

online         12:42:52
svc:/network/rpc/cde-calendar-manager:udp

online         12:42:52
svc:/network/rpc/cde-ttdbserver:tcp

online         12:42:52
svc:/network/cde-spc:default

online         12:43:01
svc:/network/ssh:default

online         12:43:02
svc:/filesystem/share_cdrom_images:default

online         12:53:26
svc:/network/ipfilter:default

online         12:53:26
svc:/milestone/network:default

online         12:53:27
svc:/system/identity:domain

You should also check the processes that are in the contract of the service because these services will also be stopped. This is especially important if you want to disable one of the login services like telnet or ssh ...

Use

svcs -p <FRMI>

to retrieve the list of processes in the contract

Q: How to enable a service?

A: Use svcadm enable

e.g.

svcadm enable apache2

Note : This is an asynchronous call.

Q: How to temporary disable/enable a service?

A: Use the -t flag of svcadm

e.g.

svcadm enable -t apache2

svcadm disable -t apache2

Changes made with the -t flag are only valid until the next reboot. Without the -t flag the changes are persistent.

Note : This is an asynchronous call.

Q: How to list temporary enabled services?

A: You can use svcprop(1) for that:

e.g.

# svcadm disable -t svc:/system/cron:default # svcprop -p general_ovr/enabled svc:/system/cron:default 2>/dev/null false # svcadm enable -t svc:/system/cron:default # svcprop -p general_ovr/enabled svc:/system/cron:default 2>/dev/null true # svcadm enable svc:/system/cron:default # svcprop -p general_ovr/enabled svc:/system/cron:default 2>/dev/null #
svcprop returns 'false' if the service is temporary disabled and
'true' if the service is temporary enabled; otherwise it returns nothing.

Use


    svcprop -p general_ovr/enabled \* 2>/dev/null

to list all temporary enabled or temporary disabled services.

Q: How to enable/disable a service if the filesystem with the repository is mounted read-only?

A: Use the -t flag of svcadm

Q: How to enable/disable a service and wait until the service is started/stopped?

A: Use the -s flag of svcadm

e.g.

svcadm enable -s apache2

svcadm disable -s apache2

Note that svcadm normally starts and stops the services asynchronously.

Q: How to refresh a service?

A: Use svcadm refresh, e.g.

svcadm refresh svc:/system/cron:default

Note:

Not every service has a refresh method!
Therefor check the logfile after doing the refresh:

cat /var/svc/log/system-cron:default.log [ Feb 24 10:49:06 Disabled. ] [ Feb 24 10:49:07 Rereading configuration. ] [ Feb 24 10:50:15 Enabled. ] [ Feb 24 10:50:25 Executing start method ("/lib/svc/method/svc-cron") ] [ Feb 24 10:50:25 Method "start" exited with status 0 ] [ May 15 12:05:18 Executing start method ("/lib/svc/method/svc-cron") ] [ May 15 12:05:18 Method "start" exited with status 0 ] [ May 15 12:12:34 Executing start method ("/lib/svc/method/svc-cron") ] [ May 15 12:12:34 Method "start" exited with status 0 ] [ May 15 12:16:49 Executing start method ("/lib/svc/method/svc-cron") ] [ May 15 12:16:49 Method "start" exited with status 0 ] [ May 22 11:22:51 Rereading configuration. ] [ May 22 11:22:51 No 'refresh' method defined. Treating as :true. ]
This service has NO refresh method defined; therefor a refresh will do nothing. In this case you need to disable and enable the service to force a reread of the configuration files if there are no application specific methods to force the application to reread the configuration file(s).

Q: How to delete a service?

A: Disable the service using svcadm and then delete the service using svccfg. After this you should remove the manifest from the directory /var/svc/manifests/<...> (if any exists) to avoid reenabling the service in case of a repository recovery.

Example:

svcadm disable -s svc:/network/swat/tcp:default

svccfg delete svc:/network/swat/tcp:default

[ -f

/var/svc/manifest/site/swat.xml ] &&

rm
/var/svc/manifest/site/swat.xml

Q: How to get a list of all services?

A: Use svcs, e.g



# list all running services (including the services ready to run
but
not yet running)

svcs

# list all configured services

scvs -a



# list all services with problems

svcs -x

Q: How to list all defined services with the description?

