installadm(8) man page - WindyHana's Solanara


System Administration Commands                                   installadm(8)



NAME
       installadm - Manages automated installations on a network

SYNOPSIS
       /usr/sbin/installadm [-h|--help]


       installadm help [subcommand]


       installadm create-service [-n <svcname>]
               [-p <prefix>=<origin>
               [-K <keypath> -C <certpath>]]
               [-a <architecture>]
               [-s <FMRI/ISO> |
                -t <existing_service>]
               [-b <boot property>=<value>,... | -G <grub.cfg>]
               [-i <dhcp_ip_start> -c <count_of_ipaddr>]
               [-B <server_ipaddr>]
               [-M <manifest file>]
               [-d <imagepath>]
               [-y]


       installadm set-service [options] -n <svcname>
               [-t <existing_service>]
               [-M <manifest name>]
               [-d <imagepath>]
               [-e | -D]
               [-G [none|<grub.cfg>]]
               [-b [none|<property>=<value>[,... ]]]
               [-p <policy>]
               [-x [--hash <ca-hash>]]
               [-A <ca-certfile>...]
               [-C <certfile> -K <keyfile>]
               [-g] [-E] [-H]
               [-f|--hmac-type <hmac-type>]


       installadm update-service [-s FMRI]
               [-p <publisher>=<origin>
                   [-K <keypath> -C <certpath>]]
               -n <svcname>


       installadm rename-service -n <svcname> -N <newsvcname>


       installadm enable -n <svcname>


       installadm disable -n <svcname>


       installadm delete-service [-r] [-y] -n <svcname>


       installadm list [-v|--verbose] [-n|--service <svcname>]
               [-a|--all | -s|--server -c|--client -m|--manifest -p|--profile]


       installadm list [-v|--verbose] -e|--macaddr <macaddr>


       installadm create-manifest [options] [source_options]
               -n|--service <svcname>


       installadm update-manifest -n <svcname> -m <manifest>


       installadm update-manifest -n <svcname> -f <filename>
               [-m <manifest>] [-e]


       installadm delete-manifest -n <svcname> -m <manifest>


       installadm create-profile -n <svcname> -f <filename> ...
               [-p <profile>]
               [-c <criteria>=<value|list|range> ... |
                -C <criteriafile>]


       installadm set-profile -n <svcname> -p <profile name>
               [-P <new profile name>]
               [-e install|system|all[,...] ]


       installadm update-profile -n <svcname> -f <filename>
               [-p <profile>]


       installadm delete-profile -n <svcname> -p <profile> ...


       installadm export [-o <path>] -n <svcname>
               [-m <manifest name>]...  [-p <profile name>]...


       installadm export [-o <path>]
               -n <svcname> | -e <macaddr>
               -G


       installadm export [-o <path>]
               -s | -n <svcname> | -c | -e <macaddr>
               [-C] [-K] [-A]


       installadm validate -n <svcname>
               [-M <manifest_path>]...
               [-m <manifest_name>]...
               [-P <profile_path>]...
               [-p <profile_name>]...


       installadm set-criteria -n <svcname>
               [-m <manifest>] [-p <profile>]...
               [[-c <criteria>=<value|list|range>]... |
                [-C <criteria.xml>] |
                [-a <criteria>=<value|list|range>]... |
                [-d <criteria>]... |
                [-D]]


       installadm create-client -n <svcname>
               -e <macaddr>
               [-b <property>=<value>,...]
               [-G <grub.cfg>]


       installadm set-client -e <macaddr>
               [-n <svcname>]
               [-b [none|<property>=<value>,... ]]
               [-G [none|<grub.cfg>]]
               [-g]
               [-x [-y] [--hash <ca-hash>]]
               [-A <ca-certfile>]...
               [-C <certfile> -K <keyfile>]
               [-E]
               [-H]
               [-f|--hmac-type <hmac-type>]


       installadm set-server
               [-i <dhcp_ip_start> -c <count_of_ipaddr>]
               [-p <port>]
               [-P <secure_port>]
               [-d <directory>]
               [-l all|<CIDR>[,...] | [-L none|<CIDR>[,...]]]
               [-m | -M]
               [-u | -U]
               [-z | -Z]
               [-s | -S]
               [--telemetry-enable | --telemetry-disable]
               [--telemetry-frequency <number_of_seconds>]
               [--telemetry-success
                   [none|install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-success-add
                   [install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-success-remove
                   [install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-failure
                   [none|install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-failure-add
                   [install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-failure-remove
                   [install_log|all_logs|all_files|<file>|<fmri>],...]
               [--telemetry-statistics-retention <number>[d|m|y]]
               [--telemetry-files-retention <number>[d|m|y]]
               [[-D]
                [-x [-r] [--hash <ca-hash>]]
                [-g]
                [-A <ca-certfile>...]
                [-C <certfile> -K <keyfile>]
                [-E]
                [-H]
                [-F|--hmac-policy <hmac-type>]
                [-f|--hmac-type <hmac-type>]]


       installadm execute -f <file>

DESCRIPTION
       installadm can be invoked interactively, with an individual subcommand,
       or by specifying a command file that contains a series of subcommands.


       The Automated Installer (AI) is used to automate  the  installation  of
       the  Oracle Solaris OS on one or more SPARC and x86 systems over a net‐
       work.


       The machine topology needed to use AI over the network consists of an
       install server, a DHCP server (which can be the same system as the
       install server), and the installation clients. On the install server,
       install services are set up. Each install service contains an AI boot
       image, which is provided to the clients so that they can boot over the
       network; input specifications (AI manifests and derived manifest
       scripts), one of which is selected for each client; and Service
       Management Facility (SMF) configuration profiles, zero or more of which
       are selected for each client.


       The AI  boot  image  content  is  published  as  the  package  install-
       image/solaris-auto-install, and is installed by the create-service sub‐
       command. The create-service subcommand  is  also  able  to  accept  and
       unpack an AI ISO file to create the AI boot image.


       Install services are created with a default AI manifest, but customized
       manifests or derived manifest scripts (hereafter called "scripts")  can
       be added to an install service by using the create-manifest subcommand.
       See Automatically Installing Oracle Solaris 11.4 Systems for
       information about how to create manifests and derived manifest
       scripts. Manifests can also be edited using the interactive manifest
       editor CLI. The
       manifest editor CLI, which can be invoked using the create-manifest and
       update-manifest subcommands, is an interactive interface that  presents
       the  AI manifest content as a set of objects and properties that can be
       manipulated using subcommands  entered  at  the  interactive  interface
       prompt.  It  allows  you  to  edit a manifest without having to view or
       understand an XML document (see "MANIFEST EDITOR CLI"  section  below).
       The  create-manifest  subcommand  also allows criteria to be specified,
       which are used to determine which manifest or script should be selected
       for an installation client. Criteria already associated with a manifest
       or script can be modified using the set-criteria subcommand.


       Manifests can include information such as a target device, partition
       information, a list of packages, and other parameters. Scripts contain
       commands that query a running AI client system and build a custom
       manifest based on the information they find. When AI is invoked with a
       script, AI runs that script as its first task, to generate a manifest.


       When the client boots, a search is initiated for a manifest  or  script
       that matches the client's machine criteria. When a matching manifest or
       script is found, the  client  is  installed  with  the  Oracle  Solaris
       release  according to the specifications in the matching manifest file,
       or to the specifications in the manifest file derived from the matching
       script. Each client can use only one manifest or script.


       Each service has one default manifest or script. The default is used
       when the criteria of no other manifest or script match the system
       being installed. Any manifest or script can be designated as the
       default. A default manifest can have criteria associated with it, which
       are used when attempting to locate a matching manifest; if no other
       matching manifest is located, this manifest is returned as the default.
       Manifests or scripts with no criteria associated with them can only be
       used as default manifests or scripts. Manifests or scripts without
       criteria become inactive when a different manifest or script is
       designated the default.


       System  configuration  profiles  are  complementary  to  manifests  and
       scripts  in  that they also contain specifications for an installation.
       In particular, profiles are used to specify  configuration  information
       such as user name, user password, time zone, host name, and IP address.
       Profiles can contain variables that are replaced at  installation  time
       with  appropriate values for the client being installed. In this way, a
       single profile file can set different configuration parameters on  dif‐
       ferent clients. See the "Examples" section.


       System  configuration  profiles  are processed by smf(7) and conform to
       document format service_bundle(5). See sysconfig(8)  and  Working  With
       System  Configuration  Profiles  in Customizing Automated Installations
       With Manifests and Profiles for more information about system  configu‐
       ration profiles. Each client can use any number of system configuration
       profiles. A particular SMF property can be specified no more than  once
       for each client system.


       If  you  want  a specific client to use a specific install service, you
       can associate that client with the service by using  the  create-client
       subcommand.  You  can  also  use  create-client  to  modify an existing
       client. Security  credentials  associated  with  that  client  will  be
       retained.


       Automated  installations  can be secured with the Transport Layer Secu‐
       rity (TLS) protocol. Private certificate and key pairs and  Certificate
       Authority  (CA)  certificates can be assigned to the install server and
       to clients. WANBoot clients further require the use  of  firmware  hash
       digest  and  encryption keys to enable security, which also secures the
       download of the initial network boot files. Security may be enabled for
       x86  clients  as well. Note that when x86 clients use PXEBoot, the ini‐
       tial network boot phase is not secured. An automated  installation  can
       be secured in the following ways:

           o      Server  authentication:  The  identity  of the server can be
                  verified.


           o      Client authentication: The identity of  the  client  can  be
                  verified.


           o      Access to automated installations can be controlled.


           o      Access to server data can be controlled.


           o      Client  data  can be protected for all clients or separately
                  for specified clients.


           o      Data can be encrypted so that it cannot  be  read  over  the
                  network.


           o      Secured IPS package repositories can be accessed.


           o      A  user-specified directory can be securely published by the
                  web server. Client authentication is required to access this
                  directory.



       The installadm utility can be used to accomplish the following tasks:

           o      Configure the AI server SMF service


           o      Set up install services and aliases


           o      Update the net image of certain install services


           o      Set up installation images


           o      Set up or delete clients


           o      Add, update, or delete manifests and scripts


           o      Specify or modify criteria for a manifest or script


           o      Export manifests and scripts


           o      Add or delete system configuration profiles


           o      Validate profiles


           o      Specify or modify criteria for profiles


           o      Export profiles


           o      Enable or disable install services


           o      List install services


           o      List clients for an install service


           o      List manifests and scripts for an install service


           o      List profiles for an install service


           o      Secure  data transfers between the install server and the AI
                  clients


           o      Enable or disable security


           o      Execute batches of subcommands


OPTIONS
       The installadm command has the following option:

       -h
       --help

           Show the usage message for all subcommands.

           If followed by a subcommand, will show the usage message  for  that
           subcommand only.



SUB-COMMANDS
       The  installadm  command has the subcommands listed below. See also the
       "Examples" section below.

       installadm help [subcommand]

           Displays a summary of the available commands.

           subcommand

               Displays more help for the specified subcommand.





       installadm create-service [-n <svcname>]
               [-p <prefix>=<origin>
               [-K <keypath> -C <certpath>]]
               [-a <architecture>]
               [-s <FMRI/ISO> |
                -t <existing_service>]
               [-b <boot property>=<value>,... | -G <grub.cfg>]
               [-i <dhcp_ip_start> -c <count_of_ipaddr>]
               [-B <server_ipaddr>]
               [-M <manifest file>]
               [-d <imagepath>]
               [-y]


           This subcommand sets up a network boot image  (net  image)  in  the
           specified  imagepath directory, and creates an install service that
           specifies how a client booted from the net image is installed.

           The AI boot image content is  published  as  the  package  install-
           image/solaris-auto-install. If the -s option is not specified, that
           package is installed from the first publisher in the system's  pub‐
           lisher  preference  list that provides an instance of that package.
           The -s option accepts the pkg specification as a full FMRI or loca‐
           tion  of  an  image ISO file. The resulting net image is eventually
           located in imagepath. The net image enables client installations.



           Note the following specifications:

               o      When the first install service of a  given  architecture
                      is  created  on an install server, an alias of that ser‐
                      vice, default-i386 or  default-sparc,  is  automatically
                      created.  This default service is used for all installa‐
                      tions to clients of  that  architecture  that  were  not
                      added  to the install server explicitly with the create-
                      client subcommand. To change the service aliased by  the
                      default-arch service, use the set-service subcommand. To
                      update the default-arch service, use the  update-service
                      subcommand.

                      If a default-arch alias is changed to a new install ser‐
                      vice and a local ISC DHCP configuration is  found,  this
                      default  alias  boot  file  is  set  as the default DHCP
                      server-wide boot file for that architecture.


               o      If you want a client to use a different install  service
                      than the default for that architecture, you must use the
                      create-client subcommand  to  create  a  client-specific
                      configuration.

           The options are any one of the following:

           -n <svcname>
           --service <svcname>

               Optional:  Uses  this install service name instead of a system-
               generated service name. The <svcname> can consist  of  alphanu‐
               meric  characters,  underscores (_), and hyphens (-). The first
               character of <svcname> cannot be a hyphen. The  length  of  the
               svcname cannot exceed 63 characters.

               If  the -n option is not specified, a service name is generated
               automatically. The default name includes  architecture  and  OS
               version information.



           -s <source>
           --source <source>

               Optional: Specifies the data source for the net image. This can
               be either of:

                   o      The FMRI of an IPS AI net image package. This is the
                          default. If the -s option is not specified, the new‐
                          est available version of the  install-image/solaris-
                          auto-install   package   is  used.  The  package  is
                          retrieved from the publisher  specified  by  the  -p
                          option  or  from  the first publisher in the install
                          server's publisher preference list that provides  an
                          instance of the package.


                   o      The path to an AI ISO image.




           -p <publisher>=<origin>
           --publisher <publisher>=<origin>

               Optional:  Only  applies when the service is being created from
               an IPS package. Specifies the IPS package repository from where
               you  want  to  retrieve  the install-image/solaris-auto-install
               package. An example is:


                 solaris=http://pkg.oracle.com/solaris/release/

               If the -p option is not specified, the publisher  used  is  the
               first  publisher  in  the install server's publisher preference
               list that provides an instance of the package.



           -K <keypath>
           --key <keypath>

               Optional: Only applies when the service is being  created  from
               an IPS package. Specifies the path to the PEM-formatted key for
               the secure IPS publisher.


           -C <certpath>
           --cert <certpath>

               Optional: Only applies when the service is being  created  from
               an  IPS  package.  Specifies the path to the PEM-formatted cer‐
               tificate for the secure IPS publisher.


           -a <architecture>
           --arch <architecture>

               Optional: Only applies when the service is being  created  from
               an IPS package. Specifies the architecture of the clients to be
               installed with this service. The value can be  either  i386  or
               sparc. The default is the architecture of the install server.



           -d <imagepath>
           --imagepath <imagepath>

               Optional:  Specifies the path at which to create the net image.
               If not specified, the image is created in a <svcname> directory
               at   the   location  defined  by  the  value  of  the  all_ser‐
               vices/default_imagepath_basedir property. For the default value
               of  this  property,  see  "Install Server Configuration Proper‐
               ties." A confirmation prompt is displayed  unless  -y  is  also
               specified.



           -y
           --noprompt

               Optional: Suppresses any confirmation prompts and proceeds with
               service creation using the supplied  options  and  any  default
               values (see -d).



           -t <aliasof>
           --aliasof <aliasof>

               Optional: Makes the new service an alternate name (alias) for
               the <aliasof> install service.



           -M <manifest file>
           --default-manifest <manifest file>

               Optional: Used to designate the path to the default manifest or
               derived manifest script to be used for the service.



           -b <property>=<value>,...
           --boot-args <property>=<value>,...

               Optional:  For  x86  clients only. Sets a property value in the
               service-specific boot configuration file in the service  image.
               Use  this  option  to  set boot properties that are specific to
               this service. This option can accept  multiple  comma-separated
               property=value pairs.



           -G none|<grub.cfg>
           --grub-cfg none|<grub.cfg>

               Optional:  Assigns  a  new  GRUB2  menu file, or removes one if
               'none' is specified.



           -i <dhcp_ip_start> -c <count_of_ipaddr>
           --ip-start <dhcp_ip_start> --ip-count <count_of_ipaddr>

               Obsolete: These options have been obsoleted  for  use  in  this
               context,  and  you  should use the set-server equivalents going
               forward. Please refer to the set-server documentation for  more
               information.

               These options will fail if the AI server is not already config‐
               ured to manage DHCP.



           -B <server_ipaddr>
           --bootfile-server <server_ipaddr>

               Obsolete: This option has been obsoleted for use in  this  con‐
               text,  and  you should use the set-server equivalent going for‐
               ward. Please refer to the  set-server  documentation  for  more
               information.






       installadm set-service [options] -n <svcname>
               [-t <existing_service>]
               [-M <manifest name>]
               [-d <imagepath>]
               [-e | -D]
               [-G [none|<grub.cfg>]]
               [-b [none|<property>=<value>[,... ]]]
               [-p <policy>]
               [-x [--hash <ca-hash>]]
               [-A <ca-certfile>...]
               [-C <certfile> -K <keyfile>]
               [-g] [-E] [-H]
               [-f|--hmac-type <hmac-type>]


           This subcommand enables the modification of an existing service. At
           least one of these options must be given:

           -t <existing_service>
           --aliasof <existing_service>

               Makes <svcname> an alias of the <existing_service> install ser‐
               vice.



           -M <manifest name>
           --default-manifest-name <manifest name>

               Designates a particular manifest or derived manifest script
               that is already registered with the specified service to be the
               default  manifest  or derived manifest script for that service.
               Use the installadm list command to show a list of manifests and
               derived manifest scripts registered with this service.

                 $ installadm list -n <svcname> -m




           -d <imagepath>
           --imagepath <imagepath>

               Causes the image to be relocated to the new image path.



           -e|--enable | -D|--disable

               Enables/Disables the service.


           -G none|<grub.cfg>
           --grub-cfg none|<grub.cfg>

               Assigns  a  new  GRUB2  menu  file, or removes one if 'none' is
               specified.



           -b none|<property>=<value>[,... ]
           --boot-args none|<property>=<value>[,... ]

               Sets the boot arguments for the GRUB menu, or removes  them  if
               'none' is specified.



           -p <policy>
           --security-policy <policy>

               An  install  service can be assigned only one of these security
               settings. The <policy> can be one  of  the  following  security
               policy  settings  which are listed in order of decreasing secu‐
               rity:

               require-client-auth

                   Confirms the identity of the AI client. Requires client and
                   server authentication for all clients of the specified ser‐
                   vice. All clients of this service must have their  firmware
                   keys defined.


               require-server-auth

                   Confirms the identity of the AI install server. Requires
                   all clients of the  specified  service  to  perform  server
                   authentication.  Client authentication is optional, but any
                   assigned client credentials are required  to  be  provided.
                   All  clients  of this service must have their firmware keys
                   defined.


               optional

                   Allows both authenticated and  unauthenticated  clients  to
                   access   the  install  service.  Client  authentication  is
                   optional, but any assigned client credentials are  required
                   to be provided. This is the default behavior.


               encr-only

                   Enables  SSL/TLS  end-to-end  encryption for an x86 install
                   service. No authentication is performed.


               disable

                   Disables all security for all clients of the specified ser‐
                   vice.




           -x [-y|--noprompt] [--hash <ca-hash>]
           --delete-security [-y|--noprompt] [--hash <ca-hash>]

               Deletes  any  security configuration for the service, or a spe‐
               cific CA if a --hash is provided. If -y is provided it will not
               prompt for confirmation.



           -g
           --generate-all-certs

               Automatically  generates and assigns all X.509 security creden‐
               tials and generates  firmware  keys.  The  CA  certificate  and
               firmware keys are generated only if they do not already exist.



           -A <ca-certfile>...
           --ca-cert <ca-certfile>...

               Assigns a user-provided PEM-encoded X.509 Certificate Authority
               (CA) certificate located at path <ca-certfile>. You  only  need
               to  specify  each  CA  chain of trust one time. If the CA chain
               includes more than one CA certificate  file,  use  multiple  -A
               options.



           -C <certfile> -K <keyfile>
           --cert <certfile> --key <keyfile>

               -C   assigns  a  user-provided  PEM-encoded  X.509  certificate
               located at path <certfile>.

               -K  assigns  a  user-provided  PEM-encoded  X.509  private  key
               located   at  path  <keyfile>.  The  <keyfile>  must  have  any
               passphrase removed.

               The -C option must be used with the -K option. If  you  specify
               just  the -C and -K options, the associated CA certificate must
               have been previously assigned.

               If you also specify -A options then this  certificate  and  key
               will be validated against those CA Certificates.



           -E
           --generate-encr-key

               Regenerates a security encryption firmware key. Invalidates any
               existing key.

               Firmware keys  are  automatically  generated  if  they  do  not
               already  exist when you use the -g, -C, -K, or -A options. Once
               these keys are generated, you can use the -E and -H options  to
               replace  the  existing  keys.  Specifying  the  -E or -H option
               before firmware keys exist is an error. You  can  specify  both
               firmware  key  options,  or  you  can  specify  either -E or -H
               option. The firmware keys that already  exist  are  invalidated
               and replaced with the newly generated values.



           -H
           --generate-hmac-key

               Regenerates a security hashing firmware key (HMAC). Invalidates
               any existing key.



           -f <hmac-type>
           --hmac-type <hmac-type>

               Assigns <hmac-type> as the active signature type for the server
               and default client, and generates an HMAC key of that type if it
               does not exist.

               If -g is specified in combination with -f|--hmac-type,  creden‐
               tials  with  HMAC  signature type <hmac-type> will be generated
               and the active signature type will not be  changed.  If  -H  is
               specified in combination with -f|--hmac-type, a firmware key of
               HMAC signature type <hmac-type>  will  be  generated,  and  the
               active signature type will not be changed.

               The  <hmac-type>  is  a valid and supported HMAC signature type
               and can be either hmac-sha1 or hmac-sha256  for  SPARC  clients
               and  services,  and  only  hmac-sha256 for x86 clients and ser‐
               vices. <hmac-type> is case-insensitive.
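
           A pre-flight wrapper for the set-service options -A, -C, -K and -p
           described above, and for the <svcname> rule given under
           create-service -n. It is an added example, not code from this man
           page or from Oracle. The ai_* helper names, the INSTALLADM
           override, the group/other permission check on the key file, and
           the order of the two installadm calls are assumptions of this
           example.

```shell
#!/bin/sh
# Added example, not Oracle's code. The ai_* names and the INSTALLADM override
# are hypothetical; the installadm options used are the ones documented above.

INSTALLADM=${INSTALLADM:-/usr/sbin/installadm}

# <svcname>: alphanumerics, "_" and "-", no leading hyphen, at most 63 characters.
ai_check_svcname() (
    LC_ALL=C
    n=$1
    [ -n "$n" ] && [ "${#n}" -le 63 ] || return 1
    case $n in
        -*|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
)

# -p accepts exactly these five settings.
ai_check_policy() {
    case $1 in
        require-client-auth|require-server-auth|optional|encr-only|disable) return 0 ;;
    esac
    return 1
}

# -K needs a key with the passphrase removed. An encrypted PEM key carries a
# PKCS#8 "ENCRYPTED PRIVATE KEY" label or a legacy "Proc-Type: 4,ENCRYPTED" header.
ai_key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Assumption of this example (not a man page requirement): a passphrase-free
# key file should carry no group or other permission bits.
ai_key_perms_ok() {
    [ -f "$1" ] || return 1
    open_bits=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$open_bits" ]
}

# usage: ai_secure_service <svcname> <policy> <ca.pem> <cert.pem> <key.pem>
# returns 2 on bad arguments, 3 on an unusable key, 4 if installadm fails
ai_secure_service() (
    svc=$1; policy=$2; ca=$3; cert=$4; key=$5
    ai_check_svcname "$svc" || { echo "invalid service name: $svc" >&2; return 2; }
    ai_check_policy "$policy" || { echo "unknown policy: $policy" >&2; return 2; }
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; return 2; }
    done
    if ai_key_is_encrypted "$key"; then
        echo "$key is passphrase-protected; -K needs the passphrase removed" >&2
        return 3
    fi
    ai_key_perms_ok "$key" || { echo "$key is accessible to group/other" >&2; return 3; }
    case $policy in
        optional|encr-only|disable)
            echo "warning: policy '$policy' does not require authentication" >&2 ;;
    esac
    # Credentials first: with -A, installadm validates the certificate and key
    # against the CA, and firmware keys are generated if they do not exist yet.
    "$INSTALLADM" set-service -n "$svc" -A "$ca" -C "$cert" -K "$key" || return 4
    # Then the policy, as a separate invocation.
    "$INSTALLADM" set-service -n "$svc" -p "$policy" || return 4
)
```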




       installadm update-service [options] -n|--service <svcname>

           Updates the image associated with <svcname>, where <svcname> is  an
           alias of a service that was created using an IPS AI net image pack‐
           age. A new service is created with the updated image, and <svcname>
           is aliased to the new service.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies  the name of the install service being updated, which
               must be an alias of a service that was created using an IPS net
               image package.


           [options] is one or more of the following:


           -p <publisher>=<origin>
           --publisher <publisher>=<origin>

               The  IPS  package repository from which to update the <svcname>
               image. The following is an example value:

                 solaris=http://pkg.oracle.com/solaris/release/

               If the -p option is not specified, the publisher used is the
               publisher that was used to create the image of the service for
               which <svcname> is an alias. The package publisher can be seen
               in verbose output for that service.



           -K <keypath>
           --key <keypath>
           -C <certpath>
           --cert <certpath>

               A certificate and key can be specified for the publisher by
               providing the paths to a key file and a certificate file with
               these options.



           -s <FMRI>
           --source <FMRI>

               The FMRI of the net image package for the update.

               If the -s option is not specified, the newest available version
               of  the install-image/solaris-auto-install package is used from
               the publisher specified in the description of the -p option.




       installadm rename-service -n <svcname> -N <newsvcname>

           Renames the install service <svcname> to <newsvcname>.

           The <newsvcname> can consist  of  alphanumeric  characters,  under‐
           scores  (_),  and  hyphens (-). The first character of <newsvcname>
           cannot be a hyphen. The length of the <newsvcname> cannot exceed 63
           characters.


       installadm enable -n <svcname>

           Obsolete:  This  subcommand has been obsoleted in preference to the
           --enable option of the set-service subcommand.

           Enables the <svcname> install service.


       installadm disable -n <svcname>

           Obsolete: This subcommand has been obsoleted in preference  to  the
           --enable option of the set-service subcommand.

           Disables the <svcname> install service.


       installadm delete-service [options] -n|--service <svcname>

           Deletes an install service.


               o      Deletes  the  manifests,  profiles, client configuration
                      files, and web server  configuration  for  this  install
                      service.


               o      Deletes the image used to instantiate the service.


               o      Deletes all security credentials of the service.


               o      If  the following conditions exist, the bootfile associ‐
                      ated with this service is removed from the ISC DHCP con‐
                      figuration:

                   o      The service is a default alias.


                   o      A local ISC DHCP configuration exists.


                   o      The all_services/manage_dhcp property value is true.


           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies the install service name to delete.


           Where [options] is one or more of:

           -r|--autoremove

               If  specified,  any  clients  assigned to this service, and any
               services aliased to this service, are also removed.  Any  secu‐
               rity  credentials associated with the service, its aliased ser‐
               vices, and any clients, are also removed.


           -y|--noprompt

               Suppresses any confirmation prompts and proceeds  with  service
               deletion.



       installadm list [-v] [-s | -e <macaddr> | [-a | -cmp] [-n <svcname>]]

           Without  any  options,  lists the summary of all services on the AI
           server. The available options are:


           -v
           --verbose

               Produces more verbose listings.



           -a
           --all

               Lists the configuration of the AI server in a tree-like  output
               with information about the server, services, clients, manifests
               and profiles on the AI server.

               Can only be used in conjunction with the -v or -n options.



           -n <svcname>
           --service <svcname>

               Behaves as a filter, only showing clients,  manifests  or  pro‐
               files for the specified <svcname> on the server.

               This option can be used to filter the -a, -c, -m or -p options.



           -e <macaddress>
           --macaddr <macaddress>

               Lists specific information for the provided <macaddress> only.

               Can only be used in conjunction with the -v option.



           -s
           --server

               Lists information about server configuration.

               Cannot be used with the -n option.



           -c
           --client

               Lists the clients of the install services on a local server.

               When  used  with  -n  option,  it  displays  only manifests and
               scripts for the given service.



           -m
           --manifest

               Lists the manifests and  derived  manifest  scripts  associated
               with the install services on a local server, including criteria
               for each manifest. Inactive  manifests  are  labeled.  Inactive
               manifests  have  no associated criteria and are not the default
               manifest for that service.

               When used with  -n  option,  it  displays  only  manifests  and
               scripts for the given service.



           -p
           --profile

               Lists  the  profiles  associated with the install services on a
               local server, including criteria for each profile.

               When used with -n option, it displays  only  profiles  for  the
               given service.


           Whenever  the list output includes fields that are inaccessible for
           a user, that is, they do not have sufficient  authorisations,  then
           these  fields  are  hidden from the output. Examples of such fields
           are those related to whether security is enabled or not, the  secu‐
           rity credentials, and so on.




       installadm create-manifest [options] [source_options]
               -n|--service <svcname>


           Creates  a  manifest  or  derived  manifests  script for a specific
           install service, thus making the manifest or  script  available  on
           the  network,  independently from creating a service. A non-default
           manifest or script can be used (can be active) only  when  criteria
           are associated with it. Criteria can be entered on the command line
           (-c) or in a criteria XML file (-C).

           The manifest or derived manifests script to be created can be copied
           from a file (-f) or an existing manifest of the install service
           (-M). Additionally specifying the -e option allows the user to edit
           the manifest before it is saved to the install service. If the
           manifest to be created is not a script, the user is placed into the
           interactive interface. The interface presents the AI manifest
           content as a set of non-XML objects and properties that can be
           manipulated using subcommands entered at the interactive interface
           prompt, allowing the user to edit the manifest before saving it to
           the install service. If the manifest to be created is a script,
           then the user is placed into the editor specified by the
           environment variable, VISUAL. If VISUAL is not defined, EDITOR is
           used instead. If neither is defined, then the default editor vi(1)
           is used.

           If  neither  -f  nor  -M  is specified, the user is placed into the
           interactive interface to interactively specify input  for  the  new
           manifest (some values are pre-filled with sensible defaults), which
           is then saved to the install service. See the "MANIFEST EDITOR CLI"
           section below for more information about the interactive interface.



           The name of the manifest is determined in the following order:

               1.     The  manifest  name  specified  by  the  -m  option,  if
                      present.


               2.     The value of the ai_instance  name attribute, if present
                      in the manifest.


               3.     The base name of the filename.
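
The naming order above for create-manifest, as an added shell example (not part of installadm or of this manual page) that predicts which name a manifest file will be registered under before it is published. The function name predict_manifest_name is hypothetical, the ai_instance lookup is a plain text match on double-quoted attributes rather than a real XML parse, and keeping the file extension in the base name is an assumption.

```shell
#!/bin/sh
# Added example: predict the name create-manifest would give a manifest,
# following the documented order:
#   1. the -m option, 2. the ai_instance name attribute, 3. the file base name.
# This is not installadm's own code.

# Usage: predict_manifest_name <file> [<value given to -m>]
predict_manifest_name() {
    file=$1
    opt_name=${2:-}

    # 1. An explicit -m value takes precedence over everything else.
    if [ -n "$opt_name" ]; then
        printf '%s\n' "$opt_name"
        return 0
    fi

    if [ ! -r "$file" ]; then
        echo "predict_manifest_name: cannot read $file" >&2
        return 1
    fi

    # 2. The name attribute of the <ai_instance> element, if present.
    #    Newlines are flattened first so that attributes spread over several
    #    lines still match. Derived manifests scripts have no such element
    #    and fall through to step 3.
    attr=$(tr '\n' ' ' < "$file" |
        sed -n 's/.*<ai_instance[^>]*[[:space:]]name="\([^"]*\)".*/\1/p')
    if [ -n "$attr" ]; then
        printf '%s\n' "$attr"
        return 0
    fi

    # 3. The base name of the file (assumption: the extension is kept).
    basename "$file"
}

# Constructed sample input, for demonstration only.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sparc_base.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<auto_install>
  <ai_instance auto_reboot="true"
      name="sparc_ent">
  </ai_instance>
</auto_install>
EOF
printf '#!/bin/ksh93\n# constructed derived manifests script\n' \
    > "$demo_dir/derive.ksh"

predict_manifest_name "$demo_dir/sparc_base.xml" lab_override  # -m given
predict_manifest_name "$demo_dir/sparc_base.xml"               # attribute
predict_manifest_name "$demo_dir/derive.ksh"                   # base name
rm -rf "$demo_dir"
```
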


           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies  the  name  of  the  install service this manifest or
               script is to be associated with.


           [source_options] can be one of the following:


           -f|--file <filename> [-e|--edit]

               Specifies the path name of the manifest  or  derived  manifests
               script to add.

               If  -e is also specified, the user can edit the manifest before
               saving it to the install service. If the manifest to be created
               is not a script, the user is placed into the interactive inter‐
               face. If the manifest to be created is a script, then the  user
               is  placed  into  the editor specified by the environment vari‐
               able, VISUAL. If VISUAL is not defined, EDITOR is used instead.
               If neither are defined, then the default editor vi(1) is used.


           -M|--existing <existing manifest> [-e|--edit]

               Specifies the name of an existing manifest or derived manifests
               script for <svcname> to copy for the new manifest.

               If -e is also specified, the user can edit the manifest  before
               saving it to the install service. If the manifest to be created
               is not a script, the user is placed into the interactive inter‐
               face.  If the manifest to be created is a script, then the user
               is placed into the editor specified by  the  environment  vari‐
               able, VISUAL. If VISUAL is not defined, EDITOR is used instead.
               If neither are defined, then the default editor vi(1) is used.

           If neither -f nor -M is specified, the  user  is  placed  into  the
           interactive  interface  to  interactively specify input for the new
           manifest (some values are pre-filled with sensible defaults), which
           is  then saved to the install service. The -m option is required to
           name the new manifest.

           [options] can be one or more of the following:

           -m <manifest>
           --manifest <manifest>

               Specifies the AI instance name of the manifest or derived
               manifests script. Sets the name attribute of the ai_instance
               element of the manifest to <manifest>. The manifest or script
               is referred to as <manifest> in subsequent installadm commands
               and installadm list output.



           -c <criteria>=<value|list|range>...
           --criteria <criteria>=<value|list|range>...

               Specifies criteria to be associated with the added manifest  or
               script.  See the "Criteria" section below. The -c option can be
               specified multiple times.



           -C <criteriafile>
           --criteria-file <criteriafile>

               Specifies the path name of a criteria XML file containing  cri‐
               teria to be associated with the added manifest or script.



           -d
           --default

               Specifies that this manifest or script is the new default mani‐
               fest or script for the service.






       installadm update-manifest -n|--service <svcname>
               -m|--manifest <manifest>


       installadm update-manifest -n|--service <svcname> -f|--file <filename>
               [-m|--manifest <manifest>] [-e|--edit]


           Places the user into either the interactive interface or an editor,
           to  edit the manifest specified by <manifest name>. If the manifest
           is not a script, the user is placed into the interactive interface.
           The  interface  presents the content of <manifest> as a set of non-
           XML objects and properties that can be  manipulated  using  subcom‐
           mands  entered  at  the  interactive interface prompt, allowing the
           user to edit the manifest. If the manifest is a  script,  then  the
           user  is  placed into the editor specified by the environment vari‐
           able, VISUAL. If VISUAL is not defined, EDITOR is used instead.  If
           neither are defined, then the default editor vi(1) is used.

           If -f <manifest file> is specified, then the current manifest is
           totally replaced by the contents of <manifest file>. Additionally
           specifying the -e option places the user into an editor or
           interactive interface as above to allow the user to edit the
           manifest before saving it to the install service.

           See  the  "MANIFEST  EDITOR CLI" section below for more information
           about the interactive interface.

           Any criteria or default status remain with the manifest  or  script
           following the update.



           The name of the manifest is determined in the following order:

               1.     The manifest specified by the -m option, if present.


               2.     The value of the ai_instance  name attribute, if present
                      in  the  changed  manifest  and  if   it   matches   the
                      ai_instance  name value of an existing manifest.


               3.     The  base  name  of  the  filename,  if  it  matches the
                      ai_instance  name attribute value in an  existing  mani‐
                      fest, or the name given by installadm list if it matches
                      the name of an existing script.


           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies the name of the install service of  the  manifest  or
               script being updated.


           The following arguments may also be specified:

           -f filename
           --file filename

               Specifies  the path name of the replacement manifest or derived
               manifest script.



           -m manifest
           --manifest manifest

               Specifies the name of the manifest to edit or the AI instance
               name of the replacement manifest or script. Required if -f
               <filename> is not specified.



           -e
           --edit

               In conjunction with -f <filename>, allows the user to edit  the
               manifest  before  saving it to the install service. If the con‐
               tent of the copied file is not a script,  the  user  is  placed
               into  the  interactive  interface.  If the content is a script,
               then the user is placed into the editor specified by the  envi‐
               ronment  variable,  VISUAL. If VISUAL is not defined, EDITOR is
               used instead. If neither are defined, then the  default  editor
               vi(1) is used.






       installadm delete-manifest -n|--service <svcname>
               -m|--manifest manifest


           Deletes  a  manifest  or derived manifest script that was published
           with a specific install service. A default manifest or script  can‐
           not be deleted.

           The required arguments are:

           -n <svcname>
           --service <svcname>

               Specifies  the  name  of the install service of the manifest or
               script being deleted.



           -m manifest
           --manifest manifest

               Specifies the AI instance name of a manifest or  derived  mani‐
               fests script as output by installadm list with the -n option.






       installadm create-profile [options] -n|--service <svcname>
               -f|--file filename...


           Creates  profiles  for  a  specific  install  service. Criteria can
           optionally be associated with a profile by either entering them  on
           the command line (-c) or in a criteria XML file (-C). Profiles cre‐
           ated without criteria are associated with all clients of  the  ser‐
           vice.



           The name of the profile is determined in the following order:

               1.     The profile specified by the -p option, if present.


               2.     The base name of the filename.


           Profile  names  must  be  unique  for an AI service. If multiple -f
           options are used to create more than one profile with the same cri‐
           teria,  then the -p option is invalid and the names of the profiles
           are derived from their file names.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Required: Specifies the name of the install service of the pro‐
               file being created.



           -f filename...
           --file filename...

               Required: Specifies the path name of the file with which to add
               the profile. Multiple profiles can be specified.


           [options] may be one or more of the following:

           -p profile
           --profile profile

               Optional: Specifies the name  of  the  profile  being  created.
               Valid only for single profile creation.



           -c criteria=value|list|range...
           --criteria criteria=value|list|range...

               Optional:  Specifies  criteria  to  be associated with the pro‐
               files. See the "Criteria" section below.  Multiple  -c  options
               can be specified.



           -C criteriafile
           --criteria-file criteriafile

               Optional:  Specifies  the path name of a criteria XML file con‐
               taining criteria to be associated with the specified profiles.



           -e install|system|all[,...]
           --environment install|system|all[,...]

               Optional: Specifies a  comma  separated  list  of  environments
               where  the  profile should be applied. Specifying install indi‐
               cates that the profile should be applied  to  the  installation
               environment.  Specifying  system  indicates  that  the  profile
               should be applied to the installed system environment. Specify‐
               ing  all  is a convenience to denote that the profile should be
               applied to both environments. By default, profiles are  created
               with only the system value.






       installadm set-profile [options] -n|--service <svcname>
               -p|--profile <profile name>


           Modifies  the settings on a profile for a specific install service.
           A profile can be designated to be applied to the installation envi‐
           ronment  or the installed system environment using the -e option. A
           profile can also be renamed by using the -P option.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Required: Specifies the name of the install service of the pro‐
               file being modified.



           -p <profile name>
           --profile <profile name>

               Required: Specifies the name of the profile to modify.


           [options] may be one or more of the following:

           -P <new profile name>
           --new-name <new profile name>

               Optional: Renames profile to specified name.



           -e install|system|all[,...]
           --environment install|system|all[,...]

               Optional:  Specifies  a  comma  separated  list of environments
               where the profile should be applied. Specifying  install  indi‐
               cates  that  the  profile should be applied to the installation
               environment.  Specifying  system  indicates  that  the  profile
               should be applied to the installed system environment. Specify‐
               ing all is a convenience to denote that the profile  should  be
               applied to both environments.






       installadm update-profile -n|--service <svcname>
               -f|--file filename [-p|--profile profile]


           Updates  the  specified profile from the <svcname> install service.
           Replaces the specified profile with the contents of  filename.  Any
           criteria remain with the profile following the update.


           The profile to be updated is determined in the following order:

               1.     The profile specified by the -p option, if present.


               2.     The base name of the filename.



           -n <svcname>
           --service <svcname>

               Required: Specifies the name of the install service of the pro‐
               file being updated.



           -f filename
           --file filename

               Required: Specifies the path name of the file to use to  update
               the profile.



           -p profile
           --profile profile

               Optional:  Specifies the name of the profile being updated. Use
               this option if the name of the profile to update  is  different
               from the base name of the filename.






       installadm delete-profile -n|--service <svcname>
               -p|--profile profile...


           Deletes the profile <profile> from the <svcname> install service.

           The required arguments are:

           -n <svcname>
           --service <svcname>

               Specifies  the name of the install service of the profile being
               deleted.



           -p profile...
           --profile profile...

               Specifies the name  of  the  profile  to  delete.  Multiple  -p
               options can be specified.




       installadm export [-o <path>] [selector] [items]

           The  export  command  has  several  possible  valid combinations of
           options. The first element [selector] selects the  object  that  is
           the source of the item to be output:


           -s
           --server

               Specify  the server object to be used as the source of security
               keys or certificates.



           -n <svcname>
           --service <svcname>

               Specify a specific service to be used as the  source  of  mani‐
               fests, profiles, GRUB menu, or security keys or certificates.



           -c
           --default-client

               Specify that the server's default client security is to be
               used for exporting security keys or certificates.



           -e <macaddr>
           --macaddr <macaddr>

               Specify a client, by its MAC Address, to be used as the  source
               of security keys or certificates.


           The next element [items] specifies the item, or items to be output:

           -m <manifest name>
           --manifest <manifest name>

               Specify  a manifest or derived manifest name to export from the
               specified service. Multiple -m options may be specified.

               Note - This can be used only with the -n option.




           -p <profile name>
           --profile <profile name>

               Specify a profile name to export from  the  specified  service.
               Multiple -p options may be specified.

               Note - This can be used only with the -n option.




           -G
           --grub-cfg

               Outputs the GRUB2 menu (grub.cfg) file that is currently in
               use for the service or client.

               This can be used only with the -n or -e options.



           -c
           --cert

               Outputs the PEM-encoded X.509 certificate for the server,  ser‐
               vice or client specified.

               This  can  be used with any of the selection options -n, -e, -s
               or -c.



           -K
           --key

               Outputs the PEM-encoded X.509 private key for the server,  ser‐
               vice or client specified.

               This  can  be used with any of the selection options -n, -e, -s
               or -c.



           -A <hash> ...
           --ca-cert <hash> ...

               Outputs the PEM-encoded X.509 Certificate Authority  (CA)  cer‐
               tificate with the specified <hash> value.

               This option can be repeated to export multiple CA Certificates,
               and also can be used with any of the selection options -n,  -e,
               -s or -c.




       installadm validate [options] -n|--service <svcname>

           Validates  specified profiles or manifests. The validate subcommand
           can be used to either validate profiles in the database (-p) or  to
           validate  profiles  (-P)  or  manifests  (-M)  while they are being
           developed before their entry into the database.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies the service with which the profiles or manifests  are
               associated and to be validated against.


           Where [options] is one or more of the following:

           -M <manifest_path>
           --manifest <manifest_path>

               Specifies  an  external  manifest  file to validate against the
               provided service.



           -m <manifest_name>
           --manifest <manifest_name>

               Specifies the name of an existing manifest to validate  against
               the provided service.



           -P <profile_path>
           --profile-file <profile_path>

               Specifies an external profile file to validate against the pro‐
               vided service.



           -p <profile_name>
           --profile <profile_name>

               Specifies the name of an existing profile to  validate  against
               the provided service.






       installadm set-criteria [options] -n <svcname>
               [-m <manifest>] [-p <profile>]...


           Updates criteria of already published manifests, derived manifest
           scripts, or profiles. Criteria can be specified on the command
           line or in a criteria XML file.

           Valid criteria are described under the create-manifest subcommand.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies  the service with which the profiles or manifests are
               associated.


           And one or more of:


           -m <manifest name>
           --manifest <manifest name>

               Specifies the AI instance name of a manifest or  derived  mani‐
               fest script.

               Only  one manifest may be specified since it is not possible to
               have multiple manifests with the same criteria assigned.



           -p <profile_name>
           --profile <profile_name>

               Specifies the name of a profile.


           Then [options] is one of the following variations:

           -c <criteria=value|list|range> ...
           --criteria <criteria=value|list|range> ...

               Specifies criteria to replace all  existing  criteria  for  the
               manifest,  script, or profile. See the "Criteria" section below
               for possible values.

               It is possible to specify multiple -c options.



           -C <criteria.xml>
           --criteria-file <criteria.xml>

               Specifies the path name of a criteria XML file containing  cri‐
               teria  to  replace  all  existing  criteria  for  the manifest,
               script, or profile.



           -D
           --delete-all-criteria





           -a <criteria=value|list|range> ...
           --append-criteria <criteria=value|list|range> ...

               Specifies criteria to be appended to the existing criteria  for
               the  manifest,  script,  or profile. See the "Criteria" section
               below for possible values. If the  criteria  specified  already
               exists,  the  value|list|range  of that criteria is replaced by
               the specified value|list|range.

               It is possible to specify multiple -a options.



           -d <criteria> ...
           --delete-criteria <criteria> ...

               Specifies criteria to be removed from the existing criteria for
               the  manifest,  script,  or profile. See the "Criteria" section
               below for possible values.

               It is possible to specify multiple -d options.






       installadm create-client [options]
               -e|--macaddr <macaddr> -n|--service <svcname>


           Accomplishes optional setup tasks for a specified client, in  order
           to  provide  custom client settings that vary from the default set‐
           tings used by the create-service subcommand. Enables  the  user  to
           specify a non-default service name and boot arguments or GRUB2 menu
           for a client.

           An existing client may be modified using the installadm  set-client
           subcommand.



           If  the following conditions exist, the client is configured in the
           ISC DHCP configuration:

               o      The client is an x86 system.


               o      A local ISC DHCP configuration exists.


               o      The all_services/manage_dhcp property value is true.

           The required arguments are:


           -n <svcname>
           --service <svcname>

               Specifies the install service for client installation.



           -e macaddr
           --macaddr macaddr

               Specifies a MAC address for the client.


           For x86 clients only, [options] may be either one of the following:

           -b <property>=<value>,...
           --boot-args <property>=<value>,...

               Sets a property value in the client-specific boot configuration
               file.  Use this option to set boot properties that are specific
               to this client. This option can accept multiple  property=value
               pairs, or be repeated several times.



           -G <grub.cfg>
           --grub-cfg <grub.cfg>

               Specify a custom GRUB2 menu (grub.cfg) file to use when booting
               the client.






       installadm set-client -e <macaddr>
               [-n <svcname>]
               [-b [none|<property>=<value>,... ]]
               [-G [none|<grub.cfg>]]
               [-g]
               [-x [-y] [--hash <ca-hash>]]
               [-A <ca-certfile>]...
               [-C <certfile> -K <keyfile>]
               [-E]
               [-H]
               [-f|--hmac-type <hmac-type>]


           The required arguments are:


           -e macaddr
           --macaddr macaddr

               Specifies a MAC address for the client.


           The following arguments may also be specified:


           -n|--service <svcname>

               Will move the client to this  service  if  different  from  the
               existing service it is associated with.


           -g
           --generate-all-certs

               Generates  a new set of CA Cert, Client Cert and Key, including
               an encryption key and hash if they are not already in place.



           -x
           --delete-security

               Deletes the client's security information. This can be  further
               modified using the following options:

               -y|--noprompt

                   Specifies  that  no  prompting  for confirmations should be
                   done.


               --hash <ca-hash>

                   Limits command to deleting only any CA  Cert  that  matches
                   that value.




           -A <ca-certfile>...
           --ca-cert <ca-certfile>...

               Assigns a user-provided PEM-encoded X.509 Certificate Authority
               (CA) certificate located at path <ca-certfile>. You  only  need
               to  specify  each  CA  chain of trust one time. If the CA chain
               includes more than one CA certificate  file,  use  multiple  -A
               options.



           -C <certfile> -K <keyfile>
           --cert <certfile> --key <keyfile>

               -C   assigns  a  user-provided  PEM-encoded  X.509  certificate
               located at path <certfile>.

               -K  assigns  a  user-provided  PEM-encoded  X.509  private  key
               located   at  path  <keyfile>.  The  <keyfile>  must  have  any
               passphrase removed.

               The -C option must be used with the -K option. If  you  specify
               just  the -C and -K options, the associated CA certificate must
               have been previously assigned.

               If you also specify -A options then this  certificate  and  key
               will be validated against those CA Certificates.



           -E
           --generate-encr-key

               Regenerates a firmware security encryption key. Invalidates any
               existing key.

               Firmware keys  are  automatically  generated  if  they  do  not
               already  exist when you use the -g, -C, -K, or -A options. Once
               these keys are generated, you can use the -E and -H options  to
               replace  the  existing  keys.  Specifying  the  -E or -H option
               before firmware keys exist is an error. You  can  specify  both
               firmware  key  options,  or  you  can  specify  either -E or -H
               option. The firmware keys that already  exist  are  invalidated
               and replaced with the newly generated values.



           -H
           --generate-hmac-key

               Regenerates a security hashing firmware key (HMAC). Invalidates
               any existing key.



           -f <hmac-type>
           --hmac-type <hmac-type>

               Assigns <hmac-type>  as  the  active  signature  type  for  the
               client.

               If -g is specified in combination with -f|--hmac-type,
               credentials with HMAC signature type <hmac-type> will be
               generated and the active signature type will not be changed. If
               -H is specified in combination with -f|--hmac-type, a firmware
               key of HMAC signature type <hmac-type> will be generated, and
               the active signature type will not be changed.

               The <hmac-type> is a valid and supported  HMAC  signature  type
               and  can  be  either hmac-sha1 or hmac-sha256 for SPARC clients
               and services and only hmac-sha256 for x86 clients and services.
               <hmac-type> is case-insensitive.


           For x86 clients only, [options] may be either one of the following:

           -b|--boot-args none|<property>=<value>,...

               For  x86  clients  only,  sets  the boot arguments for the GRUB
               menu, or removes them if 'none'  is  specified,  restoring  the
               service GRUB configuration.

               This  option  will fail if there is a custom GRUB2 menu already
               in place for this client.


           -G|--grub-cfg none|<grub.cfg>

               For x86 clients only, assigns a new GRUB2 menu file, or removes
               one if 'none' is specified.

               Adding  a  new  GRUB2  menu will replace any existing boot-args
               specified for this client.



       installadm delete-client -e|--macaddr macaddr

           Deletes an existing client's specific service information that  was
           previously  set up using the create-client subcommand. Also deletes
           all security credentials for that client.



           If the following conditions exist, the client  is  unconfigured  in
           the ISC DHCP configuration:

               o      The client is an x86 system.


               o      A local ISC DHCP configuration exists.


               o      The all_services/manage_dhcp property value is true.

           The required arguments are:

           -e macaddr
           --macaddr macaddr

               Specifies the MAC address of the client to delete.




       installadm set-server [options] [sec_options]

           Modifies the server configuration.

           Note the following specifications:


               o      If  -i and -c options are used, and a DHCP server is not
                      yet configured, an ISC DHCP server is configured.

                      If an ISC DHCP server is already configured,  that  DHCP
                      server is updated.

                      Even  when  -i and -c arguments are provided and DHCP is
                      configured, no binding exists between the  install  ser‐
                      vice  being created and the IP range. When -i and -c are
                      passed and  the  value  of  all_services/manage_dhcp  is
                      true,  the IP range is set up, a new DHCP server is cre‐
                      ated if needed, and that DHCP server remains up and run‐
                      ning  for  all  install services and all clients to use.
                      The network information provided to the DHCP server  has
                      no specific bearing on the service being created.


               o      If  the  IP  range requested is not on a subnet that the
                      install  server  has  direct  connectivity  to  and  the
                      install  server  is multihomed, the -B option is used to
                      provide the address of the bootfile server  (usually  an
                      IP  address  on this system). This should only be neces‐
                      sary when multiple IP addresses are  configured  on  the
                      install  server  and  DHCP  relays  are employed. In all
                      other configurations, the software  can  determine  this
                      automatically.

           Where [options] is at least one of:


           -p <port>
           --port <port>

               Specifies  the  port  that  hosts  the  AI install services web
               server. By default, the web server is hosted on port 5555.

               If you want to use a different port number  from  the  default,
               customize  the port property before you create any install ser‐
               vices.



           -P <secure_port>
           --secure-port <secure_port>

               Specifies the port that hosts the secure  AI  install  services
               web server. By default, the web server is hosted on port 5556.



           -d <directory>
           --imagepath-basedir <directory>

               Specifies  the  default  location  for  images  created  by the
               installadm  create-service  command.  Images  are  located   at
               <directory>/service_name. The default value of this property is
               /export/auto_install.



           -u|--enable-webui

               Enables the AI Manifest Wizard Web UI, and is  mutually  exclu‐
               sive with the -U option.


           -U|--disable-webui

               Disables the AI Manifest Wizard Web UI, and is mutually
               exclusive with the -u option.


           -z|--enable-wizard-save

               Enables the AI Manifest Wizard to write generated manifests  to
               a temporary location on the AI server for ease of addition to a
               service through installadm.  Mutually  exclusive  with  the  -Z
               option.


           -Z|--disable-wizard-save

               Disables  the AI Manifest Wizard writing generated manifests to
               a temporary location on the AI server for ease of addition to a
               service  through  installadm.  Mutually  exclusive  with the -z
               option.


           -l all|<CIDR>[,...]
           --include-networks all|<CIDR>[,...]

               Takes a comma-separated list of networks in  CIDR  format  (for
               example, 192.168.56.0/24) to allow.

               Use this list of networks to specify which clients this install
               server serves. Using this  option  will  replace  any  networks
               already configured using -l or -L options.

               Using  this  option will set the AI install server SMF all_ser‐
               vices/networks   and   all_services/exclude_networks    values.
               Specifically, this sets the all_services/exclude_networks prop‐
               erty to false.

               By default, the  AI  install  server  is  configured  to  serve
               install clients on all networks that the server is connected to
               if the server is multihomed. To return to this  state  you  can
               use the special 'all' value here.



           -L none|<CIDR>[,...]
           --exclude-networks none|<CIDR>[,...]

               Tells  the  server to exclude these networks when deciding what
               to serve out on, mutually exclusive with the -l  option.  Using
               this  option will replace any networks already configured using
               -l or -L options.

               Takes a comma-separated list of networks in  CIDR  format  (for
               example, 192.168.56.0/24) to disallow.

               Using  this  option will set the AI install server SMF all_ser‐
               vices/networks   and   all_services/exclude_networks    values.
               Specifically, this sets the all_services/exclude_networks prop‐
               erty to true.

               By default, the  AI  install  server  is  configured  to  serve
               install clients on all networks that the server is connected to
               if the server is multihomed. To return to this  state  you  can
               use the special 'none' value here.



           -m
           --manage-dhcp

               Configures the AI server property to manage the DHCP
               configuration locally. If set, the AI server will automatically
               update the local ISC DHCP configuration when client and service
               configurations are modified in the install server.

               If there is no existing ISC DHCP configuration, then the -i and
               -c  options  must also be specified to define the address range
               to manage.

               Mutually exclusive with the -M option.



           -M
           --unmanage-dhcp

               Configures the AI server property to not manage the  DHCP  con‐
               figuration  locally,  so  the  AI server will not automatically
               maintain the ISC DHCP configuration when client or service con‐
               figurations are modified.

               Mutually exclusive with the -m option.



           -i <dhcp_ip_start> -c <count_of_ipaddr>
           --ip-start <dhcp_ip_start> --ip-count <count_of_ipaddr>

               Changes the DHCP configuration if managing DHCP. The -i and -c
               options must be specified together.

               If not already managing DHCP, it  will  be  necessary  to  also
               specify the -m option to enable it.

               These  options are used to specify the starting IP address in a
               range to be added to the local DHCP configuration.

               The number of IP addresses is provided by the -c option.  If  a
               local  ISC  DHCP  configuration  does not exist, and -m is also
               specified, an ISC DHCP server is started.

               If a local ISC DHCP configuration already exists, these
               addresses will be added to the existing set of managed
               addresses, provided there is no overlap.



           -B <server_ipaddr>
           --bootfile-server <server_ipaddr>

               Used to provide the IP address of the boot  server  from  which
               clients  should  request  bootfiles.  Only  required if this IP
               address cannot be determined by other means.



           --telemetry-enable | --telemetry-disable

               Turns on or off the sending of telemetry data to the AI  server
               from the AI client.


           --telemetry-frequency <number_of_seconds>

               Sets how often the telemetry data is sent to the AI server from
               the AI client. If the frequency is a non-zero number, the data
               is sent every <number_of_seconds> seconds. If the frequency is
               0, the data is sent immediately as it becomes available. The
               default is 120 seconds.


           --telemetry-success
           [none|install_log|all_logs|all_files|<file>|<fmri>],...

               Sets what files are sent back to the  AI  server  from  the  AI
               client when the installation completes successfully. A value of
               none will effectively turn off the sending of files from the AI
               client  to  the AI server. A value of install_log will send the
               install_log file. A value of all_logs will send the install_log
               file  as well as the relevant SMF service log files. A value of
               all_files will send those listed in all_logs  as  well  as  the
               install  service files used to install the system such as mani‐
               fest and profile files. A value of <file> will send  the  fully
               qualified file back to the AI server. Shell-style wildcards (*,
               ? and []) are allowed in the file  path.  This  option  can  be
               specified multiple times. The default is install_log.


           --telemetry-success-add
           [install_log|all_logs|all_files|<file>|<fmri>],...

               Appends to the list of files that are sent back to the AI
               server from the AI client when the installation completes
               successfully. A value of install_log will append the
               install_log file to the list of files to send to the AI server
               upon a successful installation. A value of all_logs will append
               the install_log file as well as the relevant SMF service log
               files to the list of files to send to the AI server upon a
               successful installation. A value of all_files will append those
               files listed in all_logs as well as the install service files
               used to install the system such as manifest and profile files
               to the list of files to send to the AI server upon a successful
               installation. A value of <file> will append the file to the
               list of files to send to the AI server upon a successful
               installation. The file must be a fully qualified file and
               shell-style wildcards (*, ? and []) are allowed. This option
               can be specified multiple times.


           --telemetry-success-remove
           [install_log|all_logs|all_files|<file>|<fmri>],...

               Removes from the list of files that are sent back to the AI
               server from the AI client when the installation completes
               successfully. A value of install_log will remove the
               install_log file from the list of files to send to the AI
               server upon a successful installation. A value of all_logs will
               remove the install_log file as well as the relevant SMF service
               log files from the list of files to send to the AI server upon
               a successful installation. A value of all_files will remove
               those files listed in all_logs as well as the install service
               files used to install the system such as manifest and profile
               files from the list of files to send to the AI server upon a
               successful installation. A value of <file> will remove the file
               from the list of files to send to the AI server upon a
               successful installation. The file must be a fully qualified
               file and shell-style wildcards (*, ? and []) are allowed. This
               option can be specified multiple times.


           --telemetry-failure
           [none|install_log|all_logs|all_files|<file>|<fmri>],...

               Sets what files are sent back to the AI server from the AI
               client when the installation fails. A value of none will
               effectively turn off the sending of files from the AI client to
               the AI server. A value of install_log will send the install_log
               file. A value of all_logs will send the install_log file as
               well as the relevant SMF service log files. A value of
               all_files will send those listed in all_logs as well as the
               install service files used to install the system such as
               manifest and profile files. A value of <file> will send the
               fully qualified file back to the AI server. Shell-style
               wildcards (*, ? and []) are allowed in the file path. This
               option can be specified multiple times. The default is
               install_log.


           --telemetry-failure-add
           [install_log|all_logs|all_files|<file>|<fmri>],...

               Adds to the list of files that are sent back to the AI server
               from the AI client when the installation fails. A value of
               install_log will add the install_log file to the list of files
               to send to the AI server upon a failed installation. A value of
               all_logs will add the install_log file as well as the relevant
               SMF service log files to the list of files to send to the AI
               server upon a failed installation. A value of all_files will
               add those files listed in all_logs as well as the install
               service files used to install the system such as manifest and
               profile files to the list of files to send to the AI server
               upon a failed installation. A value of <file> will add the file
               to the list of files to send to the AI server upon a failed
               installation. The file must be a fully qualified file and
               shell-style wildcards (*, ? and []) are allowed. This option
               can be specified multiple times.


           --telemetry-failure-remove
           [install_log|all_logs|all_files|<file>|<fmri>],...

               Removes from the list of files that are sent back to the AI
               server from the AI client when the installation fails. A value
               of install_log will remove the install_log file from the list
               of files to send to the AI server upon a failed installation. A
               value of all_logs will remove the install_log file as well as
               the relevant SMF service log files from the list of files to
               send to the AI server upon a failed installation. A value of
               all_files will remove those files listed in all_logs as well as
               the install service files used to install the system such as
               manifest and profile files from the list of files to send to
               the AI server upon a failed installation. A value of <file>
               will remove the file from the list of files to send to the AI
               server upon a failed installation. The file must be a fully
               qualified file and shell-style wildcards (*, ? and []) are
               allowed. This option can be specified multiple times.


           --telemetry-statistics-retention <number> [d|m|y]

               Sets the number of (d)ays, (m)onths or (y)ears  that  telemetry
               statistical  data will be retained on the AI server (default is
               years). To turn off the removal of telemetry statistical data a
               value of 0 may be used. The default is to retain telemetry sta‐
               tistics for 2 years.


           --telemetry-files-retention <number> [d|m|y]

               Sets the number of (d)ays, (m)onths or (y)ears  that  telemetry
               success  and  failure  files  will be retained on the AI server
               (default is days). To turn off the removal of telemetry success
               and  failure  files a value of 0 may be used. The default is to
               retain telemetry files for 7 days.


           -s
           --enable-security

               Mutually exclusive with the -S option.

               Re-enables security enforcement server-wide after security  was
               disabled by using the --disable-security option.



           -S
           --disable-security

               Mutually exclusive with the -s option.

               Disables  security  enforcement  server-wide. While security is
               disabled, no credentials will be issued to clients, and no cre‐
               dentials  will be required from clients. While security is dis‐
               abled, no HTTPS network protection is provided for any  of  the
               AI  files  served  to an AI client. User-specified secure files
               served by the AI web server are not accessible  while  security
               is disabled.

               While security is disabled, you can continue to configure secu‐
               rity. Any changes are effective when security is re-enabled.

               Use caution when disabling security for  systems  that  already
               have  install  services configured: The secured AI service data
               will not require authentication to  access,  and  non-authenti‐
               cated  clients  will  be able to install Oracle Solaris through
               AI.



           -D
           --default-client-security

               Limits the [sec_options] to modifying the default client  secu‐
               rity only as opposed to the server's security settings.


           The  [sec_options] can be any of the following. By default they are
           applied to  the  server,  unless  the  -D|--default-client-security
           option is specified:

           -x [--hash <ca-hash> [-r]]
           --delete-security [--hash <ca-hash> [--recursive]]

               Delete any configured security. If --hash is specified, only CA
               Certificates with that hash will be removed.

               Without -r, deletes the CA certificate previously  assigned  to
               the install server (or the default client with -D specified).

               With  -r,  deletes  the specified CA certificate for the server
               and any clients that use that CA certificate.

               Deletes the CA certificate previously assigned to the install
               server, the specified client, or default clients.

               The  value  of <ca-hash> is the hash value of the certificate's
               X.509 subject. Use the list -v subcommand  to  display  the  CA
               certificate hash.

               When  the  CA  certificate is deleted for a client, that client
               can no longer be authenticated. If you  use  the  specified  CA
               certificate  to  generate  certificates, the installadm command
               will not be able to generate certificates.



           -g
           --generate-all-certs

               Automatically generates and assigns all X.509 security  creden‐
               tials  and  generates  firmware  keys.  The  CA certificate and
               firmware keys are generated only if they do not already exist.



           -A <ca-certfile>...
           --ca-cert <ca-certfile>...

               Assigns a user-provided PEM-encoded X.509 Certificate Authority
               (CA)  certificate  located at path <ca-certfile>. You only need
               to specify each CA chain of trust one time.  If  the  CA  chain
               includes  more  than  one  CA certificate file, use multiple -A
               options.



           -C <certfile> -K <keyfile>
           --cert <certfile> --key <keyfile>

               -C  assigns  a  user-provided  PEM-encoded  X.509   certificate
               located at path <certfile>.

               -K  assigns  a  user-provided  PEM-encoded  X.509  private  key
               located  at  path  <keyfile>.  The  <keyfile>  must  have   any
               passphrase removed.

               The  -C  option must be used with the -K option. If you specify
               just the -C and -K options, the associated CA certificate  must
               have been previously assigned.

               If  you  also  specify -A options then this certificate and key
               will be validated against those CA Certificates.



           -E
           --generate-encr-key

               Regenerates a security encryption firmware key. Invalidates any
               existing key.

               Firmware  keys  are  automatically  generated  if  they  do not
               already exist when you use the -g, -C, -K, or -A options.  Once
               these  keys are generated, you can use the -E and -H options to
               replace the existing keys.  Specifying  the  -E  or  -H  option
               before  firmware  keys  exist is an error. You can specify both
               firmware key options, or  you  can  specify  either  -E  or  -H
               option.  The  firmware  keys that already exist are invalidated
               and replaced with the newly generated values.



           -H
           --generate-hmac-key

               Regenerates a firmware security hashing key (HMAC). Invalidates
               any existing key.



           -F <hmac-type>
           --hmac-policy <hmac-type>

               Designates  a  HMAC signature type to be set as the server-wide
               policy. The policy will be applied to any new  AI  clients  and
               services  as well as existing AI clients and services for which
               new credentials are assigned.



           -f <hmac-type>
           --hmac-type <hmac-type>

               Assigns <hmac-type> as the active signature type for the server
               and  default client and generates a HMAC key of that type if it
               does not exist.

               If -g is specified in combination with -F|--hmac-type,  creden‐
               tials  with  HMAC  signature type <hmac-type> will be generated
               and the active signature type will not be  changed.  If  -H  is
               specified in combination with -f|--hmac-type, a firmware key of
               HMAC signature type <hmac-type>  will  be  generated,  and  the
               active signature type will not be changed.

               The  <hmac-type>  is  a valid and supported HMAC signature type
               and can be either hmac-sha1 or hmac-sha256  for  SPARC  clients
               and services and only hmac-sha256 for x86 clients and services.
               <hmac-type> is case-insensitive.
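
       An added example, not Oracle's code: a structural pre-check, in Python,
       of the files passed to -C, -K and -A in set-client and set-server
       above. It confirms the inputs are PEM, that the key file holds exactly
       one private key, and that the key has had its passphrase removed (the
       PKCS#8 and the legacy OpenSSL encodings of an encrypted key are both
       detected); it does not validate the certificate chain. The function
       names and the sample PEM bodies are constructed for this example.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text."""
    blocks = []
    for label, inner in PEM_RE.findall(text):
        headers, body = {}, []
        for line in inner.splitlines():
            if ":" in line:                 # header line such as Proc-Type
                key, _, val = line.partition(":")
                headers[key.strip()] = val.strip()
            elif line.strip():
                body.append(line.strip())
        # validate=True rejects anything that is not strict base64.
        blocks.append((label, headers,
                       base64.b64decode("".join(body), validate=True)))
    return blocks


def key_is_encrypted(label, headers):
    """True if the private key block still carries a passphrase."""
    if label == "ENCRYPTED PRIVATE KEY":    # PKCS#8 encrypted form
        return True
    # Legacy OpenSSL form: the encryption is announced in a header.
    return headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"


def precheck(cert_pem, key_pem, ca_pems=()):
    """Return a list of problems; an empty list means the inputs look usable."""
    problems = []

    def load(name, text):
        try:
            return pem_blocks(text)
        except ValueError as exc:           # binascii.Error is a ValueError
            problems.append(f"{name}: PEM body is not valid base64 ({exc})")
            return []

    if not any(b[0] == "CERTIFICATE" for b in load("certfile", cert_pem)):
        problems.append("certfile: no CERTIFICATE block found")
    keys = [b for b in load("keyfile", key_pem)
            if b[0].endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(
            f"keyfile: expected one private key block, found {len(keys)}")
    for label, headers, _ in keys:
        if key_is_encrypted(label, headers):
            problems.append("keyfile: private key is passphrase-protected")
    for i, text in enumerate(ca_pems, 1):
        name = f"ca-certfile #{i}"
        if not any(b[0] == "CERTIFICATE" for b in load(name, text)):
            problems.append(f"{name}: no CERTIFICATE block found")
    return problems


def make_pem(label, payload, headers=""):
    """Build a constructed PEM block; the payload is NOT real key material."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed sample inputs (placeholder bytes, not real certificates or keys).
SAMPLE_CERT = make_pem("CERTIFICATE", b"constructed bytes, not a certificate")
SAMPLE_KEY_CLEAR = make_pem("PRIVATE KEY", b"constructed bytes, not a key")
SAMPLE_KEY_PKCS8_ENC = make_pem("ENCRYPTED PRIVATE KEY", b"constructed bytes")
SAMPLE_KEY_LEGACY_ENC = make_pem(
    "RSA PRIVATE KEY", b"constructed bytes",
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n")

if __name__ == "__main__":
    for name, key in [("clear", SAMPLE_KEY_CLEAR),
                      ("pkcs8-encrypted", SAMPLE_KEY_PKCS8_ENC),
                      ("legacy-encrypted", SAMPLE_KEY_LEGACY_ENC)]:
        print(name, precheck(SAMPLE_CERT, key, [SAMPLE_CERT]))
```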




       installadm execute -f <file>

           Executes a list of subcommands from <file> in sequence as  a  batch
           job.

           Has  the  added  benefit of leaving refresh/restart of SMF services
           until the completion of the batch run.

           The required arguments are:

           -f <file>
           --file <file>

               The file containing a list of subcommands to be  executed,  one
               line per subcommand.

               Blank lines, and those starting with a '#' are ignored.
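
       An added example, not part of installadm or this manual page: a Python
       pre-flight check for a batch file before it is passed to installadm
       execute -f. It applies only the mutual-exclusion and must-be-together
       rules stated above for set-server and set-client, and flags
       --disable-security. The function names, the sample batch file, and the
       assumptions that each line starts with the subcommand name and does
       not bundle short options are the example's own.

```python
import shlex

# Long-to-short spellings, taken from the set-server and set-client text.
ALIASES = {
    "--enable-webui": "-u", "--disable-webui": "-U",
    "--enable-wizard-save": "-z", "--disable-wizard-save": "-Z",
    "--include-networks": "-l", "--exclude-networks": "-L",
    "--manage-dhcp": "-m", "--unmanage-dhcp": "-M",
    "--enable-security": "-s", "--disable-security": "-S",
    "--ip-start": "-i", "--ip-count": "-c",
    "--cert": "-C", "--key": "-K",
}

# Option pairs the page calls mutually exclusive, per subcommand.
EXCLUSIVE = {
    "set-server": [("-u", "-U"), ("-z", "-Z"), ("-l", "-L"),
                   ("-m", "-M"), ("-s", "-S")],
}

# Option pairs the page says must be given together, per subcommand.
TOGETHER = {
    "set-server": [("-i", "-c"), ("-C", "-K")],
    "set-client": [("-C", "-K")],
}


def parse_line(raw):
    """Return (subcommand, normalized flags), or None for a skipped line."""
    # Blank lines and lines starting with '#' are ignored, as documented.
    if not raw.strip() or raw.startswith("#"):
        return None
    tokens = shlex.split(raw)
    flags = set()
    for tok in tokens[1:]:
        if tok.startswith("-") and len(tok) > 1:
            name = tok.split("=", 1)[0]          # tolerate --opt=value
            flags.add(ALIASES.get(name, name))
    return tokens[0], flags


def lint_batch(text):
    """Return [(line number, level, message)] for rule violations in text."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        try:
            parsed = parse_line(raw)
        except ValueError as exc:                # e.g. unbalanced quotes
            findings.append((lineno, "error", f"cannot tokenize line: {exc}"))
            continue
        if parsed is None:
            continue
        sub, flags = parsed
        for a, b in EXCLUSIVE.get(sub, []):
            if a in flags and b in flags:
                findings.append((lineno, "error",
                                 f"{sub}: {a} and {b} are mutually exclusive"))
        for a, b in TOGETHER.get(sub, []):
            if (a in flags) != (b in flags):
                findings.append((lineno, "error",
                                 f"{sub}: {a} and {b} must be given together"))
        if sub == "set-server" and "-S" in flags:
            findings.append((lineno, "warn",
                             "set-server: -S disables security enforcement "
                             "server-wide"))
    return findings


# Constructed sample batch file (addresses and paths are placeholders).
SAMPLE_BATCH = """\
# constructed batch file for installadm execute -f
set-server -m -i 192.168.56.10

set-server -s --disable-security
set-client -e 0:14:4f:a:b:c -C /tmp/client.crt
set-server -l 192.168.56.0/24 -p 5555
"""

if __name__ == "__main__":
    for lineno, level, message in lint_batch(SAMPLE_BATCH):
        print(f"line {lineno}: {level}: {message}")
```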




INTERACTIVE MODE
       The  interactive mode provides an installadm prompt at which it is pos‐
       sible to enter subcommands one after the other. The  main  benefits  of
       interactive mode are:

           o      To  input  several  commands using just the subcommand form,
                  especially useful if using sudo or pfexec to run  installadm
                  with additional privileges or authorisations.


           o      Tab-completion of the subcommands.



       In  interactive mode, there are several other commands available to use
       that are not used by the one-command usage:

       shell [<command>]

           If specified, will execute the <command> in a  sub-shell  based  on
           the value of the environment variable SHELL.

           Without  any  parameters will start a sub-shell to be used interac‐
           tively.

           There is also a short-form of this command '!' that can be used  as
           "!ls" to execute the ls command.


       quit

           Quits the interactive prompt.


CRITERIA
       Manifests,  derived  manifest scripts, and profiles can be used to con‐
       figure AI clients differently according to certain characteristics,  or
       criteria. Only one manifest or script can be associated with a particu‐
       lar client. Any number of profiles can be associated with a  particular
       client.


       The criteria values are determined by the AI client during startup.


       See  the  "Examples" section to see how to specify criteria on the com‐
       mand line. For information about criteria  keywords  for  different  AI
       clients,  see Defining Criteria for Manifests and Profiles in Customiz‐
       ing Automated Installations With Manifests and Profiles.


       Criteria    Description
       arch        Architecture per uname -m.
       cpu         CPU class per uname -p.
       hostname    Assigned host name.
       ipv4        IP version 4 network address.
       mac         Hexadecimal MAC address with colon (:) separators.
       mem         Memory size in MB per prtconf(8).
       network     IP version 4 network number.
       platform    Platform name returned by uname -i for x86 systems and
                   prtconf -b for SPARC systems.
       zonename    Name of a zone per zones(7).



       The ipv4, mac, mem, and network  specifications  can  be  expressed  as
       ranged values separated by a hyphen (-). To specify no limit to one end
       of a range, use  unbounded.  Precedence  is  given  to  specific  value
       matches versus range matches when determining a matching manifest.


       The  arch,  cpu, hostname, platform, and zonename specifications can be
       expressed as a quoted list of values separated by white space.

INSTALL SERVER CONFIGURATION PROPERTIES
       The following properties of the svc:/system/install/server:default  SMF
       service are used to configure the install server.


       The  majority of these are configurable using the set-server subcommand
       which would be the preferred mechanism for updating them.

       all_services/networks

           A list of networks in CIDR format (for example, 192.168.56.0/24) to
           allow  or  disallow, depending on how the all_services/exclude_net‐
           works property is set.

           Use this list of networks to specify  which  clients  this  install
           server  serves.  By default, the AI install server is configured to
           serve install clients on all networks that the server is  connected
           to if the server is multihomed.


       all_services/exclude_networks

           A  boolean  value.  If  true,  exclude  networks  specified  by the
           all_services/networks property from being served  by  this  install
           server.  If  false,  include the networks specified by the all_ser‐
           vices/networks property.


       all_services/port

           Specifies the port that hosts the AI install services  web  server.
           By default, the web server is hosted on port 5555.

           If  you  want to use a different port number from the default, cus‐
           tomize the port property before you create any install services.


       all_services/secure_port

           Specifies the port that hosts the secure AI  install  services  web
           server. By default, the web server is hosted on port 5556.


       all_services/webserver_files_dir

           Specifies a directory on the local system that the AI web server
           will serve using its standard port (defined by the
           all_services/port property). This directory will be accessible at
           the following location:

           http://server:port/files


       all_services/webserver_secure_files_dir

           Specifies a directory on the local system that the AI web server
           will serve using its secure port (defined by the
           all_services/secure_port property). This directory will be
           accessible at the following location:

           https://server:secure_port/secure_files

           Only  authenticated clients can access this directory. For greatest
           security, files in the webserver_secure_files_dir directory  should
           be  owned  by  user  webservd  and group webservd and have no world
           access.
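
           The ownership and permission recommendation above can be checked
           with a short audit. The following is an added Python example, not
           part of installadm; the function names are hypothetical, and the
           directory to audit is passed as an argument because its location is
           site-specific.

```python
import grp
import os
import pwd
import stat
import sys


def owner_name(uid):
    """User name for a uid, or the number as text if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid):
    """Group name for a gid, or the number as text if it has no group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def check_entry(path, owner, group):
    """Return a list of (path, problem) tuples for one file or directory."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        # A link's own mode says nothing about the file it points to.
        return [(path, "symbolic link: target not covered by this audit")]
    problems = []
    if owner_name(st.st_uid) != owner:
        problems.append((path, "owner is %s, expected %s"
                         % (owner_name(st.st_uid), owner)))
    if group_name(st.st_gid) != group:
        problems.append((path, "group is %s, expected %s"
                         % (group_name(st.st_gid), group)))
    if st.st_mode & stat.S_IRWXO:
        problems.append((path, "world access bits set (mode %04o)"
                         % stat.S_IMODE(st.st_mode)))
    return problems


def audit_secure_dir(root, owner="webservd", group="webservd"):
    """Audit root and everything below it; an empty list means no findings."""
    findings = check_entry(root, owner, group)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            findings.extend(check_entry(os.path.join(dirpath, name), owner, group))
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    results = audit_secure_dir(sys.argv[1])
    for path, problem in results:
        print("%s: %s" % (path, problem))
    sys.exit(1 if results else 0)
```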


       all_services/default_imagepath_basedir

           Specifies the default location for images created by the installadm
           create-service command. Images are located at
           all_services/default_imagepath_basedir/service_name. The default
           value of this property is /export/auto_install.


       all_services/manage_dhcp

           A  boolean  value. If true, automatically update the local ISC DHCP
           configuration when client and service configurations  are  modified
           in  the  install  server. If false, does not automatically maintain
           the ISC DHCP configuration.


MANIFEST EDITOR CLI
       The manifest editor CLI is an interactive interface that presents the
       AI manifest content as a set of objects and properties that can be
       manipulated using subcommands entered at the interactive interface
       prompt. It allows you to interactively edit a manifest during
       create-manifest or update-manifest without having to view or understand
       an XML document.


       The interface provides a visual representation of the objects and prop‐
       erties in the manifest. Objects can contain properties that can be set,
       deleted, or added, as well as sub-objects (themselves objects) that can
       be traversed, added, deleted, or moved.


       The following subcommands are available within the interface:

       Operations subcommands

           set, add, delete, and move


       Navigation subcommands

           select, cancel, and end


       Additional subcommands

           help, info, walk, commit, exit, validate, and shell


       help [subcommand]

           Without any parameters, provides a list of  available  subcommands.
           If  a  subcommand  is specified, help is provided for that specific
           subcommand.


       info [-v|--verbose]

           By default, displays all properties and objects up to one level
           down. For objects more than one level down, a summary line is
           displayed, followed by '...'. Use the -v option to show details of
           objects more than one level down. When multiples of a given object
           exist, the order is designated by <object>[<position#>], for
           example, disk[3].


       select <object>
       select <object>[<position#>]
       select <object> <property>=<value>

           Selects  an  object  and navigates to that level. The object may be
           further specified by position# or by the value of a property.




       cancel

           Discards any changes made on the current level and navigates up one
           level.


       end

           Validates  changes  made on the current level and, if no validation
           errors occur, navigates up one level. At top level, same as 'exit'.


       set <property>=<value>

           Sets the value of an object's <property> to <value>.


       add [-w|--walk] <object>
       add <property>=<value>

           Adds an object or a property. If -w is specified for an object, the
           object  is  added  and  a  'walk'  is  started. Without -w, the new
           object's 'info' is automatically  displayed,  showing  the  proper‐
           ties/default values of the added object.



       delete <property>
       delete <property>=<value>
       delete <object>
       delete <object>[<position#>]
       delete <object> <property>=<value>

           Deletes  an  object  or  property. The property may be specified by
           value and the object may be specified by position# or by the  value
           of a property.






       move <object> <old position#> <new position#>

           Moves  object  to  a  different position. Valid objects to move are
           designated in 'info' output by '[<position#>]'.


       walk

           Prompts for every settable property  associated  with  the  current
           object.  For each property, displays the name and current value and
           allows a new value  to  be  entered.  Recursively  walks  down  sub
           objects  and  allows addition of new subobjects. Can be interrupted
           with Ctrl-D.


       validate

           Validates settings at the current level. This is an  optional  sub‐
           command. The subcommands, 'end' and 'exit', validate implicitly.


       commit

           Validates  changes, saves manifest, and continues editing. Valid at
           top level only. Following a successful commit, a  new  baseline  is
           established  and  cancel can no longer revert any changes made ear‐
           lier.


       exit

           Prompts whether to save manifest and exit (changes are  validated),
           exit without saving uncommitted changes, or continue editing.


       shell <solaris command>
       !<solaris command>

           Executes the <solaris command> in a sub-shell based on the value of
           the environment variable SHELL. Without any parameters, will  start
           a sub-shell to be used interactively. Can be used to easily execute
           a system command or view system information from within the  inter‐
           face.



   Manifest Editor CLI Examples
       Example  1  Creating a New Manifest and Changing the Publisher to Point
       to a Local Repository



         # installadm create-manifest -n sol_11_3 -m mymanifest
             Type help to see list of subcommands.
             installadm:mymanifest> info
                http-proxy: <not specified>
                auto-reboot: false
                create-swap: true
                create-dump: true
                software:
                   type: IPS
                   name: <not specified>
                   facet[1]: facet.locale.*=false ...
                   <other facets removed for brevity>
                   facet[20]: facet.locale.zh_TW=true ...
                   publisher: name=solaris ...
                   pkg-list: action=install ...
                disk: Section not specified
                pool:
                   action: create
                   name: rpool
                   is-root: true
                   mountpoint: <not specified>
                   pool-option: Section not specified
                   dataset-option: Section not specified
                   be-option: Section not specified
                   vdev: Section not specified
                   filesystem[1]: name=export ...
                      option: Section not specified
                   filesystem[2]: name=export/home ...
                      option: Section not specified
                   volume: Section not specified
                boot-mods: Section not specified
                configuration: Section not specified
             installadm:mymanifest> select software
             installadm:mymanifest:software> select publisher
             installadm:mymanifest:software:publisher> set origin=http://myrepo.example.com/solaris
             installadm:mymanifest:software:publisher> info
                name: solaris
                key: <not specified>
                cert: <not specified>
                ca-cert: <not specified>
                origin: http://myrepo.example.com/solaris
                mirror: <not specified>
             installadm:mymanifest:software:publisher> end
             installadm:mymanifest:software> end
             installadm:mymanifest> exit
             1. Save manifest and exit
             2. Exit without saving uncommitted changes
             3. Continue editing
             Please select choice: 1
             100% : Created Manifest: 'mymanifest'
             #


       Example 2 Creating a Second Manifest for the Install Service Based on a
       Previously Created Manifest



       The following example creates a second manifest for the install service
       based on the manifest created in Example 1, but additionally adds a new
       package to the list of packages to be installed.



         # installadm
             installadm> create-manifest -n sol_11_3 -m newmanifest -M mymanifest -e
             Type help to see list of subcommands.
             installadm:newmanifest> select software
             installadm:newmanifest:software> select pkg-list
             installadm:newmanifest:software:pkg-list> add name=pkg:/my/new/pkg
             installadm:newmanifest:software:pkg-list> exit
             1. Save manifest and exit
             2. Exit without saving uncommitted changes
             3. Continue editing
             Please select choice: 1
             Created Manifest: 'newmanifest'
             installadm>


       Example 3 Replacing the Contents of a Manifest



       The following example replaces the contents of a manifest, oldmanifest,
       with that of /tmp/replace.xml, and additionally changes the auto-reboot
       property  from false to true and adds a new publisher, by using walk to
       set the publisher properties desired.



         # installadm update-manifest -n sol_11_3 -m oldmanifest \
             -f /tmp/replace.xml -e
             installadm:oldmanifest> select software
             installadm:oldmanifest:software> add -w publisher
               * To terminate walk, use Ctrl-D *
                name [<not specified>]: newpublisher
                key [<not specified>]:
                cert [<not specified>]:
                ca-cert [<not specified>]:
                origin [<not specified>]: http://myrepo.example.com/solaris
                origin [<not specified>]:
                mirror [<not specified>]:
             installadm:oldmanifest:software:publisher> end
             installadm:oldmanifest:software> end
             installadm:oldmanifest> set auto-reboot=true
             installadm:oldmanifest> exit
             1. Save manifest and exit
             2. Exit without saving uncommitted changes
             3. Continue editing
             Please select choice: 1
             Changed Manifest: 'oldmanifest'
             #


       Example 4 Updating an Existing Manifest



       The following example updates an existing  manifest,  testmanifest,  so
       that the disk is no longer selected by ctd name, but by size.



         # installadm update-manifest -n sol_11_3 -m testmanifest
             installadm:testmanifest> select disk
             installadm:testmanifest:disk> info
                in-zpool: rpool
                in-vdev: <not specified>
                name:
                   name: c0t0d0
                   name-type: ctd
                disk-selection-props: Section not specified
                keyword: Section not specified
                iscsi: Section not specified
                gpt-partition: Section not specified
                partition: Section not specified
                slice: Section not specified
             installadm:testmanifest:disk> delete name
             Are you sure you want to remove 'name'? [y|N]: y
             Object 'name' deleted.
             installadm:testmanifest:disk> add disk-selection-props
                type: <not specified>
                vendor: <not specified>
                chassis: <not specified>
                size: <not specified>
             installadm:testmanifest:disk:disk-selection-props> set size=750gb
             installadm:testmanifest:disk:disk-selection-props> end
             installadm:testmanifest:disk> info
                in-zpool: rpool
                in-vdev: <not specified>
                name: Section not specified
                disk-selection-props:
                   type: <not specified>
                   vendor: <not specified>
                   chassis: <not specified>
                   size: 750gb
                keyword: Section not specified
                iscsi: Section not specified
                gpt-partition: Section not specified
                partition: Section not specified
                slice: Section not specified
             installadm:testmanifest:disk> end
             installadm:testmanifest> end
             1. Save manifest and exit
             2. Exit without saving uncommitted changes
             3. Continue editing
             Please select choice: 1
             100% : Changed Manifest: 'testmanifest'


EXAMPLES
       Example 5 Set Up a New x86 Install Service From a Package Repository



       Set up an install server and an x86 install service for the first time.



       If you are not using the SPARC OBP's network-boot-arguments variable to
       configure an AI client, then a DHCP server must be configured to supply
       the AI service configuration. If you already have the OBP or DHCP
       server configured, this step may be skipped. Otherwise, installadm can
       set up and manage a local ISC DHCP server for AI clients to boot from.
       To configure this you can use the set-server subcommand:



       The set-server subcommand is used to set  a  starting  IP  address  and
       total count of IP addresses, in order to configure the DHCP server.


         # installadm set-server -i 172.0.0.10 -c 10




       The  starting IP address of 172.0.0.10 and 10 IP addresses are added to
       the local ISC DHCP configuration. If a  local  ISC  DHCP  configuration
       does not exist, an ISC DHCP server is started.



       If  you  do  not  specify a source for the net image, an IPS package is
       used, for example:


         # installadm create-service -y




       On an x86 install server, this command sets up an x86 net image and
       install service with a default name in a directory at the image
       location specified by the value of the
       all_services/default_imagepath_basedir property. For the default value
       of this property, see "Install Server Configuration Properties." The -y
       option confirms that the default location is acceptable. Since the
       architecture is not specified, the service created is of the same
       architecture as the install server. This command assumes that a package
       repository on the pkg publisher list for the install server contains
       the install-image/solaris-auto-install package.



       The command sets up a net image and an install service using the
       default image path and the service name,
       /export/auto_install/sol-11_1-i386.



       Because this is the first x86 service created, the default-i386 service
       is automatically created and aliased to this service. The  default-i386
       alias  is  operational,  and  a client booted through PXE will boot and
       install from the default-i386 service if  not  specifically  configured
       using create-client.

       Example 6 Set Up a New SPARC Install Service From a Package Repository



       To  specify  the  creation of a SPARC service on an x86 install server,
       use the -a option:


         # installadm create-service -y -a sparc




       If you do not specify a source for the net image,  an  IPS  package  is
       used by default.



       This net image enables SPARC client installations.



       Because this is the first SPARC service created, the default-sparc
       service is automatically created and aliased to this service. The
       default-sparc alias is operational, and a SPARC client will boot and
       install from the default-sparc service.

       Example 7 Set Up an x86 Install Service From a Different Package
       Repository



       By default, the solaris-auto-install package is obtained from the
       system's configured publishers.



       To specify an alternative package repository for the
       solaris-auto-install package, use the -p option. For example, use the
       following command to specify the ai-image publisher located at
       http://example.example.com:4281 as the publisher of the
       solaris-auto-install package:



         # installadm create-service -y \
         -p ai-image=http://example.example.com:4281


       Example 8 Set Up a New x86 Install Service From an ISO File



       An x86 install service can be created from an ISO image using:



         # installadm create-service -n sol-11_1-i386 \
         -s /export/isos/sol-11_1-ai-x86.iso \
         -y




       The AI ISO image is at /export/auto_install/sol-11_1-sparc. The command
       sets   up    a    net    image    and    an    install    service    at
       /export/images/sol-11_1-i386  that  is  based on the AI ISO image. This
       net image enables client installations.

       Example 9 Set Up a New SPARC Install Service From an ISO File



       A SPARC install service from an ISO image can be created using the com‐
       mand:



         # installadm create-service -n sol-11_1-sparc \
         -s /export/isos/sol-11_1-ai-sparc.iso \
         -d /export/images/sol-11_1-sparc




       The  AI ISO image is at /export/isos/sol-11_1-ai-sparc.iso. The command
       sets   up    a    net    image    and    an    install    service    at
       /export/images/sol-11_1-sparc  that  is based on the AI ISO image. This
       net image enables client installations.

       Example 10 Associate a Client With an Install Service



       Use the following sample command to associate a client with a  specific
       install service. The install service must already exist.


         # installadm create-client -b "console=ttya" \
         -e 0:e0:81:5d:bf:e0 -n sol-11_1-i386




       In this example, the command creates a client-specific setup for the
       system with MAC address 0:e0:81:5d:bf:e0. This client will use the
       install service previously set up, named sol-11_1-i386, and that
       service's associated net image. The command sets the boot property
       console=ttya in the client-specific boot configuration file in
       /etc/netboot.

       Example 11 Add a New Install Service Without Modifying the Default
       Service



       Use   the   following  sample  command  to  add  a  new  service  named
       sol-11-sparc, retaining existing services,  and  leaving  the  existing
       default unchanged.


         # installadm create-service -n sol-11-sparc \
         -s /export/isos/sol-11-1111-ai-sparc.iso \
         -d /export/ai/sol-11-sparc


       Example 12 Update the default-i386 Service



       Use  the following sample command to update the default-i386 alias ser‐
       vice to be associated with the latest available image.  The  installadm
       list  command shows the service before and after the command. The exam‐
       ple assumes that an updated net image package  is  available  from  the
       publisher  that  was originally used to create the default-i386 service
       alias.


         # installadm list
         Service Name    Base Service        Status Arch  Type Ali Cli Man Pro
         ------------    --------        ------ ----  ---- --- --- --- ---
         default-i386    solaris11-i386  on     i386  pkg  0   1   1   0
         solaris11-i386  -               on     i386  pkg  1   0   1   0
         # installadm update-service -n default-i386
         ...
         Creating new i386 service: solaris11_1-i386
         Aliasing default-i386 to solaris11_1-i386 ...
         ...
         # installadm list
         Service Name      Base Service          Status Arch  Type Ali Cli Man Pro
         ------------      --------          ------ ----  ---- --- --- --- ---
         default-i386      solaris11_1-i386  on     i386  pkg  0   1   1   0
         solaris11-i386    -                 on     i386  pkg  0   0   1   0
         solaris11_1-i386  -                 on     i386  pkg  1   0   1   0


       Example 13 Add a New Install Service and Update the default-sparc
       Service



       Use the following two sample commands to add a new service named
       my-sparc-service, retaining existing services, and making the new
       service the default for SPARC clients.


         # installadm create-service -n solaris11_1-sparc \
         -s /export/isos/sol-11_1-ai-sparc.iso \
         -d /export/ai/solaris11_1-sparc
         # installadm set-service \
         --aliasof=solaris11_1-sparc -n default-sparc


       Example 14 Add a Custom Default AI Manifest to an Install Service



       Use  the  following  sample  command  to  add  a  new  manifest  to the
       sol-11_1-i386 install service, and make it the service's default  mani‐
       fest.  The  manifest  data is in my_default.xml. Future installadm com‐
       mands will refer to this manifest as my_default. The -d option makes it
       the default manifest for the service.


         # installadm create-manifest -d -f my_default.xml \
         -m my_default -n sol-11_1-i386


       Example 15 Add a Derived Manifests Script to an Install Service



       Use  the  following  sample  command  to add a derived manifests script
       named my_script to an existing install service named  solaris11_1-i386.
       Scripts are added in the same way that manifests are added.


         # installadm create-manifest -f my_script.py \
         -m my_script -n solaris11_1-i386




       See  Automatically  Installing Oracle Solaris 11.4 Systems for informa‐
       tion about how to create derived manifest scripts.

       Example 16 Replace the Default AI Manifest for an Install Service



       Use the following sample command to replace the default manifest for an
       existing install service, sol-11_1-sparc, with a custom manifest that
       has already been added to the service as custom_manifest. The manifest
       was added to the service by specifying -m custom_manifest to the
       create-manifest subcommand.


         # installadm set-service \
         --default-manifest=custom_manifest -n sol-11_1-sparc


       Example 17 List Install Services



       Use the following sample command to list  the  install  services  on  a
       local server.


         # installadm list
         Service Name            Base Service                Status  Arch  Type Ali Cli Man Pro
         ------------            --------                ------  ----  ---- --- --- --- ---
         default-i386            solaris11_1_6_2_0-i386  on      i386  pkg  0   1   1   0
         default-sparc           solaris11_1_6_2_0-sparc on      sparc pkg  0   0   1   0
         solaris11_1_6_2_0-i386  -                       on      i386  pkg  1   0   1   0
         solaris11_1_6_2_0-sparc -                       on      sparc pkg  1   0   1   0


       Example 18 List Clients Associated With an Install Service



       Use  the  following  sample  command  to list the clients of a specific
       install service on a local server.


         $ installadm list -c -n default-i386
         Service Name Client Address    Arch Secure Custom Args Custom Grub
         ------------ --------------    ---- ------ ----------- -----------
         default-i386 00:11:22:33:44:55 i386 no     yes         no
                      AA:BB:CC:DD:EE:FF i386 no     no          no


       Example 19 List Manifests Associated With an Install Service



       Use the following sample command to list the manifests and derived man‐
       ifest  scripts  associated  with  a specific install service on a local
       server.


         $ installadm list -m -n default-sparc
         Service Name  Manifest Name   Type    Status            Criteria
         ------------  -------------   ----    ------            --------
         default-sparc mem             xml     active            mem = 4086 MB
                       custom_manifest xml     default / active  mem = 512 -
                                                                 1024 MB
                       orig_manifest   xml     inactive          none
                       test_derived    derived inactive          none





       This example shows the following output:

           o      A non-default manifest with criteria (mem)


           o      A default manifest with  criteria  indicating  it  is  still
                  active (custom_manifest)


           o      A non-default manifest (orig_manifest) that is marked
                  inactive because it has no criteria and it is not the default


           o      A non-default  derived  manifest  that  is  marked  inactive
                  because it has no criteria and it is not the default


       Example 20 List Profiles



       Use  the following sample command to list the system configuration pro‐
       files for all install services on a local server.


         $ installadm list -p
         Service Name            Profile Name       Criteria
         ------------            ------------       --------
         solaris11_1_6_2_0-i386  sc_all-i386.xml    none
         solaris11_1_6_2_0-sparc sc_all-sparc.xml   none
                                 sc_network.xml     ipv4    = 10.0.2.100 - 10.0.2.199
                                                    network = 10.0.0.0


       Example 21 Add a Custom AI Manifest With No Name to an Install Service



       Use the following sample command to add the manifest in
       /export/my_manifest.xml to sol-11_1-i386 with a criterion of MAC address
       equaling aa:bb:cc:dd:ee:ff.


         # installadm create-manifest \
         -f /export/my_manifest.xml -n sol-11_1-i386 \
         -c mac="aa:bb:cc:dd:ee:ff"




       In this example, the manifest does not contain a name attribute, so the
       manifest name is taken from the file name.


         $ installadm list -m -n sol-11_1-i386
         Service Name  Manifest Name   Type Status   Criteria
         ------------  -------------   ---- ------   --------
         sol-11_1-i386 my_manifest.xml xml  active   mac = AA:BB:CC:DD:EE:FF
                       orig_default    xml  default  none



       Example  22  Add  a Custom AI Manifest With a Custom Name to an Install
       Service



       Use the following sample command to add the manifest in
       /export/my_manifest.xml to sol-11_1-i386 with the criterion of an IPv4
       range from 10.0.2.100 to 10.0.2.199.


         # installadm create-manifest \
         -f /export/my_manifest.xml \
         -n sol-11_1-i386 -m custom_name \
         -c ipv4="10.0.2.100-10.0.2.199"




       In this example, the manifest name is taken from the -m option.


         $ installadm list -m -n sol-11_1-i386
         Service Name  Manifest Name   Type Status   Criteria
         ------------  -------------   ---- ------   --------
         sol-11_1-i386 custom_name     xml  active   ipv4 = 10.0.2.100 - 10.0.2.199
                       orig_default    xml  default  none



       Example 23 Add a Custom AI Manifest With Name Specified In the Manifest



       Use the following sample command to add the manifest in
       /export/manifest3.xml to sol-11_1-i386 with criteria of 2048 MB memory
       or greater and an architecture of i86pc.


         # installadm create-manifest \
         -f /export/manifest3.xml -n sol-11_1-i386 \
         -c mem="2048-unbounded" -c arch=i86pc




       In this example, the manifest name is taken from the name attribute  of
       the ai_instance element in the manifest, as shown in the following par‐
       tial manifest:


         <auto_install>
             <ai_instance name="my_name" />
         </auto_install>



         $ installadm list -m -n sol-11_1-i386
         Service Name Manifest Name Type Status  Criteria
         ------------ ------------- ---- ------  --------
         sol-11_1-i386 my_name       xml  active  arch = i86pc
                                                  mem  = 2048 - unbounded
                       orig_default  xml  default none


       Example 24 Add a System Configuration Profile To an Install Service



       Use the following sample command to add the profile in
       /export/profile4.xml to sol-11_1-i386 with criteria of any of the host
       names myhost1, host3, or host6.


         # installadm create-profile \
         -f /export/profile4.xml -n sol-11_1-i386 -p profile4 \
         -c hostname="myhost1 host3 host6"
         $ installadm list -p -n sol-11_1-i386
         Service Name  Profile Name Criteria
         ------------  ------------ --------
         sol-11_1-i386 profile4     hostname = myhost1, host3, host6



       Example 25 Add a System Configuration Profile For All Clients



       If you do not specify criteria, then the profile is used by all clients
       that  use  the specified install service. In the following example, the
       created profile is used by all clients that use the sol-11_1-i386  ser‐
       vice.


         # installadm create-profile -f /export/locale.xml \
         -n sol-11_1-i386
         $ installadm list -p -n sol-11_1-i386
         Service Name  Profile Name Criteria
         ------------  ------------ --------
         sol-11_1-i386 profile4     hostname = myhost1, host3, host6
                       locale.xml   none


       Example  26  Apply  a  System Configuration Profile to the Installation
       Environment



       Use the following sample command to specify that a system configuration
       profile be applied to the installation environment.



         # installadm set-profile -p profile4 -e install -n sol-11_1-i386
         # installadm list -p -n sol-11_1-i386
         Service Name  Profile Name Environment Criteria
         ------------  ------------ ----------- --------
         sol-11_1-i386 profile4     install     hostname = myhost1, host3, host6
                       locale.xml   system      none



       Example 27 Add a System Configuration Profile With Variables



       A  profile  can use variables that are replaced with custom client con‐
       figuration information at client installation time.  Using  such  vari‐
       ables,  a  profile  file can be reused for any number of different sys‐
       tems.



       This example uses one system configuration profile file to assign  each
       install  client  a unique host name. The hostname.xml file contains the
       following line:


         <propval name="nodename" value="{{AI_HOSTNAME}}"/>




       At installation time, {{AI_HOSTNAME}} is replaced with the actual  host
       name  of that system. For example, when hostname.xml is used to config‐
       ure the client with host name myhost1, the  hostname.xml  profile  con‐
       tains the following line:


         <propval name="nodename" value="myhost1"/>




       For  more  information  about using replacement tags with profiles, see
       Using System Configuration Profile Templates in  Customizing  Automated
       Installations With Manifests and Profiles.

       Example 28 Add Criteria To an Existing Manifest



       Use  the  following  sample  command to append the criterion of 4096 MB
       memory or greater to the criteria of manifest2 of sol-11_1-i386.


         # installadm set-criteria -m manifest2 \
         -n sol-11_1-i386 -a mem="4096-unbounded"



       Example 29 Replace the Criteria for an Existing Manifest



       Use the following sample command to replace the criteria  of  manifest2
       of  sol-11_1-i386  with  the criteria specified in the file /tmp/crite‐
       ria.xml.


         # installadm set-criteria -m manifest2 \
         -n sol-11_1-i386 -C /tmp/criteria.xml




       See Automatically Installing Oracle Solaris 11.4 Systems  for  informa‐
       tion about the contents of the criteria XML file.

       Example 30 Validate Profile Files Under Development



       Use the following sample command to validate the profiles stored in the
       files myprofdir/myprofile.xml  and  yourprofdir/yourprofile.xml  during
       their development.


         # installadm validate -P myprofdir/myprofile.xml \
         -P yourprofdir/yourprofile.xml -n sol-11_1-i386


       Example 31 Export Profile Contents



       Use the following sample command to export the profile myprofile.xml in
       the service sol-11_1-i386.


         # installadm export -p myprofile -n sol-11_1-i386


       Example 32 Replace the Contents of an Existing AI Manifest



       Use the following sample command to  update  the  manifest  in  service
       sol-11_1-i386  that  has  the  manifest name, or AI instance name, spec
       with the contents of the manifest in the file /home/admin/new_spec.xml.


         # installadm update-manifest -n sol-11_1-i386 \
         -f /home/admin/new_spec.xml -m spec


       Example 33 Export and Update an Existing AI Manifest



       Use the following sample commands to export the  data  of  an  existing
       manifest named spec in service sol-11_1-i386, and then update the mani‐
       fest with modified content.


         # installadm export -n sol-11_1-i386 -m spec \
         -o /home/admin/spec.xml




       Make changes to /home/admin/spec.xml.


         $ pfexec installadm update-manifest -n sol-11_1-i386 \
         -f /home/admin/spec.xml -m spec



       Example 34 Export and Update an Existing Profile



       Use the following sample commands to export the  data  of  an  existing
       profile  named prof1 in service sol-11_1-i386, and then update the pro‐
       file with modified content.


         # installadm export -n sol-11_1-i386 -p prof1 \
         -o /home/admin/prof1.xml




       Make changes to /home/admin/prof1.xml.


         # installadm update-profile -n sol-11_1-i386 \
         -f /home/admin/prof1.xml -p prof1



       Example 35 Set Initial Server Authentication



       The first step in configuring security is to assign server credentials.
       Use  the  following command to generate all server security credentials
       automatically:


         # installadm set-server --generate-all-certs
         Generating server credentials...
         The root CA certificate has been generated.
         The CA signing certificate request has been generated.
         The signing CA certificate has been generated.
         A new certificate key has been generated.
         A new certificate has been generated.
         Generating new encryption key...
         Generated client encryption (AES) firmware key:
                 ac6b6f68019007506662b09ad662e29f
         Generating new hashing key (HMAC)...
         Generated client hashing (HMAC SHA-256) firmware key:
                 aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
         Configuring web server security.
         Changed Server
         Refreshing SMF service svc:/system/install/server:default
         Configuring web server security.


       Example 36 Set Initial Default Client Authentication



       Assign default client credentials so that the identity of  clients  can
       be  verified to the server. Use the following command to generate a set
       of default client credentials. These credentials will be used  for  any
       AI  client  that  does  not have credentials assigned by specifying the
       client's MAC address or by specifying the install service  that  client
       will use.


         $ installadm set-server --default-client-security \
                  --generate-all-certs
         Generating default client credentials...
         A new certificate key has been generated.
         A new certificate has been generated.
         Generating new encryption key...
         Generated client encryption (AES) firmware key:
                 ac6b6f68019007506662b09ad662e29f
         Generating new hashing key (HMAC)...
         Generated client hashing (HMAC SHA-256) firmware key:
                 aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
         Changed Server


       Example 37 Set Client Authentication for a Specific SPARC Client



       Generate  and  assign  unique  X.509 credentials and firmware keys to a
       SPARC client:


         $ installadm set-client -e 2:0:0:0:0:0 \
                  --generate-all-certs
         Generating credentials for client 02:00:00:00:00:00...
         A new certificate key has been generated.
         A new certificate has been generated.
         Generating new encryption key...
         Generated client encryption (AES) firmware key:
                 ac6b6f68019007506662b09ad662e29f
         Generating new hashing key (HMAC)...
         Generated client hashing (HMAC SHA-256) firmware key:
                 aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
         Changed Client : '02:00:00:00:00:00'


       Example 38 Display the Firmware Keys for a Specific Client



       Some time after the client has been configured, you need to know how to
       set  the security keys for that client in the firmware. Use the instal‐
       ladm list -e <macaddr> command with the --verbose option to display the
       required firmware keys:


         # installadm list -e 2:0:0:0:0:0 -v
         Service Name Client Address    Arch  Secure Custom Args Custom Grub
         ------------ --------------    ----  ------ ----------- -----------
         solaris11_2  02:00:00:00:00:00 sparc yes    no          no

            Client Credentials?  yes
            Security Key? ...... yes
            Security Cert:
                           Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=CID 01020000000000
                           Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                           Valid from: May 20 10:20:00 2013 GMT
                                   to: May 18 10:20:00 2023 GMT
            CA Certificates:
                  d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                           Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                           Valid from: May 20 09:50:00 2013 GMT
                                   to: May 18 09:50:00 2023 GMT
            FW Encr Key (AES) . f6c6bc503ea9ea0f7805ca7fd1d157f2
            FW HMAC-SHA1 Key (inactive)
                 685417240dba5ae12986e10d750ec6b1b36dc862
            FW HMAC-SHA256 Key (active)
                 bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
            Boot Args .......... -




       For  SPARC  clients, the displayed Key and Hash can be set by using the
       OBP set-security-key commands at the ILOM or ALOM system console at the
       ok prompt, for example:



         set-security-key wanboot-aes 42a04f73ee6950859febb96d97b7d2bd
         set-security-key wanboot-hmac-sha1 7fbed772b69bf104e5e2f72a4c47d42b62bf074b




       For  x86  clients,  the  displayed Key and Hash can be set by using the
       BIOS user interface. First enable WAN Boot for network boot, then enter
       the firmware keys in the fields indicated in the BIOS UI.

       Example  39 Enforce Client Authentication for All Clients of an AI Ser‐
       vice



       The following command requires client and server authentication for all
       clients  of the sol-11_2-sparc install service. The 'optional' security
       policy value is the default value.



         # installadm set-service -p require-client-auth \
         -n sol-11_2-sparc
         Security policy for service sol-11_2-sparc changing
         from 'optional' to 'require-client-auth'.
         Changed Service : 'sol-11_2-sparc'
         Refreshing SMF service svc:/system/install/server:default




       All clients of the sol-11_2-sparc install service must be assigned  and
       must  supply valid security X.509 client and server authentication cre‐
       dentials. Firmware security keys must be entered for all clients.

       Example 40 Generate Default Credentials for All Clients of a  Specified
       Install Service



       The  following command generates credentials that will be attributed to
       any client of the solaris11_2-sparc install service that does not  have
       custom  client  credentials. See Example 30, "Set Client Authentication
       for a Specific SPARC Client," for an example of assigning custom client
       credentials.


         # installadm set-service  -n sol-11_1-sparc \
           --generate-all-certs
         Generating credentials for service sol-11_1-sparc...
         A new certificate key has been generated.
         A new certificate has been generated.
         Generating new encryption key...
         Generated client encryption (AES) firmware key:
                 ac6b6f68019007506662b09ad662e29f
         Generating new hashing key (HMAC)...
         Generated client hashing (HMAC SHA-256) firmware key:
                 aed0b58d149794a8611a4797b6f434475774ec965900df74afdf08862894cb57
         Changed Service : 'sol-11_1-sparc'




       These  credentials  are  also attributed to any clients that are subse‐
       quently assigned to the solaris11_2-sparc install service by using  the
       create-client subcommand.



       When you use default credentials, multiple clients are assigned identi‐
       cal credentials and can view each other's installation data.

       Example 41 Produce a Security Summary Listing



       When "installadm list" is run with sufficient authorisations,  it  will
       by default list a summary of the security of the server, service and/or
       client:



         # installadm list -s
         AI Server Parameter  Value
         -------------------  -----
         Hostname ........... ai-server
         Architecture ....... i386
         Active Networks .... 10.0.0.1
         Image Path Base Dir . /export/auto_install
         Managing DHCP? ..... yes
         Security Enabled? .. yes
         Server Credentials? .. yes
         Number of Services . 12
         Number of Clients .. 4
         Number of Manifests  19
         Number of Profiles . 5

         # installadm list
         Service Name            Base Service          Status Arch  Type Secure Ali Cli Man Pro
         ------------            --------          ------ ----  ---- ------ --- --- --- ---
         default-i386            solaris11_2-i386  on     i386  pkg  no     0   1   4   0
         default-sparc           solaris11_2-sparc on     sparc pkg  no     0   0   3   0
         solaris11_1_6_2_0-i386  -                 on     i386  pkg  no     1   0   2   2
         solaris11_1_6_2_0-sparc -                 on     sparc pkg  no     1   0   1   2
         solaris11_2-i386        -                 on     i386  pkg  yes    0   0   1   0
         solaris11_2-sparc       -                 on     sparc pkg  yes    0   2   2   0

         # installadm list -c
         Service Name            Client Address    Arch  Secure Custom Args Custom Grub
         ------------            --------------    ----  ------ ----------- -----------
         default-i386            00:11:22:33:44:55 i386  yes    yes         no
         solaris11_1_6_2_0-sparc AA:BB:CC:DD:EE:FF sparc yes    no          no
         solaris11_2-sparc       02:00:00:00:00:00 sparc yes    no          no
                                 03:00:00:00:00:00 sparc yes    no          no


       Example 42 Produce a Security Verbose Listing



       When "installadm list -v" is run with sufficient  authorisations,  it
       produces verbose output of the security configuration of the  server,
       service and/or client (some output omitted for brevity):



         # installadm list -sv
         AI Server Parameter      Value
         -------------------      -----
         ...
         Security Enabled? ...... yes
         Server Credentials? .... yes
         Security Key? .......... yes
         Security Cert:
                       Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
                       Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                       Valid from: May 20 09:50:00 2013 GMT
                              to: May 18 09:50:00 2023 GMT
         CA Certificates:
               d09051e4 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                        Valid from: May 20 09:50:00 2013 GMT
                               to: May 18 09:50:00 2023 GMT
               f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                        Valid from: May 20 09:50:00 2013 GMT
                               to: May 18 09:50:00 2023 GMT
         Def Client Credentials?  yes
         Def Client Sec Key? .... yes
         Def Client Sec Cert:
                        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
                        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                        Valid from: May 20 09:52:00 2013 GMT
                               to: May 18 09:52:00 2023 GMT
         Def Client CA Certs .... none
         Def Client FW Encr Key (AES) f6c6bc503ea9ea0f7805ca7fd1d157f2
         Def Client FW HMAC-SHA1 Key (inactive)
                 685417240dba5ae12986e10d750ec6b1b36dc862
         Def Client FW HMAC-SHA256 Key (active)
                 bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
         HMAC Policy ............ HMAC-SHA256
         ...

         # installadm list -v -n solaris11_2-sparc
         Service Name   Base Service Status Arch  Type Secure Ali Cli Man Pro
         ------------   --------     ------ ----  ---- ------ --- --- --- ---
         sol-11_2-sparc -            on     sparc iso  yes    0   2   1   0

            ...
            Supports Security? .. yes
            Security Enabled? ... yes
            Security Policy ..... require-client-auth
            Service Credentials?  yes
            Security Key? ....... yes
            Security Cert:
                          Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=AI Service sol-11_2-sparc
                          Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                          Valid from: May 20 10:33:00 2013 GMT
                                  to: May 18 10:33:00 2023 GMT
            CA Certificates ..... none
            FW Encr Key (AES) f6c6bc503ea9ea0f7805ca7fd1d157f2
            FW HMAC-SHA1 Key (inactive)
                    685417240dba5ae12986e10d750ec6b1b36dc862
            FW HMAC-SHA256 Key (active)
                    bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
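

       The listings in Examples 41 and 42 can be checked  mechanically.  The
       following shell script is an added example, not part of the installadm
       documentation: it flags enabled services whose Secure column is no and
       reports a verbose listing whose policy is not require-client-auth or
       whose active firmware HMAC key is not HMAC-SHA256. The function names
       and those two baselines are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the man page): audit installadm listings.
# SAMPLE_LIST and SAMPLE_VERBOSE reuse listings shown on this page with the
# key values omitted; SAMPLE_WEAK is constructed. On an AI server, pipe the
# output of `installadm list` or `installadm list -v -n <svcname>` in instead.

SAMPLE_LIST='Service Name            Base Service      Status Arch  Type Secure Ali Cli Man Pro
------------            --------          ------ ----  ---- ------ --- --- --- ---
default-i386            solaris11_2-i386  on     i386  pkg  no     0   1   4   0
default-sparc           solaris11_2-sparc on     sparc pkg  no     0   0   3   0
solaris11_1_6_2_0-i386  -                 on     i386  pkg  no     1   0   2   2
solaris11_1_6_2_0-sparc -                 on     sparc pkg  no     1   0   1   2
solaris11_2-i386        -                 on     i386  pkg  yes    0   0   1   0
solaris11_2-sparc       -                 on     sparc pkg  yes    0   2   2   0'

SAMPLE_VERBOSE='Service Name   Base Service Status Arch  Type Secure Ali Cli Man Pro
------------   --------     ------ ----  ---- ------ --- --- --- ---
sol-11_2-sparc -            on     sparc iso  yes    0   2   1   0

   Supports Security? .. yes
   Security Enabled? ... yes
   Security Policy ..... require-client-auth
   Service Credentials?  yes
   Security Key? ....... yes
   FW HMAC-SHA1 Key (inactive)
           <key omitted>
   FW HMAC-SHA256 Key (active)
           <key omitted>'

# Constructed sample: default policy, legacy HMAC key type marked active.
SAMPLE_WEAK='   Security Enabled? ... yes
   Security Policy ..... optional
   FW HMAC-SHA1 Key (active)
   FW HMAC-SHA256 Key (inactive)'

# Print "<service> clients=<n>" for every enabled service whose Secure
# column is "no". Reads an `installadm list` table on stdin.
# Columns: 1 name, 2 base service, 3 status, 4 arch, 5 type, 6 secure,
# 7 aliases, 8 clients, 9 manifests, 10 profiles.
insecure_services() {
    awk '
        /^ *-[- ]*$/ { body = 1; next }   # dashed rule: header is over
        body && NF >= 10 && $3 == "on" && $6 == "no" {
            printf "%s clients=%s\n", $1, $8
        }'
}

# Print one finding per line for a verbose listing read on stdin; print
# nothing when security is enabled, the policy is require-client-auth and
# the active firmware HMAC key (if listed) is HMAC-SHA256.
verbose_findings() {
    awk '
        /Security Enabled\?/ { enabled = $NF }
        /Security Policy/    { policy = $NF }
        /HMAC-SHA[0-9]+ Key \(active\)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^HMAC-SHA/) hmac = $i
        }
        END {
            if (enabled != "yes") print "security-not-enabled"
            if (policy != "require-client-auth")
                print "policy=" (policy == "" ? "unknown" : policy)
            if (hmac != "" && hmac != "HMAC-SHA256")
                print "active-hmac=" hmac
        }'
}

# Demo on the embedded samples.
printf '%s\n' "$SAMPLE_LIST" | insecure_services
printf '%s\n' "$SAMPLE_WEAK" | verbose_findings
```

       A non-zero client count next to an insecure service marks the entries
       to review first.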


       Example 43 Add a New CA Certificate for Validating Client Certificates



       The following command adds a CA certificate in a file named cert.pem:


         $ installadm set-server --default-client-security --ca-cert cert.pem
         Assigning default client credentials...
         A new CA certificate has been filed.
         Changed Server




       This CA certificate will be available to authenticate any  client  cer‐
       tificates that require it.

       Example 44 Assign New X.509 Credentials



       The  following  command assigns a new X.509 certificate and private key
       and a new CA certificate for the install server:


         $ installadm set-server -A cacert.pem -K server.key -C server.crt
         Assigning server credentials...
         The key has been replaced.
         The certificate has been replaced
         A new CA certificate has been filed.
         Configuring security for user-specified server cert
         Configuring web server security.
         Changed Server
         Refreshing SMF service svc:/system/install/server:default


       Example 45 Delete a CA Certificate by Hash Value



       The following command deletes the  specified  CA  certificate  for  all
       clients that use that CA certificate. The value of the --ca-cert option
       argument is the hash value of the certificate's X.509 subject. Use  the
       -y option to suppress the prompt to confirm that you want to delete the
       CA certificate.


         $ installadm set-server --delete-security \
                  --recursive --hash d09051e4
                  Identifier hash: d09051e4
                  Subject: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
                  Issuer: C=US, O=Oracle, OU=Solaris Deployment, CN=Root CA
                  Valid from May 20 11:09:00 2013 GMT to May 18 11:09:00 2023 GMT
                 This CA has the following uses:
                         Note: this is the server CA certificate
                         Client default
                         Note: this is the root CA certificate
                 Deleting this Certificate Authority certificate can prevent
                     credentials from validating.
                 Do you want to delete this Certificate Authority certificate [y|N]: y
                   Identifier hash: d09051e4
                   Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                   Issuer: /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                   Valid from May 20 09:50:00 2013 GMT to May 18 09:50:00 2023 GMT
                 This CA has the following uses:
                         Note: this is the server CA certificate
                         Client default
                         Note: this is the root CA certificate
                 Deleting all references to Certificate Authority with hash value d09051e4
                 Changed Server


       Example 46 View AI Server Configuration Parameters



       To see the current values for the AI server's  most  common  parameters
       and a summary of some, you can use the list -s command:



         # installadm list -s
         AI Server Parameter  Value
         -------------------  -----
         Hostname ........... ai-server
         Architecture ....... i386
         Active Networks .... 10.0.0.1
         Default Image Path . /export/auto_install
         Managing DHCP? ..... yes
         Security Enabled? .. yes
         Server Credentials? .. yes
         Number of Services . 12
         Number of Clients .. 4
         Number of Manifests  19
         Number of Profiles . 5




       To  view more detailed information, and some of the less common parame‐
       ters, use verbose mode:



         # installadm list -sv
         AI Server Parameter             Value
         -------------------             -----
         Hostname ...................... ai-server
         Architecture .................. i386
         Active Networks ............... 10.0.0.1
         Http Port ..................... 5555
         Secure Port ................... 5556
         Default Image Path ............ /export/auto_install
         Multi-Homed? .................. yes
         Managing DHCP? ................ yes
         DHCP IP Range ................. none
         Boot Server ................... -
         Web UI Enabled? ............... yes
         Wizard Saves to Server? ....... no
         Security Enabled? ............. yes
         Server Credentials? ........... yes
         Security Key? ................. yes
         Security Cert:
                         Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=ai-server
                         Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA

                        Valid from: May 20 11:09:00 2013 GMT
                                to: May 18 11:09:00 2023 GMT
         CA Certificates:
               f9d73b41 Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                                       Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Root CA
                        Valid from: May 20 11:09:00 2013 GMT
                                to: May 18 11:09:00 2023 GMT
         Def Client Credentials? ....... yes
         Def Client Sec Key? ........... yes
         Def Client Sec Cert:
                        Subject: /C=US/O=Oracle/OU=Solaris Deployment/CN=Client default
                        Issuer : /C=US/O=Oracle/OU=Solaris Deployment/CN=Signing CA
                        Valid from: May 20 11:09:00 2013 GMT
                                to: May 18 11:09:00 2023 GMT
         Def Client CA Certs ........... none
         Def Client FW Encr Key (AES) f6c6bc503ea9ea0f7805ca7fd1d157f2
         Def Client FW HMAC-SHA1 Key (inactive)
                 685417240dba5ae12986e10d750ec6b1b36dc862
         Def Client FW HMAC-SHA256 Key (active)
                 bfa514e1f1c11e1e769d954b11600a9660c6ee0d9aca82f9be66d0880751dc44
         HMAC Policy ................... HMAC-SHA256
         Number of Services ............ 12
         Number of Clients ............. 4
         Number of Manifests ........... 19
         Number of Profiles ............ 5
         Telemetry Enabled? ............ yes
         Telemetry Success:
               install_log
         Telemetry Failure:
               all_logs
               /system/volatile/telemetry_archive
               /system/volatile/telemetry_config
         Telemetry Frequency ........... 5 seconds
         Telemetry Files Retention ..... 10 day(s)
         Telemetry Statistics Retention  1 year(s)


       Example 47 Invoke Interactive Mode



       Interactive mode is entered by  just  issuing  the  installadm  command
       without any parameters. For example:



         # installadm
         installadm> create-service -n s11-1-i386 -a i386 -y
         ...
         installadm> create-profile -n s11-1-i386 -f initial_profile.xml
         ...
         installadm> quit




       Similarly,  interactive  mode can be useful when wishing to invoke sev‐
       eral commands interactively using a root role through su:



         $ su root -c /usr/sbin/installadm
         installadm> create-manifest -n s11-2-sparc -f /tmp/manifest.xml
         ...
         installadm> create-profile -n s11-2-sparc -f /tmp/static_net.xml
         ...


       Example 48 Execute Several Commands In Batch



       Running several commands in batch mode has the benefit of delaying  the
       refreshing of the SMF services until all commands have completed.



       To run several subcommands in batch, you must first populate a  file
       with them:



         $ cat >> /tmp/batch <<_EOF
         create-service -n my_sparc -a sparc
         create-service -n my_i386 -a i386
         create-manifest -n my_sparc -f /tmp/new_default.xml -d
         create-manifest -n my_i386 -f /tmp/new_default.xml -d
         ...
         _EOF
         # installadm execute -f /tmp/batch
         ...


       Example 49 Turn on Telemetry and Send Data at 5 Minute Intervals



       Tuning  when to send telemetry data will help in reducing network traf‐
       fic between the AI client and the AI server.



       The following example demonstrates  how  to  turn  on  the  sending  of
       telemetry  data  from the AI client to the AI server at 5 minute inter‐
       vals.



         # installadm set-server --telemetry-enable --telemetry-frequency 300
         Automated Installer telemetry has been enabled.
         Automated Installer telemetry is now set to send data at 300 second intervals.



EXIT STATUS
       The following exit values are returned:

       0            The command was processed successfully.


       1            An error occurred.


       2            Invalid command line options were specified.


       3            A service's version is not supported by installadm.


       4            No changes were made - nothing to do.


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


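       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE         |      ATTRIBUTE VALUE        |
       +-----------------------------+-----------------------------+
       |Availability                 |install/installadm           |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Committed                    |
       +-----------------------------+-----------------------------+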


SEE ALSO
       ai_manifest(5), service_bundle(5), dhcp(7), environ(7), smf(7), aimani‐
       fest(8), ickey(8), sysconfig(8)


       Customizing Automated Installations With Manifests and Profiles



Oracle Solaris 11.4               24 Mar 2020                    installadm(8)
Copyright in the man page content belongs to the man page authors.