Thursday Sep 17, 2009

Answering a customer's LDOMs security questions

Recently a customer in the Federal Government asked some fairly straightforward security questions about Logical Domains.  In doing my research, I found it wasn't that straightforward to get the answers from the standard Logical Domains (LDOMs) documentation.  Luckily, our engineering and marketing team stepped up to provide clear, concise answers so that this customer (who prefers to remain anonymous) can move forward and implement their virtualization strategy on Sun's T2 class of processors.

Logical Domains (LDoms) provide built-in and no-cost virtualization capabilities for Sun Chip Multithreading (CMT) Servers. Unlike proprietary virtualization technologies, LDoms can save you up to $10,000 per server. It allows you to create virtual machines that take advantage of the massive thread scale offered by these platforms. Create up to 128 virtual servers on one system... for free!  Customers have used Logical Domains to reduce their costs and consolidate their server farms for significant returns in operations and energy savings. For example, using LDOMs and Solaris containers, the United States Air Force was able to reduce rack space to achieve a 13:1 consolidation ratio, decreased server deployment time by more than 90% and cut datacenter power consumption by more than 25%. Download the software for Solaris 10 or OpenSolaris today.

Logical Domains allow the primary Solaris domain (sometimes known as the control domain) to create virtual disks and assign CPU thread, network, memory and I/O resources to other virtual Solaris machines to run on a single system.  The control domain uses the Logical Domains Manager (LDM) to control, monitor and manage the running domains.  Live migration of domains is supported.

LDoms 1.2 adds a number of new features, including:

  • Improved Network performance with the introduction of support for jumbo frames
  • Reduced power footprint with CPU power management, powering off cores that aren't in use automatically
  • Easier adoption with support for physical-to-virtual migration tool
  • Quick start with support for configuration assistant tools
  • Faster agility with enhancements to Domain Mobility
  • Increased control and response to guest availability with Domain dependencies
  • In-built protection from corruption with Auto-recovery of configurations

And now on to the Q and A:

CPU

Q: Can the Control domain access/utilize the CPU threads of a guest without shutting down the guest?

Answer: A Control domain cannot access the CPU threads assigned to a guest domain unless the threads are removed from the guest, and then added to the control domain, such as with CPU Dynamic Reconfiguration, or by rebooting both the guest and control domain after a Static Reconfiguration. LDoms fundamentally partitions CPU resources and there is no sharing of CPU thread resources. Enforcement of this partitioning and separation is done at the Hypervisor level, so it cannot be circumvented by the Control domain.

Virtualization solutions for x86 and IBM Power systems typically time-slice access to threads across multiple guests. This is because IBM and Intel CPUs have very few threads per socket. With SPARC CMT, we have up to 128 threads per socket, and we take advantage of the hardware by using a much safer and simpler partitioning approach in the SPARC Hypervisor and LDoms.

Q: Can a guest domain access the CPU threads of another guest?

Answer: No. LDoms partitions threads and does not share them across logical domain boundaries. See detailed explanation above.

Q: Can a guest domain access the CPU threads of the control domain?

Answer: No. See answers above.

Memory

Q: Can the Control domain alter the active memory space of a running guest?

Answer: There are two types of memory “alteration” in a system: the first is modifying the contents of existing memory in a guest, and the second is the reconfiguration of memory size within a guest. For LDoms, guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

As of LDoms 1.2, any request to change the memory configuration (i.e. how much memory a guest has allocated to it) through the LDM command line interface on the Control Domain would queue a “Delayed Reconfiguration” operation, which would take effect upon the next reboot of the guest. Beginning in LDoms 2.0, we will support the dynamic reconfiguration of a guest domain's memory configuration.

Some memory transfer or shared memory access between domains is done in order to implement virtual devices and domain services. These transfers and this sharing are strictly controlled by each domain and by the SPARC hypervisor: a domain defines, with the hypervisor, the memory data it is going to transfer or share with another domain.

Q: Can a guest domain access the memory of another guest?

Answer: No. Guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

Q: Can a guest domain access the memory of the control domain?

Answer: No. There are no interfaces which allow for a guest to modify the configuration of or gain access to any part of the control domain's memory.

Virtual Network

Q: Can the control domain alter the network traffic of guest domains? The concern is about a compromised Control Domain becoming a man-in-the-middle. How can this condition be identified/reported?

Answer: Yes. The network switching of the packets is done in a software driver (vsw); it's harder to alter the network traffic to guest domains, but a compromised control (or service) domain *can* alter the traffic. Our security model assumes that the domain(s) that host services such as vsw are trusted, so they need to be secured as per the local security guidelines. Compromising or accessing the network traffic of guest domains from the control domain requires root access on the control domain.

Q: Can a guest domain access the network traffic for another guest? The assumption is yes, since an IP network is being shared. A scenario of interest - or precondition - is if the physical NIC is disconnected, other than via the physical IP network. The key concern is a guest domain accessing the IP traffic of another guest domain via the virtual switch.

Answer: No. The traffic between the virtual switch (vsw) and the virtual network device (vnet) uses Logical Domain Channels (LDCs), which are a point-to-point type of connection. As a result, the traffic between the virtual switch and a guest domain is not visible to other guest domains. Note, switching is based on MAC addresses and LDoms doesn't allow the MAC address of a vnet device in a guest domain to be changed, so guest domains cannot spoof by changing their MAC addresses.

Q: Can a guest domain access the network traffic of the control domain?

Answer: No. Guest domains will only see traffic that fits the following:

  • Unicast traffic that matches the MAC address of the virtual network device in the guest domain.
  • Broadcast traffic.
  • Multicast traffic which the guest domain has registered to receive.

No other packets will be seen by the guest domains.

Virtual Disks

Q: Can a guest domain access virtual disk devices that it has not been allocated, e.g., other guests, Control Domains?

Answer: No. A guest domain can only access virtual disk devices that have been explicitly assigned to it. It will not see, nor can the guest access any other disk.

Virtual Console

Q: Can a guest domain access the virtual console of another guest domain?

Q: Can a guest domain access the console for the control domain?

Answers: A guest domain cannot access the console interface for a different guest domain, nor can a guest domain access the console for the control domain. The only console access is via a privileged user on the control domain itself. There are no interfaces available in any other scenario for accessing a guest console, including over the general network interface.

Special Interest

Once the LDoms are running in our environment, there is very little need to log into the Control Domain (CD) and this is preferred behavior.

Q: Can a Control Domain be shut down and the LDOMS continue to run? If not, are there other options for maximally restricting access to, e.g., "locking" a CD once the LDoms are configured? An acceptable instance of "locking" is restricting access to the CD from Virtual Console only. Ideally, access via SSH would also be highly restricted. Limited access for maintenance and configuration is also acceptable.

In summary, the primary objective of these features is to secure the CD from a malicious user gaining access and changing LDom configuration without detection.

Answer: One of the architectural principles of LDoms has been that a guest domain can operate independently of the control domain. For example, if a control domain were to fail and reboot, the guests will continue to operate. Extending this logic, yes, you can currently shut down the control domain and the guest environment will continue to operate. However, this holds only if the guests are using virtual I/O (assuming that I/O is being served from an I/O service domain that's not the control domain) or have been granted direct ownership of one or more PCI-E busses. But with the advent of upcoming projects like direct I/O (the ability to assign individual PCI-E slots to a guest) and SR-IOV (the ability to assign individual PCI-E virtual functions to a guest), it will not be possible to shut down the control domain without impacting guest domains that have been allocated individual PCI-E slots or functions.

In addition, other caveats, or things to consider are:

  • Without a control domain, there is no console access to the guests unless the console service is hosted elsewhere.

  • With no control domain, there's no LDoms Manager, which precludes any monitoring or reconfiguration of the guests. It also precludes capabilities such as domain mobility (i.e. migration) and power management.

  • All IO used by the guest must continue to be available – i.e. If the control domain is also operating as an IO service domain, those IO devices being served by the control domain will cease to be available for the duration that the control domain is down.

  • FMA (the Solaris Fault Management Architecture) will be unavailable.

  • Certain Sun as well as third party management tools require access to the control domain; if the control domain goes down, those tools will have degraded capability.

In terms of "locking" or severely limiting access to the control domain, that is certainly possible, but would be subject to its own set of constraints:

  • Without control domain access, there is no console access to the guests unless the console service is hosted elsewhere.

  • There's no way to interact with the LDoms Manager directly, which limits the ability to monitor, manage, or reconfigure the guests. The current lack of a suitable standalone LDoms management capability exacerbates this issue.

  • The inability to login to the control domain makes it extremely difficult to discover or manage any I/O (e.g. disks & network interfaces) bound to that domain.

  • Certain Sun as well as third party management tools require access to the control domain; if the control domain is locked down, those tools will have degraded capability.

The control domain is usually configured as a service domain. In that case, the control domain needs to be up and running in order to provide service for virtual devices used by guest domains. If the control domain is down then access to virtual devices is suspended until the control domain comes back up.

On appropriate platforms, I/O domains can be created and used as service domains instead of using the control domain as a service domain. That way, guest domains will not depend on the control domain to access their virtual devices.

Monday Sep 14, 2009

Why Oracle wants Solaris

Forbes magazine published a great article on why Oracle wants Solaris.

Some of the highlights include:

  • Virtualization
  • Scalability
  • Security 
  • Reliability
  • Management
  • Flexibility

Also, see my earlier blog entry about 7 things Oracle will love about Sun.

If you have any doubts about Oracle's commitment to Solaris, SPARC and Sun, just ask them....

 

Wednesday Jul 22, 2009

Open Source and the US Government

Sun has long been an advocate for the use of open source software in government (both US and abroad).  In fact, Sun Federal President and COO Bill Vass has created a series of blog entries about why the government can benefit from open source.  These reasons include:

Now, Sun and a broad array of industry giants have created the Open Source for America Consortium. In addition to Sun, founding members include Oracle, Google, Red Hat, Gnome foundation, Mozilla, Collabnet and others.  The board of advisors includes a number of industry and government luminaries that I've had the pleasure of working with in the past including:

  • Dawn Meyeriecks (formerly of DISA as well as AOL)
  • Marv Langston (former DoD Deputy CIO)
  • Bill Vass
  • Art Money (former DoD CIO)
  • Simon Phipps (Sun's Chief Open Source Officer)

From the OSA web site:

The mission of OSA is to educate decision makers in the U.S. Federal government about the advantages of using free and open source software; to encourage the Federal agencies to give equal priority to procuring free and open source software in all of their procurement decisions; and generally provide an effective voice to the U.S. Federal government on behalf of the open source software community, private industry, academia, and other non-profits. The mission incorporates three goals: (1) to effectuate changes in U.S. Federal government policies and practices so that all the government may more fully benefit from and utilize free and open source software; (2) to help coordinate these communities to collaborate with the Federal government on technology requirements; and (3) to raise awareness and create understanding among federal government leaders in the executive and legislative branches about the values and implications of open source software. OSA may also participate in standards development and other activities that may support its open source mission.

While some consider the "open source" movement to be a religion or political agenda designed to socialize software or kill proprietary vendors, what it really boils down to is simply developing software outside the company firewall so that you can take advantage of the strengths of the community.  To quote Bill Joy (former Sun co-founder), "Innovation often happens elsewhere."

Sun offers a wide variety of supported, enterprise class open source projects including MySQL, OpenSolaris, OpenSSO, Glassfish and more.  Download some open source Sun software today and you too can start experiencing the benefits of open source.

Federal Government customers can contact Sun's sales office in McLean VA by calling 703 204 4100.


Sunday May 31, 2009

Updating to OpenSolaris 2009.06

Update:  See the screencast on how to update at the CommunityOne website.

For What's New in OpenSolaris 2009.06, see this PDF presentation... 

If you have OpenSolaris 2008.11 installed, the repositories have now been updated to include the 2009.06 packages. You do NOT have to do a clean install. Simply update your packages.  The complete download image will be available on Monday June 1st.

However, the Update manager GUI tools will tell you that no new packages are available. You must use the command line tools to update SUNWipkg first. Attempting to run the "pfexec pkg image-update" command will give you a message indicating that you need to run:

pfexec pkg install SUNWipkg

in order to update the package tools. Once this process is complete, you can use the command line or the GUI Update Manager to move to 2009.06. Update manager will create a new boot environment (using ZFS) and make it the default BE. OpenSolaris will be featured prominently during Community One/JavaOne this week.

One more bit of information.  If you have created zones on your OpenSolaris installation, you may need to uninstall the zones before updating. Otherwise, the update manager will give you an error (for which there is a bug, ID 8313):

"Unable to clone current boot environment"

To remove the zones:

pfexec zoneadm -z zonename uninstall
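As an added pre-flight script (not from the post) that ties these steps together: it refreshes SUNWipkg first, then parses the output of zoneadm list -cp and refuses to run image-update while non-global zones still exist, since that is what triggers the "Unable to clone current boot environment" error. The function names, and the colon-separated field order assumed for zoneadm -p output, are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not the post's own script): pre-flight check for the
# OpenSolaris 2008.11 -> 2009.06 image-update.

# Print the names of non-global zones from 'zoneadm list -cp' output.
# Assumed field order: zoneid:zonename:state:zonepath:uuid:brand:ip-type
nonglobal_zones() {
  listing=$1
  printf '%s\n' "$listing" | awk -F: 'NF >= 2 && $2 != "global" { print $2 }'
}

# Return 0 when no non-global zones are configured (safe to image-update),
# 1 when at least one zone would make the boot-environment clone fail.
update_allowed() {
  [ -z "$(nonglobal_zones "$1")" ]
}

run_update() {
  # Step 1: update the packaging tools themselves. The GUI Update Manager
  # cannot see the 2009.06 packages until this has been done. The exit
  # status is ignored because the package may already be current.
  pfexec pkg install SUNWipkg

  # Step 2: refuse to continue while zones exist (bug 8313 in the post).
  zones=$(nonglobal_zones "$(zoneadm list -cp)")
  if [ -n "$zones" ]; then
    echo "Uninstall these zones first (pfexec zoneadm -z <name> uninstall):" >&2
    echo "$zones" >&2
    return 1
  fi

  # Step 3: move to 2009.06; a new ZFS boot environment becomes the default.
  pfexec pkg image-update
}

# Only touch the system when invoked as "script run", so the functions can
# be sourced and checked against sample output without running pkg.
if [ "${1:-}" = "run" ]; then
  run_update
fi
```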

Monday Apr 27, 2009

Why is an airport like a computing cloud?

I recently had the opportunity to speak at FOSE about cloud computing.  I was also stationed at Sun's table in the Cloud section of the exhibit hall and had an unbelievable number of people come up and ask me what I thought cloud computing is.  Sometimes I think they were just polling all the vendors to see how many different answers they could get.  Needless to say, there are a wide variety of opinions as to the meaning of a cloud and the best use of a computing cloud.

While traveling to Anaheim last week for the DISA customer conference, I spent a good amount of time in LAX.  It occurred to me while I was sitting there that the airport is a perfect analogy to a cloud.  It just happens to be a transportation cloud.

What is an airport?

An airport is a shared transportation resource run by a single organization serving a variety of vendors and customers.

How is an airport like a cloud.... Let me count the ways.

  1. Shared common security model that keeps vendors and customers in the right place at the right time.
  2. Shared infrastructure that can be virtualized to a variety of vendors depending upon their needs including:
    1. Runways
    2. Gates
    3. Ticket issuing stations
    4. Baggage handling
    5. Security stations
    6. Customs inspectors
    7. Shopping
  3. Air traffic control to ensure that planes don't crash in the air
  4. Ground traffic control to ensure that planes go to gates they've paid for
  5. A single manager for the shared service (the local airport authority)

Why did airports become clouds?

Imagine if each airline actually had to have its own airport in each city.  A Delta plane could only fly from one Delta airport to another.  Each would need their own runways, parking lots, security guards and more.  It would clearly be an unsustainable model.

Benefits of the transportation cloud

Clearly the airlines saw the benefits of sharing an infrastructure in a number of ways including:

  • Reduced costs (less real estate, infrastructure and personnel)
  • Reduced training through standardization of tools and process
  • Improved efficiency
  • Less waste (fewer unused resources such as ticket agents, gates, security guards)
  • The ability to scale an airline up or down as economic factors required and pay for only the resources used.

The idea of a cloud is not so new after all and has been around for years in different forms.  It's up to us in the computer industry to take these existing models with manual processes and automate them in a way that provides the same security and flexibility as we find in an airport today.

One of the unique things about the "transportation cloud" is that planes can easily leave one cloud (the LAX cloud) and travel to another cloud (the DCA cloud) because of agreed upon standards in flight numbers, communications protocols and a standardization body (the FAA).  Sun is building a cloud infrastructure just as Google, Microsoft, Amazon and others have.  Sun, however, is also focusing on open, interoperable standards for cloud computing so that sometime in the future, it will be easy to move an application not just within the Sun cloud but from the Sun cloud to the Amazon cloud and back again.

Join the community and start to experience the benefits of the cloud.  Learn more and stay up to date on the status of Sun's cloud computing offering.

Hopefully, I'll see you sometime soon in the clouds.


Wednesday Apr 22, 2009

7 things Oracle will love about Sun

Important note

This blog is my opinion only (actually just random musings) and does not represent official Sun policy.  I have no inside knowledge of Oracle or Sun's intentions or plans for the upcoming acquisition of Sun by Oracle.

There are a whole host of reasons that Oracle bought Sun, some of which have already been clearly stated by Oracle management. They include Java, MySQL, Sparc, Servers, Storage and Solaris. Listen to the webcast to hear it from Larry Ellison, Safra Catz as well as other Oracle and Sun leaders.  Also, please review the FAQ regarding the acquisition.

I think that there are some specific things that Oracle will love to gain in this acquisition.

Star/Openoffice

As the second largest software company in the world, there is at least one thing that Oracle has NOT had yet that their primary competitor has, and that is an office automation suite used by students, grandmas, and enterprises worldwide.  The ability to have your name in front of millions of users is a powerful tool, particularly when they can download it for free and run it on Windows, MacOS, Linux distros and Solaris.  I think we know that Larry is not a great friend of Microsoft and this will give him one more thing to poke in their eye.

xVM VirtualBox

This free and powerful virtualization tool provides an ideal platform to allow customers to test, develop and deploy Oracle software solutions on a variety of platforms in the comfort of a user's own laptop.  Its upcoming ability to upload a virtual machine to the "cloud" will provide a low cost way for Oracle to accelerate adoption of their hosted application services.

JavaFX

The upcoming land grab for rich internet applications (RIAs) will be a fierce competition between Microsoft, Adobe and Oracle with Sun's JavaFX.  JavaFX provides an advanced tool with proven security and programming model to deploy RIAs on billions of devices over the network.  Its open source status will ensure a broad developer acceptance and diverse contributions from industry, academia and government.  In the fight for "eyeballs" JavaFX will provide Oracle with a significant competitive advantage in function as well as wide device support.

Sun Federal

Sun Federal has a broad reach and is an important strategic part of Sun Microsystems.  Our staff works closely with DoD, Intelligence and Civilian agencies to deploy mission critical applications using a complete systems approach of servers, storage, software and services.  With the anticipated new requirements for government IT efficiencies, Sun Federal will be a real asset to Oracle.

GlassFish

This free, open source application server is fast and easy to download and get started with.  It can provide a low (no) cost way for new businesses to get started in enterprise datacenters, college dorm rooms or Amazon EC2 appliances.  Owning GlassFish will give Oracle access to a whole class of customer that normally might not consider their enterprise software.

The Sun Modular Datacenter

What better way to deliver a soup to nuts enterprise application service in a can?  Enough said!

Sun Ray thin clients

As far back as 1996, Larry Ellison has been talking about a low cost, network computer that draws services from a virtualized desktop environment. Sun introduced the Sun Ray ultra-thin client in 1999, and I can personally vouch for the fact that some of those early revision network appliances are still working on desks in our Sun Federal headquarters in McLean, VA.  The savings in energy, noise, real estate and refresh costs certainly must have helped Sun's bottom line along the way.  We have deployed many tens of thousands of Sun Rays in commercial industry and government over the years.  I feel certain that Oracle will expand the usefulness and applicability of the Sun Ray.


I have only touched the surface of advanced research, development, services and products from which Oracle will benefit.  Both Sun and Oracle have always believed that the customer wants true innovation from their IT vendors.  This is what Sun strives for at all times.

I leave you with a quote from a developer I met at the DISA customer conference this week.

"I love Java.  I wrote my thesis on Java.  I think this merger of Oracle and Sun is a match made in heaven."

What do you think?  Please offer your comments!






DoD uses Solaris Security Toolkit

If you are a part of the US DoD you may remember my earlier blog entry (July 2007) in which I posted customizations to the Solaris Security Toolkit designed to help secure a computer in compliance with DISA Security Guidelines.  Although I haven't done any additional work since that time, Aaron Lippold of DISA took my work and extended it to increase compliance and updated it to more recent versions of DISA STIGs.

Aaron recently notified me that his modifications have now been posted on Forge.mil.

Forge.mil is a family of services provided to support the DoD's technology development community. The system currently enables the collaborative development and use of open source and DoD community source software. These initial software development capabilities are growing to support the full system life-cycle and enable continuous collaboration among all stakeholders including developers, testers, certifiers, operators, and users.

This is great news because it provides a way for the DoD community to collaborate together to make the tool better for everyone. If you are a DoD employee or contractor with a Common Access Card (CAC) you can access this project at https://software.forge.mil/sf/projects/dodsst/.

Join the community, download the tools, contribute changes and make your life generally better by using the Toolkit and DoDSST project to secure your Solaris 10 environment quicker, in an automated and more reproducible fashion.

I'd like to thank Aaron for the hard work he has done and for his initiative in creating this project for the good of the US Government.

Tuesday Apr 14, 2009

Sun at the DISA Customer Conference in Anaheim CA

Once again Sun will be showing a variety of our products and services at the DISA customer conference this year being held in Anaheim, CA. Come see us in booth #924.

Sun's systems and blades based on Intel's new Nehalem processors

Find the fastest, most cost effective and energy efficient Intel processors that can run Solaris 10, OpenSolaris, VMware, MS Windows, Red Hat and SUSE platforms.

Sun ATCA Blade chassis

As a leader in open systems design, it makes sense that Sun would offer a blade chassis compliant with the Advanced Telecommunications Computing Architecture.  Sun offers Intel, AMD and Sparc chip designs in a single blade chassis.

Here's a photo of the traveling exhibit that we will be bringing.  Learn more about Sun's ATCA products as well as our competitive Blade 6000 products, now featuring the new Intel Nehalem family of processors.

Thin Clients

Our Sun Ray Thin client technology allows you to save money, "be green" and reduce operating costs whether you are running a Solaris, Linux or Windows environment. Read about the many customers who have deployed thin clients successfully, replacing existing PC environments.

Identity Management and SOA software

Sun's Identity Management and SOA solutions allow customers to get a handle on their users, data and programs, making them more agile, responsive and secure while helping them comply with government regulations.

This popular, open source database can cost as much as 10% of the traditional vendors, reducing your cost while extending your reach to the internet. Download and try MySQL today.  It installs in less than 15 minutes on all the popular OS platforms.

Sun 7000 Unified Storage System

Sun's newest, network attached storage system, the 7000 series provides high performance, low cost storage with the advantages of solid state disk and detailed analytic tools.

OpenSolaris

Experience the next generation of Solaris technology by downloading OpenSolaris or Solaris 10 today for Sparc, Intel or AMD based platforms.

Dynamic Systems

Dynamic Systems Inc is a Sun partner with the capability of providing all of Sun's products and services via GSA contract, Enterprise Software Initiative contract or their BPA with DISA known as SSTEW.

CopperEye

CopperEye is a leading provider of enterprise data management solutions that eliminate the economic, technical and operational barriers to storing and accessing massive volumes of data.

And more....

Ask any of our booth personnel (including me) for any information about these or any other Sun products or services in which you are interested.

Tuesday Mar 24, 2009

Sharing Folders in VirtualBox

One of the new features of the recently posted VirtualBox 2.2 beta1 is that you are finally allowed to share folders from an OpenSolaris guest to a MacOS host.  This increases the usability of VBox substantially for me because I've been using a workaround for a while.

It's easy to setup the sharing capability in the Virtualbox GUI. With your VM running:

Devices > Shared Folders

Enter the path of a folder on your Mac and the "Share" name that you will be using to reference it on your OpenSolaris system.  The share name does not need to be related to the actual folder path.

UPDATE NOTE:  In Solaris 11 express build 151a, the initial user is NOT configured as Primary Administrator by default and the pfexec command listed below will not work until you give the user that role. 

  • System > Administration > Users and Groups
  • Click on your username and Properties
  • User Profiles tab, select Primary Administrator and click OK

On the OpenSolaris side, you need to mount the file system to make it visible to the user.

bash-3.2$ id
uid=101(jlaurent) gid=10(staff) groups=10(staff)

bash-3.2$ mkdir mac
bash-3.2$ pfexec mount  -F vboxfs -o uid=101,gid=10 jlaurent /export/home/jlaurent/mac

This, however, is annoying to do each time you reboot so it would be nice to have the file system mount on boot up.  Adding a line to /etc/vfstab should help.

 jlaurent    -    /export/home/jlaurent/mac    vboxfs    -    yes    uid=101,gid=10

Unfortunately, in my testing, this prevented the system from booting.  Thanks to Michael, I learned that this is because Solaris processes vfstab BEFORE it completes the ZFS mount of my home directory in /export/home.  Changing the line to:

jlaurent    -    /mac    vboxfs    -    yes    uid=101,gid=10

Fixed the problem.  

However, it's not very convenient at /mac.  There are a few other options.

You can also add the line to your .bashrc file, but that only takes effect when you start a new terminal window.  The best option for me was to place the line in the Gnome session startup scripts.

System > Preferences > Sessions > Add


There's a little trick, however, that was non-intuitive to me the first time I did this.  My file system was NOT mounting on login and I didn't know why.  I checked into my .xsession-errors file and found the message: mount: command not found.

As you can see in the screen shot above, the absolute pathname is required for commands executed during login.
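Here is an added helper script (not from the post) that can be registered under System > Preferences > Sessions to do the mount at login. It uses absolute paths for every command, takes the uid/gid from id instead of hard-coding them, and skips the mount when /etc/mnttab already lists the mount point, so a second login does not fail on an already-mounted share. The share name jlaurent and mount point /mac follow the post; the function names and the mnttab column order are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not the post's own script): mount a VirtualBox shared
# folder on an OpenSolaris guest at GNOME login. Every command uses an
# absolute path because session startup scripts run without the interactive
# PATH (the "mount: command not found" seen in .xsession-errors).

SHARE_NAME="${SHARE_NAME:-jlaurent}"   # "Share" name from Devices > Shared Folders
MOUNT_POINT="${MOUNT_POINT:-/mac}"     # outside /export/home: independent of ZFS home mount timing

# Build the -o option string vboxfs expects, e.g. uid=101,gid=10.
vboxfs_opts() {
  printf 'uid=%s,gid=%s' "$1" "$2"
}

# Return 0 if mount point $1 is already listed as a vboxfs mount.
# $2 is the text of /etc/mnttab (assumed tab-separated columns: special,
# mount point, fstype, options, time), passed in so it can be checked offline.
is_vboxfs_mounted() {
  printf '%s\n' "$2" | /usr/bin/awk -v m="$1" \
    '$2 == m && $3 == "vboxfs" { found = 1 } END { exit !found }'
}

mount_share() {
  uid=$(/usr/bin/id -u)
  gid=$(/usr/bin/id -g)
  if is_vboxfs_mounted "$MOUNT_POINT" "$(/usr/bin/cat /etc/mnttab)"; then
    return 0            # already mounted, nothing to do
  fi
  [ -d "$MOUNT_POINT" ] || /usr/bin/pfexec /usr/bin/mkdir -p "$MOUNT_POINT" || return 1
  /usr/bin/pfexec /usr/sbin/mount -F vboxfs -o "$(vboxfs_opts "$uid" "$gid")" \
      "$SHARE_NAME" "$MOUNT_POINT"
}

# Only perform the mount when invoked as "script run", so the functions can
# be sourced and checked without touching the system.
if [ "${1:-}" = "run" ]; then
  mount_share
fi
```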

Issues:

StarOffice and Gedit do NOT want to save data back into this folder even though cp and vi have no problem with it.  I'm still researching this issue.



Wednesday Mar 11, 2009

OpenSolaris and Cloud Computing at FOSE

If you happen to be attending the Federal Office Systems Exhibition (FOSE) this week at the convention center in Washington, D.C., drop in on my OpenSolaris session.  It will be held Thursday at 11:30 in room 158A. Come and see the benefits of ZFS, DTrace, Zones and other new features in OpenSolaris.

Come visit Sun's booth #2309 to learn more about all of our systems, storage, software and services. 

I also provided a 5 minute "lightning talk" and panel discussion on Cloud Computing on Tuesday. About 120 people attended. Read more about Sun's cloud initiatives at our web site. Stay alert for upcoming announcements about Sun's cloud offerings.

Catch me if you can at Sun's table in the Cloud area of the exhibit hall and play "stump the geek."

 You can download OpenSolaris or Solaris 10 for free usage.  Do it today and get started learning.

Wednesday Feb 25, 2009

HP to Ship the Solaris 10 OS With its ProLiant Systems

In a resounding endorsement for the Solaris 10 enterprise grade operating system, Sun and Hewlett-Packard today announced an expanded multi-year partnership agreement for HP to distribute and support Sun's Solaris 10 OS. The top five x86/x64 based system vendors (Sun, HP, IBM, Fujitsu/Siemens, Dell) now all ship Solaris with their systems.

If you don't happen to have an HP system, feel free to check out Sun's servers based on the Intel, AMD or Sparc processors, or download Solaris 10 or OpenSolaris for free and try it out on your laptop or PC.  If you don't like the ugly mess of multi-booting using GRUB, try it in Sun's free and open-source VirtualBox environment.  VBOX allows you to run Solaris 10, OpenSolaris, Red Hat or Windows on top of a variety of hosts such as Windows, Linux, Solaris or Mac OS.


Wednesday Feb 04, 2009

Sun Analysts series of web casts posted

To see what Jonathan, Mike Lehman, Peter Ryan, Dave Douglas and others are telling the analyst community, see the webcasts at:

http://www.sun.com/events/sas/index.jsp

Thursday Nov 06, 2008

File sharing OpenSolaris guest in VirtualBox on Mac host

Sun's VirtualBox type II hypervisor is a great free tool for running multiple guest OSes on your desktop.  I use VBOX on my Mac to run Solaris 10 and OpenSolaris.

One of the weaknesses of VBOX at this time is that the "guest additions" don't yet support file sharing from a Solaris guest OS.  There are ways around this, however, using SMB protocols.  Here's how....

  • Configure SMB sharing on your Mac
    • Apple Menu > System Preferences > File Sharing pref pane
    • Enable File sharing
    • Click Options
    • Enable Share files and folders using SMB
    • Enable your username account for file sharing. Doing this exposes your home folder on the network as a Windows shared folder. Make sure you have a good password!
  • Install Solaris or OpenSolaris in VirtualBox
  • Configure NAT networking
  • Open a Nautilus file browser
  • Go > Location
  • Enter: smb://10.0.2.2/<usernameonmac>
  • Enter your password
  • A new file browser should open with your mounted files.
  • Bookmarks > Add Bookmark

This works because when NAT networking is configured the Solaris guest gets an IP address of 10.0.2.xx.  The VBOX hypervisor acts not only as DHCP server but also as gateway and host at IP address 10.0.2.2.

In OpenSolaris, you can also do this using the Places > Connect to server menu item.  Choose Custom Location from the pull-down menu and enter the SMB address.

For more on accessing Windows Sharing check out Brian Leonard's blog entry.

Meanwhile, make sure to get the free downloads of Solaris 10, OpenSolaris or VirtualBox.


Friday Oct 31, 2008

Trip Report: DoD Open Conference sponsored by AFEI

Yesterday I attended the DoD Open Technologies conference sponsored by the Association For Enterprise Integration. The presentation slides have been posted. It was a well attended event at the Reagan building in Washington DC.  The keynote address was provided by Sun Federal's president and COO Bill Vass.  Bill pointed out how, during his time working at OSD (before he came to Sun), the intelligence agencies were beginning to adopt open source software for a number of reasons:

  • More secure
  • Higher quality
  • Lower procurement barriers
  • Faster deployment
  • Lower cost to exit
  • Allows government participation and customization

He also pointed out that software (whether open source or proprietary) is developed in Russia, India and China. He left no doubt that the government is using and should continue to use Open Source software throughout their IT programs.  Feel free to review all of Bill's slides.

Mark Tolliver (formerly of Sun), now of Palamida, discussed the importance of software component analysis (SCA).  SCA is the process of auditing your software to determine:

  • What OSS components you are using
  • What licenses apply
  • What vulnerabilities might exist

In one example, he used his company's tools to scan a piece of ISV software and found that 65% of it consisted of OSS software.  His experience shows that the industry average is now up to 50%.  This causes a number of issues because licensing issues and vulnerabilities in OSS software become YOUR issues when you deliver a product to your customer.  If you are not fully aware of all of the components, you may be passing on vulnerabilities from older versions of software that have already been fixed in the community.  SCA is important because you can't secure what you don't know you have.
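The three SCA questions above as a runnable check, added here as an example and not taken from the talk or from any vendor's tool: it compares a constructed component manifest against a constructed advisory feed and flags any component shipped below the version in which an issue was fixed, which is exactly the "older version already fixed in the community" case. All component names, versions, licenses and advisory ids are made up for the example.

```shell
#!/bin/sh
# Added example, not from the talk or from any vendor's tool: a minimal software
# composition check.  It answers the three SCA questions (which OSS components,
# which licenses, which known issues) for a constructed manifest by comparing
# each shipped version with the version in which a constructed advisory was
# fixed.  Every component name, version, license and advisory id below is
# made up for the example.

# Constructed manifest, one component per line: name version license
sample_manifest() {
    cat <<'EOF'
cryptolib 0.9.8g OpenSSL
compresslib 1.2.3 zlib
logkit 1.2.15 Apache-2.0
imagelib 1.2.5 libpng
EOF
}

# Constructed advisory feed: component fixed_in_version advisory_id
sample_advisories() {
    cat <<'EOF'
compresslib 1.2.3 ADV-EXAMPLE-001
imagelib 1.2.10 ADV-EXAMPLE-002
cryptolib 0.9.8h ADV-EXAMPLE-003
EOF
}

# sca_report ADVISORY_FILE MANIFEST_FILE
# Prints "name version license STATUS [advisory (fixed in X)]" per component.
# A component is VULNERABLE when its version sorts below the fixed version.
# Versions compare numerically per dotted field; a trailing letter (0.9.8g)
# is compared as a suffix.  That covers the sample data, but a real feed
# needs the version scheme of each ecosystem.
sca_report() {
    awk '
    function vercmp(a, b,   pa, pb, n, m, i, x, y, sx, sy) {
        n = split(a, pa, "."); m = split(b, pb, ".")
        if (m > n) n = m
        for (i = 1; i <= n; i++) {
            x = pa[i] + 0; y = pb[i] + 0
            if (x != y) return (x < y) ? -1 : 1
            sx = pa[i]; sy = pb[i]
            sub(/^[0-9]+/, "", sx); sub(/^[0-9]+/, "", sy)
            if (sx != sy) return (sx < sy) ? -1 : 1
        }
        return 0
    }
    # first file: remember the fixed version and advisory id per component
    NR == FNR { fixed[$1] = $2; advid[$1] = $3; next }
    # second file: classify each shipped component
    {
        status = "OK"; note = ""
        if (($1 in fixed) && vercmp($2, fixed[$1]) < 0) {
            status = "VULNERABLE"
            note = " " advid[$1] " (fixed in " fixed[$1] ")"
        }
        print $1, $2, $3, status note
    }' "$1" "$2"
}

# Run the check over the constructed samples; the report goes to stdout.
sca_demo() {
    adv="${TMPDIR:-/tmp}/sca_adv.$$"
    man="${TMPDIR:-/tmp}/sca_man.$$"
    sample_advisories > "$adv"
    sample_manifest > "$man"
    sca_report "$adv" "$man"
    rm -f "$adv" "$man"
}

sca_demo
```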

His recommendations to the government included:

  • Require vendor to document OSS code contents
  • Audit code acquired
  • Create a strategy for application security
  • Enforce ongoing training for engineers on how to get the code, vet the code and integrate the OSS code
  • Document the use of all code for future generations of maintainers
  • Use automated scanning tools (his product, of course)
    • Static Analysis
    • Dynamic Analysis
    • Compositional analysis
    • Anti-virus

John Garing, CIO of the Defense Information Systems Agency (DISA), described how Hitler had trouble invading Russia because of differences in the railway gauge standards between the two countries.  He drew parallels between this and his current personal problem in the DoD, where they have contracted with two different Collaboration solutions (to provide competition).  A person chatting in one community can't "see" or interact with a person in the other community.  To summarize, open standards and open interfaces are key to getting services faster to the warfighter.

A panel of government and industry discussed a variety of topics related to open source.

Dan Risacher of OSD/NII reported that a new OSD guidance memo was expected to be released soon.  Dan is a big advocate of open source in the government.

Bdale Garbee of HP is an open source participant in the industry and suggested that government needs to go further to allow both government employees and system integrators to participate and contribute to OSS projects without running afoul of government property rights, employer policies or patent issues.  They also discussed the issues surrounding license and ITAR export control.

The afternoon panel discussed how tactical approaches to open source are being carried out.

Stu Lewin of BAE systems described their detailed creation of a governance board, processes, documentation and training to ensure that the OSS brought into BAE projects is properly vetted, licensed, documented and maintained.

Allan Hardy of Lockheed Martin described how they audit OSS use and perform risk mitigation.  He noted that OSS touches every stage of the software life cycle from proposal through design, test, documentation and support.  He credited a strong process as well as ongoing training of engineers for their successful use of OSS.

Colin Roufer, a lawyer at Boeing, discussed the legal issues surrounding OSS. Important points include:

  • There is no negotiation of a license such as the GPL.  Get over it
  • The GPL does NOT require that you give the source to everyone in the world, only to those who receive the binary
  • The recipients of GPL code are bound by the same requirement to pass source code and license down to second level recipients

Peter Vescuso of Black Duck software described a case study of a small company who provided OSS to Broadcom.  The Broadcom chip was in turn built into a Linksys router. Linksys was in turn bought by Cisco.  At this point, Cisco did not know that there was OSS content and was not properly conveying that information to its customers.  OSS management requires a cross-function team including:

  • legal
  • purchasing
  • export control
  • QA
  • Configuration management
  • engineering

Summary

Open source is good for the government.  It can lower costs, improve quality and reduce time to mission accomplishment.  Sun Microsystems is the largest contributor of open source software in the industry.  You can take advantage of OpenSolaris, MySQL, Netbeans, OpenStorage and many other products today at low cost.

 Please join our OpenStorage launch on November 10th to learn more.

Thursday Oct 23, 2008

Comparing Solaris/OpenSolaris/Red Hat and Win2003 server

Many of you have previously seen my comparison chart for Solaris 10, Red Hat Enterprise Linux 5 and MS Windows 2003, all of which can be purchased from Sun running on Sun hardware.  All of the current open source development effort for Solaris is going on in the OpenSolaris community and Sun has produced a binary distribution of OpenSolaris which is available (along with support contracts) at OpenSolaris.com.  

Development from Sun's engineers and outside contributors continues at a fast pace on OpenSolaris and there are hundreds of projects and thousands of community members.  Occasionally, features from OpenSolaris get back ported to Solaris 10 when there is sufficient business case and customer demand, and engineering determines that the new feature will not reduce the stability of Solaris 10.  Past examples include Trusted Extensions, ZFS, CPU Caps and more.  Eventually, OpenSolaris will form the basis for the next major version of Solaris with long term support.  In the meantime, you can put the OpenSolaris binary distribution into production today and get support for it from Sun.

With that in mind, I have updated my comparison chart to include OpenSolaris in addition to the other OSes.

Why should you care?

OpenSolaris provides significant new features for Sun users, for developers as well as infrastructure operators. Examples include:

  • ZFS automatic snapshot
  • Network auto configuration
  • Image Packaging system and update GUI
  • CIFS server in kernel
  • Improved Gnome user interface and accessibility
  • More GNU utilities.

Download it today for Intel and AMD based laptops, workstations or servers.

Try it out with Sun Studio Developer tools, optimized AMP Stack or other open source software in our repository.



Monday Oct 20, 2008

Another one of my customers loves Solaris 10

 

My previous blog entry attempted to establish the fact that Solaris 10 (including Containers/Zones) is used throughout the US DoD.  On a related note, I received this direct quote from one of my customers in the US DoD.

Just as a reminder, I'm the DNS guy for all of <Deleted> We're running
zones for our DNS servers (authoritative and recursive) world-wide from
Hawaii to Stuttgart and places in between and they are functioning
beautifully.  Sol 10 is the most versatile OS ever!

Keep the good news coming!

Tuesday Oct 14, 2008

US Air Force Saves money/space with Solaris containers

As an OS Ambassador for Sun Federal, I'm frequently asked the questions:

Are Solaris containers "certified" for use by the US Government or DoD?

  • Short answer: Yes!  Read on for the long answer.
  • Solaris 10 has received the highest commercial level of Common Criteria Certification.  This is known as EAL4+ and we did this using 3 protection profiles:
  • If you review our documentation and security target, you'll find that the "Trusted Extensions" component of Solaris 10 which implements the LSPP is based upon Solaris containers.  We use Solaris containers in a unique manner by providing each container with a security label which cannot be violated by a user inside the container.
  • In addition, you should note that Sun includes the GUI, Multi-level desktop (Gnome and CDE), LDAP server and management tools in our evaluation.  Red Hat's CC evaluation is for a command line installation only.
  • I'm unaware of any other government "certification" which would apply to Solaris containers.  If you know of any, please let me know.

Who is using Solaris containers in the US Government?

Is Solaris 10 (or MySQL or JCAPS or another Sun product) on my federal agency's "approved products list?"

  • Whenever I get this question I ask my own questions:
    • For which agency?
    • Please show me a public web site that hosts the "approved products list."
    • Whom should I contact to have my product added to the "approved products list?"
    • What are the specific requirements to be on the "approved products list?"
  • In many cases I'm met with blank stares and the person who asked me the question doesn't know where to find the APL. Sometimes it doesn't actually exist.  In other cases there are waiver procedures available to bypass the APL. While I'm not saying that there are no APLs in federal agencies, I believe that a lot of people believe that there is when there isn't.  There most certainly is NOT one big APL for the federal government or DoD.
  • One example of an APL is the DoD's Joint Interoperability Test Command's IPv6 APL.  There you will find Solaris 10, and we are in the process of adding additional products.

Summary

Solaris 10 is in use today in a wide variety of government and DoD applications including many of its advanced features such as containers, ZFS, SMF and much more.

Download Solaris 10 today and try it or look into the future with OpenSolaris.


Wednesday Oct 01, 2008

Solaris: Why it's so successful.

Why is Solaris 10 so successful in the market?  It's all about platforms, developers, OEM providers and application availability.

Platforms

Solaris 10 runs on the major volume platforms in the industry: Sparc, Intel and AMD.  Contrary to popular opinion (and competitive FUD), the Sparc architecture is NOT a proprietary architecture.  It is an industry standard and open source architecture that anyone can replicate (and have already).  On the other hand, the Intel X86 architecture (while a de facto standard) is proprietary and can only be replicated using an expensive and legally difficult clean room reverse engineering process.

Developers

Solaris 10 supports developers by being available for free download, being able to run on low-cost x86 laptop and desktop systems and providing a vibrant open source community for developing new enhancements.  Don't forget our great development toolkit.

OEM Vendors

Solaris 10 can be purchased from the major hardware vendors in the industry through OEM agreements: Sun, Dell, IBM, Fujitsu/Siemens and Intel.

Applications

Solaris 10 has a larger application catalog than any other Unix or Linux product in the market place.

Solaris Ready Application Catalog
All Results 6620 Apps
SPARC 5653 Apps
X64 3527 Apps

Why should you care?

You don't buy hardware or operating systems because they're cool or keep your data center warm.  You buy for applications.  Choosing a platform that is available from major vendors, runs on a variety of platforms (large and small), supports your developers and has a larger application catalog should be high on your list.


Friday Sep 26, 2008

Back from Grand Canyon rafting vacation

Yes, I know, I promised I wouldn't post my vacation pictures on my blog, but this one was just too good to resist.  I'll be very brief.

Fifteen passengers and 5 boatmen put in to the Colorado River at Lee's Ferry about 10 miles south of Lake Powell, named for the brave explorer who first traversed the Grand Canyon in 1869.  We spent five days of perfect weather on the chilly (55 degrees) river enjoying smooth water and rough.  The river was surrounded by cliffs up to 2500 feet high. The food was great and prepared by our boatmen each night.  It included steaks, fish, fettuccine, salad, fruit and nightly dessert. The nights were cool sleeping under the stars on the riverside beaches.  Our sleeping companions included scorpions, tarantulas and at least one rattlesnake that we found four feet from my head one morning.  The valley was also populated with bighorn sheep, deer, ducks, rainbow trout and falcons.

In addition to floating on the big 18 foot rafts, we also got to take turns on a smaller inflatable kayak or a catamaran style inflatable boat called a "shredder."  The waves were great!

We enjoyed daily hikes into side canyons to hunt for Indian ruins and petroglyphs, final resting places of long dead river runners, as well as hidden waterfalls.  The last day included a 7.8 mile hike from the inner gorge to the south rim (4500 feet up) and back to civilization, capped with a few cold beers.  It took 5.5 hours but provided great views of the canyon and wildlife, as well as a few mule trains passing us on the way down.

The staff of Moki Mac took great care of us and there were only a few involuntary dunkings in the cold river.

See the Photos

Also, see the brief Quicktime movie

Friday Sep 12, 2008

Updating your OpenSolaris to the latest build

One of the nicest features of OpenSolaris is the new package management feature.  Using the pkg command you can quickly update your system to the latest bits available in the repository.  It turns out, however, that with OpenSolaris 2008.05 there is a workaround that you must use in order for this to work properly.  It caught me by surprise recently (not reading those forums thoroughly enough).

Like the rest of the world, I downloaded the OpenSolaris 2008.05 ISO image to my MacBook Pro and installed it into (Sun's free and open source hypervisor) VirtualBox 2.0.  The 2008.05 edition is based upon build 86. To get the complete update to the latest build 97, I simply:

time pfexec pkg image-update -v

About 35 minutes later the system has been updated, a ZFS snapshot of my original system has been made and the grub menu automatically updated to add a new boot image.  All I need to do now is reboot.  This is where the pain started.  After the initial Solaris banner, the system simply reset itself repeatedly.

Luckily, thanks to the snapshot, I can still choose the original boot environment from the GRUB menu.

Thanks to the great community of OS Ambassadors within Sun, I had my solution within hours as posted at this forum.

  • beadm list
  • pfexec beadm mount <my boot env> /mnt
  • pfexec /mnt/boot/solaris/bin/update_grub -R /mnt

Final step was getting my favorite Gnome theme to help my Solaris box look more like a Mac and place the close widget in the upper left corner where God and Steve Jobs intended it to be.

Finally, if you are a Linux user and unfamiliar with the "pfexec" command, see Glenn Brunette's blog about the benefits of pfexec vs. sudo.


Monday Sep 08, 2008

Using Virtual Box on MacOS to host a Solaris Sun Ray server

With the release of Virtual Box 2.0, I'm happy to report that VB for Mac now supports "host networking." What does this mean to you?  In the 1.x version of VB for Mac, only NAT support was included which made it extremely difficult for your Solaris OS within VB to actually act as a server on the network.  With the new host networking, the Solaris VM can now assign itself an IP address on your network.

With this in mind, I set about to reproduce the steps I detailed earlier this year for creating a Sun Ray thin client server on my Mac.  After configuring a new Solaris 10 VM with 1 GB of RAM, 8 GB of disk and host network, I installed the Sun Ray server software (using my handy instructions previously posted),  and it worked with no problem.

In case you haven't heard of it, Virtual Box is:


Thursday Aug 14, 2008

Updated: Solaris 10 and OpenSolaris enhanced for Intel XEON

I added some additional YouTube video links to my blog on enhancements for Intel in Solaris 10 and OpenSolaris. 

Monday Aug 11, 2008

Updated: Solaris 10 and OpenSolaris enhanced for Intel XEON

Many of you have heard that Solaris 10 and open-source OpenSolaris run on both SPARC and X86/X64 architectures.  You probably even know Solaris is available on both AMD and Intel processors in Sun servers as well as non-Sun platforms. In fact, Dell, IBM and Fujitsu/Siemens are Solaris OEMs on their platforms. You may even know that Solaris has set a number of world record benchmarks for scalability and performance on the Intel processor.  But do you really know how we did it?

Sun and Intel work together on a number of areas in the Solaris OS and development tools including:

  • I/O optimizations
  • Scalability and performance
  • Power Management
  • Compiler optimizations
  • Virtualization enhancements
  • Fault Management

There are a number of resources available where you can learn why Solaris is a great choice on Intel XEON processors.

These are just a few of the projects that make Solaris run better than any other OS on Intel Xeon based processors.  Many more have been completed or are planned in the future, including enhancements specifically for the Intel Nehalem microarchitecture.

Download Solaris 10 or OpenSolaris today and try it out on your favorite Intel based PC, Server or Virtual Machine.




Tuesday Jul 22, 2008

FAQ: Getting free Solaris security patches

Solaris 10 is free for download and security patches are also free.  Additional patches, however, require a subscription or service contract from Sun.  The question frequently comes up on how to get the free security patches.  In the past, they were built into a bundle, however, I have this information from the Solaris sustaining engineering team.

The patch bundles at SunSolve.sun.com contain the recommended patches.
This includes security AND other non-security patches.
- The bundle of patches contains all the patches that fix the Sun Alert issues.
- The Sun Alert categories are defined as security + availability + data_loss
- This is stated in the README for the patch bundle

As the "other" non-security patches are NOT free, the whole bundle of patches
cannot be made free.

Note that as with patches themselves, the README for the bundle is free, just the
actual patches are NOT free.

But assuming that your customer has a service plan, he should be able to get this.

To see which patches are free in the Sol 10 SPARC set, you can go to:-

  http://sunsolve.sun.com/show.do?target=patches/zos-s10

But you need to view this when logged in as a regular user without a contract.
Then it will show you a red key symbol next to each patch that is NOT free.

The security patches alone, do not appear in any bundle.
You must download any patch individually.
Or you can use PCA - a free non-Sun tool for patch management.

Sun advertises this free PCA tool located at http://www.par.univie.ac.at/solaris/pca/


Wednesday Jul 02, 2008

Using your Mac as a Sun Ray server

Like most System Engineers at Sun, I'm often called upon to demonstrate Sun's technology especially Solaris 10 and Sun Ray thin clients.  In the past, demonstrating Sun Rays meant bringing a customer into our Sun office OR setting up a network server and device at the customer's location. 

To make this much easier, I decided to follow the example of others and turn my Sun issued MacBook Pro into a Sun Ray server.  As a result of this configuration, I can set two devices on my customer's desk with only one ethernet cord and no power cords (have to keep those batteries charged) to display the power of the Sun Ray thin client.  I also have a configuration (thanks to Matt) that provides a multi-level Solaris environment via Solaris 10 Trusted Extensions along with the ability to display an MS Windows desktop using Win2003 running in a separate virtual machine on the same Mac.  Very Cool!

To do this I needed:

Here's how I did it:

  • Install Solaris 10 using VMware Fusion and these settings.
    • 1024 MB of RAM
    • Bridged networking
  • Install the Solaris 10 Entire Distribution
  • Configure the Solaris IP address as 192.168.1.3
  • Download the Sun Ray Server Software (it's free)
  • unpack the downloaded tar image, this creates a directory srss_4.0
  • install the apache tomcat server.  In my case:
    • su
    • cd /opt
    • tar xvf /Documents/srss_4.0/Supplemental/Apache_Tomcat/apache-tomcat-5.5.20.tar
    • mv apache-tomcat-5.5.20 apache-tomcat
  • install Sun Ray Server Software
    • cd ~jlaurent/Documents/srss_4.0
    • ./utinstall  (installs the Sun Ray server tools in /opt/SUNWut)
  • patchadd 127554-02
  • reboot
  • PATH=$PATH:/opt/SUNWut/sbin
  • Use utadm to add the 192.168.1.0 subnet as a shared Sun Ray network.  Make sure to choose the option to offer IP addresses.
 # utadm -A 192.168.1.0
### Configuring /etc/nsswitch.conf
### Configuring Service information for Sun Ray
### Disabling Routing
  Selected values for subnetwork "192.168.1.0"
    net mask:           255.255.255.0
    no IP addresses offered
    auth server list:   192.168.1.3
    firmware server:    192.168.1.3
  Accept as is? ([Y]/N): n
  new netmask: [255.255.255.0]
  Do you want to offer IP addresses for this subnet? (Y/[N]): y
  new first Sun Ray address: [192.168.1.245]
  number of Sun Ray addresses to allocate: [10]
  auth server list:     192.168.1.3
To read auth server list from file, enter file name:
Auth server IP address (enter <CR> to end list):
If no server in the auth server list responds,
should an auth server be located by broadcasting on the network? ([Y]/N):
  new firmware server: [192.168.1.3]
  new router: [192.168.1.1]
  Selected values for subnetwork "192.168.1.0"
    net mask:           255.255.255.0
    first unit address: 192.168.1.245
    last unit address:  192.168.1.254
    auth server list:   192.168.1.3
    firmware server:    192.168.1.3
    router:             192.168.1.1
  Accept as is? ([Y]/N): y
### Configuring firmware version for Sun Ray
### Successfully enabled tftp for firmware downloads
        All the units served by "sunray" on the 192.168.1.0
        network interface, running firmware other than version
        "4.0_127553-02_2008.03.06.15.04" will be upgraded at their next power-on.

### Configuring Sun Ray Logging Functions
### Turning on Sun Ray LAN connection

NOTE: utrestart must be run before LAN connections will be allowed

DHCP is not currently running, should I start it? ([Y]/N): y
  • utrestart -c
  • utconfig

Configuration of Sun Ray Core Services Software

This script automates the configuration of the Sun Ray Core Services
software and related software products.  Before proceeding, you should
have read the Sun Ray Core Services 4.0 Installation Guide and filled
out the Configuration Worksheet.  This script will prompt you for the
values you filled out on the Worksheet.  For your convenience, default
values (where applicable) are shown in brackets.

Continue ([y]/n)? y
Enter Sun Ray admin password:
Re-enter Sun Ray admin password:

Configure Sun Ray Web Administration? ([y]/n)?
Enter Apache Tomcat installation directory [/opt/apache-tomcat]:
Enter HTTP port number [1660]:
Enable secure connections? ([y]/n)?
Enter HTTPS port number [1661]:
Enter Tomcat process username [utwww]:
Enable remote server administration? (y/[n])?

Configure Sun Ray Kiosk Mode? (y/[n])? y

Enter user prefix [utku]:

Enter group [utkiosk]:

Enter userID range start [150000]:

Enter number of users [25]:
Configure this server for a failover group? (y/[n])?
About to configure the following software products:

Sun Ray Data Store 3.0
    Hostname: sunray
    Sun Ray root entry: o=utdata
    Sun Ray root name: utdata
    Sun Ray utdata admin password: (not shown)
    SRDS 'rootdn': cn=admin,o=utdata

Sun Ray Web Administration hosted at Apache Tomcat/5.5.20
    Apache Tomcat installation directory: /opt/apache-tomcat
    HTTP port number: 1660
    HTTPS port number: 1661
    Tomcat process username: utwww
    Remote server administration: Disabled

Sun Ray Core Services 4.0
    Failover group: no
    Sun Ray Kiosk Mode: yes

Sun Ray Kiosk Mode 4.0
  User name prefix:   utku
  Base user ID:       150000
  Number of accounts: 25
  Kiosk group name:   utkiosk
  Kiosk group ID:     auto

Continue ([y]/n)? y
Updating Sun Ray Data Store schema ...
Updating Sun Ray Data Store ACL's ...
Creating Sun Ray Data Store ...
Restarting Sun Ray Data Store ...
Starting Sun Ray Data Store daemon .
Wed Jul  2 11:02 : utdsd starting

Loading Sun Ray Data Store ...
Executing '/usr/bin/ldapadd -p 7012 -D cn=admin,o=utdata' ...
adding new entry o=utdata
adding new entry o=v1,o=utdata
adding new entry utname=sunray,o=v1,o=utdata
adding new entry utname=desktops,utname=sunray,o=v1,o=utdata
adding new entry utname=users,utname=sunray,o=v1,o=utdata
adding new entry utname=logicalTokens,utname=sunray,o=v1,o=utdata
adding new entry utname=rawTokens,utname=sunray,o=v1,o=utdata
adding new entry utname=multihead,utname=sunray,o=v1,o=utdata
adding new entry utname=container,utname=sunray,o=v1,o=utdata
adding new entry utname=properties,utname=sunray,o=v1,o=utdata
adding new entry cn=utadmin,utname=sunray,o=v1,o=utdata
adding new entry utname=smartCards,utname=sunray,o=v1,o=utdata
adding new entry utordername=probeorder,utname=smartCards,utname=sunray,o=v1,o=utdata
adding new entry utname=policy,utname=sunray,o=v1,o=utdata
adding new entry utname=resDefs,utname=sunray,o=v1,o=utdata
adding new entry utname=prefs,utname=sunray,o=v1,o=utdata
adding new entry utPrefType=resolution,utname=prefs,utname=sunray,o=v1,o=utdata
adding new entry utPrefClass=advisory,utPrefType=resolution,utname=prefs,utname=sunray,o=v1,o=utdata

Added 18 new LDAP entries.

Creating Sun Ray Core Services Configuration ...
Adding user account for 'utwww' (ut admin web server user) ...done
Sun Ray Web Administration enabled to start at system boot.
Starting Sun Ray Web Administration...
See /var/opt/SUNWut/log/utwebadmin.log for server logging information.

Unique "/etc/opt/SUNWut/gmSignature" has been generated.

Restarting Sun Ray Data Store ...
Stopping Sun Ray Data Store daemon
Sun Ray Data Store daemon stopped
Starting Sun Ray Data Store daemon .
Wed Jul  2 11:02 : utdsd starting
Adding user admin ...
User(s) added successfully!

Creating new Sun Ray Kiosk Mode configuration ...

Validating new user ids.
Validating new user accounts.
Creating kiosk group utkiosk
Configuring new kiosk user accounts:
.........................
25 users configured

***********************************************************
The current policy has been modified.  You must restart the
authentication manager to activate the changes.
***********************************************************
Configuration of Sun Ray Core Services has completed.  Please check
the log file, /var/adm/log/utconfig.2008_07_02_11:01:42.log, for errors.

In MacOS

  • Apple Menu > System Preferences > Network
  • Location > Edit Locations
  • Click the '+' Sign to create a new location and name it.
  • Click on Ethernet
  • Configure Manually
  • IP address 192.168.1.1
  • Netmask 255.255.255.0
  • Click Apply
  • Turn your Airport Wireless connection OFF. (This appears to interfere with the networking path to Solaris)

Connect the Sun Ray device directly to the Mac with a single ethernet cord.  No hub required.

If you have done this correctly, when you power on the Sun Ray device it will get an IP address from Solaris and display a login screen.

Access the Sun Ray web based management tool by pointing your browser to http://localhost:1660


Thursday May 15, 2008

Importing Solaris VMDK image into Virtual Box

Virtual Box 1.6 has been released and is no longer in beta for MacOS X.  One of the advertised features is the ability to import VMDK image files from VMware into Virtual Box.  Being the eternal optimist, I decided to try it.  How long could it take?  A few minutes maybe?  I have quite a few different VMs in Fusion and did this with Solaris 10 08/07.

Virtual Box is:

  • a type 2 hypervisor
  • Free
  • Open Source
  • supported on a variety of host OSes (Windows, Linux, Macintosh and OpenSolaris)
  • capable of running a variety of guest OSes
  • now owned and being developed by Sun Microsystems as part of the open source xVM family of virtualization products

The first part was easy. Extract the VMDK file and import it into Virtual Box

  • Right click on your chosen VM.  Choose "Show Package Contents"
  • Find a file with a .vmdk suffix.  Click once to select
  • Command-D (duplicate it). Wait a few minutes while Mac OS copies the multi-GB file
  • Drag the copied file to another location
  • Start Virtual Box
  • File > Virtual Disk Manager
  • Click Add.  Locate and select the copied .vmdk file. Click OK.
  • Create a New VM as usual using the added vmdk file
  • Boot the VM

That should have been it, right?  Unfortunately, after the GRUB screen appeared and Solaris started to boot, the VM fell into an endless reboot loop.  Obviously it's mostly working, but something is still wrong.  Luckily, inside Sun we archive our mail aliases, and Rudolf Kutina had already posted a solution to the problem.

The reboot loop comes from the fact that VMware Fusion emulates SCSI disks (c0t0d0s0) while VBox emulates IDE disks (c0d0s0).  The Solaris device tree, /etc/path_to_inst, the boot path in bootenv.rc and the vfstab entries all still name the SCSI device, which does not exist under VBox.  Rudolf's solution is not for the faint of heart but DOES work.  After all, it's only a virtual machine; if I mess it up, I just make another copy.  What have you got to lose?

  1. Boot into Solaris Safeboot (failsafe) mode from the GRUB menu; it is usually the 2nd or 3rd entry.
  2. Safeboot will usually find the slice that contains Solaris and ask whether to mount it on /a. Answer yes.
  3. Rename /a/dev, /a/devices and /a/etc/path_to_inst out of the way (I just append .orig), then create new empty /a/dev and /a/devices directories (mkdir) and touch an empty /a/etc/path_to_inst.
  4. Run "devfsadm -r /a" to rebuild the device tree under /a.
  5. Set TERM so that vi works: TERM=vt100; export TERM
  6. Fix the boot-disk path change. Edit /a/boot/solaris/bootenv.rc and change the line "setprop bootpath '/pci@0,0/...'" to the physical path of the disk now mounted on /a. To find it, run 'df -k' and note the device /a is mounted from (something like /dev/dsk/c1d0s0), then run 'ls -l /dev/dsk/c1d0s0' (or whatever df listed); the link target is ../../devices/pci@0,0/...ide..., and the bootpath is that target with the leading ../../devices removed.
  7. Fix the disk names in /a/etc/vfstab to match the IDE "c0d0sX" scheme: change each instance of the SCSI name (c1t0d0s0 in my image, or whatever your vfstab shows) to the IDE name df -k showed (c0d0s0 etc.).
  8. Rebuild the boot archive on /a: "bootadm update-archive -v -R /a"
  9. Force a reconfiguration boot with 'touch /a/reconfigure'
  10. Fix the network interface name, since Fusion presents an Intel e1000g NIC and VBox a PCnet (pcn) NIC: under /a/etc (the imported root, not the Safeboot environment's own /etc) delete dhcp.e1000g0 and hostname.e1000g0 and create an empty dhcp.pcn0.
  11. Flush and unmount: "cd /; sync; sync; sync; umount /a"
  12. Reboot with 'init 6'

Enjoy your new Virtual Box machine.
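Steps 6 and 7 are the ones where a typo costs another trip through Safeboot, so here is an added example (mine, not Rudolf Kutina's procedure and not a Sun tool) that scripts the vfstab and bootenv.rc rewrites as shell functions you can dry-run on copies before applying them under /a. It assumes the imported root is mounted on ALT_ROOT (/a) and that VirtualBox presents the boot disk as IDE (cXdYsZ); the function names, the ALT_ROOT variable and the sample vfstab, bootenv.rc and device-path strings are constructed for illustration, not taken from the post or from a real VM. devfsadm, touch /a/reconfigure and the network-file changes stay manual.

```sh
#!/bin/sh
# Added example, not Rudolf Kutina's procedure and not a Sun tool: steps 6 and 7 as shell
# functions that can be dry-run on copies before they touch the imported root.
# Assumptions (mine): the imported root is mounted on ALT_ROOT (/a), VirtualBox presents the
# boot disk as IDE (cXdYsZ), and the sample vfstab/bootenv.rc lines and device paths below
# are constructed from what df -k and ls -l /dev/dsk/... typically show, not copied from a VM.

ALT_ROOT=${ALT_ROOT:-/a}

# ide_name SCSI_NAME [CONTROLLER]: c1t0d0s0 -> c0d0s0 (drops the tN target component).
ide_name() {
    printf '%s\n' "$1" | sed -e "s/^c[0-9]*t[0-9]*\(d[0-9]*s[0-9]*\)$/c${2:-0}\1/"
}

# fix_vfstab [CONTROLLER]: rewrite every /dev/dsk and /dev/rdsk SCSI name on stdin to the IDE
# scheme (step 7). zvol swap, nfs and other non-disk entries are left untouched.
fix_vfstab() {
    sed -e "s#\(/dev/r\{0,1\}dsk/\)c[0-9]*t[0-9]*\(d[0-9]*s[0-9]*\)#\1c${1:-0}\2#g"
}

# fix_bootenv PHYSPATH: replace the 'setprop bootpath' line on stdin with PHYSPATH (step 6).
fix_bootenv() {
    sed -e "s|^setprop bootpath .*|setprop bootpath '$1'|"
}

# bootpath_for DISKNAME: the physical path behind /dev/dsk/DISKNAME in the Safeboot environment,
# i.e. the symlink target with the leading ../../devices stripped, which is what bootenv.rc wants.
bootpath_for() {
    ls -l "/dev/dsk/$1" | sed -e 's|.* -> \.\./\.\./devices||'
}

# apply DISKNAME: do steps 6 to 8 for real. DISKNAME is the IDE name df -k shows for /a.
# Originals are kept with a .orig suffix so the change can be undone from Safeboot.
apply() {
    path=$(bootpath_for "$1")
    ctl=$(printf '%s\n' "$1" | sed -e 's/^c\([0-9]*\)d.*/\1/')
    cp "$ALT_ROOT/etc/vfstab" "$ALT_ROOT/etc/vfstab.orig"
    fix_vfstab "$ctl" < "$ALT_ROOT/etc/vfstab.orig" > "$ALT_ROOT/etc/vfstab"
    cp "$ALT_ROOT/boot/solaris/bootenv.rc" "$ALT_ROOT/boot/solaris/bootenv.rc.orig"
    fix_bootenv "$path" < "$ALT_ROOT/boot/solaris/bootenv.rc.orig" > "$ALT_ROOT/boot/solaris/bootenv.rc"
    bootadm update-archive -v -R "$ALT_ROOT"
}

# Constructed samples: a Fusion-style vfstab (SCSI names) and its bootenv.rc bootpath line.
SAMPLE_VFSTAB='/dev/dsk/c1t0d0s1   -                   -      swap  -  no  -
/dev/dsk/c1t0d0s0   /dev/rdsk/c1t0d0s0  /      ufs   1  no  -
/dev/zvol/dsk/export/swap  -            -      swap  -  no  -'
SAMPLE_BOOTENV="setprop bootpath '/pci@0,0/pci1000,30@10/sd@0,0:a'"
# A typical VirtualBox IDE path for the first disk (sample; read the real one with bootpath_for).
SAMPLE_IDE_PATH='/pci@0,0/pci-ide@1,1/ide@0/cmdk@0,0:a'

if [ "${1:-}" = --apply ]; then
    [ -n "${2:-}" ] || { echo "usage: $0 --apply cXdYsZ" >&2; exit 2; }
    apply "$2"
else
    # Dry run: show the rewrites on the samples without touching anything.
    printf '%s\n' "$SAMPLE_VFSTAB" | fix_vfstab
    printf '%s\n' "$SAMPLE_BOOTENV" | fix_bootenv "$SAMPLE_IDE_PATH"
fi
```

Run it with no arguments from Safeboot to see the rewrite on the samples, then with "--apply c0d0s0" (the name df -k printed for /a) to edit the real files; the .orig copies let you back out if the next boot still loops.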

Instructions are also available for importing a Windows XP .vmdk file to Virtual Box.

Wednesday May 14, 2008

FAQ: Using ZFS for Swap

You may have seen my earlier blog entry on myths and facts about swap space in which I mentioned that ZFS file systems cannot be used for swap files.  Trying it fails:

# cd /zpool1
# mkfile 10g swapfile
# swap -a /zpool1/swapfile
"/zpool1/swapfile" may contain holes - can't swap on it.

You can, however, use zvols to add swap space onto a ZFS pool:

#!/bin/sh
#
# Add swap on a ZFS volume (zvol) in the "export" pool, the pool that holds /export/home
#
echo "adding zfs swap"
if [ ! -L /dev/zvol/dsk/export/swap ]
then
       echo "creating swap area"
       zfs create -V 1gb export/swap
fi
# append the vfstab entry only if it is not already there, so re-running the script does not add duplicates
grep '^/dev/zvol/dsk/export/swap' /etc/vfstab > /dev/null 2>&1 ||
       echo "/dev/zvol/dsk/export/swap -  -  swap  -  no   -" >> /etc/vfstab
/usr/sbin/swap -a /dev/zvol/dsk/export/swap
 

Thanks to Jim Litchfield for pulling this info from the documentation for zpool.


Thursday Apr 24, 2008

Sun at the DISA Customer Conference

Each year the Defense Information Systems Agency (DISA) hosts a customer conference for all of its customers.  DISA is responsible for hosting, designing and operating DoD datacenters, networks and critical command and control programs. The DISA customer conference is attended each year by 3000-4000 IT professionals from throughout the US DoD and other countries. This year's conference is in sunny Orlando, and Sun Federal will again be attending to demonstrate some of our advanced technologies for desktop virtualization, security, identity management and more. Here's a preview of what you will see when you visit our booth (or what you are missing, in case you can't come to the conference).  The Sun team at the booth will be happy to answer any questions you have about these or any of Sun's products and services.  Among the things you need to know about Sun is that we are the largest commercial contributor to open source software communities. Come visit us May 5-8 at booth #331.

Sun Ray Ultra-Thin Client Technology

This innovative solution to current desktop cost and management issues can significantly reduce costs while increasing user flexibility, mobility and security.  Weighing less than a pound and with no moving parts, the Sun Ray is ecologically better than a PC.  It lasts longer, uses less energy, makes less noise and fills fewer landfills. The Sun Ray DTU can be used to display a Solaris, Windows, Linux or mainframe desktop environment.

Trusted, multi-level Operating System 

Do you need to share confidential data while knowing exactly who has access? Sun's award-winning open source Solaris 10 operating system with Trusted Extensions provides a robust, scalable security solution for customers with multiple levels or compartments of data access.  Sun, HP, IBM and Dell platforms (SPARC or x64) are fully supported.  Dell, Fujitsu and IBM are OEMs for Solaris on their platforms. Solaris 10 is Common Criteria evaluated.

Screenshot: Solaris 10 displaying MS Windows and Red Hat 5 in windows of different classifications on the same screen.

Identity management implementing the DoD 2875 process

The 2875 demonstration was created to show the feasibility of using the Sun Java System Identity Manager suite to manage the System Authorization Access Request (SAAR) process. This process is used throughout the Federal Government as the method by which end users request access to systems. Sun IDM automates, audits and simplifies the process.


Sun Modular DataCenter

The Sun Modular Datacenter is a low cost, quick deploying solution for those who are running out of data center space and need additional computing power quickly with lower real estate, power and cooling costs.  Although the actual Modular Datacenter truck will not be here, we will have a scale model for you to enjoy.

Photo: The Sun Modular Datacenter on tour at the Pentagon in April with a small contingent of the Sun Federal Sales and Marketing team. 


Windows/Linux interoperability

Sun is a full OEM for MS Windows and Red Hat operating systems.  We sell and support both OSes on our market-leading Intel and AMD based servers.  Because Sun is a licensee of MS technologies, Solaris interoperates well with your existing desktop infrastructure.

Capacity based computing

Sun is one of the winners in the DISA Capacity Computing contract awarded in 2006.  Using this contract, DISA purchases Solaris computing cycles as a managed service based upon actual metered utilization. Sun provides systems and capacity management in DISA datacenters while speeding procurement cycles, reducing capital expenditures and consolidating applications. Ask us about how this contract can work for you.

Partners joining Sun in our booth include:

Mitel is a leading provider of communications solutions for a range of organizations.  Their integration of Sun's ultra-thin client with a VoIP telephone handset can significantly reduce desktop device costs while increasing flexibility, security and user mobility.  This intelligent phone ties your phone session and your desktop computing session to your identity and smart card for increased convenience.

BlueSpace - sponsored by Sterling Computers. BlueSpace is an enterprise software company based in Austin, Texas, that provides electronic messaging and mail software as well as multi-level secure (MLS) middleware to enable MLS applications. TransMail Trusted Edition is a version of TransMail specifically designed for the defense and intelligence communities. It integrates with Solaris 10 with Trusted Extensions to provide label security support, while providing the user with a single, multi-level inbox. TransMail Trusted Edition is the first commercial-off-the-shelf (COTS) end user, multi-level secure application.

Dynamic Systems is an information technology infrastructure expert and Sun Microsystems Value Added Reseller.  Dynamic Systems holds the SSTEW contract, which offers extended warranty, maintenance, education and professional services for all Sun Microsystems® products.  The extended warranty and maintenance covered by this contract include flexible and comprehensive hardware and software support ranging from basic to mission-critical service. SSTEW is an 8(a) set-aside Blanket Purchase Agreement that offers time- and money-saving options through order consolidation and volume discounts, and it is an Enterprise Software Agreement (ESA) under the DoD Enterprise Software Initiative (ESI).

We're looking forward to seeing you in Orlando. 

Wednesday Apr 23, 2008

What's new in Solaris 10 5/08 video

Solaris 10 5/08 is now available on the Sun Download Center.  It's free for commercial use and based on an open source development project. Watch this video by Larry Wake of the Solaris Marketing team to learn what's new.

 


Wednesday Apr 09, 2008

Mac Tips from Sun Mac Users

I recently had a problem. It was actually good news!  My niece decided to get a Mac Book Pro and convert from Windows.  My problem?  How to collect all the knowledge that Sun Mac users have collected and make it available to her.

There is quite an active Mac community at Sun.  Perhaps it's because we don't like MS Windows or perhaps it's because Mac OS is Unix-based and shares a number of Solaris technologies such as DTrace and ZFS.  Perhaps it's just because it's easier to use and easy on the eyes.  Regardless of the reason, we have built quite a bit of knowledge internally on the Sun network.  I've taken a bunch of it, stripped it of Sun specific content and made it available here.  It consists of some "getting started" tips, frequently used software and FAQs.

 Enjoy!

Some Web resources for new Mac users

Getting Started

  • Power on
  • Complete the user name creation and network configuration wizard
  • Log in
  • (optional, if required) Configure network location and proxies
    • Apple Menu > Location > Network Preferences
    • Select your network device (built-in Ethernet or AirPort)
    • Click Configure
    • Location pull-down > New Location
    • Enter a name such as SWAN
    • Show > Select your network device to configure
    • Click on the Proxies tab
    • For each protocol (FTP, HTTP, HTTPS) click the check box and enter the proxy name and port
    • Click Apply Now
  • Get the latest MacOS X software updates
    • Apple menu > Software updates
    • Reboot as requested
    • Repeat until no software updates are available (some updates are dependent on earlier updates.)
  • Configuration settings
    • FileVault (enable FileVault per the security recommendations below, or use encrypted disk images to protect proprietary or government data)
  • Download NeoOffice for Intel Macs and run the installer
  • Download the most recent NeoOffice patch for Intel Macs and run the installer
  • Set up Apple Mail or Thunderbird to access your mail account
  • Review all the other System Preference panels and configure as desired
Recommended security settings for Mac OS X
  •  Apple menu > System preferences
    • Security Panel
      • Turn on FileVault
      • Require password to wake this computer from sleep
      • Disable automatic login
      • Require password to unlock each secure system preference
      • In Leopard (10.5) the firewall settings are also here.
    • Desktop and screen saver panel
      • Start screensaver after xx minutes
    • Energy Saver panel
      • Put computer to sleep after xx minutes
      • Put Display to sleep after xx minutes
    • Sharing panel
      • Firewall Tab (in Sharing for 10.4 and Security for 10.5)
        • Click the lock and enter admin password to make changes
        • Click the Start button
        • Enable only services that are required.
        • Apple Remote Desktop must be enabled
      • Services Tab (10.4)
        • Only enable services that are required
        • Apple Remote Desktop must be enabled.
      • 10.5 Sharing panel
        • Only enable service that are required
        • If you enable File Sharing, you may wish to remove the users' "Public" folders from the list of shared folders.
    • Accounts panel
      • Uncheck "Allow user to administer this computer" for non-admin users
      • Delete or disable unused or guest accounts
      • Login Options tab
        • Uncheck "Automatically login"
        • Check  "Enable fast user switching"
    • Finder > Preferences > Advanced (NOTE: This does NOT appear to work)
      • Click the "Empty Trash Securely" checkbox
      • Use: Finder > Secure Empty Trash when emptying trash.
    • See also: NSA Security Guidelines for OS X
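The checklist above is driven through System Preferences, which makes it hard to confirm on a machine you didn't set up yourself. As an added example (not part of the original tips, and not a Sun IT tool), here is a small audit script that reads the same settings the Leopard panels store and reports which checklist items are not met; it also covers the Leopard "Stealth Mode" firewall option described later on this page. The preference domains and keys in the comments are the ones Mac OS X 10.5 uses; the 15-minute screen saver threshold, the function names and the two sample captures are this example's own assumptions. On a Mac it audits the live settings; elsewhere it runs against the constructed sample.

```sh
#!/bin/sh
# Added example, not from the original tips: audit a Mac OS X 10.5 machine against the
# checklist above by reading the settings the System Preferences panels store.
# Domains/keys are the ones 10.5 uses; the 15-minute screen saver threshold, the function
# names and the sample captures at the bottom are this example's own assumptions.

# read_key ARGS...: run "defaults ARGS" and print the value, or "unset" when the key is absent.
read_key() {
    if v=$(defaults "$@" 2>/dev/null); then printf '%s\n' "$v"; else echo unset; fi
}

# collect: print "name=value" lines for each setting the checklist covers (Mac OS X only;
# screen saver settings are per-host, hence -currentHost).
collect() {
    echo "askForPassword=$(read_key -currentHost read com.apple.screensaver askForPassword)"
    echo "idleTime=$(read_key -currentHost read com.apple.screensaver idleTime)"
    echo "autoLoginUser=$(read_key read /Library/Preferences/com.apple.loginwindow autoLoginUser)"
    echo "GuestEnabled=$(read_key read /Library/Preferences/com.apple.loginwindow GuestEnabled)"
    echo "globalstate=$(read_key read /Library/Preferences/com.apple.alf globalstate)"
    echo "stealthenabled=$(read_key read /Library/Preferences/com.apple.alf stealthenabled)"
    echo "EmptyTrashSecurely=$(read_key read com.apple.finder EmptyTrashSecurely)"
}

# value LINES NAME: the value recorded for NAME in a name=value capture, or "unset".
value() {
    v=$(printf '%s\n' "$1" | sed -n "s/^$2=//p")
    [ -n "$v" ] && printf '%s\n' "$v" || echo unset
}

# check NAME yes|no DESCRIPTION: print one result line and count the failure.
check() {
    if [ "$2" = yes ]; then echo "PASS $1: $3"; else echo "FAIL $1: $3"; fails=$((fails + 1)); fi
}

# expect_eq LINES NAME WANT DESCRIPTION: pass when the recorded value equals WANT.
expect_eq() {
    if [ "$(value "$1" "$2")" = "$3" ]; then check "$2" yes "$4"; else check "$2" no "$4"; fi
}

# audit LINES: one PASS/FAIL line per checklist item, then "failures=N" on the last line.
audit() {
    fails=0
    expect_eq "$1" askForPassword 1 "password required to wake from sleep or screen saver"
    expect_eq "$1" autoLoginUser unset "automatic login disabled"
    expect_eq "$1" stealthenabled 1 "firewall stealth mode on (Leopard)"
    expect_eq "$1" EmptyTrashSecurely 1 "Finder empties the trash securely"
    # the guest account is off when the key is 0 or was never written
    g=$(value "$1" GuestEnabled)
    if [ "$g" = 0 ] || [ "$g" = unset ]; then check GuestEnabled yes "guest account disabled"
    else check GuestEnabled no "guest account disabled"; fi
    # application firewall: 0 = off, 1 = allow only specific services, 2 = block all incoming
    f=$(value "$1" globalstate)
    if [ "$f" = 1 ] || [ "$f" = 2 ]; then check globalstate yes "application firewall on"
    else check globalstate no "application firewall on"; fi
    # screen saver must start within 15 minutes (900 s); 0 means never, "unset" is not a number
    t=$(value "$1" idleTime)
    if [ "$t" -gt 0 ] 2>/dev/null && [ "$t" -le 900 ] 2>/dev/null; then
        check idleTime yes "screen saver starts within 15 minutes"
    else check idleTime no "screen saver starts within 15 minutes"; fi
    echo "failures=$fails"
}

# Constructed captures (not taken from any real machine): a loosely configured Mac and a hardened one.
SAMPLE_LOOSE='askForPassword=0
idleTime=0
autoLoginUser=jim
GuestEnabled=1
globalstate=0
stealthenabled=0
EmptyTrashSecurely=unset'
SAMPLE_HARDENED='askForPassword=1
idleTime=600
autoLoginUser=unset
GuestEnabled=0
globalstate=1
stealthenabled=1
EmptyTrashSecurely=1'

# On a Mac audit the live settings; elsewhere show the report for the loose sample.
if [ "$(uname -s)" = Darwin ]; then audit "$(collect)"; else audit "$SAMPLE_LOOSE"; fi
```

Run it as the user whose screen saver settings matter (those keys are per-user and per-host); the loginwindow and firewall keys live under /Library/Preferences and are readable by anyone. FileVault is left out because 10.5 exposes no reliable preference key for it; check it in the Security panel.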

Popular software tools (alphabetically)
Random Tips from the Mac Masters
  • Drag Applications, Utilities, Documents, Desktop and other frequently used folders to the right side of the Dock.  You can now access them with a single right mouse click using a hierarchical menu.  Dragging your hard disk icon provides complete access to everything.
  • Use Applications > Utilities > Disk Utility to:
    • Repair permissions after an upgrade or software install
    • Check the file system integrity (must boot from install DVD to repair)
    • Burn ISO images to DVD or CD
    • Erase R-W media
    • Build your own Disk Image files
  • MacOS Keyboard Shortcuts
  • Set your default browser using the Safari preferences.  Set your default mail reader using the Apple Mail preferences.
  • Monitor and kill processes using Applications > Utilities > Activity Monitor
  • Apple equivalent to CTL-ALT-DEL
    • Command-Option-Escape to bring up a dialog to kill a hung process.
    • Apple Menu > Force Quit
    • Right click on the dock icon and select Force Quit
    • Option-Right Click on the dock icon and select Force Quit if force quit does NOT show in the contextual menu
  • Buy a 3-button wheelie mouse (wireless bluetooth enabled is supported)
    • Right click works in many applications to bring a contextual menu
    • Wheel click in Safari works to open a new tab
    • Control-Click or Click and hold are one button (touchpad) alternatives to right-click
  • Drag frequently used applications to the left side of the dock.
  • Turn on Dock hiding and adjust the size of the dock.  Apple menu > System preferences > Dock
  • Put less frequently used applications in your "Utilities" folder rather than Applications
  • Learn to use Expose and Dashboard widgets  Apple menu > System preferences > Expose
  • Create an "Installers" folder on your desktop to keep all those xxx.dmg files that you download.
  • Move your iTunes, iPhoto and Solaris image files OUT of your home directory; the large files slow down FileVault substantially.
MacOS X 10.5 (Leopard)
  • Leopard now ships with all new Macs
  • Detailed Leopard review at ArsTechnica
  • Application compatibility notes (when available)
    • NeoOffice reported to work on Leopard
    • VMware Fusion latest version is reported to work on Leopard
    • Classic mode (OS 9 app support) will NOT work on Leopard
    • Disk utilities such as Disk Warrior, etc will require an update from vendor
    • Java 6 is not available in Leopard.
    • Unsanity APE apparently causes problems in performing an upgrade to Leopard.
    • Partial list of apps that don't work with Leopard at MacRumors
    • Time Machine and File Vault are apparently incompatible with each other. See this tip.
    • MacBooks and MacBook Pros keyboard becoming non-responsive has been fixed with an update.
    • When using Mail 3.1, mail downloads go to the ~/Library/Mail Downloads folder regardless of what the Mail preferences report. This can result in many megabytes of attachments (potentially including Sun or customer proprietary data) piling up in a folder that is generally "invisible" to the casual user.
  • User changes
    • Make a backup before upgrading.
      • Suggested freely available full disk backup solutions include:
    • Choose the upgrade option rather than a clean install.
  • Security Changes
    • There is currently a reported issue with the Leopard Firewall.  A SunIT warning has come out about it.
    • Enable "Stealth Mode" (the Mac does not respond to probes such as ping from the network)
      • Apple > System Preferences > Security > Firewall
      • Click Advanced
      • Click Enable Stealth Mode
    • Firewall Settings are now in the Security system preference instead of the Sharing preference
    • Sharing system preference for File Sharing now has an "Options" button to enable AFP, Windows or FTP file sharing separately.
  • Resources
    • Sam's Teach Yourself Mac OS X Leopard All in One at Safari Books
Apple's Boot Camp software
  • Boot Camp is part of Mac OS X 10.5 and lets you create a separate partition on which another OS is installed natively.  Apple supports Windows; Solaris and Linux variants can be installed the same way. It has advantages and disadvantages when compared to virtualized solutions
  • Advantages
    • The OS runs natively on the hardware for higher performance and can use all of the memory.
    • Simplifies troubleshooting by eliminating the effects of MacOS and virtual machine
    • Allows you to claim you are running Solaris directly on the MacOS Intel based HW
  • Disadvantages
    • Requires a separate hard disk partition and boot loader
    • Requires a reboot to switch between MacOS X and Solaris
    • Cannot run both MacOS and Solaris simultaneously
    • More difficult to keep multiple images and take backups of images.
    • Cannot take advantage of canned VMs, cut and paste, file sharing, sleep/suspend etc.
  • See this blog entry for tips on using BootCamp with Solaris
Resources
MS Windows
  • MS Windows can also be installed directly on the hardware using Apple's Boot Camp package (a beta on 10.4; built into Leopard).
FAQs
  • Where do I change my computer's name?
  • How do I find my MacBook's serial number?
  • How do I create an encrypted disk image
  • How do I change the Keyboard shortcuts.
  • How do I make applications start when I login?
  • How do I add/remove/change items on my dock?
  • How do I use my Apple remote to control NeoOffice presentations
  • How do I force my screen saver to start manually with hot corners?
  • Should I "Shut Down" my Mac or put it to sleep?
    • Unlike Windows, Mac OS is remarkably reliable and we know users with "uptimes" exceeding two months.  Just close the lid and go.
  • How do I change the icon on a file or folder?
  • How do I add the date to my menubar clock?
    • in the terminal type: defaults write -g AppleICUTimeFormatStrings -dict-add 2 "MMMM d, hh':'mm':'ss' 'a"
    • then: killall SystemUIServer  (to restart menubar)
    • Alternate Solution using the GUI
  • How do I take a screen shot?
  • How do I type a "forward-delete" character on the laptop?  Use FN-DELETE
  • How do I extend my MacBook display to other monitors?
    • Open System Preferences and click Displays.
    • Click Arrangement and follow the onscreen instructions.
  • How do I change the desktop login background image?
    • The login screen is a file located at /System/Library/CoreServices/DefaultDesktop.jpg.  Just replace that file with something you like.
  • How do I eliminate the transparent menu bar in Leopard?
    • With the release of 10.5.2, there is a system preference to control this
      • Apple menu > System Preferences > Desktop and screensaver > Desktop tab
      • Uncheck the "Translucent menu bar" box.
    • If using 10.5 or 10.5.1:
      • Open a terminal:
      • sudo defaults write /System/Library/LaunchDaemons/com.apple.WindowServer 'EnvironmentVariables' -dict 'CI_NO_BACKGROUND_IMAGE' 1
      • Then reboot.
  • What is Mac OS "Safe Sleep" or Why won't my Mac wake up and what is that funny progress bar?
  • How many ways can I quickly lock my screen?
  • What is a "Sparse Bundle" disk image?
  • How do I sync my Palm using Bluetooth with Mac OS?
  • How do I reduce the size of my PDF documents?
  • How do I auto-hide the main menu bar of an application?
  • How do I add a "Recent Applications" item to my dock?
    • In a terminal (I use iTerm), type:
    • defaults write com.apple.dock persistent-others -array-add  '{ "tile-data" = { "list-type" = 1; }; "tile-type" = "recents-tile"; }'
    • killall Dock
  • What happened to my Dashboard Widgets?
  • How do I remove language support from applications to save disk space?
    • Choose an application (iPhoto for example)
    • Click once.
    • File > Get Info
    • Open the Languages triangle
    • Select the languages you don't need (shift click to select multiple contiguous items)
    • Click the - sign
    • Close the window.
    • Repeat until you get bored.
  • Why doesn't Time Machine backup my VMware Fusion VM images?
    • Fusion sets the "exclusion flag" on images because the entire image would be backed up with every change.  See this discussion thread for more information.  Back them up manually.
  • How do I get rid of those horrible "stacks" in Leopard and revert to menus as in 10.4?
    • Drag a folder to the right side of the Dock
    • Right-click (control-click)
    • Select "Display as Folder"
    • Right-Click
    • Select "View Content as List"
About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