A: Use svcs , e.g.svcs -a -o fmri,desc FMRI DESC lrc:/etc/rcS_d/S50sk98sol - lrc:/etc/rcS_d/S51installupdates - lrc:/etc/rc2_d/S02sloggi - lrc:/etc/rc2_d/S10lu - lrc:/etc/rc2_d/S20sysetup - lrc:/etc/rc2_d/S40llc2 - lrc:/etc/rc2_d/S42ncakmod - lrc:/etc/rc2_d/S47pppd - lrc:/etc/rc2_d/S70uucp - lrc:/etc/rc2_d/S72autoinstall - lrc:/etc/rc2_d/S73cachefs_daemon - lrc:/etc/rc2_d/S76ACT_dumpscript - lrc:/etc/rc2_d/S78cswfconfig - lrc:/etc/rc2_d/S81dodatadm_udaplt - lrc:/etc/rc2_d/S89PRESERVE - lrc:/etc/rc2_d/S90wbem - lrc:/etc/rc2_d/S94ncalogd - lrc:/etc/rc2_d/S98deallocate - lrc:/etc/rc3_d/S16boot_server - lrc:/etc/rc3_d/S50apache - lrc:/etc/rc3_d/S52imq - lrc:/etc/rc3_d/S75seaport - lrc:/etc/rc3_d/S76snmpdx - lrc:/etc/rc3_d/S77dmi - lrc:/etc/rc3_d/S80mipagent - lrc:/etc/rc3_d/S82initsma - lrc:/etc/rc3_d/S84appserv - lrc:/etc/rc3_d/S96init_cssd - lrc:/etc/rc3_d/S99cswrxstack - svc:/network/iscsi_initiator:default - svc:/system/metainit:default SVM initialization svc:/network/nfs/cbd:default NFS callback service svc:/network/rpc/nisplus:default NIS+ svc:/network/rpc/keyserv:default RPC encryption key storage svc:/network/nis/server:default NIS (YP) server svc:/network/ldap/client:default LDAP client svc:/network/nis/client:default NIS (YP) client svc:/network/inetd-upgrade:default inetd-upgrade svc:/application/print/server:default LP print server svc:/network/smtp:sendmail sendmail SMTP mail transfer agent svc:/network/ntp:default Network Time Protocol (NTP) svc:/system/auditd:default Solaris audit daemon svc:/system/mdmonitor:default SVM monitor svc:/system/rcap:default resource capping daemon svc:/network/cswopenldap:default OpenLDAP community developed LDAP software svc:/network/rpc/bootparams:default boot parameter server svc:/network/rarp:default Reverse Address Resolution Protocol (RARP) server svc:/network/dhcp-server:default DHCP server svc:/application/gdm2-login:default GNOME Display Manager svc:/network/dns/server:default - svc:/network/security/kadmin:default Kerberos administration daemon svc:/network/security/krb5kdc:default Kerberos key distribution center svc:/network/security/krb5_prop:default Kerberos propagation daemon for slave KDCs svc:/network/slp:default Service Location Protocol (SLP) svc:/network/apocd/udp:default Configuration Agent svc:/network/nis/passwd:default NIS (YP) password daemon svc:/network/nis/update:default NIS (YP) update daemon svc:/network/nis/xfr:default NIS (YP) transfer daemon svc:/system/consadm:default console monitoring svc:/system/sar:default system activity reporting package svc:/system/basicreg:default - svc:/system/pools:default resource pools framework svc:/system/pools/dynamic:default dynamic resource pools svc:/application/management/common-agent-container-1:default Cacao, a common Java container for JDMK/JMX based management solution svc:/network/rpc/ocfserv:default OpenCard Framework (OCF) communications svc:/network/rpc/rex:default remote execution server svc:/network/rpc/spray:default RPC spray svc:/network/rpc/wall:default network rwall server svc:/network/tname:default trivial name server svc:/network/uucp:default UUCP server svc:/network/chargen:dgram character generator svc:/network/chargen:stream character generator svc:/network/daytime:dgram daytime svc:/network/daytime:stream daytime svc:/network/discard:dgram discard svc:/network/discard:stream discard svc:/network/echo:dgram echo svc:/network/echo:stream echo svc:/network/time:dgram time svc:/network/time:stream time svc:/network/comsat:default comsat svc:/network/login:eklogin remote login svc:/network/login:klogin remote login svc:/network/rexec:default rexec svc:/network/shell:kshell rsh svc:/network/talk:default talk svc:/system/svc/restarter:default master restarter svc:/milestone/name-services:default name services milestone svc:/network/loopback:default loopback network interface svc:/system/filesystem/root:default root file system mount svc:/network/pfil:default packet filter svc:/system/scheduler:default default scheduling class configuration svc:/network/physical:default physical network interfaces svc:/system/identity:node system identity (nodename) svc:/system/boot-archive:default check boot archive content svc:/system/filesystem/usr:default read/write root file systems mounts svc:/site/batstat:default Batstat initialization settings. svc:/site/powernow:default Control AMD power states depending on CPU use. svc:/platform/i86pc/eeprom:default EEPROM emulation svc:/system/keymap:default keyboard defaults svc:/system/device/local:default Standard Solaris device configuration. svc:/milestone/network:default Network milestone svc:/system/filesystem/minimal:default minimal file system mounts svc:/system/rmtmpfiles:default remove temporary files svc:/system/coreadm:default system-wide core file configuration svc:/system/sysevent:default system event notification svc:/system/picl:default platform information and control svc:/system/power:default power management svc:/system/device/fc-fabric:default Solaris FC fabric device configuration. svc:/milestone/devices:default device configuration milestone svc:/application/print/cleanup:default print cleanup svc:/system/cryptosvc:default cryptographic services svc:/system/manifest-import:default service manifest import svc:/network/initial:default initial network services svc:/network/service:default layered network services svc:/milestone/single-user:default single-user milestone svc:/site/acerkb:default Acer Keyboard hacks. svc:/system/filesystem/local:default local file system mounts svc:/system/sysidtool:net sysidtool svc:/system/cron:default clock daemon (cron) svc:/application/opengl/ogl-select:default OpenGL runtime select svc:/network/rpc/bind:default RPC bindings svc:/system/sysidtool:system sysidtool svc:/application/servers/tomcat:default Tomcat svc:/network/nfs/status:default NFS status monitor svc:/network/nfs/nlockmgr:default NFS lock manager svc:/network/rsync:default RSYNC daemon svc:/application/management/webmin:default Webmin, a httpd based system administration tool. svc:/application/font/fc-cache:default FontConfig Cache Builder svc:/network/ipfilter:default IP Filter svc:/network/dns/client:default DNS resolver svc:/system/identity:domain system identity (domainname) svc:/system/name-service-cache:default name service cache svc:/network/inetmenu:default Display configuration svc:/platform/i86pc/kdmconfig:default Display configuration svc:/milestone/sysconfig:default Basic system configuration milestone svc:/system/sac:default SAF service access controller svc:/network/inetd:default inetd svc:/system/utmp:default utmpx monitoring svc:/system/console-login:default Console login svc:/network/rpc/gss:default Generic Security Service svc:/network/rpc/meta:default SVM remote metaset services svc:/network/rpc/smserver:default removable media management svc:/application/x11/xfs:default X Window System font server svc:/application/font/stfsloader:default Standard Type Services Framework (STSF) Font Server loader svc:/network/rpc/cde-calendar-manager:udp CDE calendar manager server svc:/network/rpc/cde-ttdbserver:tcp ToolTalk database server svc:/network/rpc/mdcomm:default SVM multi-node communications svc:/network/rpc/metamed:default SVM remote mediator services svc:/network/rpc/metamh:default SVM remote multihost disk services svc:/network/rpc/rstat:default kernel statistics server svc:/network/rpc/rusers:default network user name service svc:/network/cde-spc:default CDE subprocess control svc:/network/security/ktkt_warn:default Kerberos V5 warning messages daemon svc:/network/swat:default swat svc:/network/nfs/rquota:default remote quota server svc:/network/telnet:default Telnet server svc:/network/ftp:default FTP server svc:/network/finger:default finger svc:/network/login:rlogin remote login svc:/network/shell:default rsh svc:/network/rpc-100235_1/rpc_ticotsord:default 100235 svc:/system/filesystem/volfs:default Volume Management filesystem svc:/network/nfs/mapid:default NFS ID mapper svc:/network/nfs/client:default NFS client svc:/system/filesystem/autofs:default automounter svc:/network/nfs/server:default NFS server svc:/system/system-log:default system log svc:/system/dumpadm:default system crash dump configuration svc:/network/ssh:default SSH server svc:/filesystem/share_cdrom_images:default share_cdrom_images.sh svc:/system/fmd:default Solaris Fault Manager svc:/milestone/multi-user:default multi-user milestone svc:/system/intrd:default interrupt balancer svc:/application/ntop:default ntop Network sniffer svc:/application/mysql:default Mysql database server svc:/network/manserver:default manserver - http server for man 2 html conversion svc:/application/cde-printinfo:default CDE Print Viewer svc:/application/postgresql:default Postgres SQL database server svc:/application/graphical-login/cde-login:default CDE login svc:/application/print/cupsserver:default cups print server svc:/network/http:apache2 Apache 2 HTTP server svc:/network/samba:default SAMBA Server svc:/system/webconsole:console java web console svc:/milestone/multi-user-server:default multi-user plus exports milestone svc:/system/zones:default Zones autoboot svc:/application/print/ipp-listener:default Internet Print Protocol Listening Service svc:/application/print/rfc1179:default BSD print protocol adapter

Q: How to tell if the process is being monitored and which PID it is watching?

