'\" te .\" Copyright (c) 2008, 2015, Oracle and/or its affiliates. All rights reserved. .TH installadm 1M "07 Apr 2015" "SunOS 5.11" "System Administration Commands" .SH NAME installadm \- Manages automated installations on a network .SH SYNOPSIS .LP .nf /usr/sbin/installadm [\fIsubcommand\fR] [-h|--help] .fi .LP .nf installadm help [\fIsubcommand\fR] .fi .LP .nf \fBinstalladm create-service\fR [\fB-n\fR <\fIsvcname\fR>] [\fB-p\fR <\fIprefix\fR>=<\fIorigin\fR> [\fB-K\fR <\fIkeypath\fR> \fB-C\fR <\fIcertpath\fR>]] [\fB-a\fR <\fIarchitecture\fR>] [\fB-s\fR <\fIFMRI/ISO\fR> | \fB-t\fR <\fIexisting_service\fR>] [\fB-b\fR <\fIboot property\fR>=<\fIvalue\fR>,... | \fB-G\fR <\fIgrub.cfg\fR>] [\fB-i\fR <\fIdhcp_ip_start\fR> \fB-c\fR <\fIcount_of_ipaddr\fR>] [\fB-B\fR <\fIserver_ipaddr\fR>] [\fB-M\fR <\fImanifest file\fR>] [\fB-d\fR <\fIimagepath\fR>] [\fB-y\fR] .fi .LP .nf \fBinstalladm set-service\fR [\fBoptions\fR] \fB-n\fR <\fIsvcname\fR> [\fB-t\fR <\fIexisting_service\fR>] [\fB-M\fR <\fImanifest name\fR>] [\fB-d\fR <\fIimagepath\fR>] [\fB-e\fR | \fB-D\fR] [\fB-G\fR [\fBnone\fR|<\fIgrub.cfg\fR>] [\fB-b\fR [\fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>[,... ]] [\fB-p\fR <\fIpolicy\fR>]] [\fB-x\fR [\fB--hash\fR <\fIca-hash\fR>]] [\fB-A\fR <\fIca-certfile\fR>...] 
[\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>] [\fB-g\fR] [\fB-E\fR] [\fB-H\fR] .fi .LP .nf installadm update-service [\fB-s\fR \fIFMRI\fR] [\fB-p\fR <\fIpublisher\fR>=<\fBorigin\fR> [\fB-K\fR <\fIkeypath\fR> \fB-C\fR <\fIcertpath\fR>]] \fB-n\fR <\fIsvcname\fR> .fi .LP .nf \fBinstalladm rename-service\fR \fB-n\fR <\fIsvcname\fR> \fB-N\fR <\fInewsvcname\fR> .fi .LP .nf \fBinstalladm enable\fR \fB-n\fR <\fIsvcname\fR> .fi .LP .nf \fBinstalladm disable\fR \fB-n\fR <\fIsvcname\fR> .fi .LP .nf \fBinstalladm delete-service\fR [\fB-r\fR] [\fB-y\fR] \fB-n\fR <\fIsvcname\fR> .fi .LP .nf installadm list [-a|--all | -s|--server -c|--client -m|--manifest -p|--profile] [-v|--verbose] [-n|--service <\fIsvcname\fR>] .fi .LP .nf installadm list [-v|--verbose] -e|--macaddr <\fImacaddr\fR> .fi .LP .nf installadm create-manifest [\fIoptions\fR] [\fIsource_options\fR] -n|--service <\fIsvcname\fR> .fi .LP .nf installadm update-manifest -n <\fIsvcname\fR> -m <\fImanifest\fR> .fi .LP .nf installadm update-manifest -n <\fIsvcname\fR> -f <\fIfilename\fR> [-m <\fImanifest\fR>] [-e] .fi .LP .nf \fBinstalladm delete-manifest\fR \fB-n\fR <\fIsvcname\fR> \fB-m\fR <\fImanifest\fR> .fi .LP .nf \fBinstalladm create-profile\fR \fB-n\fR <\fIsvcname\fR> \fB-f\fR <\fIfilename\fR> ... [\fB-p\fR <\fIprofile\fR>] [\fB-c\fR <\fIcriteria\fR>=<\fIvalue|list|range\fR> ... | \fB-C\fR <\fIcriteriafile\fR>] [-e install|system|all[,...] ] .fi .LP .nf installadm set-profile -n <\fIsvcname\fR> -p <\fIprofile name\fR> [-P <\fInew profile name\fR>] [-e install|system|all[,...] ] .fi .LP .nf \fBinstalladm update-profile\fR \fB-n\fR <\fIsvcname\fR> \fB-f\fR <\fIfilename\fR> [\fB-p\fR <\fIprofile\fR>] .fi .LP .nf \fBinstalladm delete-profile\fR \fB-n\fR <\fIsvcname\fR> \fB-p\fR <\fIprofile\fR> ... .fi .LP .nf \fBinstalladm export\fR [\fB-o\fR <\fIpath\fR>] \fB-n\fR <\fIsvcname\fR> [\fB-m\fR <\fImanifest name\fR>]... [\fB-p\fR <\fIprofile name\fR>]... 
.fi .LP .nf \fBinstalladm export\fR [\fB-o\fR <\fIpath\fR>] \fB-n\fR <\fIsvcname\fR> | \fB-e\fR <\fImacaddr\fR> \fB-G\fR .fi .LP .nf \fBinstalladm export\fR [\fB-o\fR <\fIpath\fR>] \fB-s\fR | \fB-n\fR <\fIsvcname\fR> | \fB-c\fR | \fB-e\fR <\fImacaddr\fR> [\fB-C\fR] [\fB-K\fR] [\fB-A\fR] .fi .LP .nf \fBinstalladm validate\fR \fB-n\fR <\fIsvcname\fR> [\fB-M\fR <\fImanifest_path\fR>]... [\fB-m\fR <\fImanifest_name\fR>]... [\fB-P\fR <\fIprofile_path\fR>]... [\fB-p\fR <\fIprofile_name\fR>]... .fi .LP .nf \fBinstalladm set-criteria\fR \fB-n\fR <\fIsvcname\fR> [\fB-m\fR <\fImanifest\fR>] [\fB-p\fR <\fBprofile\fR>]... [[\fB-c\fR <\fIcriteria\fR>=<\fIvalue|list|range\fR>]... | [\fB-C\fR <\fIcriteria.xml\fR>] | [\fB-a\fR <\fIcriteria\fR>=<\fIvalue|list|range\fR>]... | [\fB-d\fR <\fIcriteria\fR>]... | [\fB-D\fR]] .fi .LP .nf \fBinstalladm create-client\fR \fB-n\fR <\fIsvcname\fR> \fB-e\fR <\fImacaddr\fR> [\fB-b\fR <\fIproperty\fR>=<\fIvalue\fR>,...] [\fB-G\fR <\fIgrub.cfg\fR>] .fi .LP .nf \fBinstalladm set-client\fR \fB-e\fR <\fImacaddr\fR> [\fB-n\fR <\fIsvcname\fR>] [\fB-b\fR [\fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>,... ]] [\fB-G\fR [\fBnone\fR|<\fIgrub.cfg\fR>] [\fB-g\fR] [\fB-x\fR [\fB-y\fR] [\fB--hash\fR <\fIca-hash\fR>] [\fB-A\fR <\fIca-certfile\fR>]... [\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>] [\fB-E\fR] [\fB-H\fR] .fi .LP .nf \fBinstalladm set-server\fR [\fB-i\fR <\fIdhcp_ip_start\fR> \fB-c\fR <\fIcount_of_ipaddr\fR>] [\fB-p\fR <\fIport\fR>] [\fB-P\fR <\fIsecure_port\fR>] [\fB-d\fR <\fIdirectory\fR>] [\fB-l all\fR|<\fICIDR\fR>[,...] | [\fB-L none\fR|<\fICIDR\fR>[,...]]] [\fB-m | -M\fR] [\fB-u | -U\fR] [\fB-z | -Z\fR] [\fB-s | -S\fR] [[\fB-D\fR] [\fB-x\fR [\fB-r\fR] [\fB--hash\fR <\fIca-hash\fR>]] [\fB-g\fR] [\fB-A\fR <\fIca-certfile\fR>...] 
[\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>] [\fB-E\fR] [\fB-H\fR]] .fi .LP .nf \fBinstalladm execute\fR \fB-f\fR <\fIfile\fR> .fi .SH DESCRIPTION .sp .LP \fBinstalladm\fR can be invoked interactively, with an individual subcommand, or by specifying a command file that contains a series of subcommands. .sp .LP The Automated Installer (AI) is used to automate the installation of the Oracle Solaris OS on one or more SPARC and x86 systems over a network. .sp .LP The machine topography necessary to employ AI over the network is to have an install server, a DHCP server (this can be the same system as the install server), and the installation clients. On the install server, install services are set up to contain an AI boot image, which is provided to the clients in order for them to boot over the network, input specifications (AI manifests and derived manifest scripts), one of which will be selected for the client, and Service Management Facility (SMF) configuration profiles, zero or more of which will be selected for the client. .sp .LP The AI boot image content is published as the package \fBinstall-image/solaris-auto-install\fR, and is installed by the \fBcreate-service\fR subcommand. The \fBcreate-service\fR subcommand is also able to accept and unpack an AI ISO file to create the AI boot image. .sp .LP Install services are created with a default AI manifest, but customized manifests or derived manifest scripts (hereafter called "scripts") can be added to an install service by using the \fBcreate-manifest\fR subcommand. See \fIInstalling Oracle Solaris 11.3 Systems\fR for information about how to create manifests and derived manifests scripts. Manifests can also be edited using the interactive manifest editor CLI. 
The manifest editor CLI, which can be invoked using the \fBcreate-manifest\fR and \fBupdate-manifest\fR subcommands, is an interactive interface that presents the AI manifest content as a set of objects and properties that can be manipulated using subcommands entered at the interactive interface prompt. It allows you to edit a manifest without having to view or understand an XML document (see "MANIFEST EDITOR CLI" section below). The \fBcreate-manifest\fR subcommand also allows criteria to be specified, which are used to determine which manifest or script should be selected for an installation client. Criteria already associated with a manifest or script can be modified using the \fBset-criteria\fR subcommand. .sp .LP Manifests can include information such as a target device, partition information, a list of packages, and other parameters. Scripts contain commands that query a running AI client system and build a custom manifest based on the information it finds. When AI is invoked with a script, AI runs that script as its first task, to generate a manifest. .sp .LP When the client boots, a search is initiated for a manifest or script that matches the client's machine criteria. When a matching manifest or script is found, the client is installed with the Oracle Solaris release according to the specifications in the matching manifest file, or to the specifications in the manifest file derived from the matching script. Each client can use only one manifest or script. .sp .LP Each service has one default manifest or script. The default is used when the criteria of no other manifest or script matches the system being installed. Any manifest or script can be designated as the default. Default manifests can have criteria associated with them which is used when attempting to locate a matching manifest, however this manifest will be returned as the default should no other matching manifest be located. 
Manifests or scripts with no criteria associated with them can only be used as default manifests or scripts. Manifests or scripts without criteria become inactive when a different manifest or script is designated the default. .sp .LP System configuration profiles are complementary to manifests and scripts in that they also contain specifications for an installation. In particular, profiles are used to specify configuration information such as user name, user password, time zone, host name, and IP address. Profiles can contain variables that are replaced at installation time with appropriate values for the client being installed. In this way, a single profile file can set different configuration parameters on different clients. See the "Examples" section. .sp .LP System configuration profiles are processed by \fBsmf\fR(5) and conform to document format \fBservice_bundle\fR(4). See \fBsysconfig\fR(1M) and Chapter 11, \fIConfiguring the Client System,\fR in \fIInstalling Oracle Solaris 11.3 Systems\fR for more information about system configuration profiles. Each client can use any number of system configuration profiles. A particular SMF property can be specified no more than once for each client system. .sp .LP If you want a specific client to use a specific install service, you can associate that client with the service by using the \fBcreate-client\fR subcommand. You can also use \fBset-client\fR to modify an existing client. .sp .LP Automated installations can be secured with the Transport Layer Security (TLS) protocol. Private certificate and key pairs and Certificate Authority (CA) certificates can be assigned to the install server and to clients. The network download of the boot files of SPARC clients is further secured with OBP hash digest and encryption keys. An automated installation can be secured in the following ways: .RS +4 .TP .ie t \(bu .el o Server authentication: The identity of the server can be verified. 
.RE .RS +4 .TP .ie t \(bu .el o Client authentication: The identity of the client can be verified. .RE .RS +4 .TP .ie t \(bu .el o Access to automated installations can be controlled. .RE .RS +4 .TP .ie t \(bu .el o Access to server data can be controlled. .RE .RS +4 .TP .ie t \(bu .el o Client data can be protected for all clients or separately for specified clients. .RE .RS +4 .TP .ie t \(bu .el o Data can be encrypted so that it cannot be read over the network. .RE .RS +4 .TP .ie t \(bu .el o Secured IPS package repositories can be accessed. .RE .RS +4 .TP .ie t \(bu .el o A user-specified directory can be securely published by the web server. Client authentication is required to access this directory. .RE .sp .LP The \fBinstalladm\fR utility can be used to accomplish the following tasks: .RS +4 .TP .ie t \(bu .el o Configure the AI server SMF service .RE .RS +4 .TP .ie t \(bu .el o Set up install services and aliases .RE .RS +4 .TP .ie t \(bu .el o Update the net image of certain install services .RE .RS +4 .TP .ie t \(bu .el o Set up installation images .RE .RS +4 .TP .ie t \(bu .el o Set up or delete clients .RE .RS +4 .TP .ie t \(bu .el o Add, update, or delete manifests and scripts .RE .RS +4 .TP .ie t \(bu .el o Specify or modify criteria for a manifest or script .RE .RS +4 .TP .ie t \(bu .el o Export manifests and scripts .RE .RS +4 .TP .ie t \(bu .el o Add or delete system configuration profiles .RE .RS +4 .TP .ie t \(bu .el o Validate profiles .RE .RS +4 .TP .ie t \(bu .el o Specify or modify criteria for profiles .RE .RS +4 .TP .ie t \(bu .el o Export profiles .RE .RS +4 .TP .ie t \(bu .el o Enable or disable install services .RE .RS +4 .TP .ie t \(bu .el o List install services .RE .RS +4 .TP .ie t \(bu .el o List clients for an install service .RE .RS +4 .TP .ie t \(bu .el o List manifests and scripts for an install service .RE .RS +4 .TP .ie t \(bu .el o List profiles for an install service .RE .RS +4 .TP .ie t \(bu .el o Secure data transfers 
between the install server and the AI clients .RE .RS +4 .TP .ie t \(bu .el o Enable or disable security .RE .RS +4 .TP .ie t \(bu .el o Execute batches of subcommands .RE .SH OPTIONS .sp .LP The \fBinstalladm\fR command has the following option: .sp .ne 2 .mk .na \fB\fB-h\fR\fR .ad .br .na \fB\fB--help\fR\fR .ad .sp .6 .RS 4n Show the usage message for all subcommands. .sp If followed by a subcommand, will show the usage message for that subcommand only. .RE .SH SUB-COMMANDS .sp .LP The \fBinstalladm\fR command has the subcommands listed below. See also the "Examples" section below. .sp .ne 2 .mk .na \fB\fBinstalladm help [\fIsubcommand\fR]\fR\fR .ad .sp .6 .RS 4n Displays a summary of the available commands. .sp .ne 2 .mk .na \fB\fB\fIsubcommand\fR\fR\fR .ad .sp .6 .RS 4n Displays more help for the specified subcommand. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm create-service\fR [\fB-n\fR <\fIsvcname\fR>]\fR .ad .br .na \fB[\fB-p\fR <\fIprefix\fR>=<\fIorigin\fR>\fR .ad .br .na \fB[\fB-K\fR <\fIkeypath\fR> \fB-C\fR <\fIcertpath\fR>]]\fR .ad .br .na \fB[\fB-a\fR <\fIarchitecture\fR>]\fR .ad .br .na \fB[\fB-s\fR <\fIFMRI/ISO\fR> |\fR .ad .br .na \fB \fB-t\fR <\fIexisting_service\fR>]\fR .ad .br .na \fB[\fB-b\fR <\fIboot property\fR>=<\fIvalue\fR>,... | \fB-G\fR <\fIgrub.cfg\fR>]\fR .ad .br .na \fB[\fB-i\fR <\fIdhcp_ip_start\fR>\fR .ad .br .na \fB \fB-c\fR <\fIcount_of_ipaddr\fR>]\fR .ad .br .na \fB[\fB-B\fR <\fIserver_ipaddr\fR>]\fR .ad .br .na \fB[\fB-M\fR <\fImanifest file\fR>]\fR .ad .br .na \fB[\fB-d\fR <\fIimagepath\fR>]\fR .ad .br .na \fB[\fB-y\fR]\fR .ad .sp .6 .RS 4n This subcommand sets up a network boot image (net image) in the specified \fIimagepath\fR directory, and creates an install service that specifies how a client booted from the net image is installed. .sp The AI boot image content is published as the package \fBinstall-image/solaris-auto-install \fR. 
