I'm submitting this as a Closed-Approved-Automatic case on behalf of Antonello Cruz. It has been reviewed by the SMF community and I believe it constitutes an obvious extension to an existing piece of architecture. As always, please let me know if you disagree and wish for me to promote to a fasttrack.
It requests patch binding, though there are no plans to backport the work.

liane

---

1. Introduction
    1.1. Project/Component Working Name:
         Allow Property Modification in SMF profiles
    1.2. Name of Document Author/Supplier:
         Author: Antonello Cruz
    1.3  Date of This Document:
         26 June, 2009

3. Interfaces
    New svccfg apply option: -n        Committed

4. Technical Description

Summary
=======

The Service Management Facility (SMF) [1] doesn't provide administrators with a way to apply customization to existing services during deployment. /var/svc/profile/site.xml is available to site administrators today to customize only the enabled property. We intend to extend the profile syntax to allow customization of arbitrary properties.

An example of how this project can facilitate site customization deployment is the Secure By Default project [2]. In the SBD project, some services should be enabled in both of the modes represented by the generic_open.xml and generic_limited_net.xml profiles, but with different service-specific behavior. Although the behaviors can be controlled by SCF properties, modifying them had to be hard-coded into the netservices(1M) command. Specifying values for these properties in the generic_*.xml profiles would simplify the netservices command.

Properties specified for services or instances which are not available at profile application time will continue to be ignored. Services and instances modified by the profile will be refreshed. Profile behavior during upgrade will not change.

This project extends the svccfg apply command to permit profile files to specify values for arbitrary properties on services and instances.

This project requests a patch release binding, but we have no current plan to backport it.
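For illustration, a site profile of the kind the summary describes, as an added example that is not part of the case materials. It assumes the extended profile syntax reuses the property_group and propval elements that service_bundle(4) manifests use; the service name, property group and property are hypothetical.

```xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
  Constructed example of /var/svc/profile/site.xml.
  Hypothetical names: service "site/example-daemon", property group
  "config", property "local_only". The element layout is an assumption
  based on the manifest syntax in service_bundle(4).
-->
<service_bundle type='profile' name='site'>
  <service name='site/example-daemon' version='1' type='service'>
    <!-- Setting enabled on an instance is what profiles already support. -->
    <instance name='default' enabled='true'>
      <!--
        The extension: an arbitrary property set from the profile.
        Per the case text, this is ignored if the service or instance
        does not exist when the profile is applied, and the instance
        is refreshed if it is modified.
      -->
      <property_group name='config' type='application'>
        <propval name='local_only' type='boolean' value='true'/>
      </property_group>
    </instance>
  </service>
</service_bundle>
```

With the proposed option, `svccfg apply -n /var/svc/profile/site.xml` would process such a file and report syntax errors without changing the repository.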
References
==========

[1] PSARC 2002/547 Greenline
[2] PSARC 2004/368 Secure By Default, Phase 1
    http://arc.opensolaris.org/caselog/PSARC/2004/368/

Manpages diffs
==============

smf(5) --- smf.man5.original Tue Jun 16 11:24:51 2009 +++ smf.man5 Fri Jun 19 16:32:22 2009 @@ -309,7 +309,10 @@ profiles Files that contain a set of service instances and values for the enabled property (type boolean in the general property group) on each - instance. + instance. It can also contain configuration + values for properties in services and + instances. Template elements cannot be defined + in a profile. Service bundles can be imported or exported from a reposi- tory using the svccfg(1M) command. See service_bundle(4) for svccfg(1M) --- svccfg.man1m.original Tue Jun 16 10:47:31 2009 +++ svccfg.man1m Thu Jun 25 10:33:32 2009 
@@ -101,16 +101,25 @@ Turns off verbose mode. Service Profile Subcommands - apply file + apply [-n] file - If file is a service profile, then service instances - specified within the file are enabled or disabled - according to it. See smf(5) for a description of service - profiles. This command requires privileges to modify the - "general/enabled" property of the service instances. See - smf_security(5) for the privileges required to modify - properties. If file is not a service profile, the sub- - command fails. + If a file is a service profile, properties, including + general/enabled, which are specified in the file are + modified in the SMF repository. Non-existing properties + and property groups will be created. The type of + pre-existing property groups will not be changed by the + profile. Existing properties can have their type + changed by the profile. Non-existing services and + instances are ignored. Services and instances modified + by the profile will be refreshed. If -n is used, the + profile is processed and no changes are applied to the + SMF repository. Any syntax error found will be reported + on stderr and an exit code of 1 will be returned. See + smf(5) for a description of service profiles. This + command requires privileges to modify properties in the + service and instance. See smf_security(5) for the + privileges required to modify properties. If file is not + a service profile, the subcommand fails. extract [> file]
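Review bot: In the smf(5) hunk, the added sentence "It can also contain configuration values" uses a singular pronoun for a plural subject ("profiles", "Files that contain ..."); "They can also contain" would match. The added "Template elements cannot be defined in a profile" also leaves open whether a profile that contains template elements is rejected or whether those elements are skipped; saying which would help anyone validating a profile before deployment.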
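Review bot: In the svccfg(1M) apply hunk, the sentence "Any syntax error found will be reported on stderr and an exit code of 1 will be returned" directly follows the -n sentence, so it is unclear whether it describes only -n or every apply; giving -n its own paragraph and stating the exit status for both modes would remove the ambiguity. The text says existing properties "can have their type changed" while property group types are not changed, but does not say what happens to properties in a group whose type in the profile differs from the repository (applied, skipped, or an error). The privilege sentence does not say whether -n, which makes no changes, still needs the modify privileges. Minor: "If a file is a service profile" should read "If file is", matching the argument name and the closing sentence.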