A: Use svcs -p, e.g.

svcs -p apache2 STATE STIME FMRI online 18:35:38 svc:/network/http:apache2 18:35:38 1134 httpd 18:35:50 1250 httpd 18:35:50 1252 httpd 18:35:50 1254 httpd 18:35:50 1256 httpd 18:35:50 1258 httpd

Q: How to wait until the status of a service changed?

A: Use svcprop -w, example (from the svcprop manpage):

This example waits for the sendmail instance to change state.

svcprop -w -p restarter/state sendmail

Q: How do I start a service or daemon at run level 2 using SMF?

A: If you're taking a service out of rc2.d, then you need to have a dependency on milestone/single-user, and you need to declare
milestone/multi-user as a dependent (not a dependency). This will ensure that you start after the rcS.d scripts, before any rc2.d scripts
which may depend on you (though before any rc2.d scripts which you may depend on, so you can only do this if your rc2.d dependencies have also been adapted to SMF), and that you will run if the user executes 'init 2' or 'svcadm milestone multi-user'.

e.g.


         ...
         <dependency
                name='single-user'
                grouping='require_all'
                restart_on='none'
                type='service'>
                <service_fmri value='svc:/milestone/single-user' />
        </dependency>

        <dependent 
                name='multi-user' 
                grouping='optional_all'  
                restart_on='none' >
                <service_fmri value='svc:/milestone/multi-user' />
        </dependent>
        ...

Source: SMF discussion @ solaris.org

Service properties

Q: How to view the properties of a service?

A: Use svcprop

e.g.

svcprop apache2

Q: How to view one property of a service?

A: Use svcprop

e.g.

svcprop -p "stop/exec" apache2

Q: How to check if a property of a service is defined?

A: Use svcprop

e.g

svcprop -q  -p stop/exec ipfilter 

if [ $? -eq 0 ] ; then

  echo "Propery is defined"

else

  echo "Property is not defined"

fi

Q: How to check which methods are implemented for a service?

A: Use svcprop, e.g.

svcprop sendmail | grep exec start/exec astring /lib/svc/method/smtp-sendmail\ start stop/exec astring /lib/svc/method/smtp-sendmail\ stop\ %{restarter/contract} refresh/exec astring /lib/svc/method/smtp-sendmail\ refresh

Q: How to list the start/stop scripts of a service?

Use svcprop to read the properties "start/exec" and "stop/exec"

e.g

svcprop -p "start/exec" apache2

svcprop -p "stop/exec" apache2

Q: How to list the logfile of a service?

A: Use svcprop to read the propertie "restarter/logfile"

e.g

svcprop -p "restarter/logfile" apache2

Sample Script to view the logfile of a service

#!/usr/bin/ksh

if [ "$1"x = ""x -o "$1"x = "-h"x ] ; then

  echo "Usage: $( basename $0 ) FMRI [...]"

  exit 2

fi



while [ $# -ne 0 ] ; do

  LOGFILE="$( svcprop -p restarter/logfile $1)"

  echo "

 -----------------------------------------------------------------------------

"

  echo "Reading the logfile of the service \"$1\" ..."



  if [ $? -eq 0 -a "${LOGFILE}"x != ""x ] ; then

    view "${LOGFILE}"

  else

    echo "ERROR: Can not find a logfile for the service
\"$1\" "

    [ $# -eq 1 ] && return

    echo "Press return to continue ..."

    read dummy

  fi

  shift

done

Another script posted first on the SMF Discussion list can be downloaded here: http://www2.petervg.nl/software [09.05.06])

Q: How to change the terminal type of the console?

A: Use

svccfg -s system/console-login 'setprop
ttymon/terminal_type =
sun'

To view the current settings use

svcprop -p ttymon/terminal_type system/console-login

sun

To see all of the ttymon family of properties, issue:

svcprop -p ttymon system/console-login

ttymon/device astring /dev/console

ttymon/label astring console

ttymon/modules astring ldterm,ttcompat

ttymon/nohangup boolean true

ttymon/prompt astring \`uname\ -n\`\ console\ login:

ttymon/timeout count 0

ttymon/terminal_type astring sun

Q: What properties are implemented for services managed by inetd?

A: From the inetd man page:

The properties comprising the basic configuration for inetd managed services are as follows:

property	meaning	comment
bind_fail_interval	The time interval in seconds between a failed bind attempt and a retry. The values `0` and `-1` specify that no retries are attempted and the first failure is handled the same as exceeding `bind_fail_max`.	default: -1
`bind_fail_max`	The maximum number of times `inetd` retries binding to a service's associated port before giving up. The value `-1` specifies that no retry limit is imposed. If none of the service's protocols were bound to before any imposed limit is reached, the service goes to the `maintenance` state; otherwise, if not all of the protocols were bound to, the service goes to the `degraded` state.	default: -1
`con_rate_offline`	The time in seconds a service will remain offline if it exceeds its configured maximum connection rate, `max_con_rate`. The values `0` and `-1` specify that connection rate limiting is disabled.	default: -1
`endpoint_type`	The type of the socket used by the service or the value `tli` to signify a TLI-based service. Valid socket type values are: `stream`, `dgram`, `raw`, `seqpacket`.
`failrate_cnt`	The count portion of the service's failure rate limit. The failure rate limit applies to `wait`-type services and is reached when `count` instances of the service are started within a given time. Exceeding the rate results in the service being transitioned to the `maintenance` state. This is different from the behavior of the previous `inetd`, which continued to retry every 10 minutes, indefinitely. The `failrate_cnt` check accounts for badly behaving servers that fail before consuming the service request and which would otherwise be continually restarted, taxing system resources. Failure rate is equivalent to the `-r` option of the previous `inetd`. The values `0` and `-1` specify that this feature is disabled.	default: 40 (?)
`failrate_interval`	The time portion in seconds of the service's failure rate. The values `0` and `-1` specify that the failure rate limit feature is disabled.	default: 60 (?)
`inherit_env`	If true, pass `inetd`'s environment on to the service's start method. Regardless of this setting, `inetd` will set the variables `SMF_FMRI`, `SMF_METHOD`, and `SMF_RESTARTER` in the start method's environment, as well as any environment variables set in the method context. These variables are described in smf_method(5).
`isrpc`	If true, this is an RPC service.
`max_con_rate`	The maximum allowed connection rate, in connections per second, for a `nowait`-type service. The values `0` and `-1` specify that that connection rate limiting is disabled.	default: -1
`max_copies`	The maximum number of copies of a `nowait` service that can run concurrently. The values `0` and `-1` specify that copies limiting is disabled.	default: -1
`name`	Can be set to one of the following values: a service name understood by getservbyname(3SOCKET); if `isrpc` is set to `true`, a service name understood by getrpcbyname(3NSL); if `isrpc` is set to `true`, a valid RPC program number.
proto	In the case of socket-based services, this is a list of protocols supported by the service. Valid protocols are: `tcp`, `tcp6`, `tcp6only`, `udp`, `udp6`, and `udp6only`. In the case of TLI services, this is a list of netids recognized by getnetconfigent(3NSL) supported by the service, plus the values `tcp6only` and `udp6only`. RPC/TLI services also support nettypes in this list, and `inetd` first tries to interpret the list member as a nettype for these service types. The values `tcp6only` and `udp6only` are new to `inetd`; these values request that `inetd` listen only for and pass on true `IPv6` requests (not IPv4 mapped ones).
`rpc_low_version`	Lowest supported RPC version. Required when `isrpc` is set to `true`.
`rpc_high_version`	Highest supported RPC version. Required when `isrpc` is set to `true`.
`tcp_trace`	If true, and this is a `nowait`-type service, `inetd` logs the client's IP address and TCP port number, along with the name of the service, for each incoming connection, using the syslog(3C) facility. `inetd` uses the `syslog` facility `code` daemon and `notice` priority level. See syslog.conf(4) for a description of `syslog` codes and severity levels. This logging is separate from the logging done by the TCP wrappers facility. `tcp_trace` is equivalent to the previous `inetd`'s `-t` option (and the `/etc/default/inetd` property `ENABLE_CONNECTION_LOGGING`).	default: false
`tcp_wrappers`	If `true`, enable TCP wrappers access control. This applies only to services with `endpoint_type` set to `streams` and `wait` set to `false`. The `syslog` facility `code` daemon is used to log allowed connections (using the `notice` severity level) and denied traffic (using the `warning` severity level). See syslog.conf(4) for a description of `syslog` codes and severity levels. The stability level of the TCP wrappers facility and its configuration files is External. As the TCP wrappers facility is not controlled by Sun, intra-release incompatibilities are not uncommon. See attributes(5). For more information about configuring TCP wrappers, you can refer to the `tcpd(1M)` and `hosts_access(4)` man pages, which are delivered as part of the Solaris operating system at `/usr/sfw/man`. These pages are not part of the standard Solaris man pages, available at `/usr/man`. `tcp_wrappers` is equivalent to the previous inetd's `/etc/default/inetd` property `ENABLE_TCPWRAPPERS`	default: false
`wait`	If `true` this is a `wait`-type service, otherwise it is a `nowait`-type service. A `wait`-type service has the following characteristics: Its `inetd_start` method will take over listening duties on the service's bound endpoint when it is executed. `inetd` will wait for it to exit after it is executed before it resumes listening duties. Datagram servers must be configured as being of type `wait`, as they are always invoked with the original datagram endpoint that will participate in delivering the service bound to the specified service. They do not have separate "listening" and "accepting" sockets. Connection-oriented services, such as TCP stream services can be designed to be either of type `wait` or `nowait`.

Q: Can I use svccfg to change properties in an SMF method?

A: Yes. svcadm refresh would be required to get the changes into the running snapshot (which is required to get no-option svcprop to report them). svcadm refresh is an asynchronous request to svc.startd, and I don't think you can count on it finishing while your method is running.

Source: SMF discussion @ solaris.org

Q: Can I create temporary properties? (properties that are automatically deleted with a reboot)

A: You can both modify existing non-persistent property groups or create your own, as long as you have sufficient privilege. Modifying system property groups, of course, is asking for trouble.

Source: SMF discussion @ solaris.org

Q: Can I dynamically change the the timeout value inside a method and svc.startd uses the new value for the current method run?

A: svc.startd reads timeouts just before the method is executed, so no, you can't change it in-flight. Since it reads them from the running snapshot, a change would become effective on the next svcadm refresh.

Source: SMF discussion @ solaris.org

Q: How to add a new dependency for a service without changing the manifest?

A: Use svccfg, example:

#!/usr/bin/ksh



# name of the new property

#

  IPFILTER_INETMENU_DEPENDENCY="inetmenu-service" 



# FRMI of the service for which we want to add a new dependecy

#

  IPFILTER_FRMI="svc:/network/ipfilter:default"



# FRMI of the service that our service should be dependent on

#

  SERVICE_NAME="svc:/network/inetmenu:default"



# first check if the dependency is already configured

#

  svcprop -q -p "${IPFILTER_INETMENU_DEPENDENCY}"
"${IPFILTER_FRMI}" 

  if [ $? -eq 0 ] ; then

    echo "The dependency is already configurd - nothing
to do here"

  else

    echo "Configuring dependency ..."



# create a temporary input file for svccfg

#

    TMPFILE="/tmp/tmpfile.$$"



    cat <<EOT >"${TMPFILE}"

select ${IPFILTER_FRMI}

addpg   ${IPFILTER_INETMENU_DEPENDENCY} dependency

setprop ${IPFILTER_INETMENU_DEPENDENCY}/grouping = astring:
"optional_all"

setprop ${IPFILTER_INETMENU_DEPENDENCY}/restart_on = astring: "none"

setprop ${IPFILTER_INETMENU_DEPENDENCY}/type = astring: "service"

setprop ${IPFILTER_INETMENU_DEPENDENCY}/entities = fmri:
"${SERVICE_NAME}"

end

EOT



# add the dependency

#

    svccfg -f "${TMPFILE}"

 

# refresh the service to make the dependency active

#                                                                            


    svcadm refresh "${IPFILTER_FRMI}"



# remove the temporary file

#

    rm "${TMPFILE}"



  fi

Note that AFAIK the only reliable method to check for dependency cycles is to use

svcadm refresh
<service>

or reboot. Both actions will put the service into maintenance mode if a dependency cycle is detected.