If the \fB-s\fR option is not specified, that package is installed from the first publisher in the system's publisher preference list that provides an instance of that package. The \fB-s\fR option accepts the \fBpkg\fR specification as a full FMRI or location of an image ISO file. The resulting net image is eventually located in \fIimagepath\fR. The net image enables client installations. .sp .LP Note the following specifications: .RS +4 .TP .ie t \(bu .el o When the first install service of a given architecture is created on an install server, an alias of that service, \fBdefault-i386\fR or \fBdefault-sparc\fR, is automatically created. This default service is used for all installations to clients of that architecture that were not added to the install server explicitly with the \fBcreate-client\fR subcommand. To change the service aliased by the \fBdefault-\fIarch\fR\fR service, use the \fBset-service\fR subcommand. To update the \fBdefault-\fIarch\fR\fR service, use the \fBupdate-service\fR subcommand. .sp If a \fBdefault-\fIarch\fR\fR alias is changed to a new install service and a local ISC DHCP configuration is found, this default alias boot file is set as the default DHCP server-wide boot file for that architecture. .RE .RS +4 .TP .ie t \(bu .el o If you want a client to use a different install service than the default for that architecture, you must use the \fBcreate-client\fR subcommand to create a client-specific configuration. .RE The options are any one of the following: .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Optional: Uses this install service name instead of a system-generated service name. The <\fIsvcname\fR> can consist of alphanumeric characters, underscores (\fB_\fR), and hyphens (\fB-\fR). The first character of <\fIsvcname\fR> cannot be a hyphen. The length of the \fIsvcname\fR cannot exceed 63 characters. 
.sp If the \fB-n\fR option is not specified, a service name is generated automatically. The default name includes architecture and OS version information. .RE .sp .ne 2 .mk .na \fB\fB-s <\fIsource\fR>\fR\fR .ad .br .na \fB\fB--source <\fIsource\fR>\fR\fR .ad .sp .6 .RS 4n Optional: Specifies the data source for the net image. This can be either of: .RS +4 .TP .ie t \(bu .el o The FMRI of an IPS AI net image package. This is the default. If the \fB-s\fR option is not specified, the newest available version of the \fBinstall-image/solaris-auto-install\fR package is used. The package is retrieved from the publisher specified by the \fB-p\fR option or from the first publisher in the install server's publisher preference list that provides an instance of the package. .RE .RS +4 .TP .ie t \(bu .el o The path to an AI ISO image. .RE .RE .sp .ne 2 .mk .na \fB\fB-p <\fIpublisher\fR>=<\fIorigin\fR>\fR\fR .ad .br .na \fB\fB--publisher <\fIpublisher\fR>=<\fIorigin\fR>\fR\fR .ad .sp .6 .RS 4n Optional: Only applies when the service is being created from an IPS package. Specifies the IPS package repository from where you want to retrieve the \fBinstall-image/solaris-auto-install\fR package. An example is \fBsolaris=http://pkg.oracle.com/solaris/release/\fR. .sp If the \fB-p\fR option is not specified, the publisher used is the first publisher in the install server's publisher preference list that provides an instance of the package. .RE .sp .ne 2 .mk .na \fB\fB--key\fR \fIkeypath\fR\fR .ad .sp .6 .RS 4n Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted key for the secure IPS publisher. .RE .sp .ne 2 .mk .na \fB\fB--cert\fR \fIcertpath\fR\fR .ad .sp .6 .RS 4n Optional: Only applies when the service is being created from an IPS package. Specifies the path to the PEM-formatted certificate for the secure IPS publisher. 
.RE .sp .ne 2 .mk .na \fB\fB-a <\fIarchitecture\fR>\fR\fR .ad .br .na \fB\fB--arch <\fIarchitecture\fR>\fR\fR .ad .sp .6 .RS 4n Optional: Only applies when the service is being created from an IPS package. Specifies the architecture of the clients to be installed with this service. The value can be either \fBi386\fR or \fBsparc\fR. The default is the architecture of the install server. .RE .sp .ne 2 .mk .na \fB\fB-d <\fIimagepath\fR>\fR\fR .ad .br .na \fB\fB--imagepath <\fIimagepath\fR>\fR\fR .ad .sp .6 .RS 4n Optional: Specifies the path at which to create the net image. If not specified, the image is created in a <\fIsvcname\fR> directory at the location defined by the value of the \fBall_services/default_imagepath_basedir \fR property. For the default value of this property, see "Install Server Configuration Properties." A confirmation prompt is displayed unless \fB-y\fR is also specified. .RE .sp .ne 2 .mk .na \fB\fB-y\fR\fR .ad .br .na \fB\fB--noprompt\fR\fR .ad .sp .6 .RS 4n Optional: Suppresses any confirmation prompts and proceeds with service creation using the supplied options and any default values (see \fB-d\fR). .RE .sp .ne 2 .mk .na \fB\fB-t <\fIaliasof\fR>\fR\fR .ad .br .na \fB\fB--aliasof <\fIaliasof\fR>\fR\fR .ad .sp .6 .RS 4n Optional: This new service is an alternate name for the \fIaliasof\fR install service. .RE .sp .ne 2 .mk .na \fB\fB-M\fR <\fImanifest file\fR>\fR .ad .br .na \fB\fB--default-manifest\fR <\fImanifest file\fR>\fR .ad .sp .6 .RS 4n Optional: Used to designate the path to the default manifest or derived manifest script to be used for the service. .RE .sp .ne 2 .mk .na \fB\fB-b <\fIproperty\fR>=<\fIvalue\fR>,...\fR\fR .ad .br .na \fB\fB--boot-args <\fIproperty\fR>=<\fIvalue\fR>,...\fR\fR .ad .sp .6 .RS 4n Optional: For x86 clients only. Sets a property value in the service-specific boot configuration file in the service image. Use this option to set boot properties that are specific to this service. 
This option can accept multiple comma-separated \fIproperty\fR=\fIvalue\fR pairs. .RE .sp .ne 2 .mk .na \fB\fB-G\fR \fInone\fR|<\fIgrub.cfg\fR>\fR .ad .br .na \fB\fB--grub-cfg\fR \fInone\fR|<\fIgrub.cfg\fR>\fR .ad .sp .6 .RS 4n Optional: Assigns a new GRUB2 menu file, or removes one if 'none' is specified. .RE .RE .sp .ne 2 .mk .na \fB\fB-i\fR <\fIdhcp_ip_start\fR> \fB-c\fR <\fIcount_of_ipaddr\fR>\fR .ad .br .na \fB\fB--ip-start\fR <\fIdhcp_ip_start\fR> \fB--ip-count\fR <\fIcount_of_ipaddr\fR>\fR .ad .sp .6 .RS 4n Obsolete: These options have been obsoleted for use in this context, and you should use the \fBset-server\fR equivalents going forward. Please refer to the \fBset-server\fR documentation for more information. .sp These options will fail if the AI server is not already configured to manage DHCP. .RE .sp .ne 2 .mk .na \fB\fB-B\fR <\fIserver_ipaddr\fR>\fR .ad .br .na \fB\fB--bootfile-server\fR <\fIserver_ipaddr\fR>\fR .ad .sp .6 .RS 4n Obsolete: This option has been obsoleted for use in this context, and you should use the \fBset-server\fR equivalent going forward. Please refer to the \fBset-server\fR documentation for more information. .RE .sp .ne 2 .mk .na \fB\fBinstalladm set-service\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n This subcommand enables the modification of an existing service. At least one of these options must be given: .sp .ne 2 .mk .na \fB\fB-t\fR <\fIexisting_service\fR>\fR .ad .br .na \fB\fB--aliasof\fR <\fIexisting_service\fR>\fR .ad .sp .6 .RS 4n Makes <\fIsvcname\fR> an alias of the <\fIexisting_service\fR> install service. .RE .sp .ne 2 .mk .na \fB\fB-M\fR <\fImanifest name\fR>\fR .ad .br .na \fB\fB--default-manifest-name\fR <\fImanifest name\fR>\fR .ad .sp .6 .RS 4n Designates a particular manifest or derived manifests script that is already registered with the specified service to be the default manifest or derived manifest script for that service. 
Use the \fBinstalladm list\fR command to show a list of manifests and derived manifest scripts registered with this service. .sp .in +2 .nf $ \fBinstalladm list -n\fR <\fIsvcname\fR> \fB-m\fR .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fB\fB-d\fR <\fIimagepath\fR>\fR .ad .br .na \fB\fB--imagepath\fR <\fIimagepath\fR>\fR .ad .sp .6 .RS 4n Causes the image to be relocated to the new image path. .RE .sp .ne 2 .mk .na \fB\fB-e\fR|\fB--enable\fR | \fB-D\fR|\fB--disable\fR\fR .ad .sp .6 .RS 4n Enables/Disables the service. .RE .sp .ne 2 .mk .na \fB\fB-G\fR \fBnone\fR|<\fIgrub.cfg\fR>\fR .ad .br .na \fB\fB--grub-cfg\fR \fBnone\fR|<\fIgrub.cfg\fR>\fR .ad .sp .6 .RS 4n Assigns a new GRUB2 menu file, or removes one if 'none' is specified. .RE .sp .ne 2 .mk .na \fB\fB-b\fR \fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>[,... ]\fR .ad .br .na \fB\fB--boot-args\fR \fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>[,... ]\fR .ad .sp .6 .RS 4n Sets the boot arguments for the GRUB menu, or removes them if 'none' is specified. .RE .sp .ne 2 .mk .na \fB\fB-p\fR <\fIpolicy\fR>\fR .ad .br .na \fB\fB--security-policy\fR <\fIpolicy\fR>\fR .ad .sp .6 .RS 4n An install service can be assigned only one of these security settings. The <\fIpolicy\fR> can be one of the following security policy settings which are listed in order of decreasing security: .sp .ne 2 .mk .na \fBrequire-client-auth\fR .ad .RS 23n .rt Confirms the identity of the AI client. Requires client and server authentication for all clients of the specified service. All SPARC clients of this service must have their OBP keys defined. .RE .sp .ne 2 .mk .na \fBrequire-server-auth\fR .ad .RS 23n .rt Confirms the identity of the AI install server. Requires all clients of the specified service to perform server authentication. Client authentication is optional, but any assigned client credentials are required to be provided. All SPARC clients of this service must have their OBP keys defined. 
.RE .sp .ne 2 .mk .na \fBoptional\fR .ad .RS 23n .rt Allows both authenticated and unauthenticated clients to access the install service. Client authentication is optional, but any assigned client credentials are required to be provided. This is the default behavior. .RE .sp .ne 2 .mk .na \fBencr-only\fR .ad .RS 23n .rt Enables SSL/TLS end-to-end encryption for an x86 install service. No authentication is performed, so neither the server's nor the client's identity is verified under this policy. .RE .sp .ne 2 .mk .na \fB\fBdisable\fR\fR .ad .RS 23n .rt Disables all security for all clients of the specified service. .RE .RE .RE .sp .ne 2 .mk .na \fB\fB-x\fR [\fB-y\fR|\fB--noprompt\fR] [\fB--hash\fR <\fIca-hash\fR>]\fR .ad .br .na \fB\fB--delete-security\fR [\fB-y\fR|\fB--noprompt\fR] [\fB--hash\fR <\fIca-hash\fR>]\fR .ad .sp .6 .RS 4n Deletes any security configuration for the service, or a specific CA if a \fB--hash\fR is provided. If \fB-y\fR is provided it will not prompt for confirmation. .RE .sp .ne 2 .mk .na \fB\fB-g\fR\fR .ad .br .na \fB\fB--generate-all-certs\fR\fR .ad .sp .6 .RS 4n Automatically generates and assigns all X.509 security credentials and generates OBP keys. The CA certificate and OBP keys are generated only if they do not already exist. .RE .sp .ne 2 .mk .na \fB\fB-A\fR <\fIca-certfile\fR>...\fR .ad .br .na \fB\fB--ca-cert\fR <\fIca-certfile\fR>...\fR .ad .sp .6 .RS 4n Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <\fIca-certfile\fR>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple \fB-A\fR options. .RE .sp .ne 2 .mk .na \fB\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>\fR .ad .br .na \fB\fB--cert\fR <\fIcertfile\fR> \fB--key\fR <\fIkeyfile\fR>\fR .ad .sp .6 .RS 4n \fB-C\fR assigns a user-provided PEM-encoded X.509 certificate located at path <\fIcertfile\fR>. .sp \fB-K\fR assigns a user-provided PEM-encoded X.509 + private key located at path <\fIkeyfile\fR>. 
The <\fIkeyfile\fR> must have any passphrase removed. .sp The \fB-C\fR option must be used with the \fB-K\fR option. If you specify just the \fB-C\fR and \fB-K\fR options, the associated CA certificate must have been previously assigned. .sp If you also specify \fB-A\fR options then this certificate and key will be validated against those CA Certificates. .RE .sp .ne 2 .mk .na \fB\fB-E\fR\fR .ad .br .na \fB\fB--generate-encr-key\fR\fR .ad .sp .6 .RS 4n Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key. .sp OBP keys are automatically generated if they do not already exist when you use the \fB-g\fR, \fB-C\fR, \fB-K\fR, or \fB-A\fR options. Once these keys are generated, you can use the \fB-E\fR and \fB-H\fR options to replace the existing keys. Specifying the \fB-E\fR or \fB-H\fR option before OBP keys exist is an error. You can specify both OBP key options, or you can specify either \fB-E\fR or \fB-H\fR. The OBP keys that already exist are invalidated and replaced with the newly generated values. .RE .sp .ne 2 .mk .na \fB\fB-H\fR\fR .ad .br .na \fB\fB--generate-hmac-key\fR\fR .ad .sp .6 .RS 4n Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key. .RE .sp .ne 2 .mk .na \fB\fBinstalladm update-service\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Updates the image associated with <\fIsvcname\fR>, where <\fIsvcname\fR> is an alias of a service that was created using an IPS AI net image package. A new service is created with the updated image, and <\fIsvcname\fR> is aliased to the new service. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .RS 23n .rt Specifies the name of the install service being updated, which must be an alias of a service that was created using an IPS net image package. 
.RE [\fBoptions\fR] is one or more of the following: .sp .ne 2 .mk .na \fB\fB-p\fR <\fIpublisher\fR>=<\fIorigin\fR>\fR .ad .br .na \fB\fB--publisher\fR <\fIpublisher\fR>=<\fIorigin\fR>\fR .ad .sp .6 .RS 4n The IPS package repository from which to update the <\fIsvcname\fR> image. The following is an example value: .sp .in +2 .nf solaris=http://pkg.oracle.com/solaris/release/ .fi .in -2 .sp .RE A certificate and key may be specified for the publisher by providing paths to a key and certificate file to use with the options: .sp .ne 2 .mk .na \fB\fB-K\fR|\fB--key\fR <\fIkeypath\fR>\fR .ad .br .na \fB\fB-C\fR|\fB--cert\fR <\fIcertpath\fR>\fR .ad .RS 24n .rt If the \fB-p\fR option is not specified, the publisher used is the publisher that was used to create the image of the service for which <\fIsvcname\fR> is an alias. The package publisher can be seen in verbose output for that service. .RE .sp .ne 2 .mk .na \fB-s\fR <\fIFMRI\fR> .ad .br .na \fB--source\fR <\fIFMRI\fR> .ad .RS 24n .rt The FMRI of the net image package for the update. .sp If the \fB-s\fR option is not specified, the newest available version of the \fBinstall-image/solaris-auto-install\fR package is used from the publisher specified in the description of the \fB-p\fR option. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm rename-service\fR \fB-n\fR <\fIsvcname\fR> \fB-N\fR <\fInewsvcname\fR>\fR .ad .sp .6 .RS 4n Renames the install service <\fIsvcname\fR> to <\fInewsvcname\fR>. .sp The <\fInewsvcname\fR> can consist of alphanumeric characters, underscores (_), and hyphens (-). The first character of <\fInewsvcname\fR> cannot be a hyphen. The length of the <\fInewsvcname\fR> cannot exceed 63 characters. .RE .sp .ne 2 .mk .na \fB\fBinstalladm enable \fB-n\fR <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Obsolete: This subcommand has been obsoleted in preference to the \fB--enable\fR option of the \fBset-service\fR subcommand. .sp Enables the \fIsvcname\fR install service. 
.RE .sp .ne 2 .mk .na \fB\fBinstalladm disable \fB-n\fR <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Obsolete: This subcommand has been obsoleted in preference to the \fB--disable\fR option of the \fBset-service\fR subcommand. .sp Disables the \fIsvcname\fR install service. .RE .sp .ne 2 .mk .na \fB\fBinstalladm delete-service\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Deletes an install service. .RS +4 .TP .ie t \(bu .el o Deletes the manifests, profiles, client configuration files, and web server configuration for this install service. .RE .RS +4 .TP .ie t \(bu .el o Deletes the image used to instantiate the service. .RE .RS +4 .TP .ie t \(bu .el o If the following conditions exist, the bootfile associated with this service is removed from the ISC DHCP configuration: .RS +4 .TP .ie t \(bu .el o The service is a default alias. .RE .RS +4 .TP .ie t \(bu .el o A local ISC DHCP configuration exists. .RE .RS +4 .TP .ie t \(bu .el o The \fBall_services/manage_dhcp\fR property value is \fBtrue\fR. .RE .RE The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .RS 23n .rt Specifies the install service name to delete. .RE Where [\fBoptions\fR] is one or more of: .sp .ne 2 .mk .na \fB\fB-r\fR|\fB--autoremove\fR\fR .ad .sp .6 .RS 4n If specified, any clients assigned to this service, and any services aliased to this service, are also removed. .RE .sp .ne 2 .mk .na \fB\fB-y\fR|\fB--noprompt\fR\fR .ad .sp .6 .RS 4n Suppresses any confirmation prompts and proceeds with service deletion. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm list\fR [\fB-v\fR] [\fB-s\fR | \fB-e\fR <\fImacaddr\fR> | [\fB-a\fR | \fB-cmp\fR] [\fB-n\fR <\fIsvcname\fR>]]\fR .ad .sp .6 .RS 4n Without any options, lists the summary of all services on the AI server. 
