Friday Jan 28, 2011

Apache & SSL

I was recently asked about how to set up SSL on Apache. Here are the steps I took to do it.

Setting Up Apache

Install Apache

bleonard@solaris:~$ sudo pkg install apache-22
               Packages to install:     4
           Create boot environment:    No
               Services to restart:     1
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  4/4     902/902      4.5/4.5

PHASE                                        ACTIONS
Install Phase                              1145/1145 

PHASE                                          ITEMS
Package State Update Phase                       4/4 
Image State Update Phase                         2/2 

Install the Apache Visual Panel

The Apache visual panel is a management interface for Apache.

bleonard@solaris:~$ sudo pkg install panel-apache
               Packages to install:     5
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  5/5     433/433    14.1/14.1

PHASE                                        ACTIONS
Install Phase                                638/638 

PHASE                                          ITEMS
Package State Update Phase                       5/5 
Image State Update Phase                         2/2 

There's a bug that prevents the visual panel from restarting until the desktop is restarted:
bleonard@solaris:~$ sudo svcadm restart gdm

You can then successfully start the visual panel from the System > Administration > Apache Web Server menu.

Start Apache

Select "Enable the Apache web server" and click Apply:

You'll be prompted to authenticate yourself. Enter your Username:


And then select the root role:

Wait while the instance transitions to online. And you're up and running:

Configuring SSL

Getting a Certificate

The key piece needed for secure communication is a certificate. Ideally this certificate would be signed by an authority, such as VeriSign, GoDaddy or Comodo. However, for the purposes of this example, and the fact that I'm not actually setting up a public facing server that can be verified by an authority, we'll be using a self-signed certificate.

O'Reilly has a good article on Configuring SSL Under Apache, which includes a nice explanation of using openssl for creating a self-signed certificate. As well as the steps necessary to get your certificate signed. I won't bother repeating that information here, other than the steps I took to create the self-signed certificate:

oracle@solaris:~$ openssl req -new -x509 -days 365 -sha1 -newkey rsa:1024 -nodes -keyout server.key -out server.crt -subj '/O=Oracle/OU=Solaris/CN=10.0.2.15'
Generating a 1024 bit RSA private key
............++++++
.++++++
writing new private key to 'server.key'
-----

Configure SSL

Return to the Apache visual panel. Highlight the localhost virtual host and select clone. When prompted, set the domain to securelocalhost:

On the General tab select "Enable this virtual host" and then switch to the SSL tab. Enable SSL, set the IP address and select the certificate and key that were just created:

The select Apply and wait while the server is restarted.

Browse Securely

Try an https connection to your configured IP address. You'll be presented with a fairly scary "This Connection is Untrusted" page:

Under the Technical Details you'll see that the certificate is untrusted because it's self-signed, which we've already addressed.

Select Add Exception and you'll be presented with another dialog to add a security exception:


Select Confirm Security Exception and you'll be securely browsing:

Beyond the Apache Visual Panel

You can disable/enable/restart apache through its SMF interface:

bleonard@solaris:~$ sudo svcadm disable apache2

The apache2 SMF service writes its configuration information out to /etc/vpanels/httpd.conf for Apache to read on startup. You can see the changes that were made by the addition of another virtual host:

Listen   10.0.2.15:443
<VirtualHost   10.0.2.15:443>
SSLEngine on
SSLCertificateFile   /export/home/bleonard/server.crt
SSLCertificateKeyFile   /export/home/bleonard/server.key
DocumentRoot  /var/apache2/2.2/htdocs
<Directory  "/var/apache2/2.2/htdocs" >
Options Indexes Includes FollowSymLinks  SymLinksifOwnerMatch ExecCGI MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ServerName   securelocalhost
</VirtualHost>

It's important to note the differences between using the Apache visual panel GUI and the default Apache command line interface. The Apache visual panel stores all of Apache's configuration information in the SMF repository and writes out the httpd.conf configuration file when the service is started, so you can directly edit httpd.conf. The default Apache SMF service, apache22, reads Apache's configuration information from the configuration file at  /etc/apache2/2.2/httpd.conf. So there are two important considerations here:

  1. Don't attempt to start Apache using both SMF interfaces, apache22 (default) and apache2 (visual panel), as it will just create a conflict.
  2. If you're looking to customize Apache beyond what the visual panel interface allows, I would recommend going with the default interface, apache22, and customizing /etc/apache2/2.2/httpd.conf.

Tuesday Jan 25, 2011

Configuring Automatic Login

If you've ever wondered how the Live CD just boots directly into the desktop, this is easily configured through a couple of settings in your GNOME Display Manager (GDM) configuration file, /etc/gdm/custom.conf.  Just add the following to the daemon section in custom.conf:

[daemon]
AutomaticLoginEnable=true
AutomaticLogin=<user id>
GdmXserverTimeout=30

When AutomaticLoginEnable is set to true, the user given in AutomaticLogin is logged in immediately. The GdmXserverTimeout setting will determine how long the system will try before giving up and presenting the login screen. This could occur, for example, if the supplied user id doesn't exist on the system.