PS: The example code fraqment above will create a dependency cycle!

Service states

Q: What service states are supported by inetd?

A: From the inetd man page :

Services managed by inetd can be in the states

uninitialized, online, degraded, offline, disabled, and maintenance.

Q: What is the service state "offline"?

A: A service is in the state "offline" if it is enabled and ready to run but one or more dependencies are not yet fullfilled.

Use

svcs -d <fmri>

to view the dependencies of a service

Please note that a service is also in the state "offline" if the start or stop method is running. Therefor you should check the reason for the state, e.g.

svcs -x svc:/milestone/multi-user-server:default
svc:/milestone/multi-user-server:default (multi-user plus exports milestone)
 State: offline since Wed May 24 12:13:19 2006
Reason: Start method is running.
   See: http://sun.com/msg/SMF-8000-C4
   See: init(1M)
   See: /var/svc/log/milestone-multi-user-server:default.log
Impact: 1 dependent service is not running.  (Use -v for list.)
bash-3.00#

Q: What is the service state "degraded"?

A: In the current implementation, this state cannot occur. Future work to integrate smf(5) with the fault management features wll utilize this state. An example would be a hardware failure involving a cryptographic accelerator: the crypto services would use their software implementations (unaccelerated), but would be in the degraded state because potentially useful system capabilities are faulty.

Source: Solaris Forum

inetd managed services

Q: How to list all services managed by inetd?

A: Use inetadm, e.g

inetadm ENABLED STATE FMRI enabled online svc:/application/x11/xfs:default enabled online svc:/application/font/stfsloader:default enabled offline svc:/application/print/rfc1179:default enabled online svc:/network/rpc/gss:default disabled disabled svc:/network/rpc/mdcomm:default disabled disabled svc:/network/rpc/meta:default disabled disabled svc:/network/rpc/metamed:default disabled disabled svc:/network/rpc/metamh:default enabled online svc:/network/rpc/rstat:default enabled online svc:/network/rpc/rusers:default disabled disabled svc:/network/rpc/spray:default disabled disabled svc:/network/rpc/wall:default enabled online svc:/network/security/ktkt_warn:default disabled disabled svc:/network/security/krb5_prop:default enabled online svc:/network/telnet:default disabled disabled svc:/network/comsat:default enabled online svc:/network/finger:default disabled disabled svc:/network/login:eklogin disabled disabled svc:/network/login:klogin enabled online svc:/network/login:rlogin disabled disabled svc:/network/rexec:default enabled online svc:/network/shell:default disabled disabled svc:/network/shell:kshell disabled disabled svc:/network/talk:default disabled disabled svc:/platform/sun4u/dcs:default enabled online svc:/network/rpc-100235_1/rpc_ticotsord:default enabled online svc:/network/rpc-100083_1/rpc_tcp:default enabled online svc:/network/nfs/rquota:default

Q: How to view the default values for inetd managed services?

A: Use inetadm -p, e.g.

inetadm -p NAME=VALUE bind_addr="" bind_fail_max=-1 bind_fail_interval=-1 max_con_rate=-1 max_copies=-1 con_rate_offline=-1 failrate_cnt=40 failrate_interval=60 inherit_env=TRUE tcp_trace=FALSE tcp_wrappers=FALSE

Q: How to list the properties of an inetd managed service?

A: Use inetadm -l, e.g.

inetadm -l svc:/network/telnet:default SCOPE NAME=VALUE name="telnet" endpoint_type="stream" proto="tcp6" isrpc=FALSE wait=FALSE exec="/usr/sbin/in.telnetd" user="root" default bind_addr="" default bind_fail_max=-1 default bind_fail_interval=-1 default max_con_rate=-1 default max_copies=-1 default con_rate_offline=-1 default failrate_cnt=40 default failrate_interval=60 default inherit_env=TRUE default tcp_trace=FALSE default tcp_wrappers=FALSE

Q: How to check if the TCP wrapper is enabled for a service?

A: Use inetadm -l, e.g.

inetadm -l svc:/network/telnet:default | grep tcp_wrappers default tcp_wrappers=FALSE

Q: How to enable the TCP wrapper for a service?

A: Use inetadm -m, e.g.

inetadm -m svc:/network/telnet:default tcp_wrappers=true # # check the new status # inetadm -l svc:/network/telnet:default | grep tcp_wrappers tcp_wrappers=TRUE

see also here and here, or here

Note the man page for hosts.allow and hosts.deny is

man -M /usr/sfw/man hosts_options

Q: How to disable the TCP wrapper for a service?

A: Use inetadm -m, e.g.

inetadm -m svc:/network/telnet:default tcp_wrappers=false # # check the new status # bash-3.00# inetadm -l svc:/network/telnet:default | grep tcp_wrappers tcp_wrappers=FALSE

see also here and here, or here

Note the man page for hosts.allow and hosts.deny is

man -M /usr/sfw/man hosts_options

Q: How to start a service managed by inetd?

A: Use inetadm -e, e.g.

inetadm -e kshell # # check the results # bash-3.00# inetadm | grep kshell enabled disabled svc:/network/shell:kshell

Q: How to stop a service managed by inetd?

A: Use inetadm -d, e.g.

inetadm -d kshell # # check the results # inetadm | grep kshell disabled disabled svc:/network/shell:kshell

Q: Are inetd internal services still provided by inetd itself?

Services formelery provided by inetd itself (called internal services) are still provided by inetd and can not be converted with inetconf.

Internal services are:

discard
time
daytime
chargen
echo

(see also the source code of inetconv)

Installation

Q: Can I create a flash archive with an already populated SMF repository?

A: Yes, you can.

Source: SMF discussion @solaris.org

Q: What would be the best way to change a system-provided manifest ?

A: First, file a bug against the service where you're looking to change the manifest. If you or a customer of yours is finding a need to change a system-provided manifest, that means there's a change in behaviour that isn't supported by the manifest. It shouldn't be necessary to change system manifests, all behaviour changes *should* be customizable with supported configuration variables/properties -- but there are some lingering bugs/rfes in a few services. It should be a high priority to get these filed and fixed, which we can't do without data about what changes people are making!

Once you've done that, here's the procedure:

- File a bug documenting the lack of supported way to change the config you want to change. (Hey, can I stress this enough? :) )

- Copy the existing method to a new location.

If you want to make the customization in a single local zone rather than in the global zone and all local zones, you'll need to put the new method into a zone-modifyable location. (e.g. somewhere in /opt)

- Modify the method with your changes.