The available options are: .sp .ne 2 .mk .na \fB\fB-v\fR\fR .ad .br .na \fB\fB--verbose\fR\fR .ad .sp .6 .RS 4n Produces more verbose listings .RE .sp .ne 2 .mk .na \fB\fB-a\fR\fR .ad .br .na \fB\fB--all\fR\fR .ad .sp .6 .RS 4n Lists the configuration of the AI server in a tree-like output with information about the server, services, clients, manifests and profiles on the AI server. .sp Can only be used in conjunction with the \fB-v\fR or \fB-n\fR options. .RE .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Behaves as a filter, only showing clients, manifests or profiles for the specified <\fIsvcname\fR> on the server. .sp This option can be used to filter the \fB-a\fR, \fB-c\fR, \fB-m\fR or \fB-p\fR options. .RE .sp .ne 2 .mk .na \fB\fB-e\fR <\fImacaddress\fR>\fR .ad .br .na \fB\fB--macaddr\fR <\fImacaddress\fR>\fR .ad .sp .6 .RS 4n Lists specific information for the provided <\fImacaddress\fR> only. .sp Can only be used in conjunction with the \fB-v\fR option. .RE .sp .ne 2 .mk .na \fB\fB-s\fR\fR .ad .br .na \fB\fB--server\fR\fR .ad .sp .6 .RS 4n Lists information about server configuration. .sp Cannot be used with the \fB-n\fR option. .RE .sp .ne 2 .mk .na \fB\fB-c\fR\fR .ad .br .na \fB\fB--client\fR\fR .ad .sp .6 .RS 4n Lists the clients of the install services on a local server. .sp When used with \fB-n\fR option, it displays only clients of the given service. .RE .sp .ne 2 .mk .na \fB\fB-m\fR\fR .ad .br .na \fB\fB--manifest\fR\fR .ad .sp .6 .RS 4n Lists the manifests and derived manifest scripts associated with the install services on a local server, including criteria for each manifest. Inactive manifests are labeled. Inactive manifests have no associated criteria and are not the default manifest for that service. .sp When used with \fB-n\fR option, it displays only manifests and scripts for the given service. 
.RE .sp .ne 2 .mk .na \fB\fB-p\fR\fR .ad .br .na \fB\fB--profile\fR\fR .ad .sp .6 .RS 4n Lists the profiles associated with the install services on a local server, including criteria for each profile. .sp When used with \fB-n\fR option, it displays only profiles for the given service. .RE Whenever the list output includes fields that are inaccessible for a user, that is, they do not have sufficient authorisations, then these fields are hidden from the output. Examples of such fields are those related to whether security is enabled or not, the security credentials, and so on. .RE .sp .ne 2 .mk .na \fB\fBinstalladm create-manifest\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR> \fB-f\fR|\fB--file\fR <\fIfilename\fR>\fR .ad .sp .6 .RS 4n Creates a manifest or derived manifests script for a specific install service, thus making the manifest or script available on the network, independently from creating a service. A non-default manifest or script can be used (can be active) only when criteria are associated with it. Criteria can be entered on the command line (\fB-c\fR) or in a criteria XML file (\fB-C\fR). .sp The manifest or derived manifests script to be created can be copied from a file (\fB-f\fR) or an existing manifest of the install service (\fB-M\fR). Additionally specifying the \fB-e\fR allows the user to edit the manifest before it is saved to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. The interface presents the AI manifest content as a set of non-XML objects and properties that can be manipulated using subcommands entered at the interactive interface prompt, allowing the user to edit the manifest before saving it to the install service. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, \fBVISUAL\fR. If \fBVISUAL\fR is not defined, \fBEDITOR\fR is used instead. 
If neither are defined, then the default editor \fBvi\fR(1) is used. .sp If neither \fB-f\fR nor \fB-M\fR is specified, the user is placed into the interactive interface to interactively specify input for the new manifest (some values are pre-filled with sensible defaults), which is then saved to the install service. See the "MANIFEST EDITOR CLI" section below for more information about the interactive interface. .sp .LP The name of the manifest is determined in the following order: .RS +4 .TP 1. The \fImanifest\fR name specified by the \fB-m\fR option, if present. .RE .RS +4 .TP 2. The value of the \fBai_instance\fR \fBname\fR attribute, if present in the manifest. .RE .RS +4 .TP 3. The base name of the \fIfilename\fR. .RE The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .RS 23n .rt Specifies the name of the install service this manifest or script is to be associated with. .RE [\fIsource_options\fR] can be one of the following: .sp .ne 2 .mk .na \fB\fB-f\fR|\fB--file\fR <\fIfilename\fR> [\fB-e\fR|\fB--edit\fR]\fR .ad .sp .6 .RS 4n Specifies the path name of the manifest or derived manifests script to add. .sp If \fB-e\fR is also specified, the user can edit the manifest before saving it to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, \fBVISUAL\fR. If \fBVISUAL\fR is not defined, \fBEDITOR\fR is used instead. If neither are defined, then the default editor \fBvi\fR(1) is used. .RE .sp .ne 2 .mk .na \fB\fB-M\fR|\fB--existing\fR <\fIexisting manifest\fR> [\fB-e\fR|\fB--edit\fR]\fR .ad .sp .6 .RS 4n Specifies the name of an existing manifest or derived manifests script for <\fIsvcname\fR> to copy for the new manifest. 
.sp If \fB-e\fR is also specified, the user can edit the manifest before saving it to the install service. If the manifest to be created is not a script, the user is placed into the interactive interface. If the manifest to be created is a script, then the user is placed into the editor specified by the environment variable, \fBVISUAL\fR. If \fBVISUAL\fR is not defined, \fBEDITOR\fR is used instead. If neither are defined, then the default editor \fBvi\fR(1) is used. .RE If neither \fB-f\fR nor \fB-M\fR is specified, the user is placed into the interactive interface to interactively specify input for the new manifest (some values are pre-filled with sensible defaults), which is then saved to the install service. The \fB-m\fR option is required to name the new manifest. .sp [\fBoptions\fR] can be one or more of the following: .sp .ne 2 .mk .na \fB\fB-m\fR <\fImanifest\fR>\fR .ad .br .na \fB\fB--manifest\fR <\fImanifest\fR>\fR .ad .sp .6 .RS 4n Specifies the AI instance name of the manifest or derived manifests script. Sets the \fBname\fR attribute of the \fB ai_instance\fR element of the manifest to \fImanifest\fR. The manifest or script is referred to as \fImanifest\fR in subsequent \fBinstalladm\fR commands and \fBinstalladm list\fR output. .RE .sp .ne 2 .mk .na \fB\fB-c\fR <\fIcriteria\fR>=<\fIvalue\fR|\fIlist\fR|\fIrange\fR>...\fR .ad .br .na \fB\fB--criteria\fR <\fIcriteria\fR>=<\fIvalue\fR|\fIlist\fR|\fIrange\fR>...\fR .ad .sp .6 .RS 4n Specifies criteria to be associated with the added manifest or script. See the "Criteria" section below. The \fB-c\fR option can be specified multiple times. .RE .sp .ne 2 .mk .na \fB\fB-C\fR <\fIcriteriafile\fR>\fR .ad .br .na \fB\fB\fB--criteria-file\fR <\fIcriteriafile\fR>\fR\fR .ad .sp .6 .RS 4n Specifies the path name of a criteria XML file containing criteria to be associated with the added manifest or script. 
.RE .sp .ne 2 .mk .na \fB\fB-d\fR\fR .ad .br .na \fB\fB--default\fR\fR .ad .sp .6 .RS 4n Specifies that this manifest or script is the new default manifest or script for the service. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm update-manifest\fR \fB-n\fR|\fB--service\fR <\fIsvcname\fR> \fB-m\fR|\fB--manifest\fR <\fImanifest\fR>\fR .ad .br .na \fB\fBinstalladm update-manifest\fR \fB-n\fR|\fB--service\fR <\fIsvcname\fR> \fB-f\fR|\fB--file\fR <\fIfilename\fR> [\fB-m\fR|\fB--manifest\fR <\fImanifest\fR>] [\fB-e\fR|\fB--edit\fR]\fR .ad .sp .6 .RS 4n Places the user into either the interactive interface or an editor, allowing the user to edit the manifest specified by <\fImanifest\fR>. If the manifest is not a script, the user is placed into the interactive interface. The interface presents the content of <\fImanifest\fR> as a set of non-XML objects and properties that can be manipulated using subcommands entered at the interactive interface prompt, allowing the user to edit the manifest. If the manifest is a script, then the user is placed into the editor specified by the environment variable, \fBVISUAL\fR. If \fBVISUAL\fR is not defined, \fBEDITOR\fR is used instead. If neither is defined, then the default editor \fBvi\fR(1) is used. .sp If \fB-f\fR <\fImanifest file\fR> is specified, then the manifest is totally replaced by <\fImanifest file\fR>. Additionally specifying the \fB-e\fR option places the user into an editor or interactive interface as above to allow the user to edit the manifest before saving it to the install service. .sp See the "MANIFEST EDITOR CLI" section below for more information about the interactive interface. .sp Any criteria or default status remain with the manifest or script following the update. .sp .LP The name of the manifest is determined in the following order: .RS +4 .TP 1. The \fImanifest\fR specified by the \fB-m\fR option, if present. .RE .RS +4 .TP 2. 
The value of the \fBai_instance\fR \fBname\fR attribute, if present in the changed manifest and if it matches the \fBai_instance\fR \fB name\fR value of an existing manifest. .RE .RS +4 .TP 3. The base name of the \fIfilename\fR, if it matches the \fBai_instance\fR \fBname\fR attribute value in an existing manifest, or the name given by \fBinstalladm list\fR if it matches the name of an existing script. .RE The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Specifies the name of the install service of the manifest or script being updated. .sp The following arguments may also be specified: .sp .ne 2 .mk .na \fB\fB-f \fIfilename\fR\fR\fR .ad .br .na \fB\fB--file \fIfilename\fR\fR\fR .ad .RS 23n .rt Specifies the path name of the replacement manifest or derived manifest script. .RE .sp .ne 2 .mk .na \fB\fB-m \fImanifest\fR\fR\fR .ad .br .na \fB\fB--manifest \fImanifest\fR\fR\fR .ad .RS 23n .rt Specifies the name of the manifest to edit or the AI instance name of the replacement manifest or script. Required if \fB-f\fR <\fIfilename\fR> not specified. .RE .sp .ne 2 .mk .na \fB\fB-e\fR\fR .ad .br .na \fB\fB--edit\fR\fR .ad .RS 23n .rt In conjunction with \fB-f\fR <\fIfilename\fR>, allows the user to edit the manifest before saving it to the install service. If the content of the copied file is not a script, the user is placed into the interactive interface. If the content is a script, then the user is placed into the editor specified by the environment variable, \fBVISUAL\fR. If \fBVISUAL\fR is not defined, \fBEDITOR\fR is used instead. If neither are defined, then the default editor \fBvi\fR(1) is used. .RE .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm delete-manifest -n|--service <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB-m|--manifest \fImanifest\fR\fR\fR .ad .sp .6 .RS 4n Deletes a manifest or derived manifest script that was published with a specific install service. 
A default manifest or script cannot be deleted. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Specifies the name of the install service of the manifest or script being deleted. .RE .sp .ne 2 .mk .na \fB\fB-m \fImanifest\fR\fR\fR .ad .br .na \fB\fB--manifest \fImanifest\fR\fR\fR .ad .sp .6 .RS 4n Specifies the AI instance name of a manifest or derived manifests script as output by \fBinstalladm list\fR with the \fB-n\fR option. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm create-profile\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .br .na \fB \fB-f\fR|\fB--file\fR \fIfilename\fR...\fR .ad .sp .6 .RS 4n Creates profiles for a specific install service. Criteria can optionally be associated with a profile by either entering them on the command line (\fB-c\fR) or in a criteria XML file (\fB-C\fR). Profiles created without criteria are associated with all clients of the service. .sp .LP The name of the profile is determined in the following order: .RS +4 .TP 1. The \fIprofile\fR specified by the \fB-p\fR option, if present. .RE .RS +4 .TP 2. The base name of the \fIfilename\fR. .RE Profile names must be unique for an AI service. If multiple \fB-f\fR options are used to create more than one profile with the same criteria, then the \fB-p\fR option is invalid and the names of the profiles are derived from their file names. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Required: Specifies the name of the install service of the profile being created. .RE .sp .ne 2 .mk .na \fB\fB-f \fIfilename\fR...\fR\fR .ad .br .na \fB\fB--file \fIfilename\fR...\fR\fR .ad .sp .6 .RS 4n Required: Specifies the path name of the file with which to add the profile. Multiple profiles can be specified. 
.RE [\fBoptions\fR] may be one or more of the following: .sp .ne 2 .mk .na \fB\fB-p \fIprofile\fR\fR\fR .ad .br .na \fB\fB--profile \fIprofile\fR\fR\fR .ad .sp .6 .RS 4n Optional: Specifies the name of the profile being created. Valid only for single profile creation. .RE .sp .ne 2 .mk .na \fB\fB-c \fIcriteria\fR=\fIvalue\fR|\fIlist\fR|\fIrange\fR...\fR\fR .ad .br .na \fB\fB--criteria \fIcriteria\fR=\fIvalue\fR|\fIlist\fR|\fIrange\fR...\fR\fR .ad .sp .6 .RS 4n Optional: Specifies criteria to be associated with the profiles. See the "Criteria" section below. Multiple \fB-c\fR options can be specified. .RE .sp .ne 2 .mk .na \fB\fB-C \fIcriteriafile\fR\fR\fR .ad .br .na \fB\fB--criteria-file \fIcriteriafile\fR\fR\fR .ad .sp .6 .RS 4n Optional: Specifies the path name of a criteria XML file containing criteria to be associated with the specified profiles. .RE .sp .ne 2 .mk .na \fB\fB-e\fR \fBinstall\fR|\fBsystem\fR|\fBall\fR[,...]\fR .ad .br .na \fB\fB--environment\fR \fBinstall\fR|\fBsystem\fR|\fBall\fR[,...]\fR .ad .sp .6 .RS 4n Optional: Specifies a comma separated list of environments where the profile should be applied. Specifying \fBinstall\fR indicates that the profile should be applied to the installation environment. Specifying \fBsystem\fR indicates that the profile should be applied to the installed system environment. Specifying \fBall\fR is a convenience to denote that the profile should be applied to both environments. By default, profiles are created with only the system value. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm set-profile\fR [\fIoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR> \fB-p\fR|\fB--profile\fR <\fIprofile name\fR>\fR .ad .sp .6 .RS 4n Modifies the settings on a profile for a specific install service. A profile can be designated to be applied to the installation environment or the installed system environment using the \fB-e\fR option. A profile can also be renamed by using the \fB-P\fR option. 
.sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .RS 28n .rt Required: Specifies the name of the install service of the profile being modified. .RE .sp .ne 2 .mk .na \fB\fB-p\fR <\fIprofile name\fR>\fR .ad .br .na \fB\fB--profile\fR <\fIprofile name\fR>\fR .ad .RS 28n .rt Required: Specifies the name of the profile to modify. .RE [\fIoptions\fR] may be one or more of the following: .sp .ne 2 .mk .na \fB\fB-P\fR <\fInew profile name\fR>\fR .ad .br .na \fB\fB--new-name\fR <\fInew profile name\fR>\fR .ad .sp .6 .RS 4n Optional: Renames profile to specified name. .RE .sp .ne 2 .mk .na \fB\fB-e\fR \fBinstall\fR|\fBsystem\fR|\fBall\fR[,...]\fR .ad .br .na \fB\fB--environment\fR \fBinstall\fR|\fBsystem\fR|\fBall\fR[,...]\fR .ad .br .na \fB\fR .ad .sp .6 .RS 4n Optional: Specifies a comma separated list of environments where the profile should be applied. Specifying \fBinstall\fR indicates that the profile should be applied to the installation environment. Specifying \fBsystem\fR indicates that the profile should be applied to the installed system environment. Specifying \fBall\fR is a convenience to denote that the profile should be applied to both environments. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm update-profile\fR \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB-f\fR|\fB--file\fR \fIfilename\fR [\fB-p\fR|\fB--profile\fR \fIprofile\fR]\fR .ad .sp .6 .RS 4n Updates the specified profile from the <\fIsvcname\fR> install service. Replaces the specified profile with the contents of \fIfilename \fR. Any criteria remain with the profile following the update. .sp .LP The profile to be updated is determined in the following order: .RS +4 .TP 1. The \fIprofile\fR specified by the \fB-p\fR option, if present. .RE .RS +4 .TP 2. The base name of the \fIfilename\fR. 