When making changes to custom.conf, restart gdm for the changes to take effect:

$ sudo svcadm restart gdm

The GNOME Display Manager is quite customizable. See the gdm man page for more.

Friday Jan 21, 2011

Localizing Solaris 10

This entry is in response to a comment from my previous post, asking how to localize Solaris 10. Most of everything you need is in the localeadm man page, but I'll walk through the steps here.

Step 1: Get the Solaris 10 DVD.

If you installed from the DVD, then you should already have it. However, if you started with the Solaris 10 virtual machine, then you'll need to also download the Oracle Solaris 10 9/10 Full DVD Image (zip), which contains the locales.

Step 2: Mount the DVD.

In the case of VirtualBox, with Solaris 10 running, from the VirtualBox menu select Devices > CD / DVD Devices > Choose a virtual CD / DVD disk file...

And select the Solaris 10 ISO,  sol-10-u9-ga-x86-dvd.iso, in my case. This action will mount the ISO at /cdrom/sol_10_910_x86.

Step 3: View the Available Locales

The available locales are listed by region:

# localeadm -l -d /cdrom/sol_10_910_x86

Checking for installed packages. This could take a while. Checking for Australasia region (aua) (c_solaris packages) |...| All packages found. Checking for Australasia region (aua) (solaris1 packages) |............|

...

Japanese (ja) Korean (korean) Simplified Chinese (china) Traditional Chinese (Hong Kong) (hongkong) Traditional Chinese (taiwan) Thai (th_th) India (india) South East Asia (sea) [ Indonesia, Malaysia, Singapore ] Southern Africa (saf) [ South Africa ] Done.

Step 4: Install the Locale

Once you find the region / locale you want to install, you will pass the value in parentheses to the localeadm command. I'm going to install Simplified Chinese (china) as follows:

# localeadm -a china -d /cdrom/sol_10_910_x86
Log file is /var/sadm/install/logs/localeadmin_install.2011-01-21

locale/region name is china
Adding packages for Simplified Chinese (china)

Region china will be installed.

...

The following regions are installed on unknown on Fri Jan 21 12:30:15 EST 2011

POSIX (C)


Simplified Chinese (china)



One or more locales have been added. To update the list of locales available at the login screen's "Options->Language" menu, please restart the dtlogin daemon (WARNING: this will terminate any active dtlogin sessions)

Please log out and login again to use the new locale(s) at your desktop. If you are not intending to use the new locale(s) with the GUI desktop, you can start using the new locale(s) immediately by setting the LC_\* environment variables

Step 5: Eject the DVD & Reboot

I have found that the machine needs to be rebooted for the new locale to be recognized by the login screen. Before rebooting, eject the DVD, otherwise, the VM will boot from the DVD. The DVD can be ejected by deselecting it under the Devices menu (just like we added it).

# reboot

Step 6: Select the New Language

When the Login Screen appears again, select Options > Language, to get to the Select a language screen:

Then login:

Then enjoy:


At this point I wish I knew Chinese :-).

Wednesday Jan 19, 2011

Solaris 10 9/10 VirtualBox VM

A pre-built VirtualBox virtual machine of Solaris 10 9/10, the latest update, has recently been published. The pre-built VM gets you quickly up and running with Solaris 10. Just follow these steps:

  1. Download the Oracle Solaris 10 9/10 Virtual Machine for Oracle VM VirtualBox. It's 1.8 GBs.

  2. Extract the Archive:
  3. bleonard@solaris:~/Download/$ unzip Solaris10_9-10_VM.zip 
    Archive:  Solaris10_9-10_VM.zip
      inflating: README.txt              
      inflating: Solaris10_9-10.mf       
      inflating: Solaris10_9-10.ovf      
      inflating: Solaris10_9-10.vmdk 
    
  4. Start VirtualBox and select File > Import Appliance. Then select the Solaris10_9-10.ovf file that was just extracted.

  5. On the Appliance Import Wizard, set the Guest OS Type to Solaris modern (S10U8+). Also feel free to bump the RAM from the default of 1024 MB if you have it to spare. I'm setting mine to 1536 MB:



  6. Click Finish and wait a few minutes while the VM is imported (Note, the dialog may initially say something ridiculous like 20 hours remaining. You can safely ignore this.):



  7. Start the Solaris 10_9-10 Virtual Machine. The machine is delivered unconfigured, so on first boot you'll need to select your keyboard layout, network connectivity, security policy, name service, NFSv4 domain name, time zone and root password. Once these settings are selected the system will reboot into the Solaris 10 desktop:



    Note, the VirtualBox Guest Additions are pre-installed:
    # pkginfo -l SUNWvboxguest
       PKGINST:  SUNWvboxguest
          NAME:  Oracle VM VirtualBox Guest Additions
      CATEGORY:  application
          ARCH:  i386
       VERSION:  3.2.8,REV=r64453.2010.08.05.14.52
       BASEDIR:  /
        VENDOR:  Oracle Corporation
          DESC:  Oracle VM VirtualBox Guest Additions for Solaris guests
        PSTAMP:  vboxguest20100805145230_r64453
      INSTDATE:  Sep 14 2010 17:23
       HOTLINE:  Please contact your local service provider
         EMAIL:  info@virtualbox.org
        STATUS:  completely installed
         FILES:       51 installed pathnames
                       3 linked files
                       4 directories
                      19 executables
                   19628 blocks used (approx)
    Also, ZFS is used as the root file system with a 64 GB dynamically expanding hard disk (so it will only consume 64 GBs of your host system if you actually use that much space in the VM):
    # zpool list
    NAME    SIZE  ALLOC   FREE    CAP  HEALTH  ALTROOT
    rpool  63.5G  4.57G  58.9G     7%  ONLINE  -
    
    # zfs list
    NAME                  USED  AVAIL  REFER  MOUNTPOINT
    rpool                5.10G  57.4G  32.5K  /rpool
    rpool/ROOT           3.57G  57.4G    21K  legacy
    rpool/ROOT/s10_0910  3.57G  57.4G  3.57G  /
    rpool/dump           1.00G  57.4G  1.00G  -
    rpool/export           44K  57.4G    23K  /export
    rpool/export/home      21K  57.4G    21K  /export/home
    rpool/swap            544M  57.9G    16K  -
    

Thursday Jan 06, 2011

Chime 1.5

This morning Tom Erickson announced version 1.5 of the Chime Visualization Tool for DTrace.

The update includes many improvements:

  • Total rows can now be included in plots over time.
  • Sparklines now appear on total rows.
  • The aggregate sampling interval is now a saved preference and independent of the DTrace aggregate option.
  • Plots over time now scale with the sampling interval.
  • Individual plot lines can be selected or hidden by clicking or double-clicking on the plot legend.

Besides many other fixes, this update removes all dependence on third party code.

The website has also been updated. In particular, the Command Line page now explains some of the nifty things you can do with Chime on the command line.

See the Installation page to get Chime along with instructions on how to install it.

Thursday Dec 16, 2010

Obsolete Packages

In my previous entry I talked about packages that were not brought forward into the Solaris 11 Express repository. However, those packages are still available and can be installed from the opensolaris.org repository.

There's another category of packages that have technically been brought forward into the Solaris 11 Express repository, but for various reasons are now marked as obsolete. You can read a nice write-up of what it means to obsolete a package, but basically the design is to intentionally mark that a particular package is no longer supplied by the repository.

The primary difference is that a "missing" package is left untouched when the system is updated. An obsolete package will be uninstalled (if possible) when the system is updated.

There are a couple of ways to see the packages that are obsolete. Using pkg search:

bleonard@solaris:~$ pkg search ::pkg.obsolete: 
INDEX        ACTION VALUE PACKAGE
pkg.obsolete set    true  pkg:/SUNWinleu@0.5.11-0.130
pkg.obsolete set    true  pkg:/SUNWsfwhea@0.5.11-0.130
pkg.obsolete set    true  pkg:/SUNWupdatemgr@0.5.11-0.130
pkg.obsolete set    true  pkg:/database/postgres-83/documentation@8.3.11-0.146
pkg.obsolete set    true  pkg:/SUNWcleue@0.5.11-0.130
pkg.obsolete set    true  pkg:/SUNWpostgr-82-client@8.2.15-0.146
...

Or using pkg list with a grep on the o flag:

bleonard@solaris:~$ pkg list -a | grep -e '[-u]-[o]--' FSWfontconfig-devel-docs 0.5.11-0.130 known --o-- FSWxorg-devel-docs 0.5.11-0.130 known --o-- FSWxwpft 0.5.11-0.130 known --o-- OSOLvpanels-hypervisor 0.5.11-0.151 known --o-- OSOLvpanels-mysql 0.5.11-0.130 known --o-- ... 

I mention all of this because packages that are obsolete have some interesting side effects. The highest profile obsolete package is PostgreSQL, and you'll note it's marked Obsolete in the output of pkg info:

bleonard@solaris:~$ pkg info -r pkg://solaris/database/postgres-84
          Name: database/postgres-84
       Summary: 
         State: Not installed (Obsolete)
     Publisher: solaris
       Version: 8.4.4
 Build Release: 5.11
        Branch: 0.146
Packaging Date: October 27, 2010 06:31:28 PM 
          Size: 0.00 B
          FMRI: pkg://solaris/database/postgres-84@8.4.4,5.11-0.146:20101027T183128Z

And if you try to install it, you get a somewhat obscure error message:

bleonard@solaris:~$ sudo pkg install pkg://solaris/database/postgres-84
No updates necessary for this image.