- Configure the REPOSITORY to point at your new method:

svccfg -s <fmri> setprop start/exec = "<method invocation>"

- When you're ready to commit the changes you made and start the service with the new method:

svcadm refresh <fmri> (commit the changes)
svcadm restart <fmri> (restart the service)

What's absolutely critical here is that you customize the service using the repository directly, not by changing manifests and re-uploading them. SMF tries very very hard to preserve administrator customizations. The way it knows what's an adminstrator customization is that it can tell the difference between config imported from a manifest and config made using svccfg (or libscf calls). We ship manifests as uneditable (packaging type f), so it isn't supported to change them. There's even a comment in all our manifests which say this!

So, what's the benefit of SMF knowing that this was an explicit administrator customization? When the system is upgraded, the customization will be preserved. If you stick the customization in the manifest, it won't be, as we believe that the manifest is the only one that ever delivered that change and it should be updated by the patch.

After a patch which changes the method, you'll need to re-apply your changes to the method, of course, as your method might have diverged from changes that we delivered in the patch/upgrade. That's why filing a bug is really important -- properties which influence behaviour rather than setting the method directly will not need to be modified across a patch/upgrade.

(It's clearly a bit early for me to be trying to explain the subtleties of this, so feel free to nudge about clarifications of particularly opaque sentences.)

Source: SMF discussion @solaris.org

Q: Is there a way how to store private data in SMF configuration repository? For example a password readable only by root?

A: There is no way to store private data in the repository. That was a design constraint for SMF, and we have no plans
to change it in the foreseeable future.

Source: SMF discussion @solaris.org

Q: Is /etc/inetd.conf still used?

A: No, /etc/inetd.conf is not used by inetd anymore. You can use inetconv to convert entries from /etc/inetd.conf into services. Changes in inetd.conf after the conversion are ignored by inetd.

But note that inetd checks if the entries in /etc/inetd.conf changed since last inetconv conversion while executing the start or refresh method. If it has, then a message telling the administrator to re-run inetconv to effect the changes made is logged iin syslog

Source: inetd man page

Profiles

Q: How to start writing new profiles?

A: Use either one of the existing profiles in /var/svc/profile as a starting point or create a profile from your running configuration using

svccfg extract >./myprofile

and edit it.

Q: How to apply a profile?

A: Use

svccfg apply /var/svc/profile/generic_limited_net.xml

Q: How to change the initial profile while installing?

A: Before the first reboot issue

ln -sf /a/var/svc/profile/<your_profile>
/a/var/svc/profile/generic.xml

Alternative create the file /a/var/svc/profile/site.xml

Milestones

Q: What milestones exist and how do the compare to the old run-level?

A: The following milestones exist:

milestone	runlevel	comment
none	n/a	mostly used for debugging only
single-user	S
multi-user	2
mutli-user-server	3
all	n/a	maybe 3+

see this thread on opensolaris for more infos.

In Solaris Express snv_41 the following milestones exist:

milestone	runlevel	comment
none	n/a	mostly used for debugging only
single-user	S
multi-user	2
mutli-user-server	3
all	n/a	maybe 3+
name-services	n/a
network	n/a
devices	n/a
sysconfig	n/a

Q: What's the functional difference between milestone "multi-user-server" and "all"?

A: At the multi-user-server milestone, services which milestone/multi-user-server doesn't depend on (directly or indirectly) will be disabled. For milestone all, no services are automatically disabled.

Source: SMF discussion @solaris.org

Q: Can I create new milestones my self and use them like the builtin milestones?

A: Not yet.

Source: SMF discussion @solaris.org

Q: How to exit the single user mode?

A: Use

svcadm milestone all

Note that exit or CTRL-D does not work anymore to leave the single user mode.

Q: In which milestone am I?

A: Use

svcprop -p options_ovr/milestone svc:/system/svc/restarter:default

Note :

The error message

svcprop: Couldn't find property `options_ovr/milestone' for instance `svc:/system/svc/restarter:default'.

means you're in the default milestone (normally this is the milestone "all")

Q: How to print the default milestone

svcprop svc:/system/svc/restarter:default | grep "options/milestone" || echo "The Default milestone is all"

Q: How to change the default milestone?

A: Use

svcadm milestone -d [new_default_milestone]

e.g.

svcadm milestone -d
svc:/milestone/multi-user-server:default

Note that this commands invocation also immediately changes the current runlevel to the new default milestone.

The default milestone is defined by the options/milestone property on the master restarter, svc:/system/svc/restarter:default.

So it should be possible to change this property to change the default milestone without changing the current milestone (Not tested yet!)

Misc / Unsorted

Q: What does the delete attribute mean in the /usr/share/lib/xml/dtd/service_bundle.dtd.1 ?

A: The delete attribute instructs svccfg import to delete an element from the repository, if it exists. The intent is to clean out obsolete elements installed by previous manifest versions.

This mechanism has been largely superceded by svccfg import's last-import functionality. It will automatically detect when an element has been removed from the manifest, and will delete it if it hasn't been customized.

Source: Solaris Forum

Q: How to add SMF to a package?

A: see here

Q: Is there a GUI for managing services?

A: Yes, WebMin now supports SMF (at least in the newer Nevada builds). There's also a beta of a standalone Java application for managing Services; see here

A small zenity application to manage SMF services can be downloaded from this page and another version is here.

Q: Where can I find an overview about SMF?

A: Read the smf man page and the Solaris Service Management Facility - Quickstart Guide.

Q: What's the order of the output of svcs -a?

A: It's by state and then by STIME (state time), sorted to sub-second precision, even though only seconds are displayed. That way after a boot services are displayed in precisely the order that they finished starting.

Source: SMF discussion @solaris.org

Error and trouble shooting

Q: How to turn on verbose logging?

A: Set the options/logging property of the restarter:

 /usr/sbin/svccfg -s system/svc/restarter:default
svc:/system/svc/restarter:default> addpg options application
svc:/system/svc/restarter:default> setprop options/logging = \
astring: verbose
svc:/system/svc/restarter:default> exit

Q: How to view the log file of a service?

A: Use for example the following code

view $( svcprop apache2 | grep -i log | cut -f3 -d " " )

Q: What infos to use to check a failed service?