.RE .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Required: Specifies the name of the install service of the profile being updated. .RE .sp .ne 2 .mk .na \fB\fB-f \fIfilename\fR\fR\fR .ad .br .na \fB\fB--file \fIfilename\fR\fR\fR .ad .sp .6 .RS 4n Required: Specifies the path name of the file to use to update the profile. .RE .sp .ne 2 .mk .na \fB\fB-p \fIprofile\fR\fR\fR .ad .br .na \fB\fB--profile \fIprofile\fR\fR\fR .ad .sp .6 .RS 4n Optional: Specifies the name of the profile being updated. Use this option if the name of the profile to update is different from the base name of the \fIfilename\fR. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm delete-profile -n|--service <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB-p|--profile \fIprofile\fR...\fR\fR .ad .sp .6 .RS 4n Deletes the \fIprofile\fR profile from the <\fIsvcname\fR> install service. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Specifies the name of the install service of the profile being deleted. .RE .sp .ne 2 .mk .na \fB\fB-p \fIprofile\fR...\fR\fR .ad .br .na \fB\fB--profile \fIprofile\fR...\fR\fR .ad .sp .6 .RS 4n Specifies the name of the profile to delete. Multiple \fB-p\fR options can be specified. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm export\fR [\fB-o\fR <\fIpath\fR>] [\fIselector\fR] [\fIitems\fR]\fR .ad .sp .6 .RS 4n The \fBexport\fR command has several possible valid combinations of options. The first element [\fIselector\fR] selects the object that is the source of the item to be output: .sp .ne 2 .mk .na \fB\fB-s\fR\fR .ad .br .na \fB\fB--server\fR\fR .ad .RS 23n .rt Specify the server object to be used as the source of security keys or certificates. 
.RE .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .RS 23n .rt Specify a specific service to be used as the source of manifests, profiles, GRUB menu, or security keys or certificates. .RE .sp .ne 2 .mk .na \fB\fB-c\fR\fR .ad .br .na \fB\fB--default-client\fR\fR .ad .RS 23n .rt Specify that the server's default client security is to be used for exporting security keys or certificates. .RE .sp .ne 2 .mk .na \fB\fB-e\fR <\fImacaddr\fR>\fR .ad .br .na \fB\fB--macaddr\fR <\fImacaddr\fR>\fR .ad .RS 23n .rt Specify a client, by its MAC address, to be used as the source of security keys or certificates. .RE The next element [\fIitems\fR] specifies the item or items to be output: .sp .ne 2 .mk .na \fB\fB-m\fR <\fImanifest name\fR>\fR .ad .br .na \fB\fB--manifest\fR <\fImanifest name\fR>\fR .ad .sp .6 .RS 4n Specify a manifest or derived manifest name to export from the specified service. Multiple \fB-m\fR options may be specified. .LP Note - .sp .RS 2 This can be used only with the \fB-n\fR option. .RE .RE .sp .ne 2 .mk .na \fB\fB-p\fR <\fIprofile name\fR>\fR .ad .br .na \fB\fB--profile\fR <\fIprofile name\fR>\fR .ad .sp .6 .RS 4n Specify a profile name to export from the specified service. Multiple \fB-p\fR options may be specified. .LP Note - .sp .RS 2 This can be used only with the \fB-n\fR option. .RE .RE .sp .ne 2 .mk .na \fB\fB-G\fR\fR .ad .br .na \fB\fB--grub-cfg\fR\fR .ad .sp .6 .RS 4n Outputs the GRUB2 menu (\fBgrub.cfg\fR) file that is currently in use for the service or client. .sp This can be used only with the \fB-n\fR or \fB-e\fR options. .RE .sp .ne 2 .mk .na \fB\fB-c\fR\fR .ad .br .na \fB\fB--cert\fR\fR .ad .sp .6 .RS 4n Outputs the PEM-encoded X.509 certificate for the server, service or client specified. .sp This can be used with any of the selection options \fB-n\fR, \fB-e\fR, \fB-s\fR or \fB-c\fR. 
.RE .sp .ne 2 .mk .na \fB\fB-K\fR\fR .ad .br .na \fB\fB--key\fR\fR .ad .sp .6 .RS 4n Outputs the PEM-encoded X.509 private key for the server, service or client specified. .sp This can be used with any of the selection options \fB-n\fR, \fB-e\fR, \fB-s\fR or \fB-c\fR. .RE .sp .ne 2 .mk .na \fB\fB-A\fR <\fIhash\fR> ...\fR .ad .br .na \fB\fB--ca-cert\fR <\fIhash\fR> ...\fR .ad .sp .6 .RS 4n Outputs the PEM-encoded X.509 Certificate Authority (CA) certificate with the specified <\fIhash\fR> value. .sp This option can be repeated to export multiple CA Certificates, and also can be used with any of the selection options \fB-n\fR, \fB-e\fR, \fB-s\fR or \fB-c\fR. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm validate\fR [\fBoptions\fR] \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Validates specified profiles or manifests. The \fBvalidate\fR subcommand can be used either to validate profiles in the database (\fB-p\fR) or to validate profiles (\fB-P\fR) or manifests (\fB-M\fR) while they are being developed before their entry into the database. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB\fB--service\fR <\fIsvcname\fR>\fR .ad .RS 23n .rt Specifies the service with which the profiles or manifests are associated and to be validated against. .RE Where [\fBoptions\fR] is one or more of the following: .sp .ne 2 .mk .na \fB\fB-M\fR <\fImanifest_path\fR>\fR .ad .br .na \fB\fB--manifest\fR <\fImanifest_path\fR>\fR .ad .sp .6 .RS 4n Specifies an external manifest file to validate against the provided service. .RE .sp .ne 2 .mk .na \fB\fB-m\fR <\fImanifest_name\fR>\fR .ad .br .na \fB\fB--manifest\fR <\fImanifest_name\fR>\fR .ad .sp .6 .RS 4n Specifies the name of an existing manifest to validate against the provided service. 
.RE .sp .ne 2 .mk .na \fB\fB-P\fR <\fIprofile_path\fR>\fR .ad .br .na \fB\fB--profile-file\fR <\fIprofile_path\fR>\fR .ad .sp .6 .RS 4n Specifies an external profile file to validate against the provided service. .RE .sp .ne 2 .mk .na \fB\fB-P\fR <\fIprofile_name\fR>\fR .ad .br .na \fB\fB--profile-file\fR <\fIprofile_name\fR>\fR .ad .sp .6 .RS 4n Specifies the name of an existing profile to validate against the provided service. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm set-criteria\fR [\fBoptions\fR] \fB-n\fR <\fIsvcname\fR>\fR .ad .br .na \fB[\fB-m\fR <\fImanifest\fR>] [\fB-p\fR <\fIprofile\fR>]...\fR .ad .sp .6 .RS 4n Updates criteria of an already published manifests, derived manifest scripts, or profiles. Criteria can be specified on the command line or in a criteria XML file. .sp Valid criteria are described under the \fBcreate-manifest\fR subcommand. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB\fB-n\fR <\fIsvcname\fR\fR>\fR .ad .br .na \fB\fB\fB--service\fR <\fIsvcname\fR>\fR\fR .ad .RS 23n .rt Specifies the service with which the profiles or manifests are associated. .RE And one or more of: .sp .ne 2 .mk .na \fB\fB-m\fR <\fImanifest name\fR>\fR .ad .br .na \fB\fB--manifest\fR <\fImanifest name\fR>\fR .ad .RS 30n .rt Specifies the AI instance name of a manifest or derived manifest script. .sp Only one manifest may be specified since it is not possible to have multiple manifests with the same criteria assigned. .RE .sp .ne 2 .mk .na \fB\fB-p\fR <\fIprofile_name\fR>\fR .ad .br .na \fB\fB--profile\fR <\fIprofile_name\fR>\fR .ad .RS 30n .rt Specifies the name of a profile. .RE Then [\fBoptions\fR] is one of the following variations: .sp .ne 2 .mk .na \fB\fB-c\fR <\fIcriteria=value|list|range\fR> ...\fR .ad .br .na \fB\fB--criteria\fR <\fIcriteria=value|list|range\fR> ...\fR .ad .sp .6 .RS 4n Specifies criteria to replace all existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values. 
.sp It is possible to specify multiple \fB-c\fR options. .RE .sp .ne 2 .mk .na \fB\fB-C\fR <\fIcriteria.xml\fR>\fR .ad .br .na \fB\fB--criteria-file\fR <\fIcriteria.xml\fR>\fR .ad .sp .6 .RS 4n Specifies the path name of a criteria XML file containing criteria to replace all existing criteria for the manifest, script, or profile. .RE .sp .ne 2 .mk .na \fB\fB-D\fR\fR .ad .br .na \fB\fB--delete-all-criteria\fR\fR .ad .sp .6 .RS 4n .RE .sp .ne 2 .mk .na \fB\fB-a\fR <\fIcriteria=value|list|range\fR> ...\fR .ad .br .na \fB\fB--append-criteria\fR <\fIcriteria=value|list|range\fR> ...\fR .ad .sp .6 .RS 4n Specifies criteria to be appended to the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values. If the criteria specified already exists, the \fBvalue|list|range\fR of that criteria is replaced by the specified \fBvalue|list|range\fR. .sp It is possible to specify multiple \fB-a\fR options. .RE .sp .ne 2 .mk .na \fB\fB-d\fR <\fIcriteria\fR> ...\fR .ad .br .na \fB\fB--delete-criteria\fR <\fIcriteria\fR> ...\fR .ad .sp .6 .RS 4n Specifies criteria to be removed from the existing criteria for the manifest, script, or profile. See the "Criteria" section below for possible values. .sp It is possible to specify multiple \fB-d\fR options. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm create-client\fR [\fBoptions\fR]\fR .ad .br .na \fB\fB-e\fR|\fB--macaddr\fR <\fImacaddr\fR> \fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Accomplishes optional setup tasks for a specified client, in order to provide custom client settings that vary from the default settings used by the \fBcreate-service\fR subcommand. Enables the user to specify a non-default service name and boot arguments or GRUB2 menu for a client. .sp An existing client may be modified using the \fBinstalladm set-client\fR subcommand. 
.sp .LP If the following conditions exist, the client is configured in the ISC DHCP configuration: .RS +4 .TP .ie t \(bu .el o The client is an x86 system. .RE .RS +4 .TP .ie t \(bu .el o A local ISC DHCP configuration exists. .RE .RS +4 .TP .ie t \(bu .el o The \fBall_services/manage_dhcp\fR property value is \fBtrue\fR. .RE The required arguments are: .sp .ne 2 .mk .na \fB\fB-n <\fIsvcname\fR>\fR\fR .ad .br .na \fB\fB--service <\fIsvcname\fR>\fR\fR .ad .sp .6 .RS 4n Specifies the install service for client installation. .RE .sp .ne 2 .mk .na \fB\fB-e\fR \fImacaddr\fR\fR .ad .br .na \fB\fB--macaddr\fR \fImacaddr\fR\fR .ad .sp .6 .RS 4n Specifies a MAC address for the client. .sp For x86 clients only, [\fBoptions\fR] are may be either one of the following: .sp .ne 2 .mk .na \fB\fB-b <\fIproperty\fR>=<\fIvalue\fR>,...\fR\fR .ad .br .na \fB\fB--boot-args <\fIproperty\fR>=<\fIvalue\fR>,...\fR\fR .ad .sp .6 .RS 4n Sets a property value in the client-specific boot configuration file. Use this option to set boot properties that are specific to this client. This option can accept multiple property=value pairs, or be repeated several times. .RE .sp .ne 2 .mk .na \fB\fB-G\fR <\fIgrub.cfg\fR>\fR .ad .br .na \fB\fB--grub-cfg\fR <\fIgrub.cfg\fR>\fR .ad .sp .6 .RS 4n Specify a custom GRUB2 menu (\fBgrub.cfg\fR) file to use when booting the client. .RE .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm set-client\fR \fB-e\fR <\fImacaddr\fR>\fR .ad .br .na \fB[\fB-n\fR <\fIsvcname\fR>]\fR .ad .br .na \fB[\fB-b\fR [\fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>,... 
] |\fR .ad .br .na \fB\fB-G\fR [\fBnone\fR|<\fIgrub.cfg\fR>]]\fR .ad .br .na \fB[\fB-g\fR]\fR .ad .br .na \fB[\fB-x\fR [\fB-y\fR] [\fB--hash\fR <\fIca-hash\fR>]]\fR .ad .br .na \fB[\fB-A\fR <\fIca-certfile\fR>]...\fR .ad .br .na \fB[\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>]\fR .ad .br .na \fB[\fB-E\fR]\fR .ad .br .na \fB[\fB-H\fR]\fR .ad .sp .6 .RS 4n The required arguments are: .sp .ne 2 .mk .na \fB\fB-e\fR \fImacaddr\fR\fR .ad .br .na \fB\fB--macaddr\fR \fImacaddr\fR\fR .ad .RS 21n .rt Specifies a MAC address for the client. .RE Where [\fBoptions\fR] is any of the following: .sp .ne 2 .mk .na \fB\fB-n\fR|\fB--service\fR <\fIsvcname\fR>\fR .ad .sp .6 .RS 4n Moves the client to this service if it is different from the existing service the client is associated with. .RE .sp .ne 2 .mk .na \fB\fB-g\fR\fR .ad .br .na \fB\fB--generate-all-certs\fR\fR .ad .sp .6 .RS 4n Generates a new set of CA Cert, Client Cert and Key, including an encryption key and hash for SPARC if they are not already in place. .RE .sp .ne 2 .mk .na \fB\fB-x\fR\fR .ad .br .na \fB\fB--delete-security\fR\fR .ad .sp .6 .RS 4n Deletes the client's security information. This can be further modified using the following options: .sp .ne 2 .mk .na \fB\fB-y\fR|\fB--noprompt\fR\fR .ad .RS 20n .rt Specifies that no prompting for confirmations should be done. .RE .sp .ne 2 .mk .na \fB\fB--hash\fR <\fIca-hash\fR>\fR .ad .RS 20n .rt Limits the command to deleting only any CA Cert that matches the specified <\fIca-hash\fR> value. .RE .RE .sp .ne 2 .mk .na \fB\fB-A\fR <\fIca-certfile\fR>...\fR .ad .br .na \fB\fB--ca-cert\fR <\fIca-certfile\fR>...\fR .ad .sp .6 .RS 4n Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <\fIca-certfile\fR>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple \fB-A\fR options. 
.RE .sp .ne 2 .mk .na \fB\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>\fR .ad .br .na \fB\fB--cert\fR <\fIcertfile\fR> \fB--key\fR <\fIkeyfile\fR>\fR .ad .sp .6 .RS 4n \fB-C\fR assigns a user-provided PEM-encoded X.509 certificate located at path <\fIcertfile\fR>. .sp \fB-K\fR assigns a user-provided PEM-encoded X.509 private key located at path <\fIkeyfile\fR>. The <\fIkeyfile\fR> must have any passphrase removed. .sp The \fB-C\fR option must be used with the \fB-K\fR option. If you specify just the \fB-C\fR and \fB-K\fR options, the associated CA certificate must have been previously assigned. .sp If you also specify \fB-A\fR options then this certificate and key will be validated against those CA Certificates. .RE For SPARC clients only, [\fBoptions\fR] are may be either one of the following: .sp .ne 2 .mk .na \fB\fB-E\fR\fR .ad .br .na \fB\fB--generate-encr-key\fR\fR .ad .RS 23n .rt Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key. .sp OBP keys are automatically generated if they do not already exist when you use the \fB-g\fR, \fB-C\fR, \fB-K\fR, or \fB-A\fR options. Once these keys are generated, you can use the \fB-E\fR and \fB-H\fR options to replace the existing keys. Specifying the \fB-E\fR or \fB-H\fR option before OBP keys exist is an error. You can specify both OBP key options, or you can specify either \fB-E\fR or \fB-H\fR. The OBP keys that already exist are invalidated and replaced with the newly generated values. .RE .sp .ne 2 .mk .na \fB\fB-H\fR\fR .ad .br .na \fB\fB--generate-hmac-key\fR\fR .ad .RS 23n .rt Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key. 
