– Kamailio SIP Server –

Configuring and Installing OpenSER v1.3.2 on Solaris SPARC(tm)

Main author:
   Sergio Gutierrez <saguti (at) gmail.com>

This document describes installation tips that were taken into account when compiling and installing OpenSER on a Solaris SPARC system. The steps focus on operating system setup and on some free tools provided by Sun Microsystems which can improve the performance of OpenSER. Tips for improving security when installing on this operating system are also presented.
All of these steps have been proven on a real-life system, which offers carrier-class services to 100K users of a Telco company.

1. Installation profile

The first step is system preparation at installation time, beginning with the choice of the Operating System Cluster to install. Of the available options, a good starting point is SUNWCreq, which gives a relatively minimized system while keeping basic functionality at installation time. This cluster is described as Core System Support.

If the installation is performed from DVD or CD, it is easier not to add the packages listed below at installation time and to install them afterwards. If an advanced installation technique such as Solaris JumpStart™ is used, the installation profile can be defined to add the listed packages at installation time.

2. Disk Partitioning

The next step is disk partitioning. If, besides OpenSER, the SIP server also has a database installed, it is important to use a reliable file system to store the datafiles. Since Solaris 10 11/06, the ZettaByte File System (ZFS) is included. ZFS has native support for features such as striping, mirroring and dynamic resizing, among others. ZFS has unprecedented scalability and is easier to use than other volume management utilities, such as Solaris Volume Manager.
Currently, there is a restriction for file systems such as /, /usr and /var: they cannot be created as ZFS at installation time, and they need to be configured for mirroring with Solaris Volume Manager, in the conventional way, as explained at http://docs.sun.com/app/docs/doc/816-4520/tasks-mirrors-1?a=view.

A recommended disk partitioning, assuming OpenSER and MySQL for example, could be the following, for a system with at least two 72 GB disks (similar to the one used by us):

^ File System ^ Recommended Type ^ Recommended Size ^ Comment ^
| / | UFS | 8096 MB | Assuming you have /usr as a different File System. |
| /usr | UFS | 8096 MB | For additional packages to be installed. |
| /var | UFS | 20240 MB | For system logging, and assuming that error logs are to be kept through syslogd(1M). |
| /opt | ZFS | 10240 MB | For system local base, where openser and MySQL related files are going to be installed. |
| /data | ZFS | 20240 MB | For datafiles store. It could be sized according to traffic and information preservation policies. |

An implicit advantage of ZFS is that, because of its architecture, it is possible to take an fdisk partition on disk and create on it the entity called a zpool. File systems are created on this zpool, and they can be dynamically resized according to particular requirements. The detailed documentation of ZFS is located in the Solaris ZFS Administration Guide.

3. Complementary Packages

Because SUNWCreq offers limited functionality, some packages need to be added to the system, in particular the tools required to build software from source.

The following table lists the packages to be added. It is recommended to install them from the Solaris installation media rather than downloading them from public repositories or other sources, because the patches provided by Sun will then apply to those packages too.

^ SUNWGlib | Library for C Programming |
^ SUNWaccu | System Accounting and Reporting - Usr files |
^ SUNWaccr | System Accounting and Reporting - Root files |
^ SUNWarc | Lint Libraries for Software Development - Usr files |
^ SUNWarcr | Lint Libraries for Software Development - Root files |
^ SUNWbash | Bourne Again Shell |
^ SUNWbinutils | GNU Binary File Utilities |
^ SUNWbtool | Software Development Utilities |
^ SUNWflexlex | Flex Lexer |
^ SUNWflexruntime | Flex Lexer Runtime |
^ SUNWgcc | GNU Compiler Suite |
^ SUNWgccruntime | GNU Compiler Suite Runtime |
^ SUNWgmake | GNU Make |
^ SUNWgzip | GNU Zip Utility |
^ SUNWhea | SunOS™ C/C++ Header Files for Software Development |
^ SUNWlibm | Math and Microtasking Header - Usr files |
^ SUNWlibmr | Math Library and Lint Files - Root files |
^ SUNWlibms | Math and Microtasking Libraries - Usr Files |
^ SUNWlibmsr | Math and Microtasking Libraries - Root Files |
^ SUNWntpr | Network Time Protocol Server V3.0 - Root Files |
^ SUNWntpu | Network Time Protocol Client V3.0 - Usr Files |
^ SUNWsfwhea | OpenSource Header Files |
^ SUNWsshcu | Solaris SSH Protocol Common Utilities |
^ SUNWsshdr | Solaris SSH Protocol Server - Root Files |
^ SUNWsshdu | Solaris SSH Protocol Server - Usr Files |
^ SUNWsshr | Secure Shell Protocol Client and Utilities - Root Files |
^ SUNWsshu | Secure Shell Protocol Client and Utilities - Usr Files |
^ SUNWtoo | Utilities for Software Development |

For special optimizations at compile time, it is recommended to install the packages GCC For SPARC™ Systems (GCCFSS) and Sun Code Generator for SPARC™ Systems (SCGFSS). These packages can be downloaded from https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=GCC-4.2.0-FCS-G-F@CDS-CDS_SMI, both in pkgadd(1M) and tar.gz format. This release is based on GCC 4.2.0 and has proven not to present problems when compiling OpenSER.

Following a common convention, and for further reference on this document, GCCFSS installs at /opt/gcc and SCGFSS installs at /opt/SUNW0scgfss

There are other packages which are included in the cluster but in most situations do not need to be installed on the SIP server itself. It is recommended to remove these packages and to keep them only if they are explicitly required.

^ SUNWbsr | Boot Server Daemons - Root Files |
^ SUNWbsu | Boot Server Daemons - Usr Files |
^ SUNWftpr | FTP Server Configuration Files |
^ SUNWftpu | FTP Server and Utilities |
^ SUNWnfsckr | Network File System Client Kernel Support - Root Files |
^ SUNWnfscr | Network File System Client Support - Root Files |
^ SUNWnfscu | Network File System Client Support - Usr Files |
^ SUNWnisr | Configuration Files and Directories for Network Information System (NIS and NIS+) |
^ SUNWnisu | Utilities for Network Information System (NIS and NIS+) |
^ SUNWrcmdcr | Remote Network Server Commands |
^ SUNWrcmds | Remote Network Server Commands |
^ SUNWsndmr | Sendmail Configuration Files |
^ SUNWsndmu | Sendmail Utilities |

4. System Hardening

After installing the packages, the recommended next step is to apply the patches delivered by Sun. A good starting point is the Recommended Patches, which are delivered periodically and accumulate several bug fixes, security fixes, and kernel and software updates. The Recommended Patches can be downloaded from http://sunsolve.sun.com/show.do?target=patches/patch-access.

Related to security and minimization, there are automated options as Solaris Security Toolkit (formerly known as JASS), available at http://www.sun.com/software/security/jass/. However, for a finer control of the steps to secure the system, the following tips can be followed:

  • The utilities used to compile software from source should be available only to specific users; these utilities should not have execute permission for other users:
chmod 550 /usr/sfw/bin
chmod 550 /opt/gcc/bin
chmod 550 /opt/SUNW0scgfss/4.0.4/prod/bin
  • The option nosuid should be added to all filesystems, whether through /etc/vfstab or through the zfs(1M) command.
  • The system built-in accounts should be locked. The following commands should be executed:
passwd -l daemon
passwd -l bin
passwd -l sys
passwd -l adm
passwd -l lp
passwd -l uucp
passwd -l nuucp
passwd -l listen
passwd -l gdm
passwd -l webservd
passwd -l nobody
passwd -l noaccess
passwd -l nobody4
passwd -l mysql

The account smmsp, which belongs to Sendmail, remains on the system; it can be safely removed, taking care not to use the -r option of the userdel(1M) command, because this account is created with / as its home directory!

Finally, if SAR(1M) is going to be used, the sys account should not be locked, but its password should be changed to something different from its default password.
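
The three hardening steps above can be verified after they are applied. The following is an added example, not part of the original document: the function names are hypothetical, and the vfstab and shadow excerpts are constructed samples embedded so that the script runs anywhere.

```shell
#!/bin/sh
# Added example: audit helpers for the three hardening steps of section 4.
# All function names and the sample data are constructed for illustration.

# Constructed /etc/vfstab excerpt. Fields: device, fsck device, mount point,
# FS type, fsck pass, mount at boot, mount options ("-" means none).
SAMPLE_VFSTAB='#device         device           mount FS    fsck boot options
/dev/md/dsk/d0  /dev/md/rdsk/d0  /     ufs   1    no   -
/dev/md/dsk/d10 /dev/md/rdsk/d10 /usr  ufs   1    no   logging
/dev/md/dsk/d20 /dev/md/rdsk/d20 /var  ufs   1    no   logging,nosuid
swap            -                /tmp  tmpfs -    yes  nosuid'

# Constructed /etc/shadow excerpt. passwd -l on Solaris marks a locked
# account with *LK* at the start of the password field.
SAMPLE_SHADOW='root:constructedHashValue:14000::::::
daemon:*LK*:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
lp:*LK*:6445::::::
mysql:*LK*:14000::::::'

# Read vfstab text on stdin; print mount points whose options lack nosuid.
vfstab_missing_nosuid() {
    awk '
        /^#/ || NF < 7 { next }
        {
            found = 0
            n = split($7, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1
            if (!found) print $3
        }'
}

# Read shadow text on stdin; print the accounts named in $1 (space separated)
# that are present but not locked.
shadow_unlocked() {
    awk -F: -v want="$1" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) w[a[i]] = 1 }
        ($1 in w) && substr($2, 1, 4) != "*LK*" { print $1 }'
}

# Succeed when "other" has no permission bits on path $1 (as with mode 550).
# ls -ld is parsed because a stat(1) command may not be installed.
no_other_access() {
    perms=`ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 8, 3) }'`
    [ "$perms" = "---" ]
}

# Print findings. Arguments: vfstab file, shadow file, then directories.
# With "-" as a file name the embedded sample is used instead.
audit_report() {
    vfstab=$1; shadow=$2; shift 2
    accounts="daemon bin sys adm lp uucp nuucp listen gdm webservd nobody noaccess nobody4 mysql"
    if [ "$vfstab" = "-" ]; then printf '%s\n' "$SAMPLE_VFSTAB"; else cat "$vfstab"; fi |
        vfstab_missing_nosuid | sed 's/^/nosuid missing: /'
    if [ "$shadow" = "-" ]; then printf '%s\n' "$SAMPLE_SHADOW"; else cat "$shadow"; fi |
        shadow_unlocked "$accounts" | sed 's/^/not locked: /'
    for d in "$@"; do
        if [ -d "$d" ] && ! no_other_access "$d"; then
            echo "other users can access: $d"
        fi
    done
    return 0
}

# Demonstration on the constructed samples and the tool directories named above.
audit_report - - /usr/sfw/bin /opt/gcc/bin /opt/SUNW0scgfss/4.0.4/prod/bin
```

On a real host, pass /etc/vfstab and /etc/shadow (as root) in place of the two "-" arguments. ZFS datasets do not appear in /etc/vfstab; the equivalent setting there is the setuid property reported by zfs(1M).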

5. Package Installation

The next sections of this document describe the steps taken to compile OpenSER and its supporting packages on Solaris SPARC™ systems.

With OpenSER 1.3.2, the standard compilation in 32-bit mode produced an installation which generated random crashes; after several tests, a stable binary was obtained using 64-bit mode. The tips described here assume that the whole runtime environment of OpenSER is built exclusively and thoroughly in 64 bits; if someone detects or knows of any issue with one of the described packages, feel free to report it.

Besides, to make the OpenSER installation easier, the prefix used for all packages points to /opt/openser, the directory which will be used later as LOCALBASE; this simplifies the detection of prerequisites for several OpenSER modules.

There are two customizations which can be performed before starting to compile the packages, and which allow the performance tunings offered by GCCFSS and SCGFSS to be used. The options used for the installation taken as reference for this document are discussed below.

  • GCCFSS offers optimizations based on architecture or hardware platform; these options are detailed at http://cooltools.sunsource.net/gcc/flags.html. They are specified with the command options -xtarget= and -xarch=, set in the environment variables CFLAGS, LDFLAGS and CXXFLAGS. The optimizations that can be used for the most usual SPARC platforms, and for getting 64-bit binaries, are listed next:
For UltraSPARC: -xtarget=ultra -xarch=v9a
For UltraSPARC II: -xtarget=ultra2 -xarch=v9a
For UltraSPARC IIi: -xtarget=ultra2i -xarch=v9a
For UltraSparc III: -xtarget=ultra3 -xarch=v9b
For UltraSPARC IIICu: -xtarget=ultra3cu -xarch=v9b
For UltraSPARC IV: -xtarget=ultra4 -xarch=v9a
For UltraSPARC T1: -xtarget=ultraT1 -xarch=v9a

The main difference between -xarch=v9a and -xarch=v9b is the enabling of extensions specially designed for UltraSPARC III processors, and the VIS instruction set; both options produce 64-bit executables.

For reference purposes, an UltraSPARC T1 processor is assumed in the compilation examples, and /opt/openser is defined as LOCALBASE.

  1. MySQL installation

Although MySQL can be installed from the operating system distribution, for a customized server, and to obtain the performance improvements, it is preferable to install it from source.

The sources of MySQL can be downloaded from: http://dev.mysql.com/downloads/mysql/5.0.html#source

The recommended environment for compilation is:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

After defining these environment variables, configure should be run like this:

MAKE=gmake ./configure --prefix=/opt/openser --with-big-tables --enable-thread-safe-client

If, for some reason, the openser database is installed at another location, compilation of the server can be disabled, because openser only needs the client libraries. In that case, configure would be run as:

MAKE=gmake ./configure --prefix=/opt/openser --enable-thread-safe-client --without-server

After configuration, compilation can be performed with:


Or, if the machine has more than one processor, an extra option can be passed to make so that it runs in parallel. For an UltraT1 system with 6 cores, for instance, gmake could be invoked like:

gmake -j 6

When compilation finishes, testing the freshly compiled binary is recommended to confirm that it was generated correctly. This can be done by executing:

gmake test;

After the tests finish, MySQL can be installed by running the following commands:

groupadd mysql;
useradd -m -d /opt/openser/var -c "MySQL Database Server" -g mysql -s /bin/false mysql
passwd -l mysql;
cd scripts
sh mysql_install_db --user=mysql
cd ..

A master configuration file for MySQL should be installed from one of the templates located in the support-files subdirectory of the MySQL source directory; according to host resources, my-small.cnf or my-large.cnf can be used. This file should be installed as my.cnf in the data directory of the MySQL installation. For this example, it would be /opt/openser/var.

Finally, a script should be installed to start MySQL at boot time. The template below can be installed at /etc/init.d/mysql and linked from /etc/rc2.d with a relative start order of 10 (S10mysql) and from /etc/rc1.d with a relative stop order of 90 (K90mysql). This particular template should be installed with very restrictive permissions, because it contains the mysql root user password for a graceful stop, so it is recommended that it be owned by root, group sys, with mode 500:


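#!/sbin/sh
# Template script to start MySQL

# The values below are not shown in the source page; they are assumptions to adapt
dirMySql=/opt/openser        # assumed: LOCALBASE used throughout this document
usuarioMySql=root            # the mysql root user mentioned above
passwordMySql=CHANGE_ME      # placeholder for the mysql root password

# To find libraries installed at non-standard locations, avoiding the need to run crle(1M)
# to define these paths (variable name and path are assumptions)
LD_LIBRARY_PATH_64=$dirMySql/lib
export LD_LIBRARY_PATH_64

# Defines preloading of the implementation of Memory Allocation which is included with Solaris, specially
# designed for Multithread applications.

case $1 in
        'start')
                echo "Starting MySQL" > /dev/console
                cd $dirMySql/bin
                LD_PRELOAD_64=/usr/lib/sparcv9/libmtmalloc.so ./mysqld_safe --user=mysql --log-warnings --log-slow-queries &
                sleep 10;
                ;;
        'stop')
                # The password given with -p may be visible in ps(1) output while mysqladmin runs
                cd $dirMySql/bin
                ./mysqladmin -u $usuarioMySql -p$passwordMySql shutdown
                ;;
        'status')
                ps -ef | grep mysql | grep -v grep
                echo "Network:"
                echo "----"
                netstat -an | grep 3306
                ;;
        *)
                echo "Usage: $0 {start|stop|status}"
                exit 1
                ;;
esac

  1. OpenLDAP installation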

In the installation used as reference for this document, OpenSER was installed with LDAP support for authentication and authorization. Although Solaris includes LDAP libraries in the operating system installation, these are not usable for the OpenSER module, so the OpenLDAP libraries are required to compile it. To avoid a current conflict between a header file included with OpenLDAP and a Solaris system header file, an extra parameter should be included in CFLAGS. For OpenLDAP compilation, the package SUNWdoc (Documentation tools) needs to be installed.

The build environment would be:

CFLAGS="-xtarget=ultraT1 -xarch=v9a -D_AVL_H"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

Supposing that the LDAP server is located elsewhere, configure would be run so that building of the OpenLDAP server is disabled:

MAKE=gmake ./configure --prefix=/opt/openser --disable-slapd

When configure finishes, the following sequence of commands would be run to build OpenLDAP:

gmake depend;
gmake tests;
gmake install;

  1. libConfuse

Another package that was installed for this sample installation was libConfuse, which is required for the carrierroute module. libConfuse can be downloaded from http://www.nongnu.org/confuse/

This library, at compilation time, requires an extra option in CFLAGS and LDFLAGS, because of the default behaviour that GCCFSS exhibits when generating shared libraries. According to this, the compilation environment needs to be adjusted as follows:

CFLAGS="-xtarget=ultraT1 -xarch=v9a -xcode=pic32"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a -xcode=pic32"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a -xcode=pic32"

The reason this option is mandatory is discussed at http://cooltools.sunsource.net/gcc/flags.html, in the section describing the option -xcode=.

After configuring the environment, the building and compilation can be run as usual:

MAKE=gmake ./configure --prefix=/opt/openser;
gmake install;

  1. CURL

CURL Library needs to be installed to fulfill further dependencies for OpenSER modules.

The compilation environment is the following:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

Compilation and installation are performed as usual:

gmake install

  1. libxml

Solaris has a preinstalled version of libxml, but it is quite old for most applications when installing external packages on the system. For that reason, it is better to compile a more recent version of it; libxml sources can be downloaded from: http://xmlsoft.org/downloads.html

The compilation environment is the following:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

Compilation and installation are performed as usual:

gmake install

XMLRPC is required to install mi_xmlrpc module of OpenSER.

The compilation environment is defined as follows:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

In this case, /opt/openser/bin is put first in PATH, so that xml2-config is called from the libxml just compiled instead of the one built into the system.

Compilation and installation are performed as usual, but for XMLRPC, the build flags have to be passed in a different way:

CADD="$CFLAGS" LDADD="$LDFLAGS"  LADD="$LDFLAGS" ./configure --prefix=/opt/openser --enable-curl-client=/opt/openser --enable-libxml2-backend
gmake install

Net-SNMP is a good option for system monitoring, and is a prerequisite to be able to compile the snmpstats module, very useful to monitor OpenSER.

Compilation environment can be configured as follows:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"
CXXFLAGS="-xtarget=ultraT1 -xarch=v9a"

At configuration time, some extra mib modules can be installed, which offer extra functionality on Solaris SPARC Systems:

MAKE=gmake ./configure --prefix=/opt/openser --with-mib-modules="ucd-snmp/diskio smux ucd-snmp/lmSensors tcp-mib udp-mib" --enable-mfd-rewrites
gmake install;

The following template can be used for the startup script of NET-Snmp:



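#!/sbin/sh
case $1 in
        'start')
                /opt/openser/sbin/snmpd -Lsd -x tcp:localhost:705
                ;;
        'stop')
                pkill -TERM snmpd
                ;;
        'status')
                ps -ef | grep snmp | grep -v grep
                echo "     ";
                echo "Network:";
                echo "----";
                netstat -an | grep 161
                ;;
        *)
                echo "Usage: $0 {start|stop|status}"
                exit 1
                ;;
esac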

This template should be installed at /etc/init.d/net-snmpd and linked from /etc/rc2.d with a relative start order of 20 (S20net-snmpd) and from /etc/rc1.d with a relative stop order of 80 (K80net-snmpd). Recommended permissions are 550, owned by root, and group sys.

5. OpenSER Installation

After all the support packages have been installed, OpenSER can be compiled.

The compilation environment is defined as follows:

In the installation used as reference for this document, the features which will be added to OpenSER are: Carrierroute, MySQL support, LDAP Support. Modules whose dependencies are not fulfilled are not compiled.

There are a couple of issues detected when compiling OpenSER 1.3.2, which have already been reported and fixed in the Bug Tracker, but not yet released.

1. MySQL autodetection does not work correctly. For the mysql module to compile correctly, cross compilation has to be enabled; to enable it, the Makefile of the mysql module should be edited to uncomment the following line (line 11 of the Makefile):


2. libradiusclient-ng does not work when compiled in 64 bits; although the library compiles without errors, there is an issue in the generation of the hash in authorization tasks.

3. Solaris has LDAP libraries built in, but those libraries are not usable for building the ldap module. If the OpenLDAP libraries are installed as shown previously, in the directory defined as LOCALBASE, lines 17 and 18 of the Makefile should be edited so that libraries and headers are found at LOCALBASE:

LIBS=-L$(LOCALBASE)/lib -lldap

4. When compiling the mi_xmlrpc module, the constant HAVE_SYS_FILIO_H is not defined, so compilation fails. There is a patch published on the tracker which fixes this for Solaris. The patch for the module Makefile is:

--- Makefile    Thu Dec 13 18:38:50 2007
+++ Makefile.saguti     Thu Jul 31 14:43:17 2008
@@ -74,7 +74,14 @@
        exclude_files=$(wildcard abyss_*.c)

+#Solaris has filio.h

+ifeq ($(OS),solaris)
+               MY_DEFS+=-DHAVE_SYS_FILIO_H
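
Review bot: the `ifeq ($(OS),solaris)` block at the end of this hunk is never closed with `endif` in the lines shown, and the header `@@ -74,7 +74,14 @@` announces seven added lines where only three `+` lines are visible, so the patch as reproduced here is truncated and will not apply or parse; take the complete patch from the tracker before using it. The comment `#Solaris has filio.h` would also be more useful if it named the source file that tests HAVE_SYS_FILIO_H.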

5. None of the perl-related modules can be built with the perl interpreter provided with Solaris; this perl has compilation flags used by the Sun proprietary compiler, which are not supported by OpenSER, and this perl interpreter is not compiled in 64-bit mode. If perl modules are required, an independent perl version should be compiled from source.

The build environment, for the installation used as reference for this document is defined as follows:

CFLAGS="-xtarget=ultraT1 -xarch=v9a"
LDFLAGS="-xtarget=ultraT1 -xarch=v9a"

And the build command is:

gmake PREFIX=/opt/openser exclude_modules="auth_radius avp_radius db_berkeley group_radius osp perl perlvdb postgres tlsops unixodbc uri_radius" all

In this way, OpenSER is compiled with all modules, except those listed at command line.

6. Post Installation Steps

After OpenSER has been compiled and installed, a few final steps should be followed to complete the installation successfully:

1. The script for system startup of OpenSER can be installed at /etc/init.d/openser, linked from /etc/rc2.d with relative start order of 50 (S50Openser) and from /etc/rc1.d with relative stop order of 50 (K50openser). The recommended permissions of this template are 500, owned by root and group sys.


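#!/sbin/sh
# Template for starting up OpenSER

# The values below are not shown in the source page; they are assumptions to adapt
base=/opt/openser            # assumed: LOCALBASE used throughout this document
cfg=openser.cfg              # assumed configuration file name
log=/var/log/openser.log     # assumed log file location

#The primary IP address of the SIP Server
ip=192.0.2.10                # placeholder address

case $1 in
        'start')
                # 9 processes and 256 MB for Shared Memory
                $base/sbin/openser -n 9 -m 256 -f $base/etc/openser/$cfg > $log 2>&1 &
                ;;
        'stop')
                pkill -TERM openser
                # Signal only OpenSER processes: an unfiltered ps listing would pass every PID to kill
                pids=`ps -ef | grep "$base/sbin/openser" | grep -v grep | awk '{print $2}'`
                [ -n "$pids" ] && kill -TERM $pids
                ;;
        'status')
                check=`ps -ef | grep openser | grep -c -v grep`

                if [ $check -lt 9 ]
                then
                        echo "OpenSER stopped or not running right. Check Logs"
                        echo "---------------------------------------------"
                        ps -ef | grep openser | grep -c -v grep
                else
                        echo "Openser Active"
                        echo "--------------"
                        $base/sbin/openserctl ps
                        echo "--------------"
                        echo "Network:";
                        netstat -an | grep $ip.5060
                fi
                ;;
        *)
                echo "Usage: $0 {start|stop|status}"
                exit 1
                ;;
esac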



2. After installing OpenSER, the database structure is created by invoking the create option of the openserdbctl script:

/opt/openser/sbin/openserdbctl create

This applies when the MySQL database is located on the same server. If this is not the case, the structure should be installed manually on the database server.
It is important to apply more restrictive permissions, because in the default configuration the openser user can connect to the database from any location.

3. It is important to apply more restrictive permissions to the etc subdirectory at LOCALBASE. Configuration files may contain sensitive information such as usernames or passwords for the database and/or LDAP directory. A mode of 500 would be desirable.

7. Summary

This document presented a guide to installing OpenSER on a Solaris SPARC system. It contains tips which can be used from operating system installation through to compilation of the software itself, to increase the security of the system and to boost the performance of OpenSER by using specialized tools available from Sun for these platforms.

Although it has been written for a very particular set of modules and features in OpenSER, it offers a very complete solution, and it is near to a solution which is currently operative for a carrier class telephony system of a Telco Company.

In the mid term, it is expected to include a more complete set of tips, for other features and modules, and to adapt itself to new releases of OpenSER.

Any feedback about style, clarity or accuracy is more than welcome.

Feel free to contact the author through the email address saguti at gmail dot com

Jumpstart, Solaris, SunOS are Trademarks of Sun Microsystems. SPARC, UltraSPARC are trademarks of SPARC International Inc.