A: Some general hints for trouble shooting a failed service, e.g

bash-3.00# svcs -x svc:/network/ntp:default svc:/network/ntp:default (Network Time Protocol (NTP)) State: maintenance since Fri May 26 14:40:07 2006 Reason: Start method exited with $SMF_EXIT_ERR_CONFIG. See: http://sun.com/msg/SMF-8000-KS See: xntpd(1M) See: ntpdate(1M) See: ntpq(1M) See: /var/svc/log/network-ntp:default.log Impact: This service is not running. bash-3.00#
bash-3.00# svcprop svc:/network/ntp:default | grep start/exec start/exec astring /lib/svc/method/xntp bash-3.00# svcs -d svc:/network/ntp:default STATE STIME FMRI online 13:33:11 svc:/network/service:default

check the reason for the failure in the output of svcs -x (Start method exited with $SMF_EXIT_ERR_CONFIG. in the example above)
check the log file of the service (/var/svc/log/network-ntp:default.log in the example above)
check the start script for the service (/lib/svc/method/xntp in the example above)
check the dependencies of the service (svc:/network/service:default in the example above)
check the SMF website of the service failure (http://sun.com/msg/SMF-8000-KS in the example above)

Q: How to repair a failed service?

A: There are two main reason a service can fail:

1. One of the dependencies of the service are not fullfilled

In this case the state of the service is "offline". Check the dependencies of the service (using "svcs -d <FRMI>") and repair the failed dependencies. The service will be restarted automatically after all dependencies are online (svcadm enable is NOT necessary).

Example:

# check why the service rfc1179 is offline # bash-3.00# svcs -l svc:/application/print/rfc1179:default fmri svc:/application/print/rfc1179:default name BSD print protocol adapter enabled true state offline next_state none state_time Mon May 22 14:23:22 2006 restarter svc:/network/inetd:default dependency require_all/error svc:/application/print/server (disabled) bash-3.00# svcs svc:/application/print/server STATE STIME FMRI disabled 14:22:57 svc:/application/print/server:default # rfc1179 needs the service print/server which is disabled # start the service print/server # bash-3.00# svcadm enable svc:/application/print/server # now check the service rfc1179 again # bash-3.00# svcs -x svc:/application/print/rfc1179:default svc:/application/print/rfc1179:default (BSD print protocol adapter) State: online since Tue May 23 12:16:20 2006 See: in.lpd(1M) Impact: None.

2. The start script of the service failed.

In this case the state of the service is "maintenance". View the logfile of the service and correct the failure. After doing this issue

svcadm clear <FRMI>

The service will then be restarted automatically by the SFM daemon (svcadm enable is NOT necessary).

Example:

# start ntp # bash-3.00# svcadm enable svc:/network/ntp:default # check the ntp service # bash-3.00# svcs -x svc:/network/ntp:default svc:/network/ntp:default (Network Time Protocol (NTP)) State: maintenance since Tue May 23 11:51:21 2006 Reason: Start method exited with $SMF_EXIT_ERR_CONFIG. See: http://sun.com/msg/SMF-8000-KS See: xntpd(1M) See: ntpdate(1M) See: ntpq(1M) See: /var/svc/log/network-ntp:default.log Impact: This service is not running. # start of ntp failed, check the log file # bash-3.00# cat /var/svc/log/network-ntp:default.log [ Feb 24 10:48:03 Disabled. ] [ Feb 24 10:48:03 Rereading configuration. ] [ May 23 11:51:21 Enabled. ] [ May 23 11:51:21 Executing start method ("/lib/svc/method/xntp") ] [ May 23 11:51:21 Method "start" exited with status 96 ] # nothing found in the logfile; check the script used to start ntp # # in the script we will see that the script needs the config file : # cat /lib/svc/method/xntp # ... # [ -f /etc/inet/ntp.conf ] || exit $SMF_EXIT_ERR_CONFIG # ... # check if the config file exists # bash-3.00# ls -l /etc/inet/ntp.conf bash-3.00# /etc/inet/ntp.conf: No such file or directory # the config file does not exist -> create it # bash-3.00# vi /etc/inet/ntp.conf # now clear the maintenance mode of the service # bash-3.00# svcadm clear svc:/network/ntp:default # check the ntp service again # bash-3.00# svcs -x svc:/network/ntp:default svc:/network/ntp:default (Network Time Protocol (NTP)) State: online since Tue May 23 12:05:27 2006 See: xntpd(1M) See: ntpdate(1M) See: ntpq(1M) See: /var/svc/log/network-ntp:default.log Impact: None.

Q: What does the error message below mean?

Mar 24 16:18:37/311 ERROR: svc:/application/postgres:default: Could not interpret user property. Mar 24 16:18:37/311: application/postgres:default failed

A: One of the user properties for your service is invalid; use "svcprop <FMRI>" and check all properties of your service; e.g. make sure that the user and group if defined exists, etc.

Q: I see sometimes a temporary svc frmi with the format "svc:/TEMP<..> and wondering what's going on here ?

A: Whenever "svccfg import" is used, a temporary service is created before the real service is created or upgraded. This is necessary to create the last-import snapshot properly. svccfg automatically deletes the temporary service upon successful completion. If you find such services on your system, then a svccfg import didn't finish properly. You should look for error messages from wherever svccfg import was invoked (usually system/manifest-import's log, in /var/svc/manifest, or during a pkgadd) and svccfg core files. The temporary service itself is meaningless and can be deleted. In fact, if svccfg import goes to create a temporary service but it already exists, it prints an error message and exits without importing anything.

Source: SMF discussion @solaris.org

Q: Where can I find trouble shooting hints in case SMF fails to start?

A: Read the instructions on the console. In addition there are instructions for this case in the file /lib/svc/share/README.

You might also take a look at the various blog entries talking about SMF or read this document on sunsolve.

Q: Hints for failed legacy scripts (rcS.d, rc2.d, and rc3.d)

A: If a legacy script runs longer than the expected timeout for the approbiate milestone service (default 1800 sec) the script is killed by the SMF daemon and the status of the milestone is set to "maintenance". All legacy scripts in the same run level that would run after the failed legacy script are NOT executed.

Example:

(bash):root@ferrari:/root # ls -1 /etc/rc3.d K96init.cssd README S16boot.server S50apache S52imq S75seaport S76snmpdx S77dmi S80mipagent S82initsma S84appserv S96init.cssd S99cswrxstack (bash):root@ferrari:/root #
If in this example S82initsma fails, the scripts S84appserv, S96init.cssd, and S99cswrxstack will not run.

To find & fix the failed script is the easiest part - but how to get the milestone into the status "online" again?
"svcadm refresh FRMI" works but doing this will re-execute *all* legacy scripts in that run level.

There's no propper way to fix this situation right now.