.RE For x86 clients only, [\fBoptions\fR] are may be either one of the following: .sp .ne 2 .mk .na \fB\fB-b\fR|\fB--boot-args\fR \fBnone\fR|<\fIproperty\fR>=<\fIvalue\fR>,...\fR .ad .sp .6 .RS 4n For x86 clients only, sets the boot arguments for the GRUB menu, or removes them if 'none' is specified, restoring the service GRUB configuration. .sp This option will fail if there is a custom GRUB2 menu already in place for this client. .RE .sp .ne 2 .mk .na \fB\fB-G\fR|\fB--grub-cfg\fR \fBnone\fR|<\fIgrub.cfg\fR>\fR .ad .sp .6 .RS 4n For x86 clients only, assigns a new GRUB2 menu file, or removes one if 'none' is specified. .sp Adding a new GRUB2 menu will replace any existing \fBboot-args\fR specified for this client. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm delete-client\fR \fB-e\fR|\fB--macaddr\fR \fImacaddr\fR\fR .ad .sp .6 .RS 4n Deletes an existing client's specific service information that was previously set up using the \fBcreate-client\fR subcommand. .sp .LP If the following conditions exist, the client is unconfigured in the ISC DHCP configuration: .RS +4 .TP .ie t \(bu .el o The client is an x86 system. .RE .RS +4 .TP .ie t \(bu .el o A local ISC DHCP configuration exists. .RE .RS +4 .TP .ie t \(bu .el o The \fBall_services/manage_dhcp\fR property value is \fBtrue\fR. .RE The required arguments are: .sp .ne 2 .mk .na \fB\fB-e\fR \fImacaddr\fR\fR .ad .br .na \fB\fB--macaddr\fR \fImacaddr\fR\fR .ad .RS 21n .rt Specifies the MAC address of the client to delete. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm set-server\fR [\fBoptions\fR] [\fBsec_options\fR]\fR .ad .sp .6 .RS 4n Modifies the server configuration. .sp Note the following specifications: .RS +4 .TP .ie t \(bu .el o If \fB-i\fR and \fB-c\fR options are used, and a DHCP server is not yet configured, an ISC DHCP server is configured. .sp If an ISC DHCP server is already configured, that DHCP server is updated. 
.sp Even when \fB-i\fR and \fB-c\fR arguments are provided and DHCP is configured, no binding exists between the install service being created and the IP range. When \fB-i\fR and \fB-c\fR are passed and the value of \fBall_services\fR/\fBmanage_dhcp\fR is true, the IP range is set up, a new DHCP server is created if needed, and that DHCP server remains up and running for all install services and all clients to use. The network information provided to the DHCP server has no specific bearing on the service being created. .RE .RS +4 .TP .ie t \(bu .el o If the IP range requested is not on a subnet that the install server has direct connectivity to and the install server is multihomed, the \fB-B\fR option is used to provide the address of the bootfile server (usually an IP address on this system). This should only be necessary when multiple IP addresses are configured on the install server and DHCP relays are employed. In all other configurations, the software can determine this automatically. .RE Where [\fBoptions\fR] is at least one of: .sp .ne 2 .mk .na \fB\fB-p\fR <\fIport\fR>\fR .ad .br .na \fB\fB--port\fR <\fIport\fR>\fR .ad .sp .6 .RS 4n Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555. .sp If you want to use a different port number from the default, customize the port property before you create any install services. .RE .sp .ne 2 .mk .na \fB\fB-P\fR <\fIsecure_port\fR>\fR .ad .br .na \fB\fB--secure-port\fR <\fIsecure_port\fR>\fR .ad .sp .6 .RS 4n Specifies the port that hosts the secure AI install services web server. By default, the secure web server is hosted on port 5556. .RE .sp .ne 2 .mk .na \fB\fB-d\fR <\fIdirectory\fR>\fR .ad .br .na \fB\fB--imagepath-basedir\fR <\fIdirectory\fR>\fR .ad .sp .6 .RS 4n Specifies the default location for images created by the \fBinstalladm create-service\fR command. Images are located at \fB/service_name\fR\&. 
The default value of this property is \fB/export/auto_install\fR. .RE .sp .ne 2 .mk .na \fB\fB-u\fR|\fB--enable-webui\fR\fR .ad .sp .6 .RS 4n Enables the AI Manifest Wizard Web UI, and is mutually exclusive with the \fB-U\fR option. .RE .sp .ne 2 .mk .na \fB\fB-U\fR|\fB--disable-webui\fR\fR .ad .sp .6 .RS 4n Disables the AI Manifest Wizard Web UI, and is mutually exclusive with the \fB-u\fR option. .RE .sp .ne 2 .mk .na \fB\fB-z\fR|\fB--enable-wizard-save\fR\fR .ad .sp .6 .RS 4n Enables the AI Manifest Wizard to write generated manifests to a temporary location on the AI server for ease of addition to a service through \fBinstalladm\fR. Mutually exclusive with the \fB-Z\fR option. .RE .sp .ne 2 .mk .na \fB\fB-Z\fR|\fB--disable-wizard-save\fR\fR .ad .sp .6 .RS 4n Disables the AI Manifest Wizard writing generated manifests to a temporary location on the AI server for ease of addition to a service through \fBinstalladm\fR. Mutually exclusive with the \fB-z\fR option. .RE .sp .ne 2 .mk .na \fB\fB-l\fR \fBall\fR|<\fICIDR\fR>[,...]\fR .ad .br .na \fB\fB--include-networks\fR \fBall\fR|<\fICIDR\fR>[,...]\fR .ad .sp .6 .RS 4n Takes a comma-separated list of networks in CIDR format (for example, \fI192.168.56.0/24\fR) to allow. .sp Use this list of networks to specify which clients this install server serves. Using this option will replace any networks already configured using \fB-l\fR or \fB-L\fR options. .sp Using this option will set the AI install server SMF \fBall_services\fR/\fBnetworks\fR and \fBall_services/exclude_networks\fR values. Specifically, this sets the \fBall_services/exclude_networks\fR property to false. .sp By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'all' value here. 
.RE .sp .ne 2 .mk .na \fB\fB-L\fR \fBnone\fR|<\fICIDR\fR>[,...]\fR .ad .br .na \fB\fB--exclude-networks\fR \fBnone\fR|<\fICIDR\fR>[,...]\fR .ad .sp .6 .RS 4n Tells the server to exclude these networks when deciding what to serve out on, mutually exclusive with the \fB-l\fR option. Using this option will replace any networks already configured using \fB-l\fR or \fB-L\fR options. .sp Takes a comma-separated list of networks in CIDR format (for example, \fI192.168.56.0/24\fR) to disallow. .sp Using this option will set the AI install server SMF \fBall_services/networks\fR and \fBall_services/exclude_networks\fR values. Specifically, this sets the \fBall_services/exclude_networks\fR property to true. .sp By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. To return to this state you can use the special 'none' value here. .RE .sp .ne 2 .mk .na \fB\fB-m\fR\fR .ad .br .na \fB\fB--manage-dhcp\fR\fR .ad .sp .6 .RS 4n Configures the AI server property to manage the DHCP configuration locally. If set the AI server will automatically update the local ISC DHCP configuration when client and service configurations are modified in the install server. .sp If there is no existing ISC DHCP configuration, then the \fB-i\fR and \fB-c\fR options must also be specified to define the address range to manage. .sp Mutually exclusive with the \fB-M\fR option. .RE .sp .ne 2 .mk .na \fB\fB-M\fR\fR .ad .br .na \fB\fB--unmanage-dhcp\fR\fR .ad .sp .6 .RS 4n Configures the AI server property to not manage the DHCP configuration locally, so the AI server will not automatically maintain the ISC DHCP configuration when client or service configurations are modified. .sp Mutually exclusive with the \fB-m\fR option. 
.RE .sp .ne 2 .mk .na \fB\fB-i\fR <\fIdhcp_ip_start\fR> \fB-c\fR <\fIcount_of_ipaddr\fR>\fR .ad .br .na \fB\fB--ip-start\fR <\fIdhcp_ip_start\fR> \fB--ip-count\fR <\fIcount_of_ipaddr\fR>\fR .ad .sp .6 .RS 4n Changes the DHCP configuration if managing DHCP. The \fB-i\fR and \fB-c\fR options must be specified together. .sp If not already managing DHCP, it will be necessary to also specify the \fB-m\fR option to enable it. .sp These options are used to specify the starting IP address in a range to be added to the local DHCP configuration. .sp The number of IP addresses is provided by the \fB-c\fR option. If a local ISC DHCP configuration does not exist, and \fB-m\fR is also specified, an ISC DHCP server is started. .sp If a local ISC DHCP configuration already exists these addresses will be added to the existing set of managed addresses, provided there is no overlap. .RE .sp .ne 2 .mk .na \fB\fB-B\fR <\fIserver_ipaddr\fR>\fR .ad .br .na \fB\fB--bootfile-server\fR <\fIserver_ipaddr\fR>\fR .ad .sp .6 .RS 4n Used to provide the IP address of the boot server from which clients should request bootfiles. Only required if this IP address cannot be determined by other means. .RE .sp .ne 2 .mk .na \fB\fB-s\fR\fR .ad .br .na \fB\fB--enable-security\fR\fR .ad .sp .6 .RS 4n Mutually exclusive with the \fB-S\fR option. .sp Re-enables security enforcement server-wide after security was disabled by using the \fB--disable-security\fR option. .RE .sp .ne 2 .mk .na \fB\fB-S\fR\fR .ad .br .na \fB\fB--disable-security\fR\fR .ad .sp .6 .RS 4n Mutually exclusive with the \fB-s\fR option. .sp Disables security enforcement server-wide. While security is disabled, no credentials will be issued to clients, and no credentials will be required from clients. While security is disabled, no HTTPS network protection is provided for any of the AI files served to an AI client. User-specified secure files served by the AI web server are not accessible while security is disabled. 
.sp While security is disabled, you can continue to configure security. Any changes are effective when security is re-enabled. .sp Use caution when disabling security for systems that already have install services configured: The secured AI service data will not require authentication to access, and non-authenticated clients will be able to install Oracle Solaris through AI. .RE .sp .ne 2 .mk .na \fB\fB-D\fR\fR .ad .br .na \fB\fB--default-client-security\fR\fR .ad .sp .6 .RS 4n Limits the [\fBsec_options\fR] to modifying the default client security only as opposed to the server's security settings. .RE The [\fBsec_options\fR] can be any of the following. By default they are applied to the server, unless the \fB-D\fR|\fB--default-client-security\fR option is specified: .sp .ne 2 .mk .na \fB\fB-x\fR [\fB--hash\fR <\fIca-hash\fR> [\fB-r\fR]]\fR .ad .br .na \fB\fB--delete-security\fR [\fB--hash\fR <\fIca-hash\fR> [\fB--recursive\fR]]\fR .ad .sp .6 .RS 4n Delete any configured security. If \fB--hash\fR is specified, only CA Certificates with that hash will be removed. .sp Without \fB-r\fR, deletes the CA certificate previously assigned to the install server (or the default client with \fB-D\fR specified). .sp With \fB-r\fR, deletes the specified CA certificate for the server and any clients that use that CA certificate. .sp Deletes the CA certificate previously assigned to the install server, the specified client, default clients. .sp The value of <\fIca-hash\fR> is the hash value of the certificate's X.509 subject. Use the \fBlist -v\fR subcommand to display the CA certificate hash. .sp When the CA certificate is deleted for a client, that client can no longer be authenticated. If you use the specified CA certificate to generate certificates, the \fBinstalladm\fR command will not be able to generate certificates. 
.RE .sp .ne 2 .mk .na \fB\fB-g\fR\fR .ad .br .na \fB\fB--generate-all-certs\fR\fR .ad .sp .6 .RS 4n Automatically generates and assigns all X.509 security credentials and generates OBP keys. The CA certificate and OBP keys are generated only if they do not already exist. .RE .sp .ne 2 .mk .na \fB\fB-A\fR <\fIca-certfile\fR>...\fR .ad .br .na \fB\fB--ca-cert\fR <\fIca-certfile\fR>...\fR .ad .sp .6 .RS 4n Assigns a user-provided PEM-encoded X.509 Certificate Authority (CA) certificate located at path <\fIca-certfile\fR>. You only need to specify each CA chain of trust one time. If the CA chain includes more than one CA certificate file, use multiple \fB-A\fR options. .RE .sp .ne 2 .mk .na \fB\fB-C\fR <\fIcertfile\fR> \fB-K\fR <\fIkeyfile\fR>\fR .ad .br .na \fB\fB--cert\fR <\fIcertfile\fR> \fB--key\fR <\fIkeyfile\fR>\fR .ad .sp .6 .RS 4n \fB-C\fR assigns a user-provided PEM-encoded X.509 certificate located at path <\fIcertfile\fR>. .sp \fB-K\fR assigns a user-provided PEM-encoded X.509 private key located at path <\fIkeyfile\fR>. The <\fIkeyfile\fR> must have any passphrase removed. Because the key is then stored unencrypted, restrict read access to <\fIkeyfile\fR> with file permissions. .sp The \fB-C\fR option must be used with the \fB-K\fR option. If you specify just the \fB-C\fR and \fB-K\fR options, the associated CA certificate must have been previously assigned. .sp If you also specify \fB-A\fR options then this certificate and key will be validated against those CA Certificates. .RE .sp .ne 2 .mk .na \fB\fB-E\fR\fR .ad .br .na \fB\fB--generate-encr-key\fR\fR .ad .sp .6 .RS 4n Regenerates a SPARC OBP firmware security encryption key. Invalidates any existing key. .sp OBP keys are automatically generated if they do not already exist when you use the \fB-g\fR, \fB-C\fR, \fB-K\fR, or \fB-A\fR options. Once these keys are generated, you can use the \fB-E\fR and \fB-H\fR options to replace the existing keys. Specifying the \fB-E\fR or \fB-H\fR option before OBP keys exist is an error. 
You can specify both OBP key options, or you can specify either \fB-E\fR or \fB-H\fR. The OBP keys that already exist are invalidated and replaced with the newly generated values. .RE .sp .ne 2 .mk .na \fB\fB-H\fR\fR .ad .br .na \fB\fB--generate-hmac-key\fR\fR .ad .sp .6 .RS 4n Regenerates a SPARC OBP firmware security hashing key (HMAC). Invalidates any existing key. .RE .RE .sp .ne 2 .mk .na \fB\fBinstalladm execute\fR \fB-f\fR <\fIfile\fR>\fR .ad .sp .6 .RS 4n Executes a list of subcommands from <\fIfile\fR> in sequence as a batch job. .sp Has the added benefit of leaving refresh/restart of SMF services until the completion of the batch run. .sp The required arguments are: .sp .ne 2 .mk .na \fB\fB-f\fR <\fIfile\fR>\fR .ad .br .na \fB\fB--file\fR <\fIfile\fR>\fR .ad .RS 17n .rt The file containing a list of subcommands to be executed, one line per subcommand. .sp Blank lines, and those starting with a '#' are ignored. .RE .RE .SH INTERACTIVE MODE .sp .LP The interactive mode provides an \fBinstalladm\fR prompt at which it is possible to enter subcommands one after the other. The main benefits of interactive mode are: .RS +4 .TP .ie t \(bu .el o To input several commands using just the subcommand form, especially useful if using sudo or pfexec to run \fBinstalladm\fR with additional privileges or authorisations. .RE .RS +4 .TP .ie t \(bu .el o Tab-completion of the subcommands. .RE .sp .LP In interactive mode, there are several other commands available to use that are not used by the one-command usage: .sp .ne 2 .mk .na \fB\fBshell\fR [<\fIcommand\fR>]\fR .ad .RS 21n .rt If specified, will execute the <\fIcommand\fR> in a sub-shell based on the value of the environment variable SHELL. .sp Without any parameters will start a sub-shell to be used interactively. .sp The sub-shell is started by \fBinstalladm\fR, so it runs with the privileges that \fBinstalladm\fR itself was started with (for example, through sudo or pfexec). .sp There is also a short-form of this command '\fB!\fR' that can be used as "\fB!ls\fR" to execute the \fBls\fR command. .RE .sp .ne 2 .mk .na \fB\fBquit\fR\fR .ad .RS 21n .rt Quits the interactive prompt. 
.RE .SH CRITERIA .sp .LP Manifests, derived manifest scripts, and profiles can be used to configure AI clients differently according to certain characteristics, or criteria. Only one manifest or script can be associated with a particular client. Any number of profiles can be associated with a particular client. .sp .LP The criteria values are determined by the AI client during startup. .sp .LP See the "Examples" section to see how to specify criteria on the command line. For information about creating a criteria file, see \fIInstalling Oracle Solaris 11.3 Systems\fR. .sp .sp .TS tab(); cw(1.38i) cw(4.13i) lw(1.38i) lw(4.13i) . CriteriaDescription \fBarch\fRArchitecture per \fBuname -m\fR. \fBcpu\fRCPU class per \fBuname -p\fR. \fBhostname\fRAssigned host name. \fBipv4\fRIP version 4 network address. \fBmac\fRT{ Hexadecimal MAC address with colon (:) separators. T} \fBmem\fRMemory size in MB per \fBprtconf\fR(1M). \fBnetwork\fRIP version 4 network number. \fBplatform\fRT{ Platform name returned by \fBuname -i\fR for x86 systems and \fBprtconf -b\fR for SPARC systems. T} \fBzonename\fRName of a zone per \fBzones\fR(5). .TE .sp .LP The \fBipv4\fR, \fBmac\fR, \fBmem\fR, and \fBnetwork\fR specifications can be expressed as ranged values separated by a hyphen (\fB-\fR). To specify no limit to one end of a range, use \fBunbounded\fR. Precedence is given to specific value matches versus range matches when determining a matching manifest. .sp .LP The \fBarch\fR, \fBcpu\fR, \fBhostname\fR, \fBplatform\fR, and \fBzonename\fR specifications can be expressed as a quoted list of values separated by white space. .SH INSTALL SERVER CONFIGURATION PROPERTIES .sp .LP The following properties of the \fBsvc:/system/install/server:default\fR SMF service are used to configure the install server. .sp .LP The majority of these are configurable using the \fBset-server\fR subcommand which would be the preferred mechanism for updating them. 