The message is a little more clear if you try to install a package that depends on a package that's been marked as obsolete (I'm not aware of any such packages currently in the solaris release repository, so this example's using the opensolaris.org repository):

bleonard@solaris:~$ sudo pkg install amp-dev
Creating Plan \\pkg: No version of amp-dev can be installed:
pkg://opensolaris.org/amp-dev@0.5.11,5.11-0.86:20080424T113414Z: Required dependency pkg:/SUNWphp524-pgsql@5.2.4,5.11-0.86 is obsolete
...

I already mentioned an obsolete package will be uninstalled (if possible) when the system is updated. The if possible part is key, and it did trip up several folks trying to upgrade from OpenSolaris to Solaris 11 Express. The assumption is made that if you have a package installed that has not been marked as obsolete (such as amp-dev) that depends on a package that's been marked as obsolete (such as SUNWphp52-pgsql), you still depend on the functionality provided by the dependent package and the update is prevented.

I don't have insight as to why a particular package is marked as obsolete, however, I would assume most of it has to do with support (everything in the solaris release repository is supported). My primary point here was to shed some additional light on the concept of an obsolete package.

Wednesday Dec 15, 2010

Left Behind

Those of you familiar with OpenSolaris before the release of Solaris 11 Express may have noticed that certain applications have not found their way into the Solaris 11 Express repository - most notably OpenOffice.org.

Out of curiosity, I set up the opensolaris.org repository on Solaris 11 Express:

bleonard@solaris:~$ sudo pkg set-publisher -g http://pkg.opensolaris.org/release --non-sticky opensolaris.org

And then ran this awk script to find out exactly what was missing:

bleonard@solaris:~$ pkg list -a | awk -f pkg.awk 
SUNWlibnb-apisupport1
SUNWlibnb-cnd1
SUNWlibnb-enterprise4
SUNWlibnb-gsf1
SUNWlibnb-ide8
SUNWlibnb-java1
SUNWlibnb-platform7
SUNWlibnb-profiler2
SUNWlibnb-ruby1
SUNWlibnb-visualweb1
SUNWlibnb-xml1
SUNWnetbeans-cpp
SUNWnetbeans-desktop
SUNWnetbeans-ide
SUNWnetbeans-javaee
SUNWnetbeans-javase
SUNWnetbeans-ruby
amp-dev
clustertools
clustertools_7.1
clustertools_8.1
clustertools_8.2.1
developer/clustertools
developer/clustertools-821
developer/gcc/gcc-432
developer/gcc/gcc-dev-4
developer/gcc/gcc-runtime-432
developer/netbeans/plugin/nb-dtrace
developer/sunstudio
developer/sunstudio12u1
developer/sunstudioexpress
developer/tool/exuberant-ctags
dtrace-gui-plugin
eclipse
glassfishv2
hpc-dev
java-dev
libnb-apisupport
libnb-cnd
libnb-dlight
libnb-enterprise
libnb-ergonomics
libnb-groovy
libnb-gsf
libnb-ide
libnb-identity
libnb-java
libnb-php
libnb-platform
libnb-profiler
libnb-ruby
libnb-soa
libnb-visualweb
libnb-webcommon
libnb-websvccommon
libnb-xml
mq41
netbeans
netbeans-cpp
netbeans-desktop
netbeans-full
netbeans-ide
netbeans-incorporation
netbeans-java
netbeans-javase
netbeans-php
netbeans-ruby
opends
openoffice
openoffice-de
openoffice-es
openoffice-fr
openoffice-hu
openoffice-it
openoffice-ja
openoffice-ko
openoffice-nl
openoffice-pl
openoffice-pt
openoffice-pt-BR
openoffice-ru
openoffice-sdk
openoffice-sv
openoffice-zh-CN
openoffice-zh-TW
ruby-dev
service/network/ldap/opends
service/network/message-queue-41
slim_cd
ss-dev
sunstudio
sunstudio12u1
sunstudioexpress
web/glassfish-2
web/webstack-ui
webstackui

As you can see, the major applications missing are OpenOffice, Sun Studio, NetBeans, Eclipse, GlassFish, OpenDS, Message Queue and the development bundles that depend on these tools (amp-dev, hpc-dev, java-dev, ruby-dev, ss-dev and webstack)

I don't know the details of why these particular pieces of software have yet to find their way into the Solaris 11 Express repository. However, to get them, you can either install (a slightly stale version) from the opensolaris.org repository, or download and install the non-IPS version. Here are some pointers:

If I get more information on the status of these software packages, I'll be sure to post it here.

Friday Dec 03, 2010

File Based Repo

It was always possible to mount an ISO and use it as the package repository, but you also had to configure and run a local package server. With Solaris 11 Express, it is now possible to serve the packages directly from the local repository files, bypassing the server.

