Experimenting with smf to run parallel sshd service on different port

It’s been a long time since I posted something about my funny experiments at home. Today I spent some time writing this post for those who want to know about creating a new SMF service. This post also covers the procedure to create a parallel sshd service which runs on a non-standard port (i.e. 222) instead of the regular port (i.e. 22).

Before going to the actual topic, a few basic points:

1. /var/svc/manifest/network is the directory where we can find the existing network service templates such as ssh, ftp, rpc, ipsec, etc.

Example:

bash-3.2# ls /var/svc/manifest/network
apocd.xml                  ipfilter.xml               ntp4.xml                   stdiscover.xml
cde-spc.xml                ipmievd.xml                pfil.xml                   stlisten.xml
chargen.xml                ipsec                      rarp.xml                   swat.xml
comsat.xml                 iscsi_initiator.xml        rexec.xml                  talk.xml
daytime.xml                ldap                       routing                    telnet.xml
dhcp-server.xml            login.xml                  rpc                        time.xml
discard.xml                network-initial.xml        samba.xml                  tname.xml
dns                        network-loopback.xml       security                   tnctl.xml
echo.xml                   network-physical.xml       sendmail-client.xml        tnd.xml
finger.xml                 network-routing-setup.xml  shares                     uucp.xml
forwarding.xml             network-service.xml        shell.xml                  winbind.xml
ftp.xml                    nfs                        slp.xml                    wins.xml
http-apache2.xml           nis                        smtp-sendmail.xml
inetd-upgrade.xml          nssh.xml                   ssh.xml
inetd.xml                  ntp.xml                    ssl

2. Every service template under /var/svc/manifest/network has its service start/stop/restart method script defined under /lib/svc/method.

Example:

# ls /lib/svc/method
boot-archive         manifest-import      ppd-cache-update     svc-hotplug          svc-sma
boot-archive-update  mpxio-upgrade        print-svc            svc-ipmievd          svc-snmpdx
console-login        net-dtspcd           quagga               svc-iscsitgt         svc-stosreg
devices-local        net-init             rmtmpfiles           svc-kdc              svc-syseventd
dns-server           net-loopback         rpc-bind             svc-kdmconfig        svc-tnctl
fc-fabric            net-physical         rpc-cmsd             svc-labeld           svc-tnd
fs-local             net-routing-setup    rpc-ttdbserverd      svc-legacy-routing   svc-tsol-zones
fs-minimal           net-svc              sendmail-client      svc-mdmonitor        svc-utmpd
fs-root              nfs-client           slp                  svc-metainit         svc-volfs
fs-usr               nfs-server           smtp-sendmail        svc-ndp              svc-wbem
http-apache2         nisplus              sshd                 svc-nscd             svc-webconsole
identity-domain      nlockmgr             svc-auditd           svc-poold            svc-zones
identity-node        nsshd                svc-autofs           svc-pools            sysidtool-net
inetd-upgrade        ntp                  svc-autoreg          svc-power            sysidtool-system
installupdates       ogl-select           svc-consadm          svc-rdisc            system-log
ipfilter             patch-finish         svc-cron             svc-resource-mgmt    x11-server
iscsi-initiator      patchchk             svc-dmi              svc-ripng            xntp
iscsid               pfil                 svc-dtlogin          svc-route            yp
keymap               postgres_83          svc-dumpadm          svc-sar
ldap-client          postgresql           svc-forwarding       svc-scheduler

3. We have to define the port number for our new sshd service (let us call it nsshd) in /etc/services.

Actual procedure to create a new sshd service, i.e. nsshd, using SMF:

Step 1. Create a new service in /etc/services by entering the line below just below the ssh service entry.

nssh            222/tcp                         # Secure Shell

Step 2. Create an nssh.xml file by copying the current ssh.xml in the directory /var/svc/manifest/network

# cd /var/svc/manifest/network

# cp ssh.xml nssh.xml

Step 3. Make the modifications below to the nssh.xml file so that we can start / stop / restart the nsshd service using SMF commands.

Change 1: Change the name of the service from ssh to nssh

From:  <service_bundle type='manifest' name='SUNWsshdr:ssh'>

To:    <service_bundle type='manifest' name='SUNWsshdr:nssh'>

Change 2: Remove the dependent service definition below from nssh.xml, because it will already be checked by the primary sshd service.

<dependent
                name='ssh_multi-user-server'
                grouping='optional_all'
                restart_on='none'>
                        <service_fmri
                            value='svc:/milestone/multi-user-server' />
</dependent>

Change 3: Set the service start method for nsshd by changing the lines below

From:

<exec_method
                type='method'
                name='start'
                exec='/lib/svc/method/sshd start'
                timeout_seconds='60'/>

To:

<exec_method
                type='method'
                name='start'
                exec='/lib/svc/method/nsshd start'
                timeout_seconds='60'/>

Change 4: Set the new service restart method for nsshd by changing the lines below

From:

<exec_method
                type='method'
                name='refresh'
                exec='/lib/svc/method/sshd  restart'
                timeout_seconds='60' />

To:

<exec_method
                type='method'
                name='refresh'
                exec='/lib/svc/method/nsshd  restart'
                timeout_seconds='60' />

Step 4. Create a new service start/stop/restart method for our new service nsshd, i.e. /lib/svc/method/nsshd

You can just copy the existing service method /lib/svc/method/sshd to /lib/svc/method/nsshd and make a minor modification to the lines as below:

From:

'start')
        /usr/lib/ssh/sshd
        ;;

To:

'start')
        /usr/lib/ssh/sshd -p 222
        ;;

Note: sshd -p 222 starts the sshd service listening on port 222 instead of the regular port 22.

Step 5. Verify the newly created nssh.xml for syntax errors using the command below. If there are no errors, you are good to use the file.

bash-3.2# svccfg validate nssh.xml

 

Step 6. Once the .xml file is validated with no errors, we are good to import the service definition into SMF and enable the service.

# cd /var/svc/manifest/network

# svccfg import nssh.xml

Once you import the .xml file, the new service is visible in the svcs output as below:

# svcs -a |grep ssh
online         22:20:48 svc:/network/ssh:default
disabled    22:51:42 svc:/network/nssh:default

 

To enable the service, use the command below:

# svcadm enable svc:/network/nssh:default

# svcs -a |grep ssh
online         22:20:48 svc:/network/ssh:default
online         22:51:42 svc:/network/nssh:default

 

That’s it: the new sshd server daemon is ready to receive new connections from outside. For testing, just go to a different machine and try to run the command

# ssh -p 222 <Server running with nssh>

And from the server machine, just verify that the new sshd processes are running on port 222, as below:

# ps -ef|grep ssh
    root  1392  1391   0 22:21:01 ?           0:01 /usr/lib/ssh/sshd
    root  1492  1487   0 22:52:29 ?           0:00 /usr/lib/ssh/sshd -p 222
    root  1391  1390   0 22:21:01 ?           0:00 /usr/lib/ssh/sshd
    root  1390     1   0 22:20:48 ?           0:00 /usr/lib/ssh/sshd
    root  1493  1492   0 22:52:29 ?           0:00 /usr/lib/ssh/sshd -p 222
    root  1487     1   0 22:51:43 ?           0:00 /usr/lib/ssh/sshd -p 222

Some troubleshooting tips while experimenting with this task:

1. In case you see the service going into maintenance mode when you try to enable it, check the service log for errors. The service startup log location can be found in the “svcs -xv” output for each failed service.

Example:

# svcs -xv
svc:/network/nssh:default (NSSH server)
 State: maintenance since Wed May 30 22:44:53 2012
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://sun.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M sshd
   See: /var/svc/log/network-nssh:default.log
Impact: This service is not running.

Check the log file for errors:

# cat /var/svc/log/network-nssh:default.log
[ May 30 22:44:46 Disabled. ]
[ May 30 22:44:46 Rereading configuration. ]
[ May 30 22:44:53 Enabled. ]
[ May 30 22:44:53 Executing start method ("/lib/svc/method/sshd -p 222 start") ]
Usage: /lib/svc/method/sshd { start | restart }
[ May 30 22:44:53 Method "start" exited with status 1 ]
[ May 30 22:44:53 Executing start method ("/lib/svc/method/sshd -p 222 start") ]
Usage: /lib/svc/method/sshd { start | restart }
[ May 30 22:44:53 Method "start" exited with status 1 ]
[ May 30 22:44:53 Executing start method ("/lib/svc/method/sshd -p 222 start") ]
Usage: /lib/svc/method/sshd { start | restart }
[ May 30 22:44:53 Method "start" exited with status 1 ]
[ May 30 22:49:07 Rereading configuration. ]

 

2. If you want to import the .xml again after some corrections, you should delete the currently loaded configuration with the command below before you import it again.

Example:

# svccfg delete svc:/network/nssh:default
# svccfg import nssh.xml
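
The checks below are an added example, not part of the original post: they verify the edits from Steps 1 to 4 on copies of the files and catch the exec line seen in the failing service log above, before svccfg import is run. The function names, the constructed sample files and the <service name='network/...'> element (which supplies the svc:/network/nssh FMRI but is not shown in the post) are assumptions.

```shell
#!/bin/sh
# Added example: pre-import checks for the nssh files; run them on copies first.

# check_services FILE NAME PORT: NAME maps to PORT/tcp and no other name holds it.
check_services() {
    awk -v n="$2" -v p="$3/tcp" '
        $1 ~ /^#/ { next }
        $2 == p && $1 == n { found = 1 }
        $2 == p && $1 != n { clash = $1 }
        END { if (clash != "") { print "port held by " clash; exit 1 }
              if (!found) { print "no " n " entry for " p; exit 1 } }' "$1"
}

# check_manifest FILE: method execs call "nsshd <method>" only, service was renamed.
# Assumes single-quoted attributes and a <service name='network/...'> element.
check_manifest() {
    if grep "exec=.*/lib/svc/method/" "$1" |
       grep -v "exec='/lib/svc/method/nsshd  *[a-z][a-z]*'" >/dev/null; then
        echo "an exec_method does not call /lib/svc/method/nsshd <method>"; return 1
    fi
    if grep "name='network/ssh'" "$1" >/dev/null; then
        echo "service is still named network/ssh"; return 1
    fi
}

# check_method FILE PORT: the method script starts sshd with -p PORT.
check_method() {
    grep "/usr/lib/ssh/sshd  *-p  *$2 *\$" "$1" >/dev/null ||
        { echo "method script does not start sshd -p $2"; return 1; }
}

preflight() {   # preflight SERVICES MANIFEST METHOD PORT
    check_services "$1" nssh "$4" && check_manifest "$2" && check_method "$3" "$4"
}

# Constructed sample files (not from a real system) reproducing the edits above.
demo=$(mktemp -d)
printf 'ssh\t22/tcp\nnssh\t222/tcp\n' > "$demo/services"
cat > "$demo/nssh.xml" <<'EOF'
<service name='network/nssh' type='service' version='1'>
<exec_method type='method' name='start'
    exec='/lib/svc/method/nsshd start' timeout_seconds='60'/>
<exec_method type='method' name='refresh'
    exec='/lib/svc/method/nsshd restart' timeout_seconds='60'/>
</service>
EOF
printf "'start')\n\t/usr/lib/ssh/sshd -p 222\n\t;;\n" > "$demo/nsshd"
# The same manifest with the exec line from the failing service log on this page.
sed 's|nsshd start|sshd -p 222 start|' "$demo/nssh.xml" > "$demo/bad.xml"

preflight "$demo/services" "$demo/nssh.xml" "$demo/nsshd" 222 && echo "checks passed"
```

On Solaris 10, use nawk or /usr/xpg4/bin/awk in place of awk, since /usr/bin/awk does not accept -v.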

 

 

 

Posted by Ramdev

9 Comments on “Experimenting with smf to run parallel sshd service on different port”

  • Chetan
    3 June, 2012, 19:47

    And one more suggestion, sir,

    In Intermediate Zone –> Solaris Admin column, please add one more blog that contains questions for Solaris only (from level 1 to level 3), so we understand what kind of tricky questions are asked in interviews. Likewise for Veritas (VxVM & VCS) also.

    If you like my suggestion, then please work on it and share it with us.

    Again many thanks in advance,
    Chetan

  • Manjunath L
    4 June, 2012, 6:22

    Hi Ramdev,

    I tried this and it works fine except one entry. We need to make this entry to create new service in smf. . in /var/svc/manifest/network/nssh.xml file.
    Thanks for the post. keep it up.

  • Manjunath L
    4 June, 2012, 6:25

    Entry is

  • Manjunath L
    4 June, 2012, 6:25

    ” “

  • Manjunath L
    4 June, 2012, 6:31

    service entry. I am not able to post it fully. :(

  • samiulla
    12 June, 2012, 13:41

    Hi sir, this is Samiulla from Guntur, Andhra Pradesh. I want to be a Solaris admin. I am now searching for books about Solaris 10. I want the best book about Solaris 10. There are several books on the net. Please suggest a good book on Solaris 10. Thanks in advance.

    Please send mail to me. I will wait for your mail.

    I really love your blog. It is really helpful for those who are new to networking. Thanks a lot for the valuable time you spend on the blog. I salute you.

  • S.P.Raj
    27 June, 2012, 11:29

    Hi Ramdev, thanks for posting this article. If I had seen this article 15 days back, I might have been selected for IBM. One of the IBM interviewers asked the question a bit differently:
    How would you assign a port number for an application, and what files need to be modified?
    Is it the same answer?

  • Ramdev
    27 June, 2012, 12:01

    Hi Raj, the port assignment process is the same as mentioned in the post. Sorry about the interview, all the best for your next one.

  • S.P.Raj
    27 June, 2012, 12:08

    Thanks, Ramdev. I never get disappointed at any time. I am sure I will get a better job. :)