.sp .ne 2 .mk .na \fB\fBall_services/networks\fR\fR .ad .sp .6 .RS 4n A list of networks in CIDR format (for example, \fI192.168.56.0/24\fR) to allow or disallow, depending on how the \fBall_services/exclude_networks\fR property is set. .sp Use this list of networks to specify which clients this install server serves. By default, the AI install server is configured to serve install clients on all networks that the server is connected to if the server is multihomed. .RE .sp .ne 2 .mk .na \fB\fBall_services/exclude_networks\fR\fR .ad .sp .6 .RS 4n A boolean value. If true, exclude networks specified by the \fBall_services/networks\fR property from being served by this install server. If false, include the networks specified by the \fBall_services/networks\fR property. .RE .sp .ne 2 .mk .na \fB\fBall_services/port\fR\fR .ad .sp .6 .RS 4n Specifies the port that hosts the AI install services web server. By default, the web server is hosted on port 5555. .sp If you want to use a different port number from the default, customize the port property before you create any install services. .RE .sp .ne 2 .mk .na \fB\fBall_services/secure_port\fR\fR .ad .sp .6 .RS 4n Specifies the port that hosts the secure AI install services web server. By default, the web server is hosted on port 5556. .RE .sp .ne 2 .mk .na \fB\fBall_services/webserver_files_dir\fR\fR .ad .sp .6 .RS 4n Specifies a directory on the local system that the AI web server will serve using its standard port (defined by the \fBall_services/port\fR property). This directory will be accessible at the following location: .sp \fBhttp://server:port/files\fR .RE .sp .ne 2 .mk .na \fB\fBall_services/webserver_secure_files_dir\fR\fR .ad .sp .6 .RS 4n Specifies a directory on the local system that the AI web server will serve using its secure port (defined by the \fBall_services/secure_port\fR property). 
This directory will be accessible at the following location: .sp \fBhttps://server:secure_port/secure_files\fR .sp Only authenticated clients can access this directory. For greatest security, files in the \fBwebserver_secure_files_dir\fR directory should be owned by user webservd and group webservd and have no world access. .RE .sp .ne 2 .mk .na \fB\fBall_services/default_imagepath_basedir\fR\fR .ad .sp .6 .RS 4n Specifies the default location for images created by the \fBinstalladm create-service\fR command. Images are located at \fBall_services/default_imagepath_basedir/service_name\fR. The default value of this property is \fB/export/auto_install\fR. .RE .sp .ne 2 .mk .na \fB\fBall_services/manage_dhcp\fR\fR .ad .sp .6 .RS 4n A boolean value. If true, automatically update the local ISC DHCP configuration when client and service configurations are modified in the install server. If false, does not automatically maintain the ISC DHCP configuration. .RE .SH MANIFEST EDITOR CLI .sp .LP The manifest editor CLI is an interactive interface that presents the AI manifest content as a set of objects and properties that can be manipulated using subcommands entered at the interactive interface prompt. It allows you to interactively edit a manifest during \fBcreate-manifest\fR or \fBupdate-manifest\fR without having to view or understand an XML document. .sp .LP The interface provides a visual representation of the objects and properties in the manifest. Objects can contain properties that can be set, deleted, or added, as well as sub-objects (themselves objects) that can be traversed, added, deleted, or moved. 
.sp .LP The following subcommands are available within the interface: .sp .ne 2 .mk .na \fBOperations subcommands\fR .ad .RS 26n .rt \fBset\fR, \fBadd\fR, \fBdelete\fR, and \fBmove\fR .RE .sp .ne 2 .mk .na \fBNavigation subcommands\fR .ad .RS 26n .rt \fBselect\fR, \fBcancel\fR, and \fBend\fR .RE .sp .ne 2 .mk .na \fBAdditional subcommands\fR .ad .RS 26n .rt \fBhelp\fR, \fBinfo\fR, \fBwalk\fR, \fBcommit\fR, \fBexit\fR, \fBvalidate\fR, and \fBshell\fR .RE .sp .ne 2 .mk .na \fB\fBhelp\fR [\fIsubcommand\fR]\fR .ad .sp .6 .RS 4n Without any parameters, provides a list of available subcommands. If a subcommand is specified, help is provided for that specific subcommand. .RE .sp .ne 2 .mk .na \fB\fBinfo\fR [\fB-v\fR|\fB--verbose\fR]\fR .ad .sp .6 .RS 4n By default, displays all properties and objects up to one level down. For objects more than one level down, a summary line is displayed, followed by ' ...'. Use the \fB-v \fR option to show details of objects more than one level down. When multiples of a given object exist, the order is designated by <\fIobject\fR>[<\fIposition\fR#>],for example, disk[3]. .RE .sp .ne 2 .mk .na \fB\fBselect\fR <\fIobject\fR>\fR .ad .br .na \fB\fBselect\fR <\fIobject\fR>[<\fIposition\fR#>]\fR .ad .br .na \fB\fBselect\fR <\fIobject\fR> <\fIproperty\fR>=<\fIvalue\fR> \fR .ad .sp .6 .RS 4n Selects an object and navigates to that level. The object may be further specified by \fIposition#\fR or by the value of a property. .RE .sp .ne 2 .mk .na \fB\fBcancel\fR\fR .ad .sp .6 .RS 4n Discards any changes made on the current level and navigates up one level. .RE .sp .ne 2 .mk .na \fB\fBend\fR\fR .ad .sp .6 .RS 4n Validates changes made on the current level and, if no validation errors occur, navigates up one level. At top level, same as '\fBexit\fR'. .RE .sp .ne 2 .mk .na \fB\fBset\fR <\fIproperty\fR>=<\fIvalue\fR>\fR .ad .sp .6 .RS 4n Sets the value of an object's <\fIproperty\fR> to <\fIvalue\fR>. 
.RE .sp .ne 2 .mk .na \fB\fBadd\fR [\fB-w\fR|\fB--walk\fR] <\fIobject\fR>\fR .ad .br .na \fB\fBadd\fR <\fIproperty\fR>=<\fIvalue\fR>\fR .ad .sp .6 .RS 4n Adds an object or a property. If \fB-w\fR is specified for an object, the object is added and a '\fBwalk\fR' is started. Without \fB-w\fR, the new object's '\fBinfo\fR' is automatically displayed, showing the properties/default values of the added object. .RE .sp .ne 2 .mk .na \fB\fBdelete\fR <\fIproperty\fR>\fR .ad .br .na \fB\fBdelete\fR <\fIproperty\fR>=<\fIvalue\fR>\fR .ad .br .na \fB\fBdelete\fR <\fIobject\fR>\fR .ad .br .na \fB\fBdelete\fR <\fIobject\fR>[<\fIposition\fR#>]\fR .ad .br .na \fB\fBdelete\fR <\fIobject\fR> <\fIproperty\fR>=<\fIvalue\fR>\fR .ad .sp .6 .RS 4n Deletes an object or property. The property may be specified by value and the object may be specified by \fIposition#\fR or by the value of a property. .RE .sp .ne 2 .mk .na \fB\fBmove\fR <\fIobject\fR> <\fIold position#\fR> <\fInew position#\fR>\fR .ad .sp .6 .RS 4n Moves object to a different position. Valid objects to move are designated in '\fBinfo\fR' output by '[<\fIposition#\fR>]'. .RE .sp .ne 2 .mk .na \fB\fBwalk\fR\fR .ad .sp .6 .RS 4n Prompts for every settable property associated with the current object. For each property, displays the name and current value and allows a new value to be entered. Recursively walks down sub objects and allows addition of new subobjects. Can be interrupted with \fBCtrl\fR-\fBD\fR. .RE .sp .ne 2 .mk .na \fB\fBvalidate\fR\fR .ad .sp .6 .RS 4n Validates settings at the current level. This is an optional subcommand. The subcommands, '\fBend\fR' and '\fBexit\fR', validate implicitly. .RE .sp .ne 2 .mk .na \fB\fBcommit\fR\fR .ad .sp .6 .RS 4n Validates changes, saves manifest, and continues editing. Valid at top level only. Following a successful commit, a new baseline is established and \fBcancel\fR can no longer revert any changes made earlier. 
.RE .sp .ne 2 .mk .na \fB\fBexit\fR\fR .ad .sp .6 .RS 4n Prompts whether to save manifest and exit (changes are validated), exit without saving uncommitted changes, or continue editing. .RE .sp .ne 2 .mk .na \fB\fBshell\fR <\fIsolaris command\fR>\fR .ad .br .na \fB!<\fIsolaris command\fR>\fR .ad .sp .6 .RS 4n Executes the <\fIsolaris command\fR> in a sub-shell based on the value of the environment variable \fBSHELL\fR. Without any parameters, will start a sub-shell to be used interactively. Can be used to easily execute a system command or view system information from within the interface. .RE .SS "Manifest Editor CLI Examples" .LP \fBExample 1 \fRCreating a New Manifest and Changing the Publisher to Point to a Local Repository .sp .in +2 .nf # \fBinstalladm create-manifest -n sol_11_3 -m mymanifest\fR Type help to see list of subcommands. installadm:mymanifest> info http-proxy: auto-reboot: false create-swap: true create-dump: true software: type: IPS name: facet[1]: facet.locale.*=false ... facet[20]: facet.locale.zh_TW=true ... publisher: name=solaris ... pkg-list: action=install ... disk: Section not specified pool: action: create name: rpool is-root: true mountpoint: pool-option: Section not specified dataset-option: Section not specified be-option: Section not specified vdev: Section not specified filesystem[1]: name=export ... option: Section not specified filesystem[2]: name=export/home ... option: Section not specified volume: Section not specified boot-mods: Section not specified configuration: Section not specified installadm:mymanifest> select software installadm:mymanifest:software> select publisher installadm:mymanifest:software:publisher> set origin=http://myrepo.example.com/solaris installadm:mymanifest:software:publisher> info name: solaris key: cert: ca-cert: origin: http://myrepo.example.com/solaris mirror: installadm:mymanifest:software:publisher> end installadm:mymanifest:software> end installadm:mymanifest> exit 1. Save manifest and exit 2. 
Exit without saving uncommitted changes 3. Continue editing Please select choice: 1 100% : Created Manifest: 'mymanifest' # .fi .in -2 .sp .LP \fBExample 2 \fRCreating a Second Manifest for the Install Service Based on a Previously Created Manifest .sp .LP The following example creates a second manifest for the install service based on the manifest created in Example 1, but additionally adds a new package to the list of packages to be installed. .sp .in +2 .nf # installadm installadm> create-manifest -n sol_11_3 -m newmanifest -M mymanifest -e Type help to see list of subcommands. installadm:newmanifest> select software installadm:newmanifest:software> select pkg-list installadm:newmanifest:software:pkg-list> add name=pkg:/my/new/pkg installadm:newmanifest:software:pkg-list> exit 1. Save manifest and exit 2. Exit without saving uncommitted changes 3. Continue editing Please select choice: 1 Created Manifest: 'newmanifest' installadm> .fi .in -2 .sp .LP \fBExample 3 \fRReplacing the Contents of a Manifest .sp .LP The following example replaces the contents of a manifest, oldmanifest, with that of \fB/tmp/replace.xml\fR, and additionally changes the \fBauto-reboot\fR property from false to true and adds a new publisher, by using \fBwalk\fR to set the publisher properties desired. .sp .in +2 .nf # installadm update-manifest -n sol_11_3 -m oldmanifest \ -f /tmp/replace.xml -e installadm:oldmanifest> select software installadm:oldmanifest:software> add -w publisher * To terminate walk, use Ctrl-D * name []: newpublisher key []: cert []: ca-cert []: origin []: http://myrepo.example.com/solaris origin []: mirror []: installadm:oldmanifest:software:publisher> end installadm:oldmanifest:software> end installadm:oldmanifest> set auto-reboot=true installadm:oldmanifest> exit 1. Save manifest and exit 2. Exit without saving uncommitted changes 3. 
Continue editing Please select choice: 1 Changed Manifest: 'oldmanifest' # .fi .in -2 .sp .LP \fBExample 4 \fRUpdating an Existing Manifest .sp .LP The following example updates an existing manifest, testmanifest, so that the disk is no longer selected by ctd name, but by size. .sp .in +2 .nf # installadm update-manifest -n sol_11_3 -m testmanifest installadm:testmanifest> select disk installadm:testmanifest:disk> info in-zpool: rpool in-vdev: name: name: c0t0d0 name-type: ctd disk-selection-props: Section not specified keyword: Section not specified iscsi: Section not specified gpt-partition: Section not specified partition: Section not specified slice: Section not specified installadm:testmanifest:disk> delete name Are you sure you want to remove 'name'? [y|N]: y Object 'name' deleted. installadm:testmanifest:disk> add disk-selection-props type: vendor: chassis: size: installadm:testmanifest:disk:disk-selection-props> set size=750gb installadm:testmanifest:disk:disk-selection-props> end installadm:testmanifest:disk> info in-zpool: rpool in-vdev: name: Section not specified disk-selection-props: type: vendor: chassis: size: 750gb keyword: Section not specified iscsi: Section not specified gpt-partition: Section not specified partition: Section not specified slice: Section not specified installadm:testmanifest:disk> end installadm:testmanifest> end 1. Save manifest and exit 2. Exit without saving uncommitted changes 3. Continue editing Please select choice: 1 100% : Changed Manifest: 'testmanifest' .fi .in -2 .sp .SH EXAMPLES .LP \fBExample 5 \fRSet Up a New x86 Install Service From a Package Repository .sp .LP Set up an install server and an x86 install service for the first time. .sp .LP If you are not using the SPARC OBP's network-boot-arguments variable to configure an AI client, then a DHCP server must be configured to supply the AI service configuration. If you already have the OBP or DHCP server configured, this step may be skipped. 
Otherwise, \fBinstalladm\fR can setup and manage a local ISC DHCP server for AI clients to boot from. To configure this you can use the \fBset-server\fR subcommand: .sp .LP The \fBset-server\fR subcommand is used to set a starting IP address and total count of IP addresses, in order to configure the DHCP server. .sp .in +2 .nf # \fBinstalladm set-server -i 172.0.0.10 -c 10\fR .fi .in -2 .sp .sp .LP The starting IP address of \fI172.0.0.10\fR and 10 IP addresses are added to the local ISC DHCP configuration. If a local ISC DHCP configuration does not exist, an ISC DHCP server is started. .sp .LP If you do not specify a source for the net image, an IPS package is used, for example: .sp .in +2 .nf # \fBinstalladm create-service -y\fR .fi .in -2 .sp .sp .LP On an x86 install server, this command sets up an x86 net image and install service with a default name in a directory at the image location specified by the value of the \fBall_services/default_imagepath_basedir\fR property. For the default value of this property, see "Install Server Configuration Properties." The \fB-y\fR option confirms that the default location is acceptable. Since the architecture is not specified, the service created is of the same architecture as the install server. This command assumes that a package repository on the \fBpkg publisher\fR list for the install server contains the \fBinstall-image/solaris-auto-install\fR package. .sp .LP The command sets up a net image and an install service using the default image path and the service name, \fB/export/auto_install/sol-11_1-i386\fR. .sp .LP Because this is the first x86 service created, the default-i386 service is automatically created and aliased to this service. The default-i386 alias is operational, and a client booted through PXE will boot and install from the default-i386 service if not specifically configured using create-client. 
.LP \fBExample 6 \fRSet Up a New SPARC Install Service From a Package Repository .sp .LP To specify the creation of a SPARC service on an x86 install server, use the \fB-a\fR option: .sp .in +2 .nf # \fBinstalladm create-service -y -a sparc\fR .fi .in -2 .sp .sp .LP If you do not specify a source for the net image, an IPS package is used by default. .sp .LP This net image enables SPARC client installations. .sp .LP Because this is the first SPARC service created, the \fBdefault-sparc\fR service is automatically created and aliased to this service. The \fBdefault-sparc\fR alias is operational, and a SPARC client will boot and install from the \fBdefault-sparc\fR service. .LP \fBExample 7 \fRSet Up an x86 Install Service From a Different Package Repository .sp .LP By default, the \fBsolaris-auto-install\fR package is obtained from the system's configured publishers. .sp .LP To specify an alternative package repository for the \fBsolaris-auto-install\fR package, use the \fB-p\fR option. For example, use the following command to specify the ai-image publisher located at \fIhttp://example.company.com:4281\fR as the publisher of the \fBsolaris-auto-install\fR package: .sp .in +2 .nf # \fBinstalladm create-service -y \ -p ai-image=http://example.company.com:4281\fR .fi .in -2 .sp .LP \fBExample 8 \fRSet Up a New x86 Install Service From an ISO File .sp .LP An x86 install service can be created from an ISO image using: .sp .in +2 .nf # \fBinstalladm create-service -n sol-11_1-i386 \ -s /export/isos/sol-11_1-ai-x86.iso \ -y\fR .fi .in -2 .sp .sp .LP The AI ISO image is at \fB/export/isos/sol-11_1-ai-x86.iso\fR. The command sets up a net image and an install service at \fB/export/images/sol-11_1-i386\fR that is based on the AI ISO image. This net image enables client installations. 