Step 1: Download the Repository Image

The repository image comes in two 2 GB chunks and they're available on the Solaris 11 Express Downloads page. After downloading parts A & B, unzip and concatenate them as follows:

bleonard@solaris:~$ cd Download/
bleonard@solaris:~/Download$ unzip sol-11-exp-201011-repo-full-iso-a.zip 
Archive:  sol-11-exp-201011-repo-full-iso-a.zip
  inflating: sol-11-exp-201011-repo-full.iso-a  
bleonard@solaris:~/Download$ unzip sol-11-exp-201011-repo-full-iso-b.zip 
Archive:  sol-11-exp-201011-repo-full-iso-b.zip
  inflating: sol-11-exp-201011-repo-full.iso-b  
bleonard@solaris:~/Download$ cat sol-11-exp-201011-repo-full.iso-a sol-11-exp-201011-repo-full.iso-b > sol-repo-full.iso

Note, I kept the ISO name generic, as this allows me to upgrade to a newer version of the repository by simply replacing the underlying ISO.

Step 2: Mount the Repository Image

Create a directory at which to mount the ISO:

 bleonard@solaris:~$ sudo mkdir /repo

Mount the ISO to the /repo directory:

bleonard@solaris:~$ sudo mount -F hsfs ~/Download/sol-repo-full.iso /repo

Step 3: Make the Mount Persistent

The mount will not survive a reboot. You have a couple of approaches to make it persist:

The Quick and Dirty Way

Add the following file to /etc/rc3.d:

# cat /etc/rc3.d/S99mountiso
#!/bin/sh
#
mount -F hsfs /export/home/bleonard/Download/sol-repo-full.iso /repo 

The SMF Way

Save the following repo.xml SMF manifest to /var/svc/manifest/system/filesystem, which defines a new service, repo.

Install the repo service:

bleonard@opensolaris:~$ svccfg import /var/svc/manifest/system/filesystem/repo.xml

Start the repo service:

bleonard@opensolaris:~$ svcadm enable repo 
bleonard@opensolaris:~$ svcs -l repo
fmri         svc:/system/filesystem/repo:default
name         Solaris ISO repository mounter
enabled      true
state        online
next_state   none
state_time   Mon Oct 11 09:40:07 2010
logfile      /var/svc/log/system-filesystem-repo:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)

Step 4: Add the Local Repository as a Publisher

This is the new part in that a publisher can now point to a local file, bypassing the need to set up a local package server.

You can either set up the local file as a mirror or on its own. Use the following syntax to set it up as a mirror:

bleonard@solaris:~$ sudo pkg set-publisher -m file:///repo/repo/ -P solaris
bleonard@solaris:~$ pkg publisher
PUBLISHER                             TYPE     STATUS   URI
solaris                  (preferred)  origin   online   http://pkg.oracle.com/solaris/release/
solaris                  (preferred)  mirror   online   file:///repo/repo/

To remove the mirror:

bleonard@solaris:~$ sudo pkg set-publisher -M file:///repo/repo/ solaris

To set it up on its own:

bleonard@solaris:~$ sudo pkg set-publisher -G http://pkg.oracle.com/solaris/release -g file:///repo/repo/ -P solaris
bleonard@solaris:~$ pkg publisher
PUBLISHER                             TYPE     STATUS   URI
solaris                  (preferred)  origin   online   file:///repo/repo/

In the above we're removing the default remote repository and replacing it with the new local repository. You can see the status of the repository as follows:

bleonard@solaris:~$ pkgrepo info -s /repo/repo
PUBLISHER PACKAGES STATUS           UPDATED
solaris   3941     online           2010-11-11T00:04:39.171739Z

At this point, the repository is ready for use.

However, one minor limitation is that the repository doesn't include a search index (this was done to reduce the initial size of the repository):

bleonard@solaris:~$ pkg search hex
pkg: Some repositories failed to respond appropriately:
solaris:
file protocol error: code: 11 reason: Search temporarily unavailable.
Repository URL: 'file:///repo/repo'. (happened 4 times)

And since the ISO is mounted directly (and therefore, read-only), one can't be built. If you happen to extract the ISO, a search index could be build with the following command:

sudo pkgrepo -s /repo/repo refresh

Conclusion

I like this approach because when a new repository becomes available, I simply need to replace the ISO file and I'm all set. For further details, including how to set up a local repository server, see the article How To Copy an Oracle Solaris 11 Express Software Package Repository.

Thursday Dec 02, 2010

sudo?

We here in Solaris land have expended a lot of energy in the past explaining pfexec. In the simplest case it was described as an alias for sudo (and when I first come to Solaris, I'm somewhat embarrassed to admit I did just that, created an alias for sudo to pfexec). But having an alternative to sudo was one of those things that made Solaris "different". When OpenSolaris was first released we tracked unsuccessful searches against our package repository - and sudo was as the top of that list.

As part of the modernization effort for Solaris, sudo eventually found its way into OpenSolaris (beginning with the 2008.11 release). However, by that time I was pretty comfortable with pfexec and never looked back - until now that is.

