Category Archives: computing

El reg on Solaris

The Register has a very interesting article on Solaris x86 today:
Sun’s Linux killer shows promise

The article is a very good read and points to some things that need working on. However, in one paragraph the author discusses Solaris patching, and I’d like to elaborate on that a bit.

    This is an area where Sun’s commitment to the x86 project, and the extent to which it intends to build a community around it, will show. … even its most basic support plan, which involves little more than free online updates, costs money. It’s hardly expensive, certainly, at $120 per year per socket, but Linux vendors give away this level of support for free. If Sun wants hobbyists contributing, then they’ll do well to give very basic support like online updates to non-commercial users. (We note that security patches are available for download and manual installation at no charge, however.)

When Solaris 10 Update 1 is released you will be able to get it the same way you get Solaris 10. It will include all the patches that have been released for Solaris 10 up to that point, and you can upgrade to it for free.

What you get for $120 is access to those patches as soon as they are created; you don’t have to wait for the next update to get them.

With SUSE, for example, you buy the product and get free updates; with Solaris 10 you get the product for free and pay for earlier access to non-security updates.

The author mentions hobbyists. I don’t think hobbyists will really be using Solaris 10. They will likely use Solaris Express or, even more likely, OpenSolaris, where they will get access to the latest stuff first, for free.

The article says that security patches are available for manual installation. That’s true; however, they are also available via Sun’s Update Manager tool for automated and scheduled download. This tool is freely available for Solaris 10.

    Online updates should be free for non-commercial users. If you want people to stick with a product, especially early in its development, you can’t have them worrying that some security hole or bug they haven’t heard of has left them open to remote exploitation, or susceptible to some fatal error that might wipe out months of work. (You want me to trust your stuff? Then don’t leave me guessing.)

This paragraph is wrong. Let’s be clear about this: security updates are free, either downloadable from SunSolve or through Sun Update Manager. No one is being left without security updates. If you want bug fixes sooner than the next Solaris update then you need to buy support; if you can wait for the next Solaris update then those fixes are free.

Update: Mike Riley over on the solarisx86 Yahoo group points out that hardware driver patches will be free as well, along with any patches that the security or driver patches require.


Replacing sudo

Recently I was installing a machine for someone. One of their requirements was to have sudo installed. sudo allows a given set of users to run a given set of commands as root. What this user wanted sudo for was to be able to run any command as root except halt, shutdown, reboot and init. So rather than using it as a security device they were using it as a device to stop themselves from being shot in the foot.

To implement this they had the following in their sudoers config file:

Adding the ability to run commands as a different user is implemented in Solaris using RBAC [Roles, Rights Profiles, and Privileges doc]. From the user’s perspective they just type pfexec instead of sudo. What I’ll discuss here is how you set up RBAC to implement the foot-saving sudo config above.

pfexec will accept the first match that it finds in a user’s profiles, searching the profiles in the order they are assigned to the user, and execute the command with the attributes of that match. So all we need to do is create a profile which lists the commands that we don’t want to run as root, but gives them no extra privileges, and make sure that profile is searched first.

Firstly lets create the profile in /etc/security/prof_attr

next we list these commands in /etc/security/exec_attr

Note that there is nothing after the final colon. These commands will be executed with the users own id and rights.

Finally we need to assign the profile to the user. In /etc/user_attr add:

The Primary Administrator rights profile is defined as

However, when the user runs reboot it will first be matched in the “PSTDisallowed Commands” profile and will be run with the user’s own uid.

To shut down the system the user would have to either log in as root or run, say, ‘pfexec bash’ and then issue the reboot from that shell. The intention is only to avoid accidentally shutting down the wrong machine; this is not a security boundary.

Thanks to Scott Rotondo for being the first to point this out to me!
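To make the first-match rule concrete, here is an added example (not Sun’s code, and not the files from the machine above) that parses the three colon-separated attribute file formats used in the post and replays pfexec’s lookup over a constructed database. The “PSTDisallowed Commands” entries follow the scheme described above; the “PST Operator” nested profile, the users bob, alice, dave and carol, and their uids are assumptions made for the example. The real pfexec resolves the command to its full path via PATH and also consults the default profiles in /etc/security/policy.conf, neither of which is modelled here.

```python
"""Model of pfexec(1) first-match lookup over Solaris RBAC attribute files.
Added example, not Sun's code: parses prof_attr, exec_attr and user_attr
and applies the rule from the post (profiles in user_attr order, first
matching exec_attr entry wins). All data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample files. On Solaris 10 these live in
# /etc/security/prof_attr, /etc/security/exec_attr and /etc/user_attr.
PROF_ATTR = """\
# profname:res1:res2:desc:attr
PSTDisallowed Commands:::Commands that must not be run as root by accident:
PST Operator:::Root minus accidental shutdown:profiles=PSTDisallowed Commands,Primary Administrator
Primary Administrator:::Can perform all administrative tasks:auths=solaris.*,solaris.grant;help=RtPriAdmin.html
"""

EXEC_ATTR = """\
# name:policy:type:res1:res2:id:attr
# Empty attr field: the command runs with the caller's own uid and rights.
PSTDisallowed Commands:suser:cmd:::/usr/sbin/halt:
PSTDisallowed Commands:suser:cmd:::/usr/sbin/shutdown:
PSTDisallowed Commands:suser:cmd:::/usr/sbin/reboot:
PSTDisallowed Commands:suser:cmd:::/sbin/init:
# Wildcard id: any command, as root.
Primary Administrator:suser:cmd:::*:uid=0;gid=0
"""

USER_ATTR = """\
# user:qualifier:res1:res2:attr
bob::::profiles=PSTDisallowed Commands,Primary Administrator
alice::::profiles=Primary Administrator,PSTDisallowed Commands
dave::::profiles=PST Operator
"""


def _records(text: str, nfields: int) -> List[List[str]]:
    """Split a colon-separated attribute file into records, skipping comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", nfields - 1)
        if len(fields) != nfields:
            raise ValueError(f"malformed record: {raw!r}")
        out.append(fields)
    return out


def _attrs(text: str) -> Dict[str, str]:
    """Parse an attr field: semicolon-separated key=value pairs."""
    result = {}
    for kv in text.split(";"):
        if kv:
            key, _, value = kv.partition("=")
            result[key] = value
    return result


def _csv(attrs: Dict[str, str], key: str) -> List[str]:
    return [x for x in attrs.get(key, "").split(",") if x]


@dataclass
class Match:
    profile: Optional[str]                 # None: no profile entry matched
    attrs: Dict[str, str] = field(default_factory=dict)


class RbacDb:
    def __init__(self, prof_attr: str, exec_attr: str, user_attr: str):
        self.prof = {r[0]: _attrs(r[4]) for r in _records(prof_attr, 5)}
        self.execs: Dict[str, List[Tuple[str, Dict[str, str]]]] = {}
        for name, _pol, kind, _r1, _r2, ident, attr in _records(exec_attr, 7):
            if kind == "cmd":
                self.execs.setdefault(name, []).append((ident, _attrs(attr)))
        self.users = {r[0]: _attrs(r[4]) for r in _records(user_attr, 5)}

    def profiles_for(self, user: str) -> List[str]:
        """Ordered profile list, expanding nested profiles= entries in prof_attr."""
        order: List[str] = []
        seen = set()

        def walk(names: List[str]) -> None:
            for name in names:
                if name in seen:
                    continue
                seen.add(name)
                order.append(name)
                walk(_csv(self.prof.get(name, {}), "profiles"))

        walk(_csv(self.users.get(user, {}), "profiles"))
        return order

    def resolve(self, user: str, cmd: str) -> Match:
        """First exec_attr entry matching cmd (exact path or '*') wins."""
        for name in self.profiles_for(user):
            for ident, attrs in self.execs.get(name, []):
                if ident == cmd or ident == "*":
                    return Match(name, attrs)
        return Match(None)


def effective_uid(db: RbacDb, user: str, cmd: str, own_uid: int) -> int:
    """uid the command runs with; no uid= attribute means the caller's own."""
    match = db.resolve(user, cmd)
    return int(match.attrs["uid"]) if "uid" in match.attrs else own_uid


if __name__ == "__main__":
    db = RbacDb(PROF_ATTR, EXEC_ATTR, USER_ATTR)
    for user, uid in (("bob", 1001), ("alice", 1002), ("dave", 1003)):
        for cmd in ("/usr/sbin/reboot", "/usr/sbin/svcadm"):
            m = db.resolve(user, cmd)
            print(f"{user:6} pfexec {cmd:17} -> uid "
                  f"{effective_uid(db, user, cmd, uid)} via {m.profile}")
```

Running it shows the point of the ordering: bob’s reboot stops at the “PSTDisallowed Commands” profile and keeps his own uid, while svcadm falls through to the Primary Administrator wildcard and gets uid 0. alice has the same two profiles in the opposite order, so the wildcard swallows reboot first and she gets root anyway; if you see that, the fix is the order in user_attr, not the profile contents.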


Finally I have a useable solaris laptop

Some time ago I posted about what I had needed to do to get Solaris installed on my laptop; well, not the install itself, which went fine, but rather what extra bits I needed. Some folks in Sun have been working on a driver for the Centrino wireless adapter, but up to now I’ve never managed to get it working. This was pissing me off, so I decided to look into the problem properly.

The root of the problem was fairly obvious in the end: the radio wasn’t transmitting. The little radio button at the side didn’t do anything; it’s mapped to some specific Windows driver in XP, I imagine. The BIOS, however, did say that wireless was enabled, but it didn’t work. Snooping around some Linux websites I came across the Linux fsam7400 kernel module that would turn on the networking. This module is specific to my laptop, a Fujitsu-Siemens Amilo M 7400. However, a Linux kernel module is useless to me in Solaris!

The module basically flips some bits in the BIOS. I thought about trying to work out how to port it to Solaris. I think I understand what some of the more straightforward commands do; however, working out how to do ioremap, never mind ‘__asm__ __volatile__’, was beyond my grasp. And the people that I would usually go and pester had gone home for the weekend! I suppose it would be possible to do this with mdb; I can navigate a bit in mdb, but finding exactly where to poke in the BIOS would take a lot of learning, especially without having people around to ask naive questions of!

It then occurred to me that the BIOS setting for wireless being enabled was plainly lying. Perhaps there was a BIOS patch? Typical… Ten minutes later I had a little wireless light on the box running Solaris and was able to connect to my access point! Success!

The next lesson I learnt today was ‘don’t half apply patch 118919-06’. If you do you’ll end up with an unreadable pkcs11.conf file. To reapply the patch you need to go back to old style patching with ‘patchadd -t’. The patch removal was initially aborted (I was testing something), and so only the SUNWcsu package was patched, you need to invoke patchadd with the -t option so that it will check all the packages in the patch to see if the patch is applied and if not apply the patch to them. The patch itself is fine by the way!

After getting the crypto stuff sorted out, I was able to log in to Sun through our IPsec-based secure login/secure access service. Now thankfully I no longer have to use Windows and a VPN to log onto SWAN. But it’s Friday night, and time to stop working.



Solaris 10 patches and SunUpdate

Are downloadable from http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/zos-s10

As was pointed out on comp.unix.solaris there are no clusters available yet.

One tool that you might like to try for patch management on Solaris 10 is the new Sun Update tool. It will check for the latest updates and can be used on all your Solaris boxes to keep them up to date, or to keep them at a state defined by sets of rules. It is managed from a single tool and handles all necessary dependency checking. Give it a try and be sure to report back any issues!


Updating Software in the Open World

Opensolaris.org is go. Go register! Although I don’t write code for solaris I can share Bryan’s sentiments about it feeling like your hometown getting flooded by tourists. And wasn’t there a good job done of making the town nice for you all!

I work in patch testing, and over the past few years I have seen a lot of ‘interesting’ problems with updating products. As such I thought I would have my first opensolaris post be some food for thought regarding package/patch management.

Eric Boutilier has started some interesting discussion on how package management should be done with opensolaris.

Let me dive ahead and share some thoughts on supporting a distro you have made. This I would argue should be the basis of a package management discussion.

The options that Eric lists deal with packages. pkg-get, for example, deals only with packages: if there is a bug in the application you are using and a new version is released, you get the entire package re-installed and the version number incremented. Where dependencies are concerned, if the new bug-fixed package has a dependency on another package, for, say, a new feature, that will be downloaded also, and so on. For what might be a fairly trivial bug fix you could end up needing to upgrade many packages. This was one of my personal annoyances with Debian.

Solaris package and patch management is different. All packages in a version of Solaris have the same version string. If there is a bug, the package is rebuilt but only the files that differ are distributed, in a patch. If there are other requirements, patches can depend on other patches, which again only distribute the changes from the initial release. In some cases the patches need to merge with other patches to accomplish this correctly, and in other cases the requirement is not that strict at all and you will see a note in the patch README telling you to ‘get patch xxxxx-xx for the complete fix of bug xxxxx’.

There are many other cool things that can be done with patches, for example Interim Diagnostic Relief: with this a special ‘patch’ is created by an engineer to give to customers to get more diagnostic information on a problem, or to provide a test fix before the real patch is made. Using this system the administrator cannot apply any patches to the affected package until the IDR has been removed. More importantly, the information about the IDR is stored in the package database, so you never have the problem of not knowing whether any test binaries are left on the system.

The advantages of patches only come into play once the OS is stable. For example, each build of OpenSolaris will (I expect) have a different version string for each package. At some point you decide to take the image that you will use as the base for your distribution. From this point your version strings should stay static for the lifetime of supporting your distribution. As the OpenSolaris builds continue, more fixes and features will go in, so you may not be able to just grab the latest bits and hope they work with your distribution; you will need to take the code changes and merge them back into the version from which you made your stable release, and against which you presumably tested all your other software.

Once this is done you have a choice to make regarding patches or new packages. It is this decision that most thought should be devoted to.

Some other considerations that any alternative to patches need to address:

  • How will they upgrade zones in OpenSolaris?
  • How will they support diskless clients (if you support them)?
  • What control will you give for the management of user editable files, for restarting services, for unexpected things that may need to be done before and after the service is restarted?
  • How do you define what ‘level’ your system is at?

I would advocate the use of patches for updating packages. But I would be very interested in seeing the things that people don’t like about patches and patch management and what enhancements folks think should be added.

As yet the patch utilities are not released in OpenSolaris, but nevertheless it’s something to think about.


Minor gotcha for creating multiple zones

I received a new test machine on Friday, and being too lazy to set any particular tests running on it to burn it in, I decided to just leave it running over the weekend creating as many zones as it could. Today I came in to discover that only 255 zones had been created. The error message on booting the 256th was

Sure enough, trying to bring up another virtual interface on eri0 resulted in

To allow more interfaces you need to tweak ip_addrs_per_if on /dev/ip, e.g. ndd -set /dev/ip ip_addrs_per_if 8192. The default is 256 logical addresses per physical interface, and eri0 itself takes one of them, which is why the 256th zone was the one to fail. The new value takes effect immediately, but ndd settings do not survive a reboot, so it has to be reapplied at boot (from an rc script, for example) if the machine is to keep running that many zones.
The only place I can see this mentioned in the docs is in the script to configure multiple zones, but I wasn’t using that script.