.LP \fBExample 9 \fRSet Up a New SPARC Install Service From an ISO File .sp .LP A SPARC install service from an ISO image can be created using the command: .sp .in +2 .nf \fB# installadm create-service -n sol-11_1-sparc \ -s /export/isos/sol-11_1-ai-sparc.iso \ -d /export/images/sol-11_1-sparc\fR .fi .in -2 .sp .sp .LP The AI ISO image is at \fB/export/isos/sol-11_1-ai-sparc.iso\fR. The command sets up a net image and an install service at \fB/export/images/sol-11_1-sparc\fR that is based on the AI ISO image. This net image enables client installations. .LP \fBExample 10 \fRAssociate a Client With an Install Service .sp .LP Use the following sample command to associate a client with a specific install service. The install service must already exist. .sp .in +2 .nf # \fBinstalladm create-client -b "console=ttya" \\fR \fB-e 0:e0:81:5d:bf:e0 -n sol-11_1-i386\fR .fi .in -2 .sp .sp .LP In this example, the command creates a client-specific setup for the system with MAC address \fB0:e0:81:5d:bf:e0\fR. This client will use the install service previously set up, named \fBsol-11_1-i386\fR, and that service's associated net image. The command sets the boot property \fBconsole=ttya\fR in the client-specific boot configuration file in \fB/etc/netboot\fR. .LP \fBExample 11 \fRAdd a New Install Service Without Modifying the Default Service .sp .LP Use the following sample command to add a new service named \fBsol-11-sparc\fR, retaining existing services, and leaving the existing default unchanged. .sp .in +2 .nf # \fBinstalladm create-service -n sol-11-sparc \\fR \fB-s /export/isos/sol-11-1111-ai-sparc.iso \\fR \fB-d /export/ai/sol-11-sparc\fR .fi .in -2 .sp .LP \fBExample 12 \fRUpdate the \fBdefault-i386\fR Service .sp .LP Use the following sample command to update the \fBdefault-i386\fR alias service to be associated with the latest available image. The \fBinstalladm list\fR command shows the service before and after the command. 
The example assumes that an updated net image package is available from the publisher that was originally used to create the \fBdefault-i386\fR service alias. .sp .in +2 .nf # \fBinstalladm list\fR Service Name Base Service Status Arch Type Ali Cli Man Pro ------------ -------- ------ ---- ---- --- --- --- --- default-i386 solaris11-i386 on i386 pkg 0 1 1 0 solaris11-i386 - on i386 pkg 1 0 1 0 # \fBinstalladm update-service default-i386\fR \&... Creating new i386 service: solaris11_1-i386 Aliasing default-i386 to solaris11_1-i386 ... \&... # \fBinstalladm list\fR Service Name Base Service Status Arch Type Ali Cli Man Pro ------------ -------- ------ ---- ---- --- --- --- --- default-i386 solaris11_1-i386 on i386 pkg 0 1 1 0 solaris11-i386 - on i386 pkg 0 0 1 0 solaris11_1-i386 - on i386 pkg 1 0 1 0 .fi .in -2 .sp .LP \fBExample 13 \fRAdd a New Install Service and Update the \fBdefault-sparc\fR Service .sp .LP Use the following two sample commands to add a new service named \fBmy-sparc-service\fR, retaining existing services, and making the new service the default for SPARC clients. .sp .in +2 .nf # \fBinstalladm create-service -n solaris11_1-sparc \\fR \fB-s /export/isos/sol-11_1-ai-sparc.iso \\fR \fB-d /export/ai/solaris11_1-sparc\fR # \fBinstalladm set-service \\fR \fB--aliasof=solaris11_1-sparc default-sparc\fR .fi .in -2 .sp .LP \fBExample 14 \fRAdd a Custom Default AI Manifest to an Install Service .sp .LP Use the following sample command to add a new manifest to the \fBsol-11_1-i386\fR install service, and make it the service's default manifest. The manifest data is in \fBmy_default.xml\fR. Future \fBinstalladm \fR commands will refer to this manifest as \fBmy_default\fR. The \fB-d\fR option makes it the default manifest for the service. 
.sp .in +2 .nf # \fBinstalladm create-manifest -d -f my_default.xml \\fR \fB-m my_default -n sol-11_1-i386\fR .fi .in -2 .sp .LP \fBExample 15 \fRAdd a Derived Manifests Script to an Install Service .sp .LP Use the following sample command to add a derived manifests script named \fBmy_script\fR to an existing install service named \fBsolaris11_1-i386\fR. Scripts are added in the same way that manifests are added. .sp .in +2 .nf # \fBinstalladm create-manifest -f my_script.py \\fR \fB-m my_script -n solaris11_1-i386\fR .fi .in -2 .sp .sp .LP See \fIInstalling Oracle Solaris 11.3 Systems\fR for information about how to create derived manifest scripts. .LP \fBExample 16 \fRReplace the Default AI Manifest for an Install Service .sp .LP Use the following sample command to replace the default manifest for an existing install service, \fBsol-11_1-sparc\fR, with a custom manifest that has already been added to the service as \fBcustom_manifest\fR. The manifest was added to the service by specifying \fB-m custom_manifest\fR to the \fBcreate-manifest\fR subcommand. .sp .in +2 .nf # \fBinstalladm set-service \\fR \fB--default-manifest=custom_manifest sol-11_1-sparc\fR .fi .in -2 .sp .LP \fBExample 17 \fRList Install Services .sp .LP Use the following sample command to list the install services on a local server. .sp .in +2 .nf # \fBinstalladm list\fR Service Name Base Service Status Arch Type Ali Cli Man Pro ------------ -------- ------ ---- ---- --- --- --- --- default-i386 solaris11_1_6_2_0-i386 on i386 pkg 0 1 1 0 default-sparc solaris11_1_6_2_0-sparc on sparc pkg 0 0 1 0 solaris11_1_6_2_0-i386 - on i386 pkg 1 0 1 0 solaris11_1_6_2_0-sparc - on sparc pkg 1 0 1 0 .fi .in -2 .sp .LP \fBExample 18 \fRList Clients Associated With an Install Service .sp .LP Use the following sample command to list the clients of a specific install service on a local server. 
.sp .in +2 .nf $ \fBinstalladm list -c -n default-i386\fR Service Name Client Address Arch Secure Custom Args Custom Grub ------------ -------------- ---- ------ ----------- ----------- default-i386 00:11:22:33:44:55 i386 no yes no AA:BB:CC:DD:EE:FF i386 no no no .fi .in -2 .sp .LP \fBExample 19 \fRList Manifests Associated With an Install Service .sp .LP Use the following sample command to list the manifests and derived manifest scripts associated with a specific install service on a local server. .sp .in +2 .nf $ \fBinstalladm list -m -n default-sparc\fR Service Name Manifest Name Type Status Criteria ------------ ------------- ---- ------ -------- default-sparc mem xml active mem = 4086 MB custom_manifest xml default / active mem = 512 - 1024 MB orig_manfiest xml inactive none test_derived derived inactive none .fi .in -2 .sp .sp .LP This example shows the following output: .RS +4 .TP .ie t \(bu .el o A non-default manifest with criteria (\fBmem\fR) .RE .RS +4 .TP .ie t \(bu .el o A default manifest with criteria indicating it is still active (\fBcustom_manifest\fR) .RE .RS +4 .TP .ie t \(bu .el o A non-default manifest (\fBorig_default\fR) that is marked inactive because it has no criteria and it is not the default .RE .RS +4 .TP .ie t \(bu .el o A non-default derived manifest that is marked inactive because it has no criteria and it is not the default .RE .LP \fBExample 20 \fRList Profiles .sp .LP Use the following sample command to list the system configuration profiles for all install services on a local server.
.sp .in +2 .nf $ \fBinstalladm list -p\fR Service Name Profile Name Criteria ------------ ------------ -------- solaris11_1_6_2_0-i386 sc_all-i386.xml none solaris11_1_6_2_0-sparc sc_all-sparc.xml none sc_network.xml ipv4 = 10.0.2.100 - 10.0.2.199 network = 10.0.0.0 .fi .in -2 .sp .LP \fBExample 21 \fRAdd a Custom AI Manifest With No Name to an Install Service .sp .LP Use the following sample command to add the manifest in \fB/export/my_manifest.xml\fR to \fBsol-11_1-i386\fR with a criterion of MAC address equaling \fBaa:bb:cc:dd:ee:ff\fR. .sp .in +2 .nf # \fBinstalladm create-manifest \\fR \fB-f /export/my_manifest.xml -n sol-11_1-i386 \\fR \fB-c mac="aa:bb:cc:dd:ee:ff"\fR .fi .in -2 .sp .sp .LP In this example, the manifest does not contain a name attribute, so the manifest name is taken from the file name. .sp .in +2 .nf $ \fBinstalladm list -m -n sol-11_1-i386\fR Service Name Manifest Name Type Status Criteria ------------ ------------- ---- ------ -------- sol-11_1-i386 my_manifest.xml xml active mac = AA:BB:CC:DD:EE:FF orig_default xml default none .fi .in -2 .sp .LP \fBExample 22 \fRAdd a Custom AI Manifest With a Custom Name to an Install Service .sp .LP Use the following sample command to add the manifest in \fB/export/my_manifest.xml\fR to \fBsol-11_1-i386\fR with the criterion of an IPv4 range from 10.0.2.100 to 10.0.2.199. .sp .in +2 .nf # \fBinstalladm create-manifest \\fR \fB-f /export/my_manifest.xml \\fR \fB-n sol-11_1-i386 -m custom_name \\fR \fB-c ipv4="10.0.2.100-10.0.2.199"\fR .fi .in -2 .sp .sp .LP In this example, the manifest name is taken from the \fB-m\fR option.
.sp .in +2 .nf $ \fBinstalladm list -m -n sol-11_1-i386\fR Service Name Manifest Name Type Status Criteria ------------ ------------- ---- ------ -------- sol-11_1-i386 custom_name xml active ipv4 = 10.0.2.100 - 10.0.2.199 orig_default xml default none .fi .in -2 .sp .LP \fBExample 23 \fRAdd a Custom AI Manifest With Name Specified In the Manifest .sp .LP Use the following sample command to add the manifest in \fB/export/manifest3.xml\fR to \fBsol-11_1-i386\fR with criteria of 2048 MB memory or greater and an architecture of \fBi86pc\fR. .sp .in +2 .nf # \fBinstalladm create-manifest \\fR \fB-f /export/manifest3.xml -n sol-11_1-i386 \\fR \fB-c mem="2048-unbounded" -c arch=i86pc\fR .fi .in -2 .sp .sp .LP In this example, the manifest name is taken from the \fBname\fR attribute of the \fBai_instance\fR element in the manifest, as shown in the following partial manifest: .sp .in +2 .nf .fi .in -2 .sp .in +2 .nf $ \fBinstalladm list -m -n sol-11_1-i386\fR Service Name Manifest Name Type Status Criteria ------------ ------------- ---- ------ -------- sol-11_1-i386 my_name xml active arch = i86pc mem = 2048 - unbounded orig_default xml default none .fi .in -2 .sp .LP \fBExample 24 \fRAdd a System Configuration Profile To an Install Service .sp .LP Use the following sample command to add the profile in \fB/export/profile4.xml\fR to \fBsol-11_1-i386\fR with criteria of any of the host names \fBmyhost1\fR, \fBhost3\fR, or \fBhost6\fR. .sp .in +2 .nf # \fBinstalladm create-profile \\fR \fB-f /export/profile4.xml -n sol-11_1-i386 -p profile4 \\fR \fB-c hostname="myhost1 host3 host6"\fR $ \fBinstalladm list -p -n sol-11_1-i386\fR Service Name Profile Name Criteria ------------ ------------ -------- sol-11_1-i386 profile4 hostname = myhost1, host3, host6 .fi .in -2 .sp .LP \fBExample 25 \fRAdd a System Configuration Profile For All Clients .sp .LP If you do not specify criteria, then the profile is used by all clients that use the specified install service. 
In the following example, the created profile is used by all clients that use the \fBsol-11_1-i386\fR service. .sp .in +2 .nf # \fBinstalladm create-profile -f /export/locale.xml \\fR \fB-n sol-11_1-i386\fR $ \fBinstalladm list -p -n sol-11_1-i386\fR Service Name Profile Name Criteria ------------ ------------ -------- sol-11_1-i386 profile4 hostname = myhost1, host3, host6 locale.xml none .fi .in -2 .sp .LP \fBExample 26 \fRApply a System Configuration Profile to the Installation Environment .sp .LP Use the following sample command to specify that a system configuration profile be applied to the installation environment. .sp .in +2 .nf # \fBinstalladm set-profile -p profile4 -e install -n sol-11_1-i386\fR # \fBinstalladm list -p -n sol-11_1-i386\fR Service Name Profile Name Environment Criteria ------------ ------------ ----------- -------- sol-11_1-i386 profile4 install hostname = myhost1, host3, host6 locale.xml system none .fi .in -2 .sp .LP \fBExample 27 \fRAdd a System Configuration Profile With Variables .sp .LP A profile can use variables that are replaced with custom client configuration information at client installation time. Using such variables, a profile file can be reused for any number of different systems. .sp .LP This example uses one system configuration profile file to assign each install client a unique host name. The \fBhostname.xml\fR file contains the following line: .sp .in +2 .nf .fi .in -2 .sp .LP At installation time, \fB{{AI_HOSTNAME}}\fR is replaced with the actual host name of that system. For example, when \fBhostname.xml\fR is used to configure the client with host name \fBmyhost1\fR, the \fBhostname.xml\fR profile contains the following line: .sp .in +2 .nf .fi .in -2 .sp .LP For more information about using replacement tags with profiles, see \fIUsing System Configuration Profile Templates\fR in \fIInstalling Oracle Solaris 11.3 Systems\fR. 
.LP \fBExample 28 \fRAdd Criteria To an Existing Manifest .sp .LP Use the following sample command to append the criterion of 4096 MB memory or greater to the criteria of \fBmanifest2\fR of \fBsol-11_1-i386\fR. .sp .in +2 .nf # \fBinstalladm set-criteria -m manifest2 \\fR \fB-n sol-11_1-i386 -a mem="4096-unbounded"\fR .fi .in -2 .sp .LP \fBExample 29 \fRReplace the Criteria for an Existing Manifest .sp .LP Use the following sample command to replace the criteria of \fBmanifest2\fR of \fBsol-11_1-i386\fR with the criteria specified in the file \fB/tmp/criteria.xml\fR. .sp .in +2 .nf # \fBinstalladm set-criteria -m manifest2 \\fR \fB-n sol-11_1-i386 -C /tmp/criteria.xml\fR .fi .in -2 .sp .sp .LP See \fIInstalling Oracle Solaris 11.3 Systems\fR for information about the contents of the criteria XML file. .LP \fBExample 30 \fRValidate Profile Files Under Development .sp .LP Use the following sample command to validate the profiles stored in the files \fBmyprofdir/myprofile.xml\fR and \fByourprofdir/yourprofile.xml\fR during their development. .sp .in +2 .nf # \fBinstalladm validate -P myprofdir/myprofile.xml \e\fR \fB-P yourprofdir/yourprofile.xml -n sol-11_1-i386\fR .fi .in -2 .sp .LP \fBExample 31 \fRExport Profile Contents .sp .LP Use the following sample command to export the profile \fBmyprofile.xml\fR in the service \fBsol-11_1-i386\fR. .sp .in +2 .nf # \fBinstalladm export -p myprofile -n sol-11_1-i386\fR .fi .in -2 .sp .LP \fBExample 32 \fRReplace the Contents of an Existing AI Manifest .sp .LP Use the following sample command to update the manifest in service \fBsol-11_1-i386\fR that has the manifest name, or AI instance name, \fBspec\fR with the contents of the manifest in the file \fB/home/admin/new_spec.xml\fR. 
.sp .in +2 .nf # \fBinstalladm update-manifest -n sol-11_1-i386 \e\fR \fB-f /home/admin/new_spec.xml -m spec\fR .fi .in -2 .sp .LP \fBExample 33 \fRExport and Update an Existing AI Manifest .sp .LP Use the following sample commands to export the data of an existing manifest named \fBspec\fR in service \fBsol-11_1-i386\fR, and then update the manifest with modified content. .sp .in +2 .nf # \fBinstalladm export -n sol-11_1-i386 -m spec \e\fR \fB-o /home/admin/spec.xml\fR .fi .in -2 .sp .sp .LP Make changes to \fB/home/admin/spec.xml\fR. .sp .in +2 .nf $ \fBpfexec installadm update-manifest -n sol-11_1-i386 \e\fR \fB-f /home/admin/spec.xml -m spec\fR .fi .in -2 .sp .LP \fBExample 34 \fRExport and Update an Existing Profile .sp .LP Use the following sample commands to export the data of an existing profile named \fBprof1\fR in service \fBsol-11_1-i386\fR, and then update the profile with modified content. .sp .in +2 .nf # \fBinstalladm export -n sol-11_1-i386 -p prof1 \e\fR \fB-o /home/admin/prof1.xml\fR .fi .in -2 .sp .sp .LP Make changes to \fB/home/admin/prof1.xml\fR. .sp .in +2 .nf # \fBinstalladm update-profile -n sol-11_1-i386 \e\fR \fB-f /home/admin/prof1.xml -p prof1\fR .fi .in -2 .sp .LP \fBExample 35 \fRSet Initial Server Authentication .sp .LP The first step in configuring security is to assign server credentials. Use the following command to generate all server security credentials automatically: .sp .in +2 .nf # \fBinstalladm set-server --generate-all-certs\fR Generating server credentials... The root CA certificate has been generated. The CA signing certificate request has been generated. The signing CA certificate has been generated. A new certificate key has been generated. A new certificate has been generated. Generating new encryption key... To set the OBP encryption key for server authentication only, enter this OBP command: set-security-key wanboot-aes 8bd64e25e00497f194fa93de2a92157c Generating new hashing key (HMAC)...
