Tuesday Jan 25, 2011

A final suggested read

David Reed (who co-wrote the paper inspiring the name of this blog) passed along a pointer to this paper by Dan Geer:

A Time for Choosing

Please read it, and understand the founding spirit of the Internet. And with that, I say goodbye to Oracle.

Tuesday Jan 18, 2011

I'm leaving, and switching gears for a bit

After 15 years, I'm off to somewhere different.

Tuesday Nov 02, 2010

MAC-then-encrypt - also harmful, also hard to do in Solaris

Researchers have discovered that MAC-then-encrypt in IPsec is harmful. Good thing you need to try REALLY HARD to be that dumb with Solaris.

Thursday Aug 19, 2010

Thinking about the Birthday Problem on my Birthday, as it applies to my Birthday Present

Thinking about my iPhone, song collisions, and figuring out how to compute the probability of song repeats when you reshuffle.

Sunday Feb 07, 2010

Do a "pkg image-update" with multiple zones!!!

Hello you half-dozen readers!

Recently I reinstalled my home server to OpenSolaris, build 130. I used zfs send and zfs recv to recover my relevant bits of data. I also constructed new zones, this time using ipkg zones.

Using ipkg zones takes a bit of acclimation. The biggest thing to note is that if you need a specific software package, you have to use pkg install in the zone you wish to have the software. For example, I have three zones:

  • The Global, internal-only, server zone - My global zone spends most of its time without a default route, serving NFSv4 and anything else I can think of only to my local LAN. If I need a new service, I temporarily add a global route, and pkg install away.
  • The Webserver zone - Just like it says. I needed Apache here, and had to pkg install Apache here.
  • The Router/NAT/IPsec-remote-access/Firewall zone - If you're going to put potential targets on the Internet, why put the global zone there? Especially with Crossbow VNICs and IP Instances!

So I've got all of these zones, and the global zone isn't even net-attached most of the time. More interesting still, I need to upgrade all of them.

I posed this problem to pkg-discuss@opensolaris.org. Right now, pkg image-update won't upgrade the non-global zones. Worse still, I need to upgrade a zone that's also acting as my NAT and router. Luckily for me, Ed Pilatowicz gave me some good advice:

i do have one other workaround/suggestion you could try. after you do an image-update of your global zone, before rebooting, use beadm to mount the new image on /a. then you can try doing "pkg -R /a/path_to_your_zone/root image-update" for each of your zones. this will probably work as long as you're always image-update'ing to the latest bits in the repository (and no new images get pushed to the repository in between all the image-update operations.)

So I took Ed at his word.

Even if you have an ultra-paranoid global zone, you need to get it talking to an IPS repository. Either temporarily add an off-link route like I do, or have a local repository handy. Proceed and pkg image-update your global zone. Make sure you use --be-name to pick a BE name that you'll remember.

Next, you literally beadm mount new-be-name /mnt and for each zone root directory (while still able to reach the repository from your global zone) do pkg -R zone-root-path image-update. For my own example, I did:

  • pkg image-update --be-name 132
  • beadm mount 132 /mnt
  • pkg -R /mnt/export/home/webserver/root image-update
  • pkg -R /mnt/export/home/router/root image-update
  • beadm umount 132
  • reboot

This worked quite well for me moving up from 130 to 132. Just make sure your global zone can reach the repository, and you should be golden.
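As an added example (my script, not anything from the original post or from the pkg project), here is the same procedure wrapped in a POSIX shell script that discovers the ipkg zones from zoneadm instead of listing them by hand, updates each one inside the mounted BE, and always unmounts the BE, refusing to declare success if any zone failed. It assumes the OpenSolaris-era beadm/pkg/zoneadm commands as used above, that the zone roots live inside the new BE (as they do in the post), and that zonepaths contain no spaces.

```shell
#!/bin/sh
# Scripted version of: pkg image-update --be-name BE; beadm mount BE /mnt;
# pkg -R /mnt/<zonepath>/root image-update for each ipkg zone; beadm umount BE.
# Added example; assumes OpenSolaris b130-era pkg/beadm/zoneadm behaviour.

PKG=${PKG:-pkg}      # set PKG=echo to preview the pkg commands without running them
MNT=${MNT:-/mnt}     # mount point for the freshly updated BE

# zone_roots: read "zoneadm list -cp" output on stdin and print <zonepath>/root
# for every installed or running ipkg zone. The -p fields are
# zoneid:zonename:state:zonepath:uuid:brand:ip-type; configured-only zones
# have no root to update, so they are skipped.
zone_roots() {
    awk -F: '$2 != "global" && $6 == "ipkg" &&
             ($3 == "installed" || $3 == "running") { print $4 "/root" }'
}

# update_zone_roots MNT: for each zone root on stdin, run the post's
# "pkg -R <mnt><root> image-update"; stop at the first failure so you never
# reboot into a BE where only some zones were updated.
update_zone_roots() {
    mnt=$1
    while read -r root; do
        "$PKG" -R "$mnt$root" image-update || return 1
    done
}

# upgrade_all BE: the whole procedure, with the BE unmounted no matter what.
upgrade_all() {
    be=$1
    "$PKG" image-update --be-name "$be" || return 1   # global zone first
    beadm mount "$be" "$MNT" || return 1
    zoneadm list -cp | zone_roots | update_zone_roots "$MNT"
    rc=$?
    beadm umount "$be"
    if [ "$rc" -ne 0 ]; then
        echo "zone update failed; do not reboot into $be yet" >&2
        return 1
    fi
    echo "global zone and all ipkg zones updated in BE $be; reboot when ready"
}

# Only run the procedure when given a BE name, e.g. ./upgrade-zones.sh 132
if [ -n "${1:-}" ]; then upgrade_all "$1"; fi
```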

Wednesday Jan 27, 2010

I, for one, welcome our new database-selling overlords.

In all honesty, I'm glad this regulatory dance is over. We've all been having a little itch in our brains about this. Even if any of us have had real work to do, we've been at least a little distracted by this whole acquisition uncertainty.

Well, we're finally part of Oracle now, and I think that's pretty cool. Larry E. wants to butt heads with IBM and HP directly, and quite honestly, we at Sun have been doing that on-and-off for at least my not-quite-14-years here. Now that this uncertainty has been removed, we can at least narrow the uncertainty to any internal-to-Oracle decisions, which given certain statements both in the past and yesterday seem pretty encouraging, at least from my engineering perspective.

Jonathan said we should light a candle for Sun. As a prank gift for my 40th birthday, I got a 40-ounce bottle of Olde English. I think instead I will pour that 40 for Sun.

Wednesday Jan 20, 2010

Wanna help your Girl Scouts? Not unless you have Windows. :-P

My wife is the "cookie mom" for our twin girls who are in Daisy Scouts. She was very surprised when she logged in to the regional Girl Scouts cookie site (URL withheld in case any rabid fanboys do something stupid), and discovered that apparently, she needs to use Windows and Internet Explorer.

Their user documentation says: "We do not provide Mac support," and "Use any (non-Mac) computer at home or at work or at the local library." Does this mean they support OpenSolaris, Linux, or *BSD? Naaah, didn't think so.

We're a no-Windows household. We have three Macs, one work-issued OpenSolaris laptop, and a homebuilt OpenSolaris server. Especially in this age of people understanding vendor lock-in as a Bad Idea (TM), I'm shocked and appalled.

I'm going to forward this to a few Mac sites, and maybe slashdot. I'm sure nothing's going to change, but at least this should be discussed a bit, no?

Tuesday Jan 05, 2010

IKEv2 project page updated

The IKEv2 project page on opensolaris.org now has links to both an early-revision design document, and a webrev pointer.

Wednesday Dec 02, 2009

OpenSolaris works out of the box with Amazon Virtual Private Cloud

Glenn Brunette asked me if OpenSolaris could access the Amazon Virtual Private Cloud or not. I told him it had better, or else there was a bug. He then did some scripting work, got some BGP help from Sowmini, and consulted Sebastien on some tunneling details. It's now up, running, and in a nice package, ready to use.

Monday Nov 30, 2009

IKEv2 project now on OpenSolaris

The IKEv2 project page is now available here on OpenSolaris. There's mailing-list information and a brief hello. We are working on design-level issues right now and some larval code, so c'mon over as we start to fire this up.

Monday Nov 23, 2009

End-to-end Research Group is ending

Let me quote BBN's Craig Partridge on the Internet Research Task Force's end2end-interest mailing list:

Dear Friends and Colleagues:

After 26 years, the End-to-End Research Group has decided to cease existence
as of January 1st, 2010.  While there is certainly still end-to-end research
to be done, the group had ceased to effectively serve as a forum for those

The E2E group had a great run, serving as a place where many researchers
could bring their ideas for initial, informal, airing.  The meetings could be
bruising.  (At one meeting, a member tried to encourage a speaker by saying
"We're all friends here" only to pause and say, "No, I'm sorry, actually we
eat our young, but proceed anyway").  But the meetings usually also brought

Ideas that were tested in E2E meetings include slow start and improved
round-trip time estimation, Random Early Drop, Integrated and Differentiated
Services, Weighted Fair Queuing, PAWS, and Transaction TCP.

When I learned about the group (and their enlightening e-mail list), my networking professor described it as covering, "End to end, and everything in between..." Now you half-dozen readers know the exact origin of this blog's name.

Luckily, the mailing alias will still be around. Still, the cliche, "End of an era," really applies here. It's yet another sign of the Internet's maturity, and that the really new places for research are probably somewhere not a lot of people are examining.

Anyone else have something to say about the End-to-End Research Group going away?

Sunday Jul 12, 2009

FiOS vs. Comcast?

I'm moving, and now I have a choice. Which do I choose?

Thursday Jun 18, 2009

Endian-independence -- NOT just for kernel hackers

If you are not considering that your code will run on a different-architecture machine, you're making a newbie mistake.

Friday May 29, 2009

New IPsec goodies in S10u7

There are a few new things in Solaris 10 Update 7 in the IPsec department.

Monday Mar 09, 2009

DOH! Ekiga.net MAILS your password back to you

Make sure you don't pick a good password for ekiga.net -- they mail it back to you IN THE CLEAR in an e-mail message.

I'm so furious, I can't even begin to describe it. Did I miss fine-print on their page saying they'd do something this stupid?

UPDATE: They also store your password in the clear on-disk. Check out ~/.gconf/apps/ekiga/protocols/%gconf.xml if you wanna see it in all of its cleartext glory!
