
Recent Posts

LDAP

Configuring logging in OUD

OUD has an extremely sophisticated and efficient way of handling the logging activity of the various types of instances (Directory Server, Directory Proxy, etc.). The 'Policies' feature comes in extremely handy, especially for log rotation and log retention. These are the default policies:

# ./dsconfig list-log-rotation-policies --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_HOST_NAME>
Log Rotation Policy                 : Type       : file-size-limit : rotation-interval : time-of-day
------------------------------------:------------:-----------------:-------------------:------------
24 Hours Time Limit Rotation Policy : time-limit : -               : 1 d               : -
7 Days Time Limit Rotation Policy   : time-limit : -               : 1 w               : -
Fixed Time Rotation Policy          : fixed-time : -               : -                 : 2359
Size Limit Rotation Policy          : size-limit : 100 mb          : -                 : -

Whereas the ones for on-line log retention are:

# ./dsconfig list-log-retention-policies --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME>
Log Retention Policy             : Type            : disk-space-used : free-disk-space : number-of-files
---------------------------------:-----------------:-----------------:-----------------:----------------
File Count Retention Policy      : file-count      : -               : -               : 10
Free Disk Space Retention Policy : free-disk-space : -               : 500 mb          : -
Size Limit Retention Policy      : size-limit      : 500 mb          : -               : -

These policies might become a limiting factor in a busy production environment; therefore, we can define custom policies for log retention, based on the number of files and on the disk space utilization:

# ./dsconfig create-log-retention-policy --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME> --policy-name "MY File Count Retention Policy" --type file-count --set number-of-files:50
# ./dsconfig create-log-retention-policy --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME> --policy-name "MY Size Limit Retention Policy" --type size-limit --set disk-space-used:"5 gb"
# ./dsconfig list-log-retention-policies --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME>
Log Retention Policy             : Type            : disk-space-used : free-disk-space : number-of-files
---------------------------------:-----------------:-----------------:-----------------:----------------
File Count Retention Policy      : file-count      : -               : -               : 10
Free Disk Space Retention Policy : free-disk-space : -               : 500 mb          : -
Size Limit Retention Policy      : size-limit      : 500 mb          : -               : -
MY File Count Retention Policy   : file-count      : -               : -               : 50
MY Size Limit Retention Policy   : size-limit      : 5 gb            : -               : -

At this point we will be able to assign them to the various logger types, which, by default, are:

# ./dsconfig list-log-publishers --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME>
Log Publisher             : Type              : enabled
--------------------------:-------------------:--------
File-Based Access Logger  : file-based-access : true
File-Based Admin Logger   : file-based-access : true
File-Based Audit Logger   : file-based-access : false
File-Based Debug Logger   : file-based-debug  : false
File-Based Error Logger   : file-based-error  : true
Oracle Access Logger      : file-based-access : false
Oracle Error Logger       : file-based-error  : false
Replication Repair Logger : file-based-error  : true

We'll make the case of the File-Based Access Logger, which by default has the following configuration:

# ./dsconfig get-log-publisher-prop --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME> --publisher-name "File-Based Access Logger"
Property                       : Value(s)
-------------------------------:-----------------------------------------------
append                         : true
enabled                        : true
log-file                       : logs/access
log-file-permissions           : 640
log-file-use-local-time        : false
mask-passwords                 : true
masked-attribute               : -
masked-suffix                  : -
masking-uses-encryption-config : true
operations-to-log              : synchronization, user
retention-policy               : File Count Retention Policy
rotation-policy                : 24 Hours Time Limit Rotation Policy, Size
                               : Limit Rotation Policy

Note that the retention-policy has only a single value ("File Count Retention Policy") and the rotation-policy has two values ("24 Hours Time Limit Rotation Policy" and "Size Limit Rotation Policy"); at this point we can assign the policies we deem fit for our environment:

# ./dsconfig set-log-publisher-prop --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME> --publisher-name "File-Based Access Logger" --set rotation-policy:"Size Limit Rotation Policy" --set retention-policy:"MY File Count Retention Policy"
# ./dsconfig set-log-publisher-prop --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_DIR_HOST_NAME> --publisher-name "File-Based Access Logger" --add rotation-policy:"Fixed Time Rotation Policy" --add retention-policy:"MY Size Limit Retention Policy"

Note that we first set the multi-valued attribute with the first value (--set replaces whatever was there), and then added the second value with the second command (--add). The final result is:

# dsconfig get-log-publisher-prop --bindDN <DIRECTORY_MANAGER> --bindPasswordFile <DM_PASSWORD_FILE> --no-prompt --port <OUD_DIR_ADMIN_PORT> --hostname <OUD_HOST_NAME> --publisher-name "File-Based Access Logger"
Property                       : Value(s)
-------------------------------:-----------------------------------------------
append                         : true
enabled                        : true
log-file                       : logs/access
log-file-permissions           : 640
log-file-use-local-time        : false
mask-passwords                 : true
masked-attribute               : -
masked-suffix                  : -
masking-uses-encryption-config : true
operations-to-log              : synchronization, user
retention-policy               : MY File Count Retention Policy, MY Size
                               : Limit Retention Policy
rotation-policy                : Fixed Time Rotation Policy, Size Limit
                               : Rotation Policy

That's it! ;-)
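As an added example (not part of the post), a shell review of the dsconfig get-log-publisher-prop output shown above: it re-joins the wrapped multi-valued rows and checks the settings that matter when the access log is evidence (mask-passwords, log-file-permissions, and whether retention is still the 10-file default). DEFAULT_PROPS and TUNED_PROPS are constructed copies of the before and after tables.

```shell
#!/bin/sh
# Added example: review 'dsconfig get-log-publisher-prop' output offline.
# Both tables below are constructed copies of the post's before/after output.

DEFAULT_PROPS='Property                       : Value(s)
-------------------------------:-----------------------------------------------
append                         : true
enabled                        : true
log-file                       : logs/access
log-file-permissions           : 640
log-file-use-local-time        : false
mask-passwords                 : true
masked-attribute               : -
masked-suffix                  : -
masking-uses-encryption-config : true
operations-to-log              : synchronization, user
retention-policy               : File Count Retention Policy
rotation-policy                : 24 Hours Time Limit Rotation Policy, Size
                               : Limit Rotation Policy'

TUNED_PROPS='Property                       : Value(s)
-------------------------------:-----------------------------------------------
enabled                        : true
log-file-permissions           : 640
mask-passwords                 : true
retention-policy               : MY File Count Retention Policy, MY Size
                               : Limit Retention Policy
rotation-policy                : Fixed Time Rotation Policy, Size Limit
                               : Rotation Policy'

# Turn the dsconfig table into "name=value" lines, re-joining the value
# continuation rows (blanks, then ":") onto the property they belong to.
flatten_props() {
    awk -F' : ' '
        /^Property / || /^-+:-+$/ { next }          # header and rule line
        {
            name = $1; sub(/[ \t]+$/, "", name)
            val  = $2; sub(/[ \t]+$/, "", val)
            if (name == "") { cur = cur " " val; next }   # wrapped value
            if (cur != "") print cur
            cur = name "=" val
        }
        END { if (cur != "") print cur }'
}

# prop_value TABLE NAME -> the (joined) value of property NAME
prop_value() {
    printf '%s\n' "$1" | flatten_props | awk -F'=' -v n="$2" '$1 == n { print $2 }'
}

# review_publisher TABLE: print one FINDING line per problem; returns 0
# only when every check passes.
review_publisher() {
    rc=0
    case "$(prop_value "$1" mask-passwords)" in
        true) ;;
        *) echo "FINDING: mask-passwords is not true (bind passwords may end up in the log)"; rc=1 ;;
    esac
    case "$(prop_value "$1" log-file-permissions)" in
        [0-7][0-7]0) ;;    # no permission bits for 'other'
        *) echo "FINDING: log-file-permissions lets other users read the access log"; rc=1 ;;
    esac
    case "$(prop_value "$1" retention-policy)" in
        "File Count Retention Policy"|"-")
            echo "FINDING: retention is still the default (10 files); busy servers lose older entries"; rc=1 ;;
    esac
    return "$rc"
}

# Stand-alone run: the default publisher is flagged, the tuned one passes.
echo "== default publisher =="; review_publisher "$DEFAULT_PROPS" || echo "(problems found)"
echo "== tuned publisher ==";   review_publisher "$TUNED_PROPS" && echo "all checks passed"
```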


Solaris

Zones with latest Java

Java, Solaris 11 and Solaris Zones

Java is seamlessly integrated in the Solaris 11 IPS packaging system, therefore you can use the repository commands to manage the installation and configuration of Java.

Install Java 7 (JRE and JDK):

# pkg install jre-7 jdk-7

Install Java 8 (JRE and JDK):

# pkg install jre-8 jdk-8

Considerations

These commands install the incorporation version of Java defined within the Solaris 11 base version or SRU (Support Repository Update). This version, however, doesn't contain all the latest updates to Java; to receive the latest updates, you need to tell the packaging system that for the Java packages you don't want to be limited to the SRU versions:

# pkg change-facet version-lock.consolidation/java-8/java-8-incorporation=false
# pkg update jre-8 jdk-8
# pkg change-facet version-lock.consolidation/java-7/java-7-incorporation=false
# pkg update jre-7 jdk-7

and this will bring your system up to date with the latest Java version.

FWIW, expanding a bit on this concept, if you need to select the latest Java IPS package from your repository when automating the installation of multiple zones, I've found the following template file helpful:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd.1">
<auto_install>
    <ai_instance name="zone_default">
        <target>
            <logical>
                <zpool name="rpool">
                    <filesystem name="export" mountpoint="/export"/>
                    <filesystem name="export/home"/>
                    <be name="solaris">
                        <options>
                            <option name="compression" value="on"/>
                        </options>
                    </be>
                </zpool>
            </logical>
        </target>
        <software type="IPS">
            <destination>
                <image>
                    <!-- Specify locales to install -->
                    <facet set="false">facet.locale.*</facet>
                    <facet set="false">facet.locale.de</facet>
                    <facet set="false">facet.locale.de_DE</facet>
                    <facet set="true">facet.locale.en</facet>
                    <facet set="true">facet.locale.en_US</facet>
                    <facet set="false">facet.locale.es</facet>
                    <facet set="false">facet.locale.es_ES</facet>
                    <facet set="false">facet.locale.fr</facet>
                    <facet set="false">facet.locale.fr_FR</facet>
                    <facet set="false">facet.locale.it</facet>
                    <facet set="false">facet.locale.it_IT</facet>
                    <facet set="false">facet.locale.ja</facet>
                    <facet set="false">facet.locale.ja_*</facet>
                    <facet set="false">facet.locale.ko</facet>
                    <facet set="false">facet.locale.ko_*</facet>
                    <facet set="false">facet.locale.pt</facet>
                    <facet set="false">facet.locale.pt_BR</facet>
                    <facet set="false">facet.locale.zh</facet>
                    <facet set="false">facet.locale.zh_CN</facet>
                    <facet set="false">facet.locale.zh_TW</facet>
                    <!-- Don't install the documentation -->
                    <facet set="false">facet.doc</facet>
                    <facet set="false">facet.doc.*</facet>
                    <!-- Unlock the latest Java on IPS -->
                    <facet set="false">facet.version-lock.consolidation/java-7/java-7-incorporation</facet>
                </image>
            </destination>
            <!-- Install required software packages: -->
            <software_data action="install">
                <name>pkg:/group/system/solaris-small-server</name>
                <name>pkg:/system/locale</name>
                <name>pkg:/editor/vim</name>
                <name>pkg:/text/gnu-sed</name>
                <name>pkg:/network/telnet</name>
                <name>pkg:/developer/java/jdk-7</name>
                <name>pkg:/system/fault-management/snmp-notify</name>
            </software_data>
        </software>
    </ai_instance>
</auto_install>

This allows you to unlock the facet for your Java installation directly during the zone creation.
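An added consistency check for the manifest above (not from the post): it lists the Java versions requested under software_data and verifies that each one has its version-lock facet unlocked, so a template edited from jdk-7 to jdk-8 does not silently fall back to the SRU-pinned Java. MANIFEST is a shortened, constructed copy of the template that deliberately adds jdk-8 without the matching facet.

```shell
#!/bin/sh
# Added example: does every Java package in an AI manifest have its
# version-lock facet unlocked? MANIFEST is a constructed, shortened copy
# of the post's template with a jdk-8 entry added and no java-8 facet.

MANIFEST='<?xml version="1.0" encoding="UTF-8"?>
<auto_install>
  <ai_instance name="zone_default">
    <software type="IPS">
      <destination><image>
        <facet set="false">facet.doc</facet>
        <facet set="false">facet.version-lock.consolidation/java-7/java-7-incorporation</facet>
      </image></destination>
      <software_data action="install">
        <name>pkg:/group/system/solaris-small-server</name>
        <name>pkg:/developer/java/jdk-7</name>
        <name>pkg:/developer/java/jdk-8</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>'

# java_versions MANIFEST -> the N of every pkg:/developer/java/jdk-N or jre-N
java_versions() {
    printf '%s\n' "$1" \
      | sed -n 's#.*<name>pkg:/developer/java/j[dr][ke]-\([0-9][0-9]*\)</name>.*#\1#p' \
      | sort -u
}

# facet_unlocked MANIFEST N -> 0 when the java-N version-lock facet is set to false
facet_unlocked() {
    printf '%s\n' "$1" | grep -qF \
      "<facet set=\"false\">facet.version-lock.consolidation/java-$2/java-$2-incorporation</facet>"
}

# check_java_facets MANIFEST -> one line per Java version; returns 1 if any
# requested version is still pinned by its incorporation.
check_java_facets() {
    rc=0
    for v in $(java_versions "$1"); do
        if facet_unlocked "$1" "$v"; then
            echo "java-$v: version-lock facet unlocked, latest package will be selected"
        else
            echo "java-$v: version-lock facet NOT unlocked, SRU-pinned version will be installed"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: java-7 passes, java-8 is reported.
check_java_facets "$MANIFEST" || echo "(manifest needs a fix)"
```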


Solaris

Renaming a zone and changing the mountpoint

Zones are great, since they allow you to run and manage all of your applications in isolated containers... but sometimes, just at the end of the entire installation, you realize that you could probably have picked better naming conventions for the zones and for the zpools/datasets. So you start scratching your head, repeating to yourself that reinstalling everything from scratch is not an option... So, here's the scenario: my zones are both hosted on a zpool named BADPOOL, which I'm going to rename to ZonesPool:

# zpool list
NAME       SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
BADPOOL   15.9G  5.87G  10.0G  36%  1.00x  ONLINE  -
rpool     63.5G  16.8G  46.7G  26%  1.00x  ONLINE  -
# zfs list |grep BADPOOL
BADPOOL                                          5.87G  9.76G    31K  legacy
BADPOOL/old                                      2.93G  9.76G    32K  /zones/old
BADPOOL/old/rpool                                2.93G  9.76G    31K  /rpool
BADPOOL/old/rpool/ROOT                           1.93G  9.76G    31K  legacy
BADPOOL/old/rpool/ROOT/solaris-15                1.93G  9.76G  1.73G  /zones/old/root
BADPOOL/old/rpool/ROOT/solaris-15/var             206M  9.76G   206M  /zones/old/root/var
BADPOOL/old/rpool/VARSHARE                       1.13M  9.76G  1.07M  /var/share
BADPOOL/old/rpool/VARSHARE/pkg                     63K  9.76G    32K  /var/share/pkg
BADPOOL/old/rpool/VARSHARE/pkg/repositories        31K  9.76G    31K  /var/share/pkg/repositories
BADPOOL/old/rpool/app                            1022M  9.76G  1022M  /app
BADPOOL/old/rpool/export                          120K  9.76G    32K  /export
BADPOOL/old/rpool/export/home                      88K  9.76G  55.5K  /export/home
BADPOOL/old/rpool/export/home/admin              32.5K  9.76G  32.5K  /export/home/admin
BADPOOL/bad                                      2.94G  9.76G    32K  /zones/bad
BADPOOL/bad/rpool                                2.94G  9.76G    31K  /rpool
BADPOOL/bad/rpool/ROOT                           1.92G  9.76G    31K  legacy
BADPOOL/bad/rpool/ROOT/solaris-15                1.92G  9.76G  1.72G  /zones/bad/root
BADPOOL/bad/rpool/ROOT/solaris-15/var             204M  9.76G   204M  /zones/bad/root/var
BADPOOL/bad/rpool/VARSHARE                       1.13M  9.76G  1.07M  /var/share
BADPOOL/bad/rpool/VARSHARE/pkg                     63K  9.76G    32K  /var/share/pkg
BADPOOL/bad/rpool/VARSHARE/pkg/repositories        31K  9.76G    31K  /var/share/pkg/repositories
BADPOOL/bad/rpool/app                            1.02G  9.76G  1.02G  /app
BADPOOL/bad/rpool/export                          110K  9.76G    32K  /export
BADPOOL/bad/rpool/export/home                    78.5K  9.76G    46K  /export/home
BADPOOL/bad/rpool/export/home/admin              32.5K  9.76G  32.5K  /export/home/admin

The current zone names are old and bad, and I'd like to rename them to this and that; first of all, of course, the zones should at least be down:

# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - old              installed   /zones/old                   solaris    shared
   - bad              installed   /zones/bad                   solaris    shared

Now, let's first deal with the zpool part. In ZFS there's no way of renaming a zpool which is already 'imported'; the only way to do that is to export the pool and re-import it with the new, correct name:

# zpool list BADPOOL
NAME       SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
BADPOOL   15.9G  5.87G  10.0G  36%  1.00x  ONLINE  -
# zpool export BADPOOL
# zpool import BADPOOL ZonesPool
# zpool list ZonesPool
NAME         SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
ZonesPool   15.9G  5.87G  10.0G  36%  1.00x  ONLINE  -

And that was easy ;-) But the various datasets still reflect the previous naming, with the old and bad names and mountpoints:

# zfs list |grep ZonesPool
NAME                                               USED  AVAIL  REFER  MOUNTPOINT
ZonesPool                                         5.87G  9.76G    31K  legacy
ZonesPool/old                                     2.93G  9.76G    32K  /zones/old
ZonesPool/old/rpool                               2.93G  9.76G    31K  /rpool
ZonesPool/old/rpool/ROOT                          1.93G  9.76G    31K  legacy
ZonesPool/old/rpool/ROOT/solaris-15               1.93G  9.76G  1.73G  /
ZonesPool/old/rpool/ROOT/solaris-15/var            206M  9.76G   206M  /var
ZonesPool/old/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/old/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/old/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/old/rpool/app                           1022M  9.76G  1022M  /app
ZonesPool/old/rpool/export                         120K  9.76G    32K  /export
ZonesPool/old/rpool/export/home                     88K  9.76G  55.5K  /export/home
ZonesPool/old/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin
ZonesPool/bad                                     2.94G  9.76G    32K  /zones/bad
ZonesPool/bad/rpool                               2.94G  9.76G    31K  /rpool
ZonesPool/bad/rpool/ROOT                          1.92G  9.76G    31K  legacy
ZonesPool/bad/rpool/ROOT/solaris-15               1.92G  9.76G  1.72G  /
ZonesPool/bad/rpool/ROOT/solaris-15/var            204M  9.76G   204M  /var
ZonesPool/bad/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/bad/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/bad/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/bad/rpool/app                           1.02G  9.76G  1.02G  /app
ZonesPool/bad/rpool/export                         110K  9.76G    32K  /export
ZonesPool/bad/rpool/export/home                   78.5K  9.76G    46K  /export/home
ZonesPool/bad/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin

So we need to rename the datasets:

# zfs rename ZonesPool/old ZonesPool/this
# zfs rename ZonesPool/bad ZonesPool/that
# zfs list |grep ZonesPool
NAME                                                USED  AVAIL  REFER  MOUNTPOINT
ZonesPool                                          5.87G  9.76G    31K  legacy
ZonesPool/this                                     2.93G  9.76G    32K  /zones/old
ZonesPool/this/rpool                               2.93G  9.76G    31K  /rpool
ZonesPool/this/rpool/ROOT                          1.93G  9.76G    31K  legacy
ZonesPool/this/rpool/ROOT/solaris-15               1.93G  9.76G  1.73G  /
ZonesPool/this/rpool/ROOT/solaris-15/var            206M  9.76G   206M  /var
ZonesPool/this/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/this/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/this/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/this/rpool/app                           1022M  9.76G  1022M  /app
ZonesPool/this/rpool/export                         120K  9.76G    32K  /export
ZonesPool/this/rpool/export/home                     88K  9.76G  55.5K  /export/home
ZonesPool/this/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin
ZonesPool/that                                     2.94G  9.76G    32K  /zones/bad
ZonesPool/that/rpool                               2.94G  9.76G    31K  /rpool
ZonesPool/that/rpool/ROOT                          1.92G  9.76G    31K  legacy
ZonesPool/that/rpool/ROOT/solaris-15               1.92G  9.76G  1.72G  /
ZonesPool/that/rpool/ROOT/solaris-15/var            204M  9.76G   204M  /var
ZonesPool/that/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/that/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/that/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/that/rpool/app                           1.02G  9.76G  1.02G  /app
ZonesPool/that/rpool/export                         110K  9.76G    32K  /export
ZonesPool/that/rpool/export/home                   78.5K  9.76G    46K  /export/home
ZonesPool/that/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin

As well as the mount points:

# zfs set mountpoint=/zones/this ZonesPool/this
# zfs set mountpoint=/zones/that ZonesPool/that
# zfs list |grep ZonesPool
NAME                                                USED  AVAIL  REFER  MOUNTPOINT
ZonesPool                                          5.87G  9.76G    31K  legacy
ZonesPool/this                                     2.93G  9.76G    32K  /zones/this
ZonesPool/this/rpool                               2.93G  9.76G    31K  /rpool
ZonesPool/this/rpool/ROOT                          1.93G  9.76G    31K  legacy
ZonesPool/this/rpool/ROOT/solaris-15               1.93G  9.76G  1.73G  /
ZonesPool/this/rpool/ROOT/solaris-15/var            206M  9.76G   206M  /var
ZonesPool/this/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/this/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/this/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/this/rpool/app                           1022M  9.76G  1022M  /app
ZonesPool/this/rpool/export                         120K  9.76G    32K  /export
ZonesPool/this/rpool/export/home                     88K  9.76G  55.5K  /export/home
ZonesPool/this/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin
ZonesPool/that                                     2.94G  9.76G    32K  /zones/that
ZonesPool/that/rpool                               2.94G  9.76G    31K  /rpool
ZonesPool/that/rpool/ROOT                          1.92G  9.76G    31K  legacy
ZonesPool/that/rpool/ROOT/solaris-15               1.92G  9.76G  1.72G  /
ZonesPool/that/rpool/ROOT/solaris-15/var            204M  9.76G   204M  /var
ZonesPool/that/rpool/VARSHARE                      1.13M  9.76G  1.07M  /var/share
ZonesPool/that/rpool/VARSHARE/pkg                    63K  9.76G    32K  /var/share/pkg
ZonesPool/that/rpool/VARSHARE/pkg/repositories       31K  9.76G    31K  /var/share/pkg/repositories
ZonesPool/that/rpool/app                           1.02G  9.76G  1.02G  /app
ZonesPool/that/rpool/export                         110K  9.76G    32K  /export
ZonesPool/that/rpool/export/home                   78.5K  9.76G    46K  /export/home
ZonesPool/that/rpool/export/home/admin             32.5K  9.76G  32.5K  /export/home/admin

Now that we have the filesystems in place, we still need to 'refine' the zones, since the zones configuration still carries the old names and definitions:

# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - old              installed   /zones/old                   solaris    shared
   - bad              installed   /zones/bad                   solaris    shared
# zoneadm -z old rename this
# zoneadm -z bad rename that
# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - this             installed   /zones/old                   solaris    shared
   - that             installed   /zones/bad                   solaris    shared

After changing the names of the zones, we now have to change their PATH; but this operation, too, cannot be done while the zone is in the 'installed' state and attached to a live system, therefore we first have to forcibly detach the zones (we need the -F option to force the detach, since the dataset on which the zone was built is not there anymore):

# zoneadm -z this detach -F
# zoneadm -z that detach -F
# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - this             configured  /zones/old                   solaris    shared
   - that             configured  /zones/bad                   solaris    shared

Now that both zones are detached, we can change the zone path:

# zonecfg -z this info zonepath
zonepath: /zones/old
# zonecfg -z that info zonepath
zonepath: /zones/bad
# zonecfg -z this set zonepath=/zones/this
# zonecfg -z that set zonepath=/zones/that
# zonecfg -z this info zonepath
zonepath: /zones/this
# zonecfg -z that info zonepath
zonepath: /zones/that

And verify that the change has been made correctly; the zones are (of course) still in the 'configured' state:

# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - this             configured  /zones/this                  solaris    shared
   - that             configured  /zones/that                  solaris    shared

We're now ready to re-attach the zones to the live system:

# zoneadm -z this attach
Progress being logged to /var/log/zones/zoneadm.20160426T151603Z.this.attach
    Installing: Using existing zone boot environment
      Zone BE root dataset: FE/this/rpool/ROOT/solaris-15
                     Cache: Using /var/pkg/publisher.
  Updating non-global zone: Linking to image /.
Processing linked: 1/1 done
  Updating non-global zone: Auditing packages.
No updates necessary for this image. (zone:this)
  Updating non-global zone: Zone updated.
                    Result: Attach Succeeded.
Log saved in non-global zone as /zones/this/root/var/log/zones/zoneadm.20160426T151603Z.this.attach
# zoneadm -z that attach
Progress being logged to /var/log/zones/zoneadm.20160426T153312Z.that.attach
    Installing: Using existing zone boot environment
      Zone BE root dataset: FE/that/rpool/ROOT/solaris-15
                     Cache: Using /var/pkg/publisher.
  Updating non-global zone: Linking to image /.
Processing linked: 1/1 done
  Updating non-global zone: Auditing packages.
No updates necessary for this image. (zone:that)
  Updating non-global zone: Zone updated.
                    Result: Attach Succeeded.
Log saved in non-global zone as /zones/that/root/var/log/zones/zoneadm.20160426T153312Z.that.attach
# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - this             installed   /zones/this                  solaris    shared
   - that             installed   /zones/that                  solaris    shared

Finally, we need to boot the zones:

# zoneadm -z this boot
# zoneadm -z that boot
# zoneadm list -civ
  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   6 this             running     /zones/this                  solaris    shared
   7 that             running     /zones/that                  solaris    shared
# zlogin this zonename
this
# zlogin that zonename
that

And this concludes our journey through zones, zpools and datasets ;-)
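The per-zone part of the rename sequence above, wrapped as a shell function with a pre-flight check (an added example, not from the post): it parses zoneadm list -civ output, refuses a zone that is not in the 'installed' state, and with RUN=echo prints the commands instead of running them. It assumes the zpool export/import has already been done, and ZONE_LIST is a constructed copy of the listing shown in the post.

```shell
#!/bin/sh
# Added example: guarded, dry-runnable version of the zone rename steps.
# Set RUN=echo to print the zfs/zoneadm/zonecfg commands instead of
# executing them; leave it empty on a real system.
RUN=${RUN:-}

# Constructed 'zoneadm list -civ' output, as in the post before the rename.
ZONE_LIST='  ID NAME             STATUS      PATH                         BRAND      IP
   0 global           running     /                            solaris    shared
   - old              installed   /zones/old                   solaris    shared
   - bad              installed   /zones/bad                   solaris    shared'

# zone_state LISTING NAME -> the STATUS column of zone NAME (empty if absent)
zone_state() {
    printf '%s\n' "$1" | awk -v z="$2" 'NR > 1 && $2 == z { print $3; exit }'
}

# zone_path LISTING NAME -> the PATH column of zone NAME
zone_path() {
    printf '%s\n' "$1" | awk -v z="$2" 'NR > 1 && $2 == z { print $4; exit }'
}

# rename_zone LISTING POOL OLD NEW
# Renames dataset, mountpoint, zone name and zonepath in the order used in
# the post, then re-attaches and boots. Returns 1 without running anything
# when the zone is missing or not halted ('installed'): a running zone
# cannot be detached, and a wrong name must not get half-renamed.
rename_zone() {
    listing=$1 pool=$2 old=$3 new=$4
    state=$(zone_state "$listing" "$old")
    case "$state" in
        installed) ;;
        "") echo "refusing: zone '$old' not found" >&2; return 1 ;;
        *)  echo "refusing: zone '$old' is '$state', halt it first" >&2; return 1 ;;
    esac
    $RUN zfs rename "$pool/$old" "$pool/$new"            || return 1
    $RUN zfs set mountpoint="/zones/$new" "$pool/$new"   || return 1
    $RUN zoneadm -z "$old" rename "$new"                 || return 1
    $RUN zoneadm -z "$new" detach -F                     || return 1
    $RUN zonecfg -z "$new" set zonepath="/zones/$new"    || return 1
    $RUN zoneadm -z "$new" attach                        || return 1
    $RUN zoneadm -z "$new" boot                          || return 1
}

# Stand-alone demo: dry-run the plan for the two zones in the post.
RUN=echo rename_zone "$ZONE_LIST" ZonesPool old this
RUN=echo rename_zone "$ZONE_LIST" ZonesPool bad that
```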


Solaris

Sendmail SMF services in Solaris

Sendmail SMF services in Solaris With the latest versions of Solaris (10u6 and 11.x) the classic sendmail program has been split in two separate daemons root@host1 # svcs -a |grep sendmailonline         20:31:17 svc:/network/smtp:sendmailonline         20:33:53 svc:/network/sendmail-client:default root@host1 # svcs -p smtp:sendmail sendmail-client:defaultSTATE          STIME    FMRIonline         20:31:17 svc:/network/smtp:sendmail               20:31:18    24564 sendmailonline         20:33:53 svc:/network/sendmail-client:default               20:33:53    24574 sendmailroot@host1 # ps -aef|grep sendmail    root 24595 24233   0 21:01:37 pts/1       0:00 grep sendmail    root 24564     1   0 20:31:18 ?           0:00 /usr/lib/inet/sendmail -bd -q15m   smmsp 24574     1   0 20:33:54 ?           0:00 /usr/lib/inet/sendmail -Ac -q15m The first one is the real Message Transfer Agent (MTA), whereas the second one handles the client queues used by the local Message Submission Programs (MSP). In an ideal world, with all the internet hosts up and running, and with all the connections between them working properly, the difference by these two instances won't be so immediate, but what happens in the real world? In the real world, it could simply happen that the MTA program could be down for some reason (scheduled maintenance or unexpected issues): root@host1 # svcadm disable smtp:sendmail sendmail-clientroot@host1 # svcs -a |grep -i sendmaildisabled       21:27:33 svc:/network/smtp:sendmaildisabled       21:27:33 svc:/network/sendmail-client:default but a generic MSPs (like mail or mailx) could still be allowed to submit the email: root@host1 # mailq -Ac/var/spool/clientmqueue is empty                Total requests: 0root@host1 # echo "Test message with mailx." | mailx -s "Test with both DOWN" user1@host1user1@host1... Connecting to [127.0.0.1] via relay...user1@host1... Deferred: Connection refused by [127.0.0.1]root@host1 # echo "Test message with mailx." 
| mailx -s "Test with both DOWN" user2@host2
user2@host2... Connecting to [127.0.0.1] via relay...
user2@host2... Deferred: Connection refused by [127.0.0.1]

But in this case, since the MTA cannot deliver the message, the email is kept in the MTA-client queue:

root@host1 # mailq -Ac
                /var/spool/clientmqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u3CJUgsu024771       25 Tue Apr 12 21:30 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user1@host1
u3CJTMqr024760       25 Tue Apr 12 21:29 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user2@host2
                Total requests: 2

At this point, even if we enable the MTA and check the queues again, we will still see the same messages queued:

root@host1 # svcadm enable smtp:sendmail
root@host1 # svcs -a | grep sendmail
disabled       21:27:33 svc:/network/sendmail-client:default
online         21:32:54 svc:/network/smtp:sendmail
root@host1 # mailq -Ac
                /var/spool/clientmqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u3CJUgsu024771       25 Tue Apr 12 21:30 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user1@host1
u3CJTMqr024760       25 Tue Apr 12 21:29 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user2@host2
                Total requests: 2

The difference is that if we now try to send email messages, they will be delivered immediately, both locally and remotely:

root@host1 # echo "Test message with mailx." | mailx -s "Test smtp:sendmail UP and sendmail-client DOWN" user1@host1
root@host1 # echo "Test message with mailx." | mailx -s "Test smtp:sendmail UP and sendmail-client DOWN" user2@host2

user1@host1 will see:

user1@host1 $ mail
From root@host1 Tue Apr 12 22:20:33 2016
Date: Tue, 12 Apr 2016 22:20:32 +0200 (CEST)
From: Super-User <root@host1>
Message-Id: <201604122020.u3CKKWP5024867@host1>
To: user1@host1
Subject: Test smtp:sendmail UP and sendmail-client DOWN
Content-Length: 25

Test message with mailx.

? d
user1@host1 $

and the same thing will happen for user2@host2:

user2@host2 $ mail
From root@host1 Tue Apr 12 22:20:39 2016
Date: Tue, 12 Apr 2016 22:20:38 +0200 (CEST)
From: Super-User <root@host1>
Message-Id: <201604122020.u3CKKcmI024873@host1>
To: user2@host2
Subject: Test smtp:sendmail UP and sendmail-client DOWN
Content-Length: 25

Test message with mailx.

? d
user2@host2 $

but the messages submitted previously will still be in the client mail queue:

root@host1 # mailq -Ac
                /var/spool/clientmqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u3CJUgsu024771       25 Tue Apr 12 21:30 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user1@host1
u3CJTMqr024760       25 Tue Apr 12 21:29 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user2@host2
                Total requests: 2

Only if we enable the service which takes care of the client queue will these emails be delivered:

root@host1 # svcadm enable sendmail-client
root@host1 # svcadm refresh sendmail-client
root@host1 # mailq -Ac
/var/spool/clientmqueue is empty
                Total requests: 0
root@host1 #

And we can get a confirmation from the two users:

user1@host1 $ mail
From root@host1 Tue Apr 12 21:31:48 2016
Date: Tue, 12 Apr 2016 21:29:22 +0200 (CEST)
From: Super-User <root@host1>
Message-Id: <201604121930.u3CJUgsu024771@host1>
To: user1@host1
Subject: Test with both DOWN
Content-Length: 25

Test message with mailx.

?

and:

user2@host2 $ mail
From root@host1 Tue Apr 12 21:31:48 2016
Date: Tue, 12 Apr 2016 21:29:22 +0200 (CEST)
From: Super-User <root@host1>
Message-Id: <201604121929.u3CJTMqr024760@host1>
To: user2@host2
Subject: Test with both DOWN
Content-Length: 25

Test message with mailx.

?
...

Piece of cake ;-)
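The two observations the post makes by hand (svcs -a | grep sendmail and mailq -Ac) can be combined into one check. The script below is an added example, not code from the post: it reads the output of those two commands from files and reports when messages are parked in /var/spool/clientmqueue while svc:/network/sendmail-client is not online, the state in which nothing will ever drain them. The sample outputs are constructed from the shape of the sessions above.

```shell
#!/bin/sh
# Added example, not from the post: detect mail stuck in the client queue.
# Inputs are files holding "svcs -a" and "mailq -Ac" output; samples are
# constructed below.

# smf_state SVCSFILE FMRI_PART: state column of the first "svcs -a" line
# whose FMRI contains FMRI_PART (online, disabled, ...), or "absent".
smf_state() {
    awk -v f="$2" 'index($3, f) { print $1; found = 1; exit }
                   END { if (!found) print "absent" }' "$1"
}

# clientmqueue_requests MAILQFILE: the N from the "Total requests: N" line.
clientmqueue_requests() {
    awk '/Total requests:/ { print $NF; exit }' "$1"
}

# deferred_recipients MAILQFILE: one recipient per deferred message, i.e.
# the single-field address line that follows a "(Deferred: ...)" line.
deferred_recipients() {
    awk '/\(Deferred:/ { pending = 1; next }
         pending && NF == 1 { print $1 }
         { pending = 0 }' "$1"
}

# check_client_queue SVCSFILE MAILQFILE: returns 0 when nothing is stuck,
# 1 (with an explanation) when messages are queued and sendmail-client is
# not online. The MTA state is printed too, because an online
# smtp:sendmail does not empty this queue, as the post shows.
check_client_queue() {
    _client=$(smf_state "$1" sendmail-client)
    _mta=$(smf_state "$1" smtp:sendmail)
    _n=$(clientmqueue_requests "$2")
    echo "smtp:sendmail=$_mta sendmail-client=$_client clientmqueue=${_n:-0}"
    if [ "${_n:-0}" -gt 0 ] && [ "$_client" != online ]; then
        echo "STUCK: ${_n} message(s) queued and sendmail-client is $_client; fix: svcadm enable sendmail-client"
        deferred_recipients "$2" | sed 's/^/  waiting: /'
        return 1
    fi
    return 0
}

# Constructed samples in the format of the sessions above.
sample_svcs() {
    cat > "$1" <<'EOF'
disabled       21:27:33 svc:/network/sendmail-client:default
online         21:32:54 svc:/network/smtp:sendmail
EOF
}
sample_mailq() {
    cat > "$1" <<'EOF'
                /var/spool/clientmqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
u3CJUgsu024771       25 Tue Apr 12 21:30 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user1@host1
u3CJTMqr024760       25 Tue Apr 12 21:29 root
                 (Deferred: Connection refused by [127.0.0.1])
                                         user2@host2
                Total requests: 2
EOF
}
sample_mailq_empty() {
    cat > "$1" <<'EOF'
/var/spool/clientmqueue is empty
                Total requests: 0
EOF
}

# Stand-alone run against the constructed samples.
_d=$(mktemp -d)
sample_svcs "$_d/svcs"
sample_mailq "$_d/mailq"
check_client_queue "$_d/svcs" "$_d/mailq" || echo "exit status $? (1 = stuck)"
rm -rf "$_d"
```

On a real host the two files would simply be the redirected output of svcs -a and mailq -Ac; the check is cheap enough to run from cron and page on a non-zero exit.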


Solaris

Remote Desktop from Solaris to Windows

I needed to reach a Windows machine from my Solaris 10 box via the Remote Desktop protocol, so I started by downloading the latest version (1.7.1 at the time this article is being written) from the main site: http://www.rdesktop.org/

Once I had uncompressed the zip file into a new directory and started with the "usual" ./configure; make; make install series of commands, I found that the OpenSSL libraries were not in the default location:

# ./configure
checking build system type... sparc-sun-solaris2.10
checking host system type... sparc-sun-solaris2.10
checking for gcc... gcc
checking whether the C compiler works... yes
[...]
checking for OpenSSL directory... Not found
ERROR: Could not find OpenSSL headers/libraries.
To specify a path manually, use the --with-openssl option.
#

Basically this error message was generated by the configure and configure.ac scripts, because with this configuration the 'make' command is not able to find the ssl.h header file:

checkssldir() { :
    if test -f "$1/include/openssl/ssl.h"; then
        ssldir="$1"
        return 0
    fi
    return 1
}

On my machine ssl.h is provided by the SUNWopenssl package:

# grep openssl\/ssl.h /var/sadm/install/contents
/usr/sfw/include/openssl/ssl.h f none 0644 root bin 78675 16429 1331248219 SUNWopenssl-include

So I just needed to pass the /usr/sfw/include directory to the configure command:

/Software/dev/rdesktop-1.7.1 # ./configure --prefix=/usr/sfw --with-openssl=/usr/sfw
/Software/dev/rdesktop-1.7.1 # make
/Software/dev/rdesktop-1.7.1 # make install

And it worked like a charm!
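The checkssldir() test above only looks for the header, so a prefix that carries SUNWopenssl-include but not the matching libraries would be accepted and fail later at link time. The probe below is an added example, not rdesktop's own code: it applies the same include/openssl/ssl.h test to a list of candidate prefixes, additionally requires lib/libssl.so*, and says which half is missing. The directory layout it checks is constructed in a temporary directory so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not rdesktop's code: find a usable OpenSSL prefix the way
# the configure script's checkssldir() does, but also require the shared
# library, so a header-only package is reported instead of accepted.

# openssl_prefix_status PREFIX: prints ok, no-header, no-library or missing.
openssl_prefix_status() {
    _p=$1
    _hdr=no
    _lib=no
    if [ -f "$_p/include/openssl/ssl.h" ]; then _hdr=yes; fi
    if ls "$_p/lib"/libssl.so* >/dev/null 2>&1; then _lib=yes; fi
    case "$_hdr$_lib" in
        yesyes) echo ok ;;
        noyes)  echo no-header ;;
        yesno)  echo no-library ;;
        *)      echo missing ;;
    esac
}

# find_openssl_prefix PREFIX...: prints the first prefix whose status is
# "ok" and returns 0; returns 1 when none qualifies.
find_openssl_prefix() {
    for _p in "$@"; do
        if [ "$(openssl_prefix_status "$_p")" = ok ]; then
            printf '%s\n' "$_p"
            return 0
        fi
    done
    return 1
}

# demo_layout DIR: constructed layout with one complete prefix ("full",
# standing in for /usr/sfw) and one header-only prefix ("hdronly").
demo_layout() {
    mkdir -p "$1/full/include/openssl" "$1/full/lib" "$1/hdronly/include/openssl"
    : > "$1/full/include/openssl/ssl.h"
    : > "$1/full/lib/libssl.so.0.9.8"
    : > "$1/hdronly/include/openssl/ssl.h"
}

# Stand-alone run: print the flag to hand to ./configure, as the post did.
_d=$(mktemp -d)
demo_layout "$_d"
if _found=$(find_openssl_prefix "$_d/nowhere" "$_d/hdronly" "$_d/full"); then
    echo "./configure --with-openssl=$_found"
else
    echo "no usable OpenSSL prefix found" >&2
fi
rm -rf "$_d"
```

On a Solaris 10 box the candidate list would typically be /usr, /usr/sfw and /usr/local; the value printed is exactly what --with-openssl expects, the prefix itself rather than its include directory.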


Solaris

trackerd

I've upgraded my laptop to the latest Oracle Solaris 11 Express (snv_151a X86) and at first glance I have to say that it seems a good step forward compared to my previous OpenSolaris... but...

Like all good nerds, I was exploring the new system, playing with configurations and installing the typical nerd software I need, when I stumbled on a process (eating a lot of CPU and RAM): /usr/bin/trackerd, which I had never seen on my previous OpenSolaris installation... Nothing special, it is not a virus or an E.T.: it is just the default GNOME indexing/tracking tool, which from this release is installed and enabled by default:

root@vesuvio:~# pkg info tracker
          Name: library/desktop/search/tracker
       Summary: Desktop search tool
   Description: Desktop search tool
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
        Branch: 0.151.0.1
Packaging Date: Fri Nov 05 05:52:57 2010
          Size: 3.09 MB
          FMRI: pkg://solaris/library/desktop/search/tracker@0.5.11,5.11-0.151.0.1:20101105T055257Z
root@vesuvio:~#

Since I'm very conscious about my CPU clock cycles/RAM bits, and my nerd software doesn't like the CPU/MEM spikes that could easily be triggered by that software, I simply removed the package:

root@vesuvio:~# pkg uninstall tracker
                Packages to remove:     1
           Create boot environment:    No
               Services to restart:     2
PHASE                                        ACTIONS
Removal Phase                                373/373

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2
root@vesuvio:~#

I admit that this solution may sound a bit 'extreme', but I really don't like/use this piece of software. I do not like that kind of program running in the background, browsing and crawling the directories of your HD to index the content of your documents, pictures, emails etc. This could be a nice feature to have on an average end-user desktop/workstation, not on a laptop that I mainly use as my nerd-lab test bench ;-)

People interested in using this tool can find plenty of ways of throttling down the CPU/MEM resources, excluding directories or assigning specific paths to monitor, etc.: see the Tracker Project home page on GNOME and the HOWTO that explains how to customize the tracker daemon's behaviour.


LDAP

Oracle Directory Server Enterprise Edition on OpenSolaris b150, with DSCC7 in bundled Tomcat6

Objective: Install Oracle Directory Server Enterprise Edition (ODSEE11g) and DSCC7 on OpenSolaris without using privileged users.

Since we'll run the Directory Server instances unprivileged, let's create a group:

mm206378@vesuvio:~$ pfexec groupadd -g 389 oragrp

and a user with a password, so that it will be able to log in:

mm206378@vesuvio:~$ pfexec useradd -u 389 -g oragrp -d /opt/dsee7 oradir
mm206378@vesuvio:~$ pfexec passwd oradir
New Password: ********
Re-enter new Password: ********
passwd: password successfully changed for oradir
mm206378@vesuvio:~$

Since this user should be able to manage network services on privileged ports (TCP < 1024), we shall explicitly grant this privilege:

mm206378@vesuvio:~$ pfexec usermod -K defaultpriv=basic,net_privaddr oradir

This test machine (my laptop, hostname 'vesuvio') has only one internal disk, so I won't be creating any dedicated zpool to host binaries and/or Directory Server instances. To ensure logical separation, we'll just create the datasets to isolate the deployment:

mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7 rpool/dsee7-bin
mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7/var rpool/dsee7-var

and change the ownership of these datasets to user oradir:

mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/
/opt/dsee7/:
total 5
drwxr-xr-x 3 root root 3 2010-11-12 00:12 .
drwxr-xr-x 2 root root 2 2010-11-12 00:12 var
drwxr-xr-x 8 root sys  8 2010-11-11 23:48 ..

/opt/dsee7/var:
total 3
drwxr-xr-x 3 root root 3 2010-11-12 00:12 ..
drwxr-xr-x 2 root root 2 2010-11-12 00:12 .
mm206378@vesuvio:~$ pfexec chown -R oradir:oragrp /opt/dsee7/
mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/
/opt/dsee7/:
total 5
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 .
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 var
drwxr-xr-x 8 root   sys    8 2010-11-11 23:48 ..

/opt/dsee7/var:
total 3
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 ..
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 .
mm206378@vesuvio:~$

Uncompress the packages:

mm206378@vesuvio:~$ pfexec su - oradir
Oracle Corporation    SunOS 5.11    snv_150    October 2010
oradir@vesuvio:~$ pwd
/opt/dsee7
oradir@vesuvio:~$ ls -tlra
total 11
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
drwxr-xr-x   3 oradir   oragrp         4 Nov 12 00:41 .
-rw-------   1 oradir   oragrp        18 Nov 12 00:41 .sh_history
oradir@vesuvio:~$ mkdir inst && cd inst
oradir@vesuvio:~/inst$ unzip -q /tmp/ODSEE11g-S10x86.zip
oradir@vesuvio:~$ ls -l /opt/dsee7/ && cd /opt
total 6
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
oradir@vesuvio:/opt$ unzip -q dsee7/inst/ODSEE_ZIP_Distribution/sun-dsee7.zip
oradir@vesuvio:/opt$ ls -ltra dsee7/
total 38
drwxr-xr-x   7 oradir   oragrp        12 Apr 26  2010 jre
drwxr-xr-x   3 oradir   oragrp         6 Jun 30 23:09 include
drwxr-xr-x   2 oradir   oragrp         4 Jun 30 23:09 etc
drwxr-xr-x   6 oradir   oragrp         6 Jun 30 23:10 dsrk
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   4 oradir   oragrp         4 Nov 12 00:46 ext
drwxr-xr-x  10 oradir   oragrp        10 Nov 12 00:46 resources
drwxr-xr-x   3 oradir   oragrp         3 Nov 12 00:47 var
drwxr-xr-x  12 oradir   oragrp        13 Nov 12 00:47 .
drwxr-xr-x   7 oradir   oragrp        18 Nov 12 00:47 lib
drwxr-xr-x   4 oradir   oragrp        23 Nov 12 00:47 bin
-rw-------   1 oradir   oragrp       450 Nov 12 00:50 .sh_history
oradir@vesuvio:/opt$

Now we have to configure CACAO and the DSCC instance:

oradir@vesuvio:~/bin$ dsccsetup initialize

The initialization will start and we'll have to provide the credentials for the admin user, but at the end we'll have both CACAO and the ADS instance up and running:

oradir@vesuvio:~/bin$ ps -aef | grep oradir
  oradir  7936  7934   0 00:54:32 ?           0:08 /opt/dsee7/jre/bin/java -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding
  oradir  8007  5002   0 01:00:51 pts/2       0:00 ps -aef
  oradir  8008  5002   0 01:00:51 pts/2       0:00 grep oradir
  oradir  5002  3339   0 00:41:41 pts/2       0:00 -sh
  oradir  7934     1   0 00:54:32 ?           0:00 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/dsee7/ext/cacao_2
  oradir  7958     1   0 00:54:44 ?           0:04 /opt/dsee7/lib/64/ns-slapd -D /opt/dsee7/var/dcc/ads -i /opt/dsee7/var/dcc/ads/
oradir@vesuvio:~/bin$

The web container in which the Directory Service Control Center will be deployed should have access at least to /opt/dsee7/var/dcc/ads/config to fetch the basic information, so we will switch the runtime user of the 'tomcat6' service to oradir [it's still an unprivileged user, with the only additional right to run servers on privileged ports (<1024/TCP)]:

mm206378@vesuvio:~$ svccfg -s tomcat6
svc:/network/http:tomcat6> listprop start/user
start/user  astring  webservd
svc:/network/http:tomcat6> listprop start/group
start/group  astring  webservd
svc:/network/http:tomcat6> refresh
svc:/network/http:tomcat6> end
mm206378@vesuvio:~$

We can now deploy the Directory Service Control Center manually:

oradir@vesuvio:/var/tomcat6/webapps/dscc7$ unzip -q /opt/dsee7/var/dscc7.war

and enable the service:

mm206378@vesuvio:~$ svcadm enable tomcat6

Now take a browser, navigate to http://vesuvio:8080/dscc7 et voila', DSCC7 is there. You can now log in and create/manage instances.

P.S.: I've 'tied up' this post following the suggestion in the first comment, and I've found the following post extremely useful: Locking Down Apache. The next logical step would be tuning the TCP/IP stack... but I've already covered these steps in a previous post.
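The whole point of the setup above is that oradir stays unprivileged except for net_privaddr. The script below is an added example, not part of the post: it reads the service user's entry from a user_attr(4)-style file (the file that usermod -K defaultpriv=... writes on Solaris; the format assumed is user::::key=value;key=value with the attributes in the fifth colon-separated field) and confirms that nothing beyond the basic set plus an allowed list has been granted. The sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit a service user's defaultpriv
# grant against an allowed list, from a constructed user_attr-style file.

# user_defaultpriv FILE USER: prints the defaultpriv value for USER
# ("basic" when the entry carries no defaultpriv key).
user_defaultpriv() {
    awk -F: -v u="$2" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^defaultpriv=/) {
                    sub(/^defaultpriv=/, "", kv[i])
                    print kv[i]
                    found = 1
                }
        }
        END { if (!found) print "basic" }' "$1"
}

# check_service_privs FILE USER ALLOWED: ALLOWED is a comma-separated list
# of privileges permitted on top of "basic". Returns 0 when every granted
# privilege is basic or allowed; prints each unexpected privilege and
# returns 1 otherwise.
check_service_privs() {
    _privs=$(user_defaultpriv "$1" "$2")
    _bad=0
    for _p in $(printf '%s' "$_privs" | tr ',' ' '); do
        case ",basic,$3," in
            *",$_p,"*) ;;
            *) echo "unexpected privilege for $2: $_p"; _bad=1 ;;
        esac
    done
    return $_bad
}

# make_sample_user_attr FILE: constructed entries; oradir matches the grant
# made in the post, webservd is given one extra privilege to show a miss.
make_sample_user_attr() {
    cat > "$1" <<'EOF'
root::::auths=solaris.*;profiles=All;lock_after_retries=no
oradir::::defaultpriv=basic,net_privaddr
webservd::::defaultpriv=basic,net_privaddr,file_dac_read
EOF
}

# Stand-alone run against the constructed file.
_f=$(mktemp)
make_sample_user_attr "$_f"
check_service_privs "$_f" oradir net_privaddr && echo "oradir: least-privilege grant OK"
check_service_privs "$_f" webservd net_privaddr || echo "webservd: review its grants"
rm -f "$_f"
```

Pointing FILE at /etc/user_attr on the real box turns this into a one-line post-install check; ppriv -S on a running ns-slapd process is the complementary way to confirm what the daemon actually holds.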


OpenSolaris

ZFS ARC Cache tuning for a laptop...

I have my laptop (Toshiba Tecra M5 - Intel Core2-Duo@2GHz - 2GB RAM) running OpenSolaris (snv_150) and I've noticed that sometimes it becomes slow and unresponsive for a few seconds, during which the disk is spinning hard... A very simple probe showed the problem:

# kstat -m zfs -n arcstats -T d 2

I'll spare you the never-ending output, but the interesting numbers were the ones coming from c, c_max, c_min and size. As I read in the ZFS Evil Tuning Guide:

[...] The ZFS Adaptive Replacement Cache (ARC) tries to use most of a system's available memory to cache file system data. The default is to use all of physical memory except 1 GB. As memory pressure increases, the ARC relinquishes memory. [...]

My problem was that when trying to launch many applications (typically at login, when you may start Firefox, Thunderbird, NetBeans, Acrobat Reader and OpenOffice almost sequentially) the laptop was clogged up, with the disk spinning and almost unresponsive. I know that my laptop has limited performance and is not the latest piece of hardware available on the market, but still, when I launch the same applications under other OSes [both Linux Ubuntu 10.10 (64-bit) and WinXP SP3 (32-bit)] I don't have to wait that long and the system looks more responsive.

Monitoring the size parameter of the ARC cache, I saw that it was always around 1 GB, and the applications were instead left with little available memory and swapping to disk... this was not sane. First I shrank the amount of RAM allocated to the ZFS ARC live (as explained in the "ZFS Guide"), and since the performance and the stability of the machine seemed improved, I set that value in the /etc/system file to make it persistent across reboots:

set zfs:zfs_arc_max = 822083584

The ZFS ARC cache size is more constant now (I have an average that is close to the set value, with limited 'fluctuations'), and I'm running without any apparent problem.... So far, so good ;-)
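The decision above rests on watching size against c_max in the kstat output. The script below is an added example, not from the post: it reads arcstats in the layout "kstat -m zfs -n arcstats" prints (name and value columns under a module/name header), reports how close the ARC is to its ceiling, and emits the /etc/system line for a chosen cap in megabytes (784 MB is the post's 822083584). The kstat sample is constructed for a 2 GB machine with the default "all but 1 GB" ceiling.

```shell
#!/bin/sh
# Added example, not from the post: summarise ZFS ARC occupancy from
# kstat arcstats output on stdin, and build the zfs_arc_max line.

# arc_stat NAME: print the value of one arcstats counter from stdin.
arc_stat() {
    awk -v n="$1" '$1 == n { print $2; exit }'
}

# arc_report: print "size=.. c=.. c_max=.. c_min=.. pct=.." where
# pct is 100*size/c_max truncated, i.e. how full the cache is.
arc_report() {
    awk '
        $1 == "size"  { size = $2 }
        $1 == "c"     { c = $2 }
        $1 == "c_max" { cmax = $2 }
        $1 == "c_min" { cmin = $2 }
        END {
            printf "size=%d c=%d c_max=%d c_min=%d pct=%d\n",
                   size, c, cmax, cmin, int(100 * size / cmax)
        }'
}

# arc_max_line MB: the /etc/system line that caps the ARC at MB megabytes.
arc_max_line() {
    echo "set zfs:zfs_arc_max = $(( $1 * 1024 * 1024 ))"
}

# sample_arcstats: constructed kstat output (2 GB laptop, untuned ARC
# sitting at its ~1 GB ceiling, the situation the post describes).
sample_arcstats() {
    cat <<'EOF'
module: zfs                             instance: 0
name:   arcstats                        class:    misc
        c                               1073741824
        c_max                           1073741824
        c_min                           134217728
        hits                            1048576
        misses                          65536
        size                            1048576000
EOF
}

# Stand-alone run: show occupancy, then the cap line for 784 MB.
sample_arcstats | arc_report
arc_max_line 784
```

Feeding the real output with "kstat -m zfs -n arcstats | arc_report" gives the same one-line summary; a pct that stays in the high nineties while applications swap is the signal the post acted on.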


Linux

Managing users with UAT

In the various Unix/Linux flavours, each user is assigned a numeric UID (Unique IDentifier) that is fundamental for granting privileges and granting a user access to the various system resources. Even though every distribution still keeps the original command line tools to manage users (useradd/del/mod, etc.), various tools have been developed to ease the burden of system administration, but I found some restrictions with the UAT (User Administration Tool) that is a component of the GNOME desktop of the Ubuntu distribution.

If you intend to manage users with this tool, be aware that with the default settings it 'masks' all the users whose UID is smaller than 1000 or bigger than 60000; so if you assign such UIDs to your users and restart the UAT, they simply vanish into the haze: you're not able to manage them anymore with this tool... unless... you change the shadow password suite configuration file: /etc/login.defs. In this file, you can find the following definitions:

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
#SYS_UID_MIN              100
#SYS_UID_MAX              999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
#SYS_GID_MIN              100
#SYS_GID_MAX              999

That prevents you from creating and managing users and groups outside the interval 1000-60000. Once you change these values to more reasonable numbers according to your needs, restart the UAT... et voila', your users and groups are back in the tool.

P.S.: For the full story and historical reasons of UIDs, please consult the related UID Wiki page.
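Before widening the window it is worth knowing which accounts the tool is currently hiding. The script below is an added example, not from the post: it reads UID_MIN and UID_MAX from a login.defs file (commented-out keys such as #SYS_UID_MAX are ignored, exactly as the post's snippet shows them), lists every passwd(5) entry outside that window, and rewrites the window into a new copy of the file so the effect of the change can be compared. Both input files are constructed.

```shell
#!/bin/sh
# Added example, not from the post: find the accounts a UID_MIN..UID_MAX
# window hides, and rewrite the window. Inputs are constructed below.

# logindefs_value FILE KEY: print KEY's value; commented lines never match
# because their first field starts with '#'.
logindefs_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# hidden_users LOGINDEFS PASSWD: print "user:uid" for every passwd entry
# whose UID lies outside [UID_MIN, UID_MAX]. System accounts show up here
# by design; the ones to look at are the real people among them.
hidden_users() {
    _min=$(logindefs_value "$1" UID_MIN)
    _max=$(logindefs_value "$1" UID_MAX)
    awk -F: -v lo="$_min" -v hi="$_max" \
        '$3 + 0 < lo || $3 + 0 > hi { print $1 ":" $3 }' "$2"
}

# set_uid_window FILE MIN MAX: write FILE.new with UID_MIN/UID_MAX replaced.
set_uid_window() {
    awk -v lo="$2" -v hi="$3" '
        $1 == "UID_MIN" { $2 = lo }
        $1 == "UID_MAX" { $2 = hi }
        { print }' "$1" > "$1.new"
}

# Constructed inputs: the Ubuntu defaults quoted in the post, and a passwd
# file with two human accounts (bob, ldapsync) placed outside the window.
sample_logindefs() {
    cat > "$1" <<'EOF'
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
#SYS_UID_MIN              100
#SYS_UID_MAX              999
GID_MIN                  1000
GID_MAX                 60000
EOF
}
sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:999:999:Bob:/home/bob:/bin/bash
ldapsync:x:65000:65000:LDAP sync:/home/ldapsync:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
EOF
}

# Stand-alone run: who is hidden before and after widening to 500..65000.
_d=$(mktemp -d)
sample_logindefs "$_d/login.defs"
sample_passwd "$_d/passwd"
echo "hidden with defaults:"; hidden_users "$_d/login.defs" "$_d/passwd"
set_uid_window "$_d/login.defs" 500 65000
echo "hidden after 500..65000:"; hidden_users "$_d/login.defs.new" "$_d/passwd"
rm -rf "$_d"
```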


O.S.

cacao and cacao_2

[root@cnode ~]# netstat -naf inet | grep 11162
127.0.0.1.11162       *.*                0      0 49152      0 LISTEN
[root@cnode ~]#
[root@cnode ~]# ps -aef | grep cacao
    root  1817     1   0 14:53:28 ?           0:00 /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -P /va
[root@cnode ~]# pargs 1817
1817:   /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -P /va
argv[0]: /usr/lib/cacao/lib/tools/launch
argv[1]: -w
argv[2]: /var/cacao/instances/default
argv[3]: -L
argv[4]: 16384
argv[5]: -P
argv[6]: /var/run/cacao/instances/default/run/hb.pipe
argv[7]: -f
argv[8]: -U
argv[9]: root
argv[10]: -G
argv[11]: sys
argv[12]: --
argv[13]: /usr/jdk/jdk1.5.0_18/bin/java
argv[14]: -Xms4M
argv[15]: -Xmx128M
argv[16]: -Dcom.sun.management.jmxremote
argv[17]: -Dfile.encoding=utf-8
argv[18]: -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
argv[19]: -classpath
argv[20]: /usr/share/lib/jdmk/jdmkrt.jar:/usr/share/lib/jdmk/jmxremote_optional.jar:/usr/lib/cacao/lib/cacao_cacao.jar:/usr/lib/cacao/lib/cacao_j5core.jar:/usr/lib/cacao/lib/bcprov-jdk14.jar
argv[21]: -Djavax.management.builder.initial=com.sun.jdmk.JdmkMBeanServerBuilder
argv[22]: -Dcacao.print.status=true
argv[23]: -Dcacao.config.dir=/etc/cacao/instances/default
argv[24]: -Dcacao.monitoring.mode=smf
argv[25]: -Dcom.sun.cacao.ssl.keystore.password.file=/etc/cacao/instances/default/security/password
argv[26]: com.sun.cacao.container.impl.ContainerPrivate
[root@cnode ~]#
[root@cnode ~]# cacaoadm status
default instance is DISABLED at system startup.
Smf monitoring process:
1817
1818
Uptime: 0 day(s), 1:13
[root@cnode ~]# cacaoadm list-params
snmp-adaptor-port=11161
snmp-adaptor-trap-port=11162
jmxmp-connector-port=11162
commandstream-adaptor-port=11163
rmi-registry-port=11164
secure-webserver-port=11165
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
micro-agent=false
java-home=/usr/jdk/jdk1.5.0_18
jdmk-home=/usr/share/lib/jdmk
nss-lib-home=/usr/lib/mps/secv1
nss-tools-home=/usr/sfw/bin
retries=4
log-file-limit=1000000
log-file-count=3
log-file-append=true
enable-instrumentation=false
user=root
group=sys
network-bind-address=127.0.0.1
watchdog-heartbeat-timeout=60
[root@cnode ~]#
[root@cnode ~]# cacaoadm stop
[root@cnode ~]# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 129.157.108.81 netmask fffffe00 broadcast 129.157.109.255
        ether 8:0:20:c3:cf:b8
[root@cnode ~]# cacaoadm set-param network-bind-address=129.157.108.81
[root@cnode ~]# cacaoadm list-params
snmp-adaptor-port=11161
snmp-adaptor-trap-port=11162
jmxmp-connector-port=11162
commandstream-adaptor-port=11163
rmi-registry-port=11164
secure-webserver-port=11165
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
micro-agent=false
java-home=/usr/jdk/jdk1.5.0_18
jdmk-home=/usr/share/lib/jdmk
nss-lib-home=/usr/lib/mps/secv1
nss-tools-home=/usr/sfw/bin
retries=4
log-file-limit=1000000
log-file-count=3
log-file-append=true
enable-instrumentation=false
user=root
group=sys
network-bind-address=129.157.108.81
watchdog-heartbeat-timeout=60
[root@cnode ~]# cacaoadm start
[root@cnode ~]# netstat -naf inet | grep 11162
129.157.108.81.11162       *.*                0      0 49152      0 LISTEN
[root@cnode ~]#
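The session ends with the JMXMP connector moved from 127.0.0.1 to the host's routable address, which is the kind of change an inventory should notice. The script below is an added example, not part of the post: it parses listening sockets in the layout "netstat -naf inet" prints on Solaris (local address as addr.port in the first column, LISTEN in the last) and flags any of the cacao ports from cacaoadm list-params that is bound to something other than the loopback address. The netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the post: report cacao listeners that are not
# bound to 127.0.0.1, from "netstat -naf inet"-style output on stdin.

# Ports as printed by "cacaoadm list-params" in the session above.
CACAO_PORTS="11161 11162 11163 11164 11165"

# listeners: print "addr port" for each LISTEN line. The local address
# column looks like 127.0.0.1.11162 or *.6000, so the port is the text
# after the last dot and the address is everything before it.
listeners() {
    awk '$NF == "LISTEN" {
        n = split($1, a, ".")
        port = a[n]
        addr = substr($1, 1, length($1) - length(port) - 1)
        print addr, port
    }'
}

# exposed_cacao_ports: print "port addr" for every cacao port whose
# listener is bound to anything other than the loopback address.
exposed_cacao_ports() {
    listeners | while read -r addr port; do
        case " $CACAO_PORTS " in
            *" $port "*)
                [ "$addr" = "127.0.0.1" ] || echo "$port $addr" ;;
        esac
    done
}

# sample_netstat: constructed output with one cacao port still on
# loopback and another moved to a routable address.
sample_netstat() {
    cat <<'EOF'
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.11162       *.*                0      0 49152      0 LISTEN
129.157.108.81.11165  *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
EOF
}

# Stand-alone run against the constructed sample.
echo "all listeners:"; sample_netstat | listeners
echo "cacao ports not on loopback:"; sample_netstat | exposed_cacao_ports
```

Piping the real "netstat -naf inet" through exposed_cacao_ports gives an empty result on a host whose network-bind-address is still 127.0.0.1, and one line per port otherwise.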


O.S.

Solaris and core files

[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep "conn=121227 op=2 msgId=141" access
[16/May/2009:00:42:19 -0500] conn=121227 op=2 msgId=141 - MOD dn="uid=mammy22g, ou=RegisteredUsers, ou=People, o=nextel.com"
[16/May/2009:02:37:44 -0500] conn=121227 op=2 msgId=141 - RESULT err=0 tag=103 nentries=0 etime=6925.169930 csn=4a0e6ee1000000670000
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ head access
[15/May/2009:22:57:53 -0500] conn=107402 op=1 msgId=9079 - SRCH base="ou=registeredusers,ou=people,o=nextel.com" scope=2 filter="(uid=heatherwilson1983)" attrs="uid cn sn givenName reggender reghintquestion reghintanswer mail reginoutemailoption postalCode st ppcity c ppbirthdate nxtptn nxtimei nxtindustrycode nxtbusinessrole nxtincome nxtbusinesscust nxtmanagedaccount nxtupsubscriberaddressid nxtaccount regnickname pplangpreference ppregion regstreetaddress1 regstreetaddress2 accountadmins objectClass nxtphonetype regcompanyname userPassword nxtconfirmationcode nxtemailverified"
[15/May/2009:22:57:53 -0500] conn=107403 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from 10.214.117.27:17547 to 144.226.242.7 (allowed by  rule: ALL:10.214.117.)
[15/May/2009:22:57:53 -0500] conn=107403 op=0 msgId=39348 - BIND dn="uid=6LN, ou=Special Users, o=nextel.com" method=128 version=3
[15/May/2009:22:57:53 -0500] conn=107403 op=0 msgId=39348 - RESULT err=0 tag=97 nentries=0 etime=0.000780 dn="uid=6ln,ou=special users,o=nextel.com"
[15/May/2009:22:57:53 -0500] conn=107403 op=1 msgId=39349 - SRCH base="ou=registeredusers,ou=people,o=nextel.com" scope=2 filter="(nxtptn=9193521611)" attrs="uid givenName sn regstreetaddress1 regstreetaddress2 ppcity st postalCode mail nxtemailverified reginoutemailoption nxtptn nxtupsubscriberaddressid nxtimei nxtphonetype"
[15/May/2009:22:57:53 -0500] conn=107403 op=1 msgId=39349 - RESULT err=0 tag=101 nentries=0 etime=0.000390
[15/May/2009:22:57:53 -0500] conn=107403 op=2 msgId=39350 - UNBIND
[15/May/2009:22:57:53 -0500] conn=107403 op=2 msgId=-1 - closing from 10.214.117.27:17547 - U1 - Connection closed by unbind client -
[15/May/2009:22:57:53 -0500] conn=107403 op=-1 msgId=-1 - closed.
[15/May/2009:22:57:53 -0500] conn=107404 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from 10.214.117.27:52005 to 144.226.242.7 (allowed by  rule: ALL:10.214.117.)
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ tail access
[16/May/2009:02:37:49 -0500] conn=137659 op=2 msgId=3 - UNBIND
[16/May/2009:02:37:49 -0500] conn=137659 op=2 msgId=-1 - closing from 10.214.117.6:37222 -  U1 - Connection closed by unbind client -
[16/May/2009:02:37:49 -0500] conn=137659 op=-1 msgId=-1 - closed.
[16/May/2009:02:37:49 -0500] conn=137657 op=1 msgId=2624 - RESULT err=0 tag=101 nentries=1 etime=0.626520
[16/May/2009:02:37:49 -0500] conn=137657 op=2 msgId=2625 - UNBIND
[16/May/2009:02:37:49 -0500] conn=137657 op=2 msgId=-1 - closing from 10.214.117.23:21280 - U1 - Connection closed by unbind client -
[16/May/2009:02:37:49 -0500] conn=137657 op=-1 msgId=-1 - closed.
[16/May/2009:02:37:51 -0500] conn=137660 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from 10.214.117.21:21294 to 144.226.242.7 (allowed by  rule: ALL:10.214.117.)
[16/May/2009:02:37:51 -0500] conn=137660 op=0 msgId=2629 - BIND dn="uid=6JN, ou=Special Users, o=nextel.com" method=128 version=3
[16/May/2009:02:37:51 -0500] conn=137660 op=0 msgId=2629 - RESULT err=0 tag=97 nentries=0 etime=0.000880 dn="uid=6jn,ou=special users,o=nextel.com"
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c "BIND dn="uid=6JN" access
>
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c "BIND dn=\"uid=6JN" access
12830
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c MOD access
5579
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$

----------------------------------

COREADM_GLOB_PATTERN=
COREADM_GLOB_CONTENT=default
COREADM_INIT_PATTERN=core
COREADM_INIT_CONTENT=default
COREADM_GLOB_ENABLED=no
COREADM_PROC_ENABLED=yes
COREADM_GLOB_SETID_ENABLED=no
COREADM_PROC_SETID_ENABLED=no
COREADM_GLOB_LOG_ENABLED=no

(2:18:04 PM) Marco Milo: and what's the output of coreadm <DS_PID> so we have the exact settings also for the specific process...
(2:18:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W: ahhhh, we have been doing $gcore -o <file.out> <pid>
(2:19:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W: should i do the command as you list it above?
(2:20:15 PM) Marco Milo: yes, just to see what are the settings of coreadm for our Directory Server process
(2:20:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W:
/tmp: ps -ef|grep slapd
dsee 20491     1   0   May 08 ?          18:40 /ldap/dsee61/ds6/lib/64/ns-slapd -D /ldap/slapd-smps -i /ldap/slapd-smps/logs/p
dsee  5515 13942   0 07:19:27 pts/4       0:00 grep slapd
dsee 23348     1   2 15:53:09 ?        1216:42 /ldap/dsee61/ds6/lib/64/ns-slapd -D /ldap/dsee6-nol -i /ldap/dsee6-nol/logs/pid
/tmp: coreadm 23348
23348:  core    default
(2:22:26 PM) Marco Milo: what was the output of coreadm?

coreadm
     global core file pattern:
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: disabled
       per-process core dumps: enabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: disabled

gcore -c all -o <OUT_FILE> <PID>

ACI debugging on:
# dsconf set-log-prop -p 6330 error level:err-acl
ACI debugging off:
# dsconf set-log-prop -p 6330 error level:default
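The grep and grep -c passes above find one very slow operation and count binds by hand. The script below is an added example, not from the post: it pairs each operation's request line with its RESULT line in a Directory Server access log (the layout of the excerpts above: "conn=N op=M msgId=K - <OP> ..." followed later by "conn=N op=M msgId=K - RESULT err=E ... etime=S") to list operations slower than a threshold, which is how the 6925-second MOD on conn=121227 stands out, and to count failed binds (err=49, invalid credentials) per bind DN. The log lines in sample_access_log are constructed to resemble the excerpts, with example.com and documentation addresses in place of the real ones.

```shell
#!/bin/sh
# Added example, not from the post: slow-operation and failed-bind reports
# over a Directory Server access log read from stdin.
#
# Field layout assumed for every line:
#   $1 $2 = timestamp, $3 = conn=N, $4 = op=M, $5 = msgId=K, $6 = "-",
#   $7 = operation (BIND, SRCH, MOD, RESULT, UNBIND, ...), rest = details.

# slow_ops SECONDS: print "conn=N op=M <OP> etime=S err=E" for every
# operation whose RESULT reports an etime above SECONDS.
slow_ops() {
    awk -v limit="$1" '
        { key = $3 " " $4 }
        $7 == "RESULT" {
            etime = ""; err = ""
            for (i = 8; i <= NF; i++) {
                if ($i ~ /^etime=/) etime = substr($i, 7)
                if ($i ~ /^err=/)   err = substr($i, 5)
            }
            if (etime + 0 > limit + 0)
                printf "%s %s %s etime=%s err=%s\n", $3, $4,
                       (key in optype ? optype[key] : "?"), etime, err
            delete optype[key]
            next
        }
        $7 ~ /^(ABANDON|ADD|BIND|CMP|DEL|EXT|MOD|MODRDN|SRCH)$/ { optype[key] = $7 }'
}

# failed_binds: print "COUNT DN" for each bind DN whose BIND returned err=49.
failed_binds() {
    awk '
        { key = $3 " " $4 }
        $7 == "BIND" {
            dn = $0
            sub(/.* BIND dn="/, "", dn)
            sub(/".*/, "", dn)
            binddn[key] = dn
        }
        $7 == "RESULT" && (key in binddn) {
            for (i = 8; i <= NF; i++)
                if ($i == "err=49") fails[binddn[key]]++
            delete binddn[key]
        }
        END { for (d in fails) print fails[d], d }'
}

# sample_access_log: constructed lines in the format of the excerpts above.
sample_access_log() {
    cat <<'EOF'
[16/May/2009:00:42:19 -0500] conn=121227 op=0 msgId=139 - BIND dn="uid=6LN, ou=Special Users, o=example.com" method=128 version=3
[16/May/2009:00:42:19 -0500] conn=121227 op=0 msgId=139 - RESULT err=0 tag=97 nentries=0 etime=0.000780 dn="uid=6ln,ou=special users,o=example.com"
[16/May/2009:00:42:19 -0500] conn=121227 op=1 msgId=140 - SRCH base="ou=people,o=example.com" scope=2 filter="(uid=someone)" attrs="uid cn"
[16/May/2009:00:42:19 -0500] conn=121227 op=1 msgId=140 - RESULT err=0 tag=101 nentries=1 etime=0.000390
[16/May/2009:00:42:19 -0500] conn=121227 op=2 msgId=141 - MOD dn="uid=someone, ou=people, o=example.com"
[16/May/2009:02:37:44 -0500] conn=121227 op=2 msgId=141 - RESULT err=0 tag=103 nentries=0 etime=6925.169930
[16/May/2009:02:37:49 -0500] conn=137659 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from 192.0.2.6:37222 to 192.0.2.7
[16/May/2009:02:37:49 -0500] conn=137659 op=0 msgId=1 - BIND dn="uid=6JN, ou=Special Users, o=example.com" method=128 version=3
[16/May/2009:02:37:49 -0500] conn=137659 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0.001200
[16/May/2009:02:37:49 -0500] conn=137659 op=1 msgId=2 - SRCH base="ou=people,o=example.com" scope=2 filter="(uid=other)" attrs="uid"
[16/May/2009:02:37:49 -0500] conn=137659 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=2.500000
[16/May/2009:02:37:49 -0500] conn=137659 op=2 msgId=3 - UNBIND
EOF
}

# Stand-alone run against the constructed log.
echo "operations slower than 1s:"; sample_access_log | slow_ops 1
echo "failed binds:"; sample_access_log | failed_binds
```

Against the real file this is "slow_ops 60 < access" and "failed_binds < access"; the second report is the one to watch on a server whose bind DNs are shared application accounts like the uid=6JN one above, since a burst of err=49 against one of them is the first sign of a credential problem.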


Solaris

Make X listen on external TCP ports (Solaris and OpenSolaris)

In Solaris 10 and OpenSolaris the X Server is enabled by default and controlled via SMF (Service Management Facility):

# ps -aef | grep Xsun
    root  4767  4764   0 15:10:44 ?           0:01 /usr/openwin/bin/Xsun :0 -defdepth 24 -nolisten tcp -nobanner -auth /var/dt/A:0
# svcs -xv cde-login
svc:/application/graphical-login/cde-login:default (CDE login)
 State: online since Thu May 07 15:10:43 2009
   See: man -M /usr/dt/share/man -s 1 dtlogin
   See: /var/svc/log/application-graphical-login-cde-login:default.log
Impact: None.
#

The default installation doesn't make the X Server listen on the TCP port:

# netstat -naf inet | grep 6000
#

and this is indeed a noticeable security feature, but sometimes it's also useful to have the X Server available and responsive on TCP. X properties are defined in the /application/x11/x11-server service, and we can see all the properties with the following command:

# svccfg -s /application/x11/x11-server listprop
options                       application
options/default_depth         integer  24
options/server                astring  /usr/openwin/bin/Xsun
options/server_args           astring
options/stability             astring  Evolving
options/value_authorization   astring  solaris.smf.manage.x11
options/tcp_listen            boolean  false
fs-local                      dependency
fs-local/entities             fmri     svc:/system/filesystem/local
fs-local/grouping             astring  require_all
fs-local/restart_on           astring  none
fs-local/type                 astring  service
network-service               dependency
network-service/entities      fmri     svc:/network/service
network-service/grouping      astring  require_all
network-service/restart_on    astring  none
network-service/type          astring  service
name-services                 dependency
name-services/entities        fmri     svc:/milestone/name-services
name-services/grouping        astring  require_all
name-services/restart_on      astring  refresh
name-services/type            astring  service
general                       framework
general/action_authorization  astring  solaris.smf.manage.x11
general/entity_stability      astring  Evolving
start                         method
start/exec                    astring  "/lib/svc/method/x11-server -d 0 -c %i %m"
start/timeout_seconds         count    0
start/type                    astring  method
stop                          method
stop/exec                     astring  ":kill -TERM"
stop/timeout_seconds          count    10
stop/type                     astring  method
tm_common_name                template
tm_common_name/C              ustring  "X Window System server"
tm_man_Xserver                template
tm_man_Xserver/manpath        astring  /usr/openwin/share/man
tm_man_Xserver/section        astring  1
tm_man_Xserver/title          astring  Xserver
tm_man_Xsun                   template
tm_man_Xsun/manpath           astring  /usr/openwin/share/man
tm_man_Xsun/section           astring  1
tm_man_Xsun/title             astring  Xsun
tm_man_Xorg                   template
tm_man_Xorg/manpath           astring  /usr/X11/share/man
tm_man_Xorg/section           astring  1
tm_man_Xorg/title             astring  Xorg

In particular, the switch that controls whether or not the X server has to listen on TCP is:

# svccfg -s /application/x11/x11-server listprop options/tcp_listen
options/tcp_listen boolean false
#

So in this case we would like to enable it with the following command:

# svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true
# svccfg -s /application/x11/x11-server listprop options/tcp_listen
options/tcp_listen boolean true
#

and stop/start the cde-login service to make the change effective:

# svcadm disable cde-login
# svcadm enable cde-login

and now we see the different behaviour:

# ps -aef | grep Xsun
    root  4844  4834   1 15:22:07 ?           0:00 /usr/openwin/bin/Xsun :0 -defdepth 24 -nobanner -auth /var/dt/A:0-N_aqCj
#

and also that the service is listening on the TCP port:

# netstat -naf inet | grep 6000
      *.6000               *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
#

Now it shows that the server is also listening on TCP port 6000, and we can connect to X from outside.
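Once tcp_listen has been flipped on a host, the two things worth checking afterwards (and on any other host where it should stay off) are the SMF property and whether the running server was actually started without -nolisten tcp. The script below is an added example, not from the post: it reads "svccfg ... listprop" output to report the tcp_listen value and "ps -aef" output to report, per X server process, whether TCP was disabled on its command line. The samples are constructed from the shape of the sessions above.

```shell
#!/bin/sh
# Added example, not from the post: report X server TCP exposure from
# svccfg listprop output and ps -aef output read on stdin.

# x11_tcp_listen: print the value of options/tcp_listen from
# "svccfg -s ... listprop" output ("unset" if the property is absent).
x11_tcp_listen() {
    awk '$1 == "options/tcp_listen" { print $3; found = 1 }
         END { if (!found) print "unset" }'
}

# xserver_tcp_state: for every X server process (Xsun or Xorg) in
# "ps -aef" output print "PID nolisten" when it was started with
# "-nolisten tcp" and "PID listening" otherwise. A "grep Xsun" line
# does not match because it has no "/Xsun" path component.
xserver_tcp_state() {
    awk '/\/(Xsun|Xorg)( |$)/ {
        state = "listening"
        for (i = 1; i < NF; i++)
            if ($i == "-nolisten" && $(i + 1) == "tcp") state = "nolisten"
        print $2, state
    }'
}

# Constructed samples: the default and the post-change state.
sample_ps_before() {
    cat <<'EOF'
    root  4767  4764   0 15:10:44 ?           0:01 /usr/openwin/bin/Xsun :0 -defdepth 24 -nolisten tcp -nobanner -auth /var/dt/A:0
    root  5012  4990   0 15:11:02 pts/1       0:00 grep Xsun
EOF
}
sample_ps_after() {
    cat <<'EOF'
    root  4844  4834   1 15:22:07 ?           0:00 /usr/openwin/bin/Xsun :0 -defdepth 24 -nobanner -auth /var/dt/A:0-N_aqCj
EOF
}
sample_listprop_before() {
    cat <<'EOF'
options                       application
options/server                astring  /usr/openwin/bin/Xsun
options/tcp_listen            boolean  false
EOF
}
sample_listprop_after() {
    cat <<'EOF'
options                       application
options/server                astring  /usr/openwin/bin/Xsun
options/tcp_listen            boolean  true
EOF
}

# Stand-alone run: before and after the change described above.
echo "before: tcp_listen=$(sample_listprop_before | x11_tcp_listen), $(sample_ps_before | xserver_tcp_state)"
echo "after:  tcp_listen=$(sample_listprop_after | x11_tcp_listen), $(sample_ps_after | xserver_tcp_state)"
```

On a live host the same two functions take "svccfg -s /application/x11/x11-server listprop | x11_tcp_listen" and "ps -aef | xserver_tcp_state"; a "listening" server on a host where tcp_listen is expected to be false means the property was changed without a restart, or the other way round.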


Personal

Walking on SUN-SHINE

Today is my first year @Sun!

I can sharply remember the good old college days (and nights!!!) spent in front of VT100 terminals: compiling (...hmmm, to be sincere: mostly debugging!!! :-( ) my first C programs, with K&R as Bible, and dreaming of being a "System Manager", dreaming of joining SUN.

And what's happened? Well, a lot of interesting things: I've become that System Manager and maybe I've even moved some steps forward ("if" and "how far", you will decide ;-) ). But not exactly all that I was dreaming of came true, you know, it's Life :-) Joys and sorrows in between are all steps of the same path. When, all of a sudden... November 13th, 2006: hired by SUN! *GREAT*!!!

The thing is that I'm so very happy because of this great opportunity that was given to me. I'm not making a balance, it would be clearly in favor of SUN.
It was not simple, because of the challenging activities.
It was not trivial, sometimes I felt discouraged.
It was not even easy, since I did not dislike my previous jobs.
But then what makes those "things" such a great experience? I like thinking it was all up to the wonderful people with whom I exchanged experiences, ideas, thoughts, and built relationships. Working with them "under the SUN", I always felt ready to take on harder challenges, to dare something more... I felt like I'll never walk alone.

So, thank you very much, to every colleague/person I met.