To set the OBP hashing (HMAC) key for server authentication only, enter this OBP command: set-security-key wanboot-hmac-sha1 4cff95a8fb0b08699de9f1ca5e5251a796b497de Configuring web server security. Changed Server Refreshing SMF service svc:/system/install/server:default Configuring web server security. .fi .in -2 .sp .LP \fBExample 36 \fRSet Initial Default Client Authentication .sp .LP Assign default client credentials so that the identity of clients can be verified to the server. Use the following command to generate a set of default client credentials. These credentials will be used for any AI client that does not have credentials assigned by specifying the client's MAC address or by specifying the install service that client will use. .sp .in +2 .nf $ \fBinstalladm set-server --default-client-security \\fR \fB--generate-all-certs\fR Generating default client credentials... A new certificate key has been generated. A new certificate has been generated. Generating new encryption key... To set the OBP encryption key, enter this OBP command: set-security-key wanboot-aes c17e4842331456680d818f4ef515f222 Generating new hashing key (HMAC)... To set the OBP hashing (HMAC) key, enter this OBP command: set-security-key wanboot-hmac-sha1 f3e943d6669835264fcaf0f7fbfb80e45beea7f3 Changed Server .fi .in -2 .sp .LP \fBExample 37 \fRSet Client Authentication for a Specific SPARC Client .sp .LP Generate and assign unique X.509 credentials and OBP keys to a SPARC client: .sp .in +2 .nf $ \fBinstalladm set-client -e 2:0:0:0:0:0 \\fR\ \fB--generate-all-certs\fR Generating credentials for client 02:00:00:00:00:00... A new certificate key has been generated. A new certificate has been generated. Generating new encryption key... To set the OBP encryption key, enter this OBP command: set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd Generating new hashing key (HMAC)... 
To set the OBP hashing (HMAC) key, enter this OBP command: set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b Changed Client : '02:00:00:00:00:00' .fi .in -2 .sp .LP \fBExample 38 \fRDisplay the OBP Keys for a Specific Client .sp .LP Some time after the SPARC client has been configured, you might need to know how to set the security keys for that client in the OBP. The verbose listing prints the client's AES encryption key and HMAC hashing key in clear text, so its output is secret key material for that client. Use the installadm "\fBlist -e \fR" command with the \fB--verbose\fR option to display the required OBP keys: .sp .in +2 .nf # \fBinstalladm list -e 2:0:0:0:0:0 -v\fR Service Name Client Address Arch Secure Custom Args Custom Grub ------------ -------------- ---- ------ ----------- ----------- solaris11_2 02:00:00:00:00:00 sparc yes no no Client Credentials? yes Security Key? ...... yes Security Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=CID 01020000000000 Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 10:20:00 2013 GMT to: May 18 10:20:00 2023 GMT CA Certificates: d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Valid from: May 20 09:50:00 2013 GMT to: May 18 09:50:00 2023 GMT OBP Encr Key (AES) . 42a04f73ee6950859febb96d97b7d2bd OBP Hash (HMAC) .... 7fbed772b69bf104e5e2f72a4c47d42b62bf074b Boot Args .......... - .fi .in -2 .sp .sp .LP The displayed Key and Hash can be set by using the OBP set-security-key commands at the ILOM or ALOM system console at the ok prompt, for example: .sp .in +2 .nf set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b .fi .in -2 .sp .LP \fBExample 39 \fREnforce Client Authentication for All Clients of an AI Service .sp .LP The following command requires client and server authentication for all clients of the \fBsol-11_2-sparc\fR install service. The \fB\&'optional'\fR security policy value is the default value.
.sp .in +2 .nf # \fBinstalladm set-service -p require-client-auth -n\fR sol-11_2-sparc Security policy for service sol-11_2-sparc changing from 'optional' to 'require-client-auth'. Changed Service : 'sol-11_2-sparc' Refreshing SMF service svc:/system/install/server:default .fi .in -2 .sp .sp .LP All clients of the \fBsol-11_2-sparc\fR install service must be assigned and must supply valid security X.509 client and server authentication credentials. Since this is a SPARC install service, OBP firmware security keys must be entered for all clients. .LP \fBExample 40 \fRGenerate Default Credentials for All Clients of a Specified Install Service .sp .LP The following command generates credentials that will be attributed to any client of the \fBsolaris11_2-sparc\fR install service that does not have custom client credentials. See Example 37, "Set Client Authentication for a Specific SPARC Client," for an example of assigning custom client credentials. .sp .in +2 .nf # \fBinstalladm set-service -n sol-11_1-sparc \\fR --generate-all-certs Generating credentials for service sol-11_1-sparc... A new certificate key has been generated. A new certificate has been generated. Generating new encryption key... To set the OBP encryption key, enter this OBP command: set-security-key wanboot-aes 0bd1d30d603174b7fc3ee7fd7654c3c8 Generating new hashing key (HMAC)... To set the OBP hashing (HMAC) key, enter this OBP command: set-security-key wanboot-hmac-sha1 35caa0c8596585c852f120d3872e9227e724496e Changed Service : 'sol-11_1-sparc' .fi .in -2 .sp .sp .LP These credentials are also attributed to any clients that are subsequently assigned to the \fBsolaris11_2-sparc\fR install service by using the \fBcreate-client\fR subcommand. .sp .LP When you use default credentials, multiple clients are assigned identical credentials and can view each other's installation data.
.LP \fBExample 41 \fRProduce a Security Summary Listing .sp .LP When "\fBinstalladm list\fR" is run with sufficient authorisations, it will by default list a summary of the security of the server, service and/or client: .sp .in +2 .nf # \fBinstalladm list -s\fR AI Server Parameter Value ------------------- ----- Hostname ........... ai-server Architecture ....... i386 Active Networks .... 10.0.0.1 Image Path Base Dir . /export/auto_install Managing DHCP? ..... yes Security Enabled? .. yes Server Credentials? .. yes Number of Services . 12 Number of Clients .. 4 Number of Manifests 19 Number of Profiles . 5 # \fBinstalladm list\fR Service Name Base Service Status Arch Type Secure Ali Cli Man Pro ------------ -------- ------ ---- ---- ------ --- --- --- --- default-i386 solaris11_2-i386 on i386 pkg no 0 1 4 0 default-sparc solaris11_2-sparc on sparc pkg no 0 0 3 0 solaris11_1_6_2_0-i386 - on i386 pkg no 1 0 2 2 solaris11_1_6_2_0-sparc - on sparc pkg no 1 0 1 2 solaris11_2-i386 - on i386 pkg yes 0 0 1 0 solaris11_2-sparc - on sparc pkg yes 0 2 2 0 # \fBinstalladm list -c\fR Service Name Client Address Arch Secure Custom Args Custom Grub ------------ -------------- ---- ------ ----------- ----------- default-i386 00:11:22:33:44:55 i386 yes yes no solaris11_1_6_2_0-sparc AA:BB:CC:DD:EE:FF sparc yes no no solaris11_2-sparc 02:00:00:00:00:00 sparc yes no no 03:00:00:00:00:00 sparc yes no no .fi .in -2 .sp .LP \fBExample 42 \fRProduce a Security Verbose Listing .sp .LP When "\fBinstalladm list -v\fR" is run with sufficient authorisations, it displays verbose output of the security configuration of the server, service and/or client (some output omitted for brevity): .sp .in +2 .nf # \fBinstalladm list -sv\fR AI Server Parameter Value ------------------- ----- \&... Security Enabled? ...... yes Server Credentials? .... yes Security Key? ..........
yes Security Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 09:50:00 2013 GMT to: May 18 09:50:00 2023 GMT CA Certificates: d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Valid from: May 20 09:50:00 2013 GMT to: May 18 09:50:00 2023 GMT f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Valid from: May 20 09:50:00 2013 GMT to: May 18 09:50:00 2023 GMT OBP Encr Key (AES) ..... 8bd64e25e00497f194fa93de2a92157c OBP Hash (HMAC) ........ 4cff95a8fb0b08699de9f1ca5e5251a796b497de Def Client Credentials? yes Def Client Sec Key? .... yes Def Client Sec Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 09:52:00 2013 GMT to: May 18 09:52:00 2023 GMT Def Client CA Certs .... none Def Client OBP Encr Key c17e4842331456680d818f4ef515f222 Def Client OBP Hash .... f3e943d6669835264fcaf0f7fbfb80e45beea7f3 \&... # \fBinstalladm list -v -n solaris11_2-sparc\fR Service Name Base Service Status Arch Type Secure Ali Cli Man Pro ------------ -------- ------ ---- ---- ------ --- --- --- --- sol-11_2-sparc - on sparc iso yes 0 2 1 0 ... Supports Security? .. yes Security Enabled? ... yes Security Policy ..... require-client-auth Service Credentials? yes Security Key? ....... yes Security Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=AI Service sol-11_2-sparc Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 10:33:00 2013 GMT to: May 18 10:33:00 2023 GMT CA Certificates ..... none OBP Encr Key (AES) .. 0bd1d30d603174b7fc3ee7fd7654c3c8 OBP Hash (HMAC) ..... 
35caa0c8596585c852f120d3872e9227e724496e .fi .in -2 .sp .LP \fBExample 43 \fRAdd a New CA Certificate for Validating Client Certificates .sp .LP The following command adds a CA certificate in a file named \fBcert.pem\fR: .sp .in +2 .nf $ \fBinstalladm set-server --default-client-security --ca-cert cert.pem\fR Assigning default client credentials... A new CA certificate has been filed. Changed Server .fi .in -2 .sp .sp .LP This CA certificate will be available to authenticate any client certificates that require it. .LP \fBExample 44 \fRAssign New X.509 Credentials .sp .LP The following command assigns a new X.509 certificate and private key and a new CA certificate for the install server: .sp .in +2 .nf $ \fBinstalladm set-server -A cacert.pem -K server.key -C server.crt\fR Assigning server credentials... The key has been replaced. The certificate has been replaced A new CA certificate has been filed. Configuring security for user-specified server cert Configuring web server security. Changed Server Refreshing SMF service svc:/system/install/server:default .fi .in -2 .sp .LP \fBExample 45 \fRDelete a CA Certificate by Hash Value .sp .LP The following command deletes the specified CA certificate for all clients that use that CA certificate. The value of the \fB--ca-cert\fR option argument is the hash value of the certificate's X.509 subject. Use the \fB-y\fR option to suppress the prompt to confirm that you want to delete the CA certificate. .sp .in +2 .nf $ \fBinstalladm set-server --delete-security \\fR --recursive --hash d09051e4 Identifier hash: d09051e4 Subject: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA Issuer: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA Valid from May 20 11:09:00 2013 GMT to May 18 11:09:00 2023 GMT This CA has the following uses: Note: this is the server CA certificate Client default Note: this is the root CA certificate Deleting this Certificate Authority certificate can prevent credentials from validating. 
Do you want to delete this Certificate Authority certificate [y|N]: y Identifier hash: d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Issuer: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Valid from May 20 09:50:00 2013 GMT to May 18 09:50:00 2023 GMT This CA has the following uses: Note: this is the server CA certificate Client default Note: this is the root CA certificate Deleting all references to Certficate Authority with hash value d09051e4 Changed Server .fi .in -2 .sp .LP \fBExample 46 \fRView AI Server Configuration Parameters .sp .LP To see the current values for the AI server's most common parameters and a summary of some, you can use the \fBlist -s\fR command: .sp .in +2 .nf # \fBinstalladm list -s\fR AI Server Parameter Value ------------------- ----- Hostname ........... ai-server Architecture ....... i386 Active Networks .... 10.0.0.1 Default Image Path . /export/auto_install Managing DHCP? ..... yes Security Enabled? .. yes Server Credentials? .. yes Number of Services . 12 Number of Clients .. 4 Number of Manifests 19 Number of Profiles . 5 .fi .in -2 .sp .sp .LP To view more detailed information, and some of the less common parameters, use verbose mode: .sp .in +2 .nf # \fBinstalladm list -sv\fR AI Server Parameter Value ------------------- ----- Hostname ............... ai-server Architecture ........... i386 Active Networks ........ 10.0.0.1 Http Port .............. 5555 Secure Port ............ 5556 Default Image Path ..... /export/auto_install Multi-Homed? ........... yes Managing DHCP? ......... yes DHCP IP Range .......... none Boot Server ............ - Web UI Enabled? ........ yes Wizard Saves to Server? no Security Enabled? ...... yes Server Credentials? .... yes Security Key? .......... 
yes Security Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 11:09:00 2013 GMT to: May 18 11:09:00 2023 GMT CA Certificates: f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA Valid from: May 20 11:09:00 2013 GMT to: May 18 11:09:00 2023 GMT OBP Encr Key (AES) ..... 8bd64e25e00497f194fa93de2a92157c OBP Hash (HMAC) ........ 4cff95a8fb0b08699de9f1ca5e5251a796b497de Def Client Credentials? yes Def Client Sec Key? .... yes Def Client Sec Cert: Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA Valid from: May 20 11:09:00 2013 GMT to: May 18 11:09:00 2023 GMT Def Client CA Certs .... none Def Client OBP Encr Key c17e4842331456680d818f4ef515f222 Def Client OBP Hash .... f3e943d6669835264fcaf0f7fbfb80e45beea7f3 Number of Services ..... 12 Number of Clients ...... 4 Number of Manifests .... 19 Number of Profiles ..... 5 .fi .in -2 .sp .LP \fBExample 47 \fRInvoke Interactive Mode .sp .LP Interactive mode is entered by just issuing the installadm command without any parameters. For example: .sp .in +2 .nf # \fBinstalladm\fR installadm> create-service -n s11-1-i386 -a i386 -y \&... installadm> create-profile -n s11-1-i386 -f initial_profile.xml \&... installadm> quit .fi .in -2 .sp .sp .LP Similarly, interactive mode can be useful when wishing to invoke several commands interactively using a root role through su: .sp .in +2 .nf $ \fBsu root -c /usr/sbin/installadm\fR installadm> create-manifest -n s11-2-sparc -f /tmp/manifest.xml \&... installadm> create-profile -n s11-2-sparc -f /tmp/static_net.xml \&... .fi .in -2 .sp .LP \fBExample 48 \fRExecute Several Commands In Batch .sp .LP Running several commands in batch mode has the benefit of delaying the refreshing of the SMF services until all commands have completed. 
.sp .LP To run several subcommands you must first populate a file with them. The subcommands in the file run with the privileges of the \fBinstalladm execute\fR invocation, so the file should not be writable by other users: .sp .in +2 .nf $ \fBcat >> /tmp/batch <<_EOF\fR create-service -n my_sparc -a sparc create-service -n my_i386 -a i386 create-manifest -n my_sparc -f /tmp/new_default.xml -d create-manifest -n my_i386 -f /tmp/new_default.xml -d \&... _EOF # installadm execute -f /tmp/batch \&... .fi .in -2 .sp .SH EXIT STATUS .sp .LP The following exit values are returned: .sp .ne 2 .mk .na \fB\fB0\fR\fR .ad .RS 13n .rt The command was processed successfully. .RE .sp .ne 2 .mk .na \fB\fB1\fR\fR .ad .RS 13n .rt An error occurred. .RE .sp .ne 2 .mk .na \fB\fB2\fR\fR .ad .RS 13n .rt Invalid command line options were specified. .RE .sp .ne 2 .mk .na \fB\fB3\fR\fR .ad .RS 13n .rt A service's version is not supported by installadm. .RE .sp .ne 2 .mk .na \fB\fB4\fR\fR .ad .RS 13n .rt No changes were made - nothing to do. .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab(@) box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPE@ATTRIBUTE VALUE _ Availability@\fBinstall/installadm\fR _ Interface Stability@Committed .TE .SH SEE ALSO .sp .LP \fBaimanifest\fR(1M), \fBsysconfig\fR(1M), \fBickey\fR(1M), \fBai_manifest\fR(4), \fBservice_bundle\fR(4), \fBdhcp\fR(5), \fBsmf\fR(5), \fBenviron\fR(5) .sp .LP Part\ III, \fIInstalling Using an Install Server,\fR in \fIInstalling Oracle Solaris 11.3 Systems\fR .sp .LP \fITransitioning From Oracle Solaris 10 JumpStart to Oracle Solaris 11.3 Automated Installer\fR