A big change in the Solaris 11 Express release is that pfexec has been rendered relatively toothless out of the box. The "Primary Administrator" profile is no longer assigned to the user created during installation. If you've upgraded from an earlier release of OpenSolaris, you are unaffected by this change. However, on a fresh installation of Solaris 11 Express, commands that used to work will no longer. For example:

bleonard@solaris:~$ pfexec zfs create rpool/myfs
cannot create 'rpool/myfs': permission denied

However, sudo now works just fine:

bleonard@solaris:~$ sudo zfs create rpool/myfs
Password: 

One big difference you'll notice is that sudo requires a password - and this your password, not the root password (which I'll address in a moment). The lack of a password prompt was the whole reason for the "Primary Administrator" role being dropped in the first place - although sudo can be configured to behave the same.

If you've upgraded to Solaris 11 Express, you have the opposite problem, pfexec still works as you're accustomed, however, sudo reports you to the sudo police.

bleonard@solaris:~$ sudo zfs create rpool/myfs

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

Password: 
bleonard is not in the sudoers file.  This incident will be reported. 

The report actually shows up in the /var/adm/messages file:

Dec  2 11:21:57 solaris sudo: [ID 702911 auth.alert] bleonard : user NOT in sudoers ; TTY=pts/2 ; PWD=/export/home/bleonard ; USER=root ; COMMAND=/usr/sbin/zfs create rpool/myfs

I'll address setting up sudo at the end of this entry.

The root Password

In the continued simplification of the Solaris 11 Express installer, it now only asks for one password, which is used as the password for both the root account and the initial user account:

However, the root password is immediately expired, as you'll see if you try to switch to root:

bleonard@solaris:~$ su
Password: 
su: Password for user 'root' has expired
New Password: 

As you no longer have Primary Administrator privileges, GUI tools requiring administrator privileges will now also prompt you for the root password. For example, if you try to start the Package Manger GUI, you'll first be presented with:

There is one little glitch to be aware of - if you attempt to run a GUI that prompts for the root password, and the root password is expired, the GUI just exits. No warning or prompt for a new password is provided. This issue is being addressed: Gksu does not report expired password. So just make sure you attempt an su from the command, and set a new root password, before trying to use the GUI tools that require the root password.

The root Role

If you look at the installer screen capture above, you'll see that the initial user is assigned administrative privileges. Although this is not in the form of the "Primary Administrator" profile, the user created at installation time does have the root role assigned to them.

bleonard@solaris:~$ roles
root

Some people mistakingly think that having the root role allows them to use pfexec. pfexec stands for Profile Execute, and executes commands against your assigned profiles - not your assigned roles. The root role simply allows you to su to the root user account.

The etc/sudoers file

Now to the reason why sudo works on a fresh install of Solaris 11 Express, but not on a version upgraded from OpenSolaris.  When a command is prefixed with pfexec, it first checks to see if the user executing the command has a profile which allows the execution of that command. Very similarly, when a command is prefixed with sudo, the /etc/sudoers files is first consulted to see the user is allowed to execute that command.

The /etc/sudoers file is well documented and you can defined very fine grained rules as to what a particular user is allowed to do. In the case of the user created during installation, the user is allowed to do everything (just as if they were root). Here's what the entry for my user, bleonard, looks like:

bleonard ALL=(ALL) ALL

The entry above is stating that user bleonard can run any command on any host as any user. For further details on how to fine tune a user's privileges, see the sudoers man page.

So, to configure an instance of Solaris 11 Express upgraded from OpenSolaris to operate like a freshly installed instance, you need to add a line like the above to the /etc/sudoers file. Note that the file is read-only and should be edited using the visudo editor - I hope you like vi :-).

One last note, if you want sudo to behave like pfexec (sans password), make the following tweak to your entry:

bleonard ALL=(ALL) NOPASSWD: ALL

Finally, if you're on a fresh install of Solaris 11 Express and want to continue using pfexec, you can add the "Primary Administrator" profile as follows:

bleonard@solaris:~$ sudo usermod -P "Primary Administrator" bleonard
Password: 
UX: usermod: bleonard is currently logged in, some changes may not take effect until next login.

Now creating that file system works just fine:

bleonard@solaris:~$ pfexec zfs create rpool/myfs

Happy sudoing or pfexecing, whichever you prefer.

Tuesday Nov 30, 2010

Upgrading ZFS

Upgrading to the latest release of Solaris doesn't automatically upgrade your existing ZFS pools and datasets. So if you're trying to take advantage of cool new features like dedup and crypto on those datasets, you'll have to update ZFS first.

Upgrading Your ZFS Pools

Beware - upgrading your root ZFS pool will essentially invalidate your prior boot environments as you will no longer be able to boot into them.

