Wednesday Dec 10, 2008

Congratulations to the OpenSolaris team

As a side effect of being product manager for GlassFish, I've had to give up quite a bit of hands-on Solaris time. However, I've had the time to get OpenSolaris 2008.11 up-and-running in VirtualBox. Good stuff, and great job! I really look forward to trying out Time Slider. In the back of my mind, I'm wondering how this can be utilized for GlassFish configuration version control. In fact, me-thinks I'll try it out.

Friday Mar 30, 2007

Giving NWAM a go

In place of Inetmenu, I've decided to make a go of NWAM using the prototype bits. Thanks to James and Scott for the nudge. So far so good. Works like a charm. I boot my laptop and it automagically gets an IP. It's that simple. Check out the NWAM UI spec.
 

Thursday Mar 29, 2007

Up and running Nevada Build 60

Looks like I'll be running Solaris again as my primary desktop (Yeeee-hawwwww!). More as to why on a future post.

It's been a while since I've done a complete re-install. IIRC, I have live-upgraded from Build 27 to Build 41. I pretty much hosed my install (covered a bit here). Sssooo, I backed up my data and installed Nevada Build 60 from scratch. It seems as if every time I do this, I forget where to download my favorite apps. Through Google, I found that Stacy has a good newbie-to-Solaris-x86 page that gave me some quick-links.

The next step was to download the pre-bundled mplayer through Blastwave so I can listen to talk radio while I configured the rest of the system :)

Other downloads included the accelerated Qemu for running Ubuntu, and CentOS via BrandZ. Why both? Because I can :) Actually, I want to run Glassfish under Linux (under Solaris :-) ).

Lots has happened since Build 41. Firefox instead of Mozilla. Thunderbird. StarOffice 8. Flash Player 7 (Flash Player 9 is on its way). Gaim. To be more accurate, I installed Solaris Express, Developer Edition as a part of build 60, which includes NetBeans 5.5, Sun Studio 11, SAMP, Glassfish, and a boatload of other tools including MySQL.

I'll let you know how things go with build 60. Trying to get up enough courage to install early builds of NWAM. To be honest, I do miss one Windows and Apple feature. Suspend and resume. Yeah, yeah, we know :)

Wednesday Feb 28, 2007

UUASC Virtualization Roundtable

I am a somewhat active member of the UUASC. Tomorrow I will single-handedly lower the average IQ of a panel of experts by 20 points by participating in a roundtable discussion on virtualization. I must say that I love the topic (along with Thin Clients, Java, etc). I may have to pull an IOU for more time or simply get the hook :)

[Image: Solaris Container demo]

After the kids hit the sack last night, I was up 'til the weee hours preparing (futzing around). I installed the Solaris Container Demo (right). I'm working on the demo upgrade to support newer Zone features (such as cloning), but it won't make the deadline for tomorrow. Qemu hosted on Solaris is also ready to go. The attempt to live upgrade from build 41 to build 58 was unsuccessful. I've customized (read: hosed) my Nevada image by installing wwwaayyy too many unsupported bits. Hopefully there will be time to get it installed under Qemu.

If any of you have anecdotal stories on using Dynamic Reconfiguration / Dynamic System Domains, Solaris on Xen/VMWare/Qemu, LDoms (Sun internal only until it's released), Zones and/or Solaris Resource Management, I'd love to bring it up in the talk. If you can't make the talk, you can always check out our virtualization page.

Gotta go. Since we host the meeting in the Sun office, I have to locate a round table. All of the ones I know of are either square or oblong. Hrumph.

Monday Feb 19, 2007

10,000 zfs filesystems

Since the zone test is getting a bit long in the tooth, it is refreshing to see something new and different. While I squeezed 190 zones into a 1GB RAM Ultra 10, Kory is squeezing 10,000 ZFS filesystems into a 1GB RAM v240. I don't know what Kory is testing or why, but it just doesn't matter to me. I still think it is pretty darn cool. Hat tip to Tony for the link.

Thursday Feb 08, 2007

There's more than one way to automate zone creation

There's no doubt that zones have captured the interest of many sysadmins and developers. One of the most popular questions is how to automate zone creation.

A few years ago I wrote a script to create zones for the "how many zones in a jar" exercise. I took that script and added multi-CPU support for provisioning many zones simultaneously. I pulled some code from one of Dan's scripts to implement that, but that never saw the light of day outside of the v880 follow-on exercise. My bad :)

There is also active development of zonemgr. I spend some cycles updating this tool as needed. In fact, I just submitted to Brad the code to support zone privileges, which I need to support the Solaris Container Demo I am updating.

Recently I was pointed to zonetool, which was written by Marty Kiefer. It's written in perl, so if you want zone functionality and are proficient in perl, you can extend Marty's script or use it as is.

Not stopping there, I decided to keep looking. Fintanr has a jumpstart post-install zone creation script. In a similar vein, Mike talks about JET, which supports zone creation. Sun sells some very capable tools, Solaris Container Manager and N1 SPS, to automate zone creation. I've covered those a few times, as have others.

There may be others, but hopefully by now you have a pretty good selection. If you know of other tools, give me a ping as I'd like to know.

Thursday Feb 01, 2007

Setting up a subversion server

I finally got around to setting up a subversion server on the x2100. For now I am using the svnserve approach. FYI, svn+ssh has been unsuccessful because I keep getting a "connection closed" error. Googling on "packet length" errors tells me it may be an SSH versioning issue. FWIW, I'm using the cygwin ssh client. Hint: Hints are welcome :)

The subversion server is up and running (without ssh), with the primary role of managing the Container Demo. I have been getting a steady set of requests as of late for features. Once I get the demo "refreshed", I'll post the code and perhaps look into a place to house it (OpenSolaris.org makes sense).

I started my development career with RCS. Loved its simplicity. Since I developed primarily in a vacuum, it worked out great :) I've also done work with PVCS, CVS, tar, cp -r, zip, and rm -r. Ssssooo, why subversion? Well, it is what my customers are using and I figure it'll help me keep up with them. I am especially interested in how Subversion works with revision numbers and directories. Of course, NetBeans supports Subversion, so my versioning life is greatly simplified.

Tuesday Jan 30, 2007

Updating my Bio to reflect zones

Looks like I have to update my Bio (here and here) for the March 1st instantiation of the UUASC, where I will participate in a Unix Virtualization roundtable (along with near non-blogging-heathen Matt). I just realized my bio doesn't have much content regarding my involvement with zones.

I started playing with Zones somewhere around the mid-20 builds of Nevada / Solaris Express. One of the things I realized rather quickly is how lightweight zones are. So, to figure out just how lightweight, I leveraged some internal storage and wrote a script (superseded by zonemgr) to find out how many I could squeeze into an Ultra 10 with 1GB RAM. The answer is 190. From Monty Python, it literally couldn't eat another bite.

I later repeated the test with a half-populated v880, capping out at 600, all able to deliver apache's index.html :) I could have squeezed more, but I ran out of time.

When I asked those who read my blog to name it, they chose "The Clingan Zone", based on my zones work. To this day I am very grateful to those who participated and those who read my blog, making my life much more interesting.

I also updated a demo, originally used to demo Solaris 9 resources management, to support Solaris 10 zones. While it works well, it needs an update. When I do that, I'll post the code to OpenSolaris.org.

I also participate with main man Brad Diggs in the development of zonemgr, where I plan to add a GUI front end. Zones are easy to deploy, but zonemgr allows you to do more with less typing, as well as some value-add post-configuration, all from one command (potentially long) line.

Right now I am working with customers to deploy Sun's Application Server and Web Server in Zones.

Monday Jan 22, 2007

Zonemgr 1.8 released

Brad Diggs sent out the notice that zonemgr 1.8 has been released. Zonemgr is a script to facilitate zone creation. In one readable command line (with no semicolons but a boatload of backslashes for readability), you can create a zone and apply some zone-candy. Here is an example:

# zonemgr \
    -a add \
    -n clingan \
    -z /zones \
    -E /tmp/password \
    -t s \
    -I "10.10.10.10|e1000g0|255.255.255.0|clingan|" \
    -r "/opt/csw|/opt/csw" \
    -N "mynfsserver|/export/install|/mnt|ro"

Option by option:

-a add: add a zone
-n clingan: name the zone (Clingan Zone :) )
-z /zones: base zone directory, will create /zones/clingan
-E /tmp/password: point to a file with the zone's root password
-t s: make it a sparse zone
-I "...": that'll plumb e1000g0 with the host name of "clingan"
-r "...": that'll read-only mount the blastwave bits to the local zone
-N "...": that'll mount mynfsserver:/export/install to /mnt read-only

Creating zones with zonecfg and zoneadm is straightforward. As you can see, zonemgr makes creating zones a bit more convenient.

For what it's worth, I added the BrandZ support in 1.7 and updated the support in 1.8. I did test the code but I'll admit it's not thorough enough. Feel free to test. My plans now are to write a GUI to front end the script.

Wednesday Jan 10, 2007

Testing Solaris distributions under VMWare

I spent a couple of days toying around with Solaris distributions under VMWare over the holiday. Parse that as 1.5 days of downloading and .5 days of installing :) In particular Nexenta, Nevada b55 and Solaris 10. I'm old hat at Nevada and Solaris 10, but a complete newbie to Nexenta. Nexenta uses the Debian/Ubuntu packaging/distribution mechanisms on top of the OpenSolaris kernel. Note, I've only toyed with Ubuntu but others I know and respect endorse it. I thought I would give it a try.

On the surface Nexenta looks rather simple, but I haven't had time to dig very deep. I toyed around with package management, which is what Ubuntu/Nexenta are touted most for. Java SE 6 doesn't yet ship with Nexenta, and I was quite disappointed when I couldn't install the file-based Java SE 6 build on Nexenta:

Unpacking ...
Checksumming ...
The download file appears to be corrupted.

There is additional verbiage telling me how screwed I am, but you get the point :) I also ran into a problem with the Java tools bundle (with NetBeans), although that also required an additional Nexenta package install (can't recall which - sorry). At some point I'll debug the problem (I'll start with sh -x).

In addition to Nexenta, I downloaded Nevada build 55 with a boatload of developer tools. More on that in a future blog entry. The goal with this VM is to test out some new NetBeans functionality, install the NetBeans 6 daily builds, and help beta test zonemgr 1.8. FYI, the JDK install works in the Nevada VM, so the downloaded bits are not corrupted.

I'll also be updating my container demo in the Nevada VM. Once I get the installation a bit cleaner, I'll think about where to take the darn thing. Put it up on OpenSolaris.org? Keep it a demo? Make it a tool? Dunno. Thoughts are welcome.

VMWare is a great product for just these situations. It may seem odd to some of you that I am running Solaris containers under VMWare, but the two technologies complement each other. VMWare enables multiple Operating System versions (or different Operating Systems altogether) to run on the same server, and Solaris Containers keep applications under Solaris isolated.

Friday Sep 15, 2006

Simplify zone administration using the global zone: Packages



Following up an earlier post, this post covers Solaris packages. I will reiterate that from an administration perspective, zones provide a unique balance between application isolation and shared administration when compared with other virtualization technologies. From a zones perspective, Solaris packages and patches are handled similarly. You have options. A package can be installed in the global zone only, in a non-global (aka, local zone) only or, as in the example below, in all zones in one fell swoop.

root@globalzone:/> # Loopback mount the Solaris 10 Companion CD ISO file
root@globalzone:/> # which contains precompiled and pre-packaged open source software
root@globalzone:/> lofiadm -a /path/to/sol-10-u2-companion-ga.iso
/dev/lofi/1
root@globalzone:/> mount -F hsfs -o ro /dev/lofi/1 /mnt
root@globalzone:/> cd /mnt/Solaris_Software_Companion/Solaris_i386/Packages
root@globalzone:/mnt/Solaris_Software_Companion/Solaris_i386/Packages> /bin/yes | pkgadd -d . SFWexpct
## Verifying package  dependencies in zone 
## Verifying package  dependencies in zone 
## Verifying package  dependencies in zone 
## Verifying package  dependencies in zone 
## Booting non-running zone  into administrative state
## Verifying package  dependencies in zone 
## Restoring state of globalzone zone 
## Booting non-running zone  into administrative state
## Verifying package  dependencies in zone 
## Restoring state of globalzone zone 

Dependency checking issues for package  on zone .

Do you want to continue with the installation of  [y,n,?]
The package  contains scripts which will be executed on
zones  with
super-user permission during the process of installing this package.

Do you want to continue with the installation of  [y,n,?]
Processing package instance  from 
## Installing package  in globalzone zone

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24

        Written by: Don Libes, NIST, 3/23/93

        Design and implementation of this program was paid for by U.S. tax
        dollars.  Therefore it is public domain.  However, the author and NIST
        would appreciate credit if this program or parts of it are used.

YOU MUST OBSERVE ANY AUTHORS' CONDITIONS WITH RESPECT TO
INDIVIDUAL COMPONENTS PROVIDED WITHIN THIS CODE.  SUPPORT
FOR THE TECHNOLOGIES AND DOCUMENTATION IS NOT PROVIDED
BY SUN MICROSYSTEMS, INC.

THE TECHNOLOGIES AND DOCUMENTATION ARE PROVIDED "AS IS" WITHOUT TECHNICAL
SUPPORT OR WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

Using  as the package base directory.
## Processing package information.
## Processing system information.
   6 package pathnames are already properly installed.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of  [y,n,?]
Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.
1960 blocks

Installation of  was successful.
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.
1960 blocks

Installation of  on zone  was successful.
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.
1960 blocks

Installation of  on zone  was successful.
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.
1960 blocks

Installation of  on zone  was successful.
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.
1960 blocks

Installation of  on zone  was successful.
## Booting non-running zone  into administrative state
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.
   52 package pathnames are already properly installed.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.

Installation of  on zone  was successful.
## Restoring state of globalzone zone 
## Booting non-running zone  into administrative state
## Installing package  in zone 

expect - Programmed dialogue with other interactive programs(i386) 5.39,REV=2006.03.26.16.24
Using  as the package base directory.
## Processing package information.
## Processing system information.
   52 package pathnames are already properly installed.

Installing expect - Programmed dialogue with other interactive programs as 

## Installing part 1 of 1.

Installation of  on zone  was successful.
## Restoring state of globalzone zone 
root@globalzone:/mnt/Solaris_Software_Companion/Solaris_i386/Packages> cd /
root@globalzone:/> umount /mnt
root@globalzone:/> lofiadm -d /dev/lofi/1
root@globalzone:/>
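Added example, not the post's own code: the same kind of all-zones install without the "Do you want to continue" prompts that /bin/yes answered above, followed by a check that the package actually reached every running zone at the same version. It assumes it runs as root in the global zone and that pkgadd, pkgparam, zoneadm and zlogin are the Solaris 10 versions; the zone names in the test data are constructed.

```shell
#!/bin/sh
# Write an admin(4) file for pkgadd -n. Dependency, space and runlevel checks
# are answered "nocheck", which is what piping /bin/yes into pkgadd amounted to,
# but a package that would overwrite existing files or add setuid/setgid
# programs makes the install abort ("quit") so those cases get looked at
# instead of waved through.
write_admin_file() {
    cat > "$1" <<'EOF'
mail=
instance=unique
partial=nocheck
runlevel=nocheck
idepend=nocheck
rdepend=nocheck
space=nocheck
setuid=quit
conflict=quit
action=nocheck
basedir=default
EOF
}

# Install package $2 from directory $1 into the global zone and every
# non-global zone (pkgadd's default). Add -G to keep it in the global zone only.
install_everywhere() {
    admin=/tmp/pkgadd.admin.$$
    write_admin_file "$admin"
    pkgadd -n -a "$admin" -d "$1" "$2"
    rc=$?
    rm -f "$admin"
    return $rc
}

# Read "zoneadm list -cp" output (zoneid:zonename:state:zonepath:...) on stdin
# and print the names of the zones that are running, one per line.
running_zones() {
    awk -F: '$3 == "running" { print $2 }'
}

# Print "zone version" for package $1 in every running zone. The global zone is
# queried directly, the others through zlogin; a zone without the package
# reports MISSING.
package_versions() {
    pkg=$1
    zoneadm list -cp | running_zones | while read -r z; do
        if [ "$z" = global ]; then
            v=$(pkgparam "$pkg" VERSION 2>/dev/null)
        else
            v=$(zlogin "$z" pkgparam "$pkg" VERSION 2>/dev/null)
        fi
        [ -n "$v" ] || v=MISSING
        echo "$z $v"
    done
}

# Exit 0 only when every "zone version" line on stdin carries the same version,
# i.e. the package landed in every zone at one level.
versions_consistent() {
    awk '{ seen[$2] = 1 } END { n = 0; for (v in seen) n++; exit (n == 1 ? 0 : 1) }'
}

# Usage: ./zonepkg.sh SFWexpct
if [ "$#" -eq 1 ]; then
    report=$(package_versions "$1")
    echo "$report"
    echo "$report" | versions_consistent && echo "$1: consistent across zones"
fi
```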

Solaris package management resources:

Tuesday Sep 12, 2006

Simplify zone administration using the global zone: Patches



The global zone rules. It sees everything. It is all knowing. Among other things, the global zone is responsible for non-global zone (aka: local zone) lifecycle management. That includes create, install, boot, halt, destroy and everything in between. The global zone has access to everything a local zone has access to. The file system. Network interfaces. Users. Packages. Patches. Everything.

Since the global zone has access to everything a local zone has access to, how can we leverage the global zone to simplify administration of the whole server? Note, I use "server" loosely as Solaris may be installed in a dynamic system domain or VMWare instance for example. From an administration perspective, zones provide a unique balance between application isolation and shared administration when compared with other virtualization technologies. One example covered earlier was leveraging the global zone to audit local zones using BART.

The next topic is operating system patches. With most virtualization technologies, such as VMWare, *PARS and Dynamic System Domains, each running instance of the operating system must be patched individually. If, for example, you have 10 domains/VMWare OS images, then a patch is applied 10 times. It's no surprise that tools exist to address patch management across many servers. Keep in mind that zones are complementary to Dynamic System Domains and VMWare.

With zones, there is administrative flexibility in how patches are applied. Patches can be applied on a zone-by-zone basis, or to all zones in one fell swoop. For example, I installed a Sun Application Server 8.1 patch the other day in just one of 3 potential zones. On the other hand, I wanted the Fault Manager patch to apply to all zones, so I simply installed it in the global zone and all zones were patched automagically (example below). There are exceptions, such as kernel or device driver patches, which are applied to the global zone and more likely than not require a reboot to take effect.

Below is an example of installing the fault manager patch in the global zone and having the patch apply to the global zone and to all non-global zones as well. All in one fell swoop. The zones have been renamed to protect the innocent. The fact that the server has a mix of sparse and whole root zones is accurate. Since the sparse root zones loopback mount the fault manager files, no files are actually installed in the sparse root zones; the patch database in each sparse root zone is still updated, though. Patching the fault manager isn't the best example as the fault manager daemon runs only in the global zone, but hey, that's the patch I needed :) Any other patch is applied in a similar manner.

root@globalzone:~> # Download Patch
root@globalzone:~> smpatch download -i 118344-13
root@globalzone:~> 
root@globalzone:~>
root@globalzone:~> # Add patch. This patch defaults to installing in all zones.
root@globalzone:~> ####################
root@globalzone:~> smpatch add -i 118344-13
add patch 118344-13
Validating patches...
Loading patches installed on the system...
Done!
Loading patches requested to install.
Done!
Checking patches that you specified for installation.
Done!
Approved patches will be installed in this order:
118344-13
Preparing checklist for non-global zone check...
Checking non-global zones...
Restoring state for non-global zone sparsezone1...
Restoring state for non-global zone sparsezone2...
This patch passes the non-global zone check.
118344-13
Summary for zones:
Zone wholezone1
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Zone sparsezone1
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Zone sparsezone2
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Zone sparsezone3
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Zone wholezone2
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Zone wholezone3
Rejected patches:
None.
Patches that passed the dependency check:
118344-13
Patching global zone
Adding patches...
Temporarily disabling fmd(1M)
Patch 118344-13 has been successfully installed.
Re-enabling fmd(1M)
Done!
Patching non-global zones...
Patching zone wholezone1
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
Patching zone sparsezone1
Booting non-global zone sparsezone1 for patching...
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
Restoring state for non-global zone sparsezone1...
Patching zone sparsezone2
Booting non-global zone sparsezone2 for patching...
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
Restoring state for non-global zone sparsezone2...
Patching zone sparsezone3
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
Patching zone wholezone2
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
Patching zone wholezone3
Adding patches...
Patch 118344-13 has been successfully installed.
Done!
root@globalzone:~>

Here's a collection of resources on Solaris 10 patching you may find useful:

Thursday Aug 31, 2006

Securing a zone using the Solaris Security Toolkit



Yep. Still looking over my shoulder. Until recently, I was using a script I wrote to customize a zone. I had two reasons in mind. The first was to disable unnecessary services to conserve RAM, the second to secure the server. However, there is a better way. I've recently adopted the Solaris Security Toolkit (SST) thanks in part to Glenn.

The Solaris Security Toolkit is a configurable tool to harden a system. While best applied during a jumpstart (secure early & repeatably), it can also be applied to a newly installed system. Of course, a newly created zone is a great target for SST. My first application of the SST was to a zone created specifically for the purpose of understanding what the SST does to a host/zone. I have the ability to customize the SST via a driver file to enable or disable the hardening of various OS functions. In fact, while learning about the SST, I was rolling back the zone to repeatedly test out my customizations.

What is equally nice about the SST is that it not only hardens a system, it also enables the administrator to run an audit to detect modifications that stray from the SST hardening. There is one modification I would like, and that is for the SST to be zone aware. What I mean by that is the ability to run the SST from the global zone, and have the SST harden a specified list of non-global zones as well as the global zone. Right now, I have to install the SST into each and every local zone of interest. I'd like to leverage the potential economy of scale of the zones model. Then again, I want to get a bit smarter on "secure by default" to see how it plays with the SST.

If you are serious about security, consider utilizing SST.

Tuesday Aug 29, 2006

Rolling back a zone to a known state



As mentioned earlier, BART is a tool that is used to help detect filesystem modifications, whether they be intentional, unintentional or malicious. So far, the script is working out well with one exception. I'm still mucking with my system so much that wwwaayyyy too many files are changing. On my "core" zones, I'll be reviewing the results before creating a new control file. The remaining zones will be removed as they are temporary.

So what does one do if a zone is compromised? Step #1 is to shut down the zone. No need to be nice as there is no "People for the Ethical Treatment of Zones" (PETZ).  Halt the zone (zoneadm -z zone_name halt). The next step is post-mortem analysis. This is where the BART audit comes in. Execute bart and create a report. That will help to understand how the system was compromised if, and only if, the filesystem was modified. What now? Fixing the problem in a compromised zone and re-booting sure sounds like trouble. The natural thing to do is to restore from tape. Which tape? If BART is run regularly, you'll restore from the last backup prior to the security breach, which BART will hopefully help you find. But tape backup is sssoooo last quarter century. Besides, I don't have a tape drive for my system on the 'Net. I'm on the cheap. The closest thing I have to tape is a read-only DVD drive. Sigh.

To solve this problem, I've mounted my zones on ZFS filesystems as follows:

# zfs create mypool/myzone
# zfs set mountpoint=/zones/myzone mypool/myzone
# zonecfg -z myzone
[ set zonepath=/zones/myzone ]

After creating and configuring the zone, run BART. Next, create a snapshot of the zone:

# zfs snapshot mypool/myzone@`date '+%m_%d_%y__%H:%M:%S'`

In fact, put the above in a cron job and run it at regular intervals. The cron job should also remove old snapshots (greater than N days old) or else zfs filesystem management gets a bit unwieldy - not to mention ever-shrinking disk space. By creating nightly, weekly or monthly snapshots, a compromised system can be restored to a healthy state by running:

# zfs rollback mypool/myzone@08_30_06.....

Before actually booting the zone, fix the security hole (duh). Create a new BART control file. You're set.
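The cron job and the recovery step described above, as an added example rather than the post's own script: it keeps the post's MM_DD_YY__HH:MM:SS snapshot naming, prunes by count instead of by age so no date arithmetic is needed, and assumes the dataset is mypool/myzone as above and that it runs as root in the global zone. The snapshot names in the test are constructed.

```shell
#!/bin/sh
# Build a snapshot name for dataset $1 using the post's date format.
snapshot_name() {
    echo "$1@$(date '+%m_%d_%y__%H:%M:%S')"
}

# Read snapshot names (one per line, e.g. from "zfs list -H -t snapshot -o name")
# on stdin and print those belonging to dataset $1 that are older than the
# newest $2, oldest first. The MM_DD_YY__HH:MM:SS suffix is reordered to
# YYMMDDHHMMSS so that a plain sort is chronological.
snapshots_to_destroy() {
    ds=$1; keep=$2
    grep "^$ds@" |
    awk -F'@' '{ split($2, d, /[_:]+/)
                 printf "%s%s%s%s%s%s %s\n", d[3], d[1], d[2], d[4], d[5], d[6], $0 }' |
    sort |
    awk -v keep="$keep" '{ name[NR] = $2 } END { for (i = 1; i <= NR - keep; i++) print name[i] }'
}

# Cron entry point: take a new snapshot of dataset $1, then destroy everything
# but the newest $2 snapshots of it.
rotate_zone_snapshots() {
    ds=$1; keep=$2
    zfs snapshot "$(snapshot_name "$ds")"
    zfs list -H -t snapshot -o name -r "$ds" | snapshots_to_destroy "$ds" "$keep" |
    while read -r snap; do
        zfs destroy "$snap"
    done
}

# Recovery: halt zone $1, then roll its dataset back to snapshot $2 (given as
# dataset@name). -r is needed when $2 is not the newest snapshot; it destroys
# the newer ones, so "zfs send" them somewhere safe first if the post-mortem
# still needs them. Boot the zone only after the hole is fixed and a fresh BART
# control file has been created.
restore_zone() {
    zone=$1; snap=$2
    zoneadm -z "$zone" halt
    zfs rollback -r "$snap"
}

# Usage from cron: zonesnap.sh mypool/myzone 30
if [ "$#" -eq 2 ]; then
    rotate_zone_snapshots "$1" "$2"
fi
```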


Thursday Aug 24, 2006

OpenSolaris.org needs a new graphic



OpenSolaris is looking for a new graphic. With the cosmic theme in mind, I hear Pluto is looking for a new home. How about this?

Ok, sometimes I try too hard ..
About

John Clingan
