Managing SMF Services

This section includes information on managing SMF services.

Using RBAC Rights Profiles With SMF

You can use RBAC rights profiles to allow users to manage some of the SMF services, without having to give the user root access. The rights profiles define what commands the user can run. For SMF, the following profiles have been created:

Service Management: User can add, delete or modify services.
Service Operator: User can request state changes of any service instance, such as restart and refresh.

For specific information about the authorizations, see the smf_security(5) man page. For instructions to assign a rights profile, see How to Change the RBAC Properties of a User in System Administration Guide: Security Services.

How to Disable a Service Instance

Use the following procedure to disable a service. The service status change is recorded in the service configuration repository. Once the service is disabled, the disabled state will persist across reboots. The only way to get the service running again is to enable it.

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Check the dependents of the service you want to disable.
If this service has dependents that you need, then you cannot disable this service.
```
# svcs -D FMRI
```
Disable the service.
```
# svcadm disable FMRI
```

Example 17-7 Disabling the `rlogin` Service

The output from the first command shows that the rlogin service has no dependents. The second command in this example disables the rlogin service. The third command shows that the state of the rlogin service instance is disabled.

# svcs -D network/login:rlogin
# svcadm disable network/login:rlogin
STATE          STIME    FMRI
# svcs network/login:rlogin
STATE          STIME    FMRI
disabled         11:17:24 svc:/network/login:rlogin

How to Enable a Service Instance

Use the following procedure to enable a service. The service status change is recorded in the service configuration repository. Once the service is enabled, the enabled state will persist across system reboots if the service dependencies are met.

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Determine whether service dependencies are satisfied.
If the service is enabled, then the service dependencies are satisfied. If not, use svcadm enable -r FMRI to recursively enable all dependencies.
```
# svcs -l FMRI|grep enabled
```
Enable a service.
```
# svcadm enable FMRI
```

Example 17-8 Enabling the `rlogin` Service

The second command in this example enables the rlogin service. The third command shows that the state of the rlogin service instance is online.

# svcs -l network/login:rlogin|grep enabled
enabled      false
# svcadm enable network/login:rlogin
# svcs network/login:rlogin
STATE          STIME    FMRI
online         12:09:16 svc:/network/login:rlogin

Example 17-9 Enabling a Service in Single-user Mode

The following command enables rpcbind. The -t option starts the service in temporary mode which does not change the service repository. The repository is not writable in single-user mode. The -r option recursively starts all the dependencies of the named service.

# svcadm enable -rt rpc/bind

How to Restart a Service

If a service is currently running but needs to be restarted due to a configuration change or some other reason, the service can be restarted without you having to type separate commands to stop and start the service. The only reason to specifically disable and then enable a service is if changes need to be made before the service is enabled, and after the service is disabled.

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Restart a service.
```
# svcadm restart FMRI
```

How to Restore a Service That Is in the Maintenance State

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Determine if any process that are dependent to the service have not stopped.
Normally, when a service instance is in a maintenance state, all processes associated with that instance have stopped. However, you should make sure before you proceed. The following command lists all of the processes that are associated with a service instance as well as the PIDs for those processes.
```
# svcs -p FMRI
```
(Optional) Kill any remaining processes.
Repeat this step for all processes that are displayed by the svcs command.
```
# pkill -9 PID
```
If necessary, repair the service configuration.
Consult the appropriate service log files in /var/svc/log for a list of errors.
Restore the service.
```
# svcadm clear FMRI
```

How to Revert to Another SMF Snapshot

If the service configuration is wrong, the problem can be fixed by reverting to the last snapshot that started successfully. In this procedure, a previous snapshot of the console-login service is used.

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.

Run the svccfg command.

# svccfg
svc:>

Select the service instance that you want to fix.
Note - You must use an FMRI that fully defines the instance. No shortcuts are allowed.
```
svc:> select system/console-login:default
svc:/system/console-login:default>
```

Generate a list of available snapshots.

svc:/system/console-login:default> listsnap
initial
running
start
svc:/system/console-login:default>

Select to revert to the start snapshot.
The start snapshot is the last snapshot in which the service successfully started.
```
svc:/system/console-login:default> revert start
svc:/system/console-login:default>
```

Quit svccfg.

svc:/system/console-login:default> quit
#

Update the information in the service configuration repository.
This step updates the repository with the configuration information from the start snapshot.
```
# svcadm refresh system/console-login
```
Restart the service instance.
```
# svcadm restart system/console-login
```

How to Create an SMF Profile

A profile is an XML file which lists SMF services and whether each should be enabled or disabled. Profiles are used to enable or disable many services at once. Not all services need to be listed in a profile. Each profile only needs to include those services that need to be enabled or disabled to make the profile useful.

Create a profile.
In this example, the svccfg command is used to create a profile which reflects which services are enabled or disabled on the current system. Alternately, you could make a copy of an existing profile to edit.
```
# svccfg extract> profile.xml
```
If you are using JumpStart, if you have large numbers of identical systems, or if you want to archive the system configuration for later restoration, you may want to use this procedure to create a unique version of a SMF profile.
Edit the profile.xml file to make any required changes.
1. Change the name of the profile in the service_bundle declaration.
  In this example the name is changed to profile.
```
# cat profile.xml
  ...
<service_bundle type=`profile` name=`profile`
    xmIns::xi='http://www.w3.org/2003/XInclude'
  ...
```
2. Remove any services that should not be managed by this profile.
  For each service, remove the three lines that describe the service. Each service description starts with <service and ends with </service. This example shows the lines for the LDAP client service.
```
# cat profile.xml
 ...
 <service name='network/ldap/client' version='1' type='service'>
         <instance  name='default' enabled='true'/>
 </service>
```
3. Add any services that should be managed by this profile.
  Each service needs to be defined using the three line syntax shown above.
4. If necessary, change the enabled flag for selected services.
  In this example, the sendmail service is disabled.
```
# cat profile.xml
  ...
  <service  name='network/smtp' version='1' type='service'>
    <instance  name='sendmail' enabled='false'/>
  </service>
  ...
```
When necessary, apply the new profile.
See How to Apply an SMF Profile for instructions.

How to Apply an SMF Profile

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Apply an profile.
In this example, the profile.xml profile is used.
```
# svccfg apply profile.xml
```
Note - For specific instructions for switching between the generic_limited_net.xml and generic_open.xml and the properties that need to be applied when making this switch, please see Changing Services Offered to the Network with generic*.xml

Changing Services Offered to the Network with `generic*.xml`

The netservices command switches system services between minimal network exposure and the traditional network exposure (as in previous Solaris releases). The switch is done with the generic_limited.xml and generic_open.xml profiles. In addition, some services properties are changed by the command to limit some services to a local-only mode or to the traditional mode, as appropriate.

Note - In the Solaris Express 7/06 release, the generic_limited_net profile and the local-mode only service properties are applied by default.

Become superuser or assume a role that includes the Service Management rights profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC in System Administration Guide: Security Services.
Run the netservices command.
In this example, the open or traditional network exposure is selected.
```
# /usr/sbin/netservices open
```

Example 17-10 Limiting Network Service Exposure

This command changes properties to run some services in local mode, as well as restricts which services are enabled with the generic_limited_net profile. The command should only be used if the generic_open.xml profile had been applied.

# /usr/sbin/netservices limited