The version property will tell where you're currently at:

bleonard@opensolaris:~$ zpool get version rpool
NAME   PROPERTY  VALUE    SOURCE
rpool  version   14       local

And the -v (lower case) option will tell you what's available:

bleonard@opensolaris:~$ zpool upgrade -v
This system is currently running ZFS pool version 31.

The following versions are supported:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS version
 2   Ditto blocks (replicated metadata)
 3   Hot spares and double parity RAID-Z
 4   zpool history
 5   Compression using the gzip algorithm
 6   bootfs pool property
 7   Separate intent log devices
 8   Delegated administration
 9   refquota and refreservation properties
 10  Cache devices
 11  Improved scrub performance
 12  Snapshot properties
 13  snapused property
 14  passthrough-x aclinherit
 15  user/group space accounting
 16  stmf property support
 17  Triple-parity RAID-Z
 18  Snapshot user holds
 19  Log device removal
 20  Compression using zle (zero-length encoding)
 21  Deduplication
 22  Received properties
 23  Slim ZIL
 24  System attributes
 25  Improved scrub stats
 26  Improved snapshot deletion performance
 27  Improved snapshot creation performance
 28  Multiple vdev replacements
 29  RAID-Z/mirror hybrid allocator
 30  Encryption
 31  Improved 'zfs list' performance

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.

You can move to any version you'd like using the -V (upper case) option, however, I'm just going to move the the latest and greatest:
bleonard@opensolaris:~$ pfexec zpool upgrade rpool
This system is currently running ZFS pool version 31.

Successfully upgraded 'rpool' from version 14 to version 31

Just to verify the upgrade:

bleonard@opensolaris:~$ zpool get version rpool
NAME   PROPERTY  VALUE    SOURCE
rpool  version   31       default

Upgrading Your ZFS Datasets

The process is very similar. First, if you're interested in the version you're current at:

bleonard@opensolaris:~$ zfs get version rpool
NAME   PROPERTY  VALUE    SOURCE
rpool  version   3        -

Then to see what's available:

bleonard@opensolaris:~$ zfs upgrade -v
The following filesystem versions are supported:

VER  DESCRIPTION
---  --------------------------------------------------------
 1   Initial ZFS filesystem version
 2   Enhanced directory entries
 3   Case insensitive and File system unique identifier (FUID)
 4   userquota, groupquota properties
 5   System attributes

For more information on a particular version, including supported releases,
see the ZFS Administration Guide.

I'm going to upgrade all the file systems at once. However, there is the option to upgrade just a particular file system, for example:

bleonard@opensolaris:~$ pfexec zfs upgrade rpool/export/home
1 filesystems upgraded 

Or a file system and its descendants:

bleonard@opensolaris:~$ pfexec zfs upgrade -r rpool/export
1 filesystems upgraded
1 filesystems already at this version

But to simply upgrade all:

bleonard@opensolaris:~$ pfexec zfs upgrade -a
25 filesystems upgraded
2 filesystems already at this version

This process may take several minutes to complete, depending of the number file systems that need to be upgraded.

Thursday Nov 18, 2010

Upgrading from OpenSolaris 2009.06 to Solaris 11 Express 2010.11

In this entry I document my experience of upgrading from OpenSolaris 2009.06 to Solaris 11 Express 2010.11. I selected to include lots of output, in case you want to compare your experience to mine.[Read More]

Tuesday Nov 16, 2010

Video Tutorial: Installing Solaris 11 Express in VirtualBox

Jim Laurent has put together a nice 12 minute screencast on installing Solaris 11 Express in VirtualBox, including how to setup shared folders with the host OS.

The video also covers an important tip, which is that the root password is expired at install time and must be immediately changed. Otherwise, GUI tools prompting for the root password will not work. You can read the details in the release notes: Gksu Does Not Report Expired Password.

Wednesday Nov 03, 2010

FMA

I was about to write a new blog on Solaris' Fault Management Architecture when I realized my friend Bob Netherton has beaten to it by almost 3 years.

We like to tout the benefits of FMA a lot, but it's often hard to demonstrate because you don't want to go around destroying CPUs and memory modules just to see FMA in action. However, by creating a ZFS pool with files as disks, it's quite easy to demonstrate and that's exactly what Bob does in his blog ZFS and FMA - Two great tastes ......

Note, there's also an FMA Demo Kit that you can use to simulate faults to other hardware components, but I haven't played with that myself yet. Other resources I found helpful:

Friday Oct 15, 2010

Associating a PID with a Service

The question of how to associate a process id with a SMF service recently came across an internal alias and I thought it was worth sharing.