Looks like this is a bug; I filled a bug report for it (6436011) ; see also SMF discussion @solaris.org

Q: The apache2 service does not start after a reboot but it starts succesfull if enabled with svcadm?

A: If the httpd.conf file or the htdocs directory is not in the root filesystem the apache2 service may or may not start automatically a reboot.

The reason is a missing dependency on "local filesystem" in the service.

To resolve this issue add a dependency on "svc:/system/filesystem/local:default" to the apache2 service (see here for example code for doing this)

Note: In Solaris snv_37 this issue is fixed

Misc

Links

FAQ on opensolaris.org: http://opensolaris.org/os/community/smf/faq/

Predictive Self-Healing Knowledge Article Web

The draft of another Q&A for SMF is here

Open Solaris Projekt: Enhanced SMF Profiles

Secure by Default

SMF Usage page

Man Pages


svcs manpage			http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9th?a=view

svcadm manpage 			http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqi3?a=view

svcprop manpage			http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9tg?a=view

svccfg man page			http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqi4?a=view


inetadm manpage			http://docs.sun.com/app/docs/doc/816-5166/6mbb1kq3u?a=view

inetconv manpage		http://docs.sun.com/app/docs/doc/816-5166/6mbb1kq3v?a=view

inetd man page			http://docs.sun.com/app/docs/doc/816-5166/6mbb1kq40?a=view


svc.startd manpage		http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqi6?a=view

svc.configd manpage		http://docs.sun.com/app/docs/doc/816-5166/6mbb1kqi5?a=view


smf man page			http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3o?a=view

smf_security man page		http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3s?a=view

smf_method man page		http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3q?a=view

smf_restarter man page          http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3r?a=view

smf_bootstrap man page          http://docs.sun.com/app/docs/doc/816-5175/6mbba7f3p?a=view

service bundle man page		http://docs.sun.com/app/docs/doc/816-5174/6mbb98ujl?a=view

Articles

Solaris Service Management Facility - Quickstart Guide

Solaris Service Management Facility - Service Developer Introduction

SMF and RBAC authorizations

Blog Entries

Blog Entries by Liane Praza (I found ths page to late ....)

Liane Praza: A journey to the center of boot

Liane Praza: smf milestones, runlevels, and system maintenance

Liane Praza: smf repository design and implementation choices

Liane Praza: what's with these "legacy" services anyways?

Liane Praza: smf(5) and fault isolation on Solaris 10

Liane Praza: what services do I have?

Liane Praza: smf(5) and init.d script compatibility

Liane Praza: assembling services for boot with smf(5)

Liane Praza: smf(5) fault/retry models

Liane Praza: How does :kill work?

Stephen Hahn: smf(5): the system knowing more means...

Stephen Hahn: mf(5): asking versus doing

Stephen Hahn: smf(5): authorizations built-in

Stephen Hahn: smf(5): manifest editing assistance

Stephen Hahn: Bespoke services: application/catman

Stephen Hahn: Bespoke services: application/vncserver

Tobin Coziahr: SMF/Predictive Self Healing Overview

Tobin Coziahr: SMF/Predictive Self Healing Overview: Part 2

Tobin Coziahr: SMF/Predictive Self Healing: Graphing service dependencies

Tobin Coziahr: SMF/ Predictive Self Healing: svcs(1)

Tobin Coziahn: SMF/ Predictive Self Healing: svcadm(1)

YakShaving - Creating an SMF service (part 1)

YakShaving - Creating an SMF service (part 2)

YakShaving - Creating an SMF service (part 3)

Ganesh Hiregoudar: SMF commands

Dan Price: Debugging SMF problems

Ben Rockwood: A SMF Manifest CheatSheet

Jonathan Adam: Debugging smf -managed processes

Tom Whittens Blog

Jerry Jelinek: SVM and SMF

How to copy a service

Credits

Mattew Flanagan - Bug Correction for How do I start a service daemon at run level 2 using SMF?

Abbreviations

Abbreviation, name	meaning	comment
legacy scripts	these are the rc scripts in the directories /etc/rcS.d, /etc/rc2.d, and /etc/rc3.d
FRMI	Fault Managed Resource Identifier
RBAC	Role Based Acess Control
SMF	Service Management Facility
SDS	Solstice Disk Suite (now SVM)
SVM	Solaris Volume Manager (was SDS)

History

09.02.2007	Added link to the FAQ on OpenSolaris.org http://opensolaris.org/os/community/smf/faq/
26.07.2006	Updated: Links
25.07.2006	Updated: Links
17.07.2006	Updated: Links
03.07.2006	Updated: Milestones New: Are inetd internal services still provided by inetd
10.06.2006	Corrected: How do I start a service daemon at run level 2 using SMF? New: Added the link Open Solaris Projekt: Enhanced SMF Profiles
08.06.2006	Updated: Hints for failed legacy scripts
07.06.2006	Changed: Only syntax and spelling errors corrected added link to the draft of another Q&A for SMF: here
01.06.2006	New: How to list temporary enabled services
30.05.2006	New: Can I add a dependency on a legacy New: What keywords exist for methods
29.05.2006	New: How to check which methods are
26.05.2006	Update: How do I start a service or daemon at run level 2 using SMF New: What infos to use to check a failed
24.05.2006	Update: What is the service state offline New: Hints for failed legacy scripts (rcS.d, rc2.d, and rc3.d) Update: What files are used by SMF Improved: How to list all defined services with the description New: How do I start a service or daemon at run level 2 using SMF
23.05.2006	New: How to repair a failed service
22.05.2006	Corrected: In which milestone am I Corrected: How to change the default milestone New: How to print the default milestone New Section: inetd managed services New: How to list all defined services with the description New: How to refresh a service
18.05.2006	New: How to do manually backup the repository?
11.05.2006	Update: Files used by SMF New: Are there any undocumented parameter
09.05.2006	Update: How to list the logfile of a service?
08.05.2006	New: How to tell if the process is being monitored and which PID it is watching? Update: How to list the logfile of a service?
28.04.2006	Update: How to disable a service? New: How to add a new dependency for a service without changing the manifest? New: How to delete a service? New: How to check if a property of a service is defined? Update: The apache2 service does not start after a reboot but it starts succesfull if enabled with svcadm?
18.04.2006	Update: Can I change the number of repository backups?
10.04.2006	New: What's the order of the output of svcs -a
07.04.2006	Update: How to list the logfile of a service
06.04.2006	Update: Directories,
05.04.2006	removed the HowTo Section; added more infos about using the SMF commands
03.04.2006	added more information
30.03.2006	added more information
29.03.2006	added links to man pages added more information
28.03.2006	initial release