Take this generic looking Java process:

bleonard@opensolaris:/system$ ps -fp 949
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root   949   947   0   Oct 11 ?           3:46 /usr/jdk/jdk1.6.0_13/bin/java -Xms4M -Xmx128M -Dcom.sun.management.jmxremote -D

If I'd like to trace back to which SMF service started this process, I start by getting the process' contract ID:

bleonard@opensolaris:/system$ ps -o ctid -p 949
 CTID
   59

I can then use the ctstat command to cross reference the contract ID to the SMF service:

bleonard@opensolaris:/system$ ctstat -vi 59
CTID    ZONEID  TYPE    STATE   HOLDER  EVENTS  QTIME   NTIME   
59      0       process owned   7       0       -       -       
	cookie:                0x20
	informative event set: none
	critical event set:    core signal hwerr empty
	fatal event set:       none
	parameter set:         inherit regent
	member processes:      947 949
	inherited contracts:   none
	service fmri:          svc:/application/management/common-agent-container-1:default
	service fmri ctid:     59
	creator:               svc.startd
	aux:                   start

And just to go full circle:

bleonard@opensolaris:/system$ svcs -lp  common-agent-container-1
fmri         svc:/application/management/common-agent-container-1:default
name         Cacao, a common Java container for JDMK/JMX based management solution
enabled      true
state        online
next_state   none
state_time   Mon Oct 11 12:54:59 2010
logfile      /var/svc/log/application-management-common-agent-container-1:default.log
restarter    svc:/system/svc/restarter:default
contract_id  59 
dependency   require_all/none svc:/system/filesystem/local (online)
dependency   require_all/none svc:/network/initial (online)
process      947 /usr/lib/cacao/lib/tools/launch -w /var/run/cacao/instances/default/run -L 1638
process      949 /usr/jdk/jdk1.6.0_13/bin/java -Xms4M -Xmx128M -Dcom.sun.management.jmxremote -D

For a nice little tutorial on contracts, check out this Contract Subsystem Lab.

Wednesday Oct 06, 2010

IPS Search and Actions

When searching for an IPS package, I usually type something quick and simple like:

bleonard@opensolaris:~$ pkg search netbeans
INDEX      ACTION    VALUE                     PACKAGE
description set       NetBeans                  pkg:/libnb-php@6.5.1-0.111
description set       NetBeans                  pkg:/libnb-groovy@6.5-0.86
description set       NetBeans                  pkg:/netbeans-java@6.5.1-0.111
..

And scroll through the result list hoping to find what I'm looking for. However, in my example above, that's 437 lines!

bleonard@opensolaris:~$ pkg search netbeans | wc -l
437

Often times I'll shorten the list by grepping for my build:

bleonard@opensolaris:~$ pkg search netbeans | grep 111
description set       NetBeans                  pkg:/libnb-php@6.5.1-0.111
description set       NetBeans                  pkg:/netbeans-java@6.5.1-0.111
description set       NetBeans                  pkg:/libnb-visualweb@6.5.1-0.111
...

Which reduces the list down to 134 for this example:

bleonard@opensolaris:~$ pkg search netbeans | grep 111 | wc -l
134

However, I generally tend to ignore the first two columns, INDEX and ACTION. Actions, in the case of IPS, are actually nouns and not verbs as the name would lead you to expect. Actions are the things that get installed (files, directories, links, drivers, licenses, users, groups, etc). Here's a nice description of the Actions in IPS.

When you perform a search, the search string is checked against all of these actions types, which as seen above, can produce a lot of results. For example, 5 of the 134 results above all refer to the same package, pkg:/sunstudioexpress@0.2009.3.1:

bleonard@opensolaris:~$ pkg search netbeans | grep 111 | grep pkg:/sunstudioexpress@0.2009.3.1
basename   dir       opt/SunStudioExpress/prod/nb-dbxtool/ide10/docs/org/netbeans pkg:/sunstudioexpress@0.2009.3.1-0.111
basename   dir       opt/netbeans-6.5ss/ide10/docs/org/netbeans pkg:/sunstudioexpress@0.2009.3.1-0.111
basename   file      opt/SunStudioExpress/prod/nb-dbxtool/bin/netbeans pkg:/sunstudioexpress@0.2009.3.1-0.111
basename   file      opt/netbeans-6.5ss/bin/netbeans pkg:/sunstudioexpress@0.2009.3.1-0.111
basename   link      opt/SunStudioExpress/netbeans pkg:/sunstudioexpress@0.2009.3.1-0.111

That's because the search results are returning 3 directories, 2 files and 1 link, all in the same package, that contain the search string "netbeans".

If you just want to see a list packages that match the search string, use the -p option.

bleonard@opensolaris:~$ pkg search -p netbeans | grep 111 
pkg:/amp-dev@0.5.11-0.111 (opensolaris.org)
pkg:/developer/netbeans/plugin/nb-dtrace@1.0-0.111 (opensolaris.org)
pkg:/developer/sunstudio12u1@12.1.1-0.111 (opensolaris.org)
...

This returns a much more reasonable 60 results with just the package names, making the result list much more easier to read through. I wish -p was the default option, rather than the -a (which shows the matching actions).

About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.

Search

Categories
Archives
« May 2015
SunMonTueWedThuFriSat
     
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
      
Today