Tuesday Apr 17, 2012

Remote Desktop from Solaris to Windows

Building rdesktop on Solaris 10


Sunday Jan 09, 2011


I've upgraded my laptop to the latest Oracle Solaris 11 Express (snv_151a X86) and at first glance I have to say that it seems a good step forward with respect to my previous OpenSolaris... but... Like all good nerds, I was exploring the new system, playing with configurations and installing the typical nerd software I need, when I stumbled on a process (eating a lot of CPU and RAM), /usr/bin/trackerd, that I had never seen on my previous OpenSolaris installation...
Nothing special, it's not a virus or an E.T.: it's just the GNOME indexing/tracking tool, which from this release is installed and enabled by default:

root@vesuvio:~# pkg info tracker
          Name: library/desktop/search/tracker
       Summary: Desktop search tool
   Description: Desktop search tool
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 0.5.11
 Build Release: 5.11
Packaging Date: Fri Nov 05 05:52:57 2010
          Size: 3.09 MB
          FMRI: pkg://solaris/library/desktop/search/tracker@0.5.11,5.11-

Since I'm very conscious about my CPU clock cycles/RAM bits, and my nerd software doesn't like the CPU/MEM spikes that could easily be triggered by that software, I simply removed the package:

root@vesuvio:~# pkg uninstall tracker
                Packages to remove:     1
           Create boot environment:    No
               Services to restart:     2
PHASE                                        ACTIONS
Removal Phase                                373/373

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2

I admit that this solution may sound a bit 'extreme', but I really don't like/use this piece of software. I do not like that kind of program running in the background, browsing and crawling the directories of your HD to index the content of your documents, pictures, emails etc. This could be a nice feature to have on an average end-user desktop/station, not on a laptop that I mainly use as my nerd-lab test bench ;-)

People interested in using this tool can find plenty of ways of throttling down the CPU/MEM resources, excluding directories or assigning specific paths to monitor, etc...

  • Tracker Project home page on GNOME

  • HOWTO that explains how to customize the tracker daemon behaviour

Wednesday Nov 03, 2010

Oracle Directory Server Enterprise Edition on OpenSolaris b150, with DSCC7 in bundled Tomcat6

Objective: Install Oracle Directory Server Enterprise Edition (ODSEE11g) and DSCC7 on OpenSolaris without using privileged users.

Since we'll run the Directory Server instances unprivileged, let's create a group:

mm206378@vesuvio:~$ pfexec groupadd -g 389 oragrp

and a user with a password, so that it will be able to login:

mm206378@vesuvio:~$ pfexec useradd -u 389 -g oragrp -d /opt/dsee7 oradir
mm206378@vesuvio:~$ pfexec passwd oradir
New Password: ********
Re-enter new Password: ********
passwd: password successfully changed for oradir

Since this user should be able to manage network services on privileged ports (TCP < 1024), we shall explicitly grant this privilege:

mm206378@vesuvio:~$ pfexec usermod -K defaultpriv=basic,net_privaddr oradir

This test machine (my laptop, hostname 'vesuvio') has only one internal disk, so I won't be creating any dedicated zpool to host binaries and/or Directory Server instances. To ensure logical separation, we'll just create the datasets to isolate the deployment:

mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7 rpool/dsee7-bin
mm206378@vesuvio:~$ pfexec zfs create -o mountpoint=/opt/dsee7/var rpool/dsee7-var

and change the ownership of these datasets to user oradir:

mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/

total 5
drwxr-xr-x 3 root root 3 2010-11-12 00:12 .
drwxr-xr-x 2 root root 2 2010-11-12 00:12 var
drwxr-xr-x 8 root sys  8 2010-11-11 23:48 ..

total 3
drwxr-xr-x 3 root root 3 2010-11-12 00:12 ..
drwxr-xr-x 2 root root 2 2010-11-12 00:12 .
mm206378@vesuvio:~$ pfexec chown -R oradir:oragrp /opt/dsee7/
mm206378@vesuvio:~$ ls -ltRa /opt/dsee7/
total 5
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 .
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 var
drwxr-xr-x 8 root   sys    8 2010-11-11 23:48 ..

total 3
drwxr-xr-x 3 oradir oragrp 3 2010-11-12 00:12 ..
drwxr-xr-x 2 oradir oragrp 2 2010-11-12 00:12 .

Uncompress the packages:

mm206378@vesuvio:~$ pfexec su - oradir
Oracle Corporation    SunOS 5.11    snv_150    October 2010
oradir@vesuvio:~$ pwd
oradir@vesuvio:~$ ls -tlra
total 11
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
drwxr-xr-x   3 oradir   oragrp         4 Nov 12 00:41 .
-rw-------   1 oradir   oragrp        18 Nov 12 00:41 .sh_history
oradir@vesuvio:~$ mkdir inst && cd inst
oradir@vesuvio:~/inst$ unzip -q /tmp/ODSEE11g-S10x86.zip
oradir@vesuvio:~$ ls -l /opt/dsee7/ && cd /opt
total 6
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   2 oradir   oragrp         2 Nov 12 00:12 var
oradir@vesuvio:/opt$ unzip -q dsee7/inst/ODSEE_ZIP_Distribution/sun-dsee7.zip
oradir@vesuvio:/opt$ ls -ltra dsee7/
total 38
drwxr-xr-x   7 oradir   oragrp        12 Apr 26  2010 jre
drwxr-xr-x   3 oradir   oragrp         6 Jun 30 23:09 include
drwxr-xr-x   2 oradir   oragrp         4 Jun 30 23:09 etc
drwxr-xr-x   6 oradir   oragrp         6 Jun 30 23:10 dsrk
drwxr-xr-x   8 root     sys            8 Nov 11 23:48 ..
drwxr-xr-x   4 oradir   oragrp         7 Nov 12 00:42 inst
drwxr-xr-x   4 oradir   oragrp         4 Nov 12 00:46 ext
drwxr-xr-x  10 oradir   oragrp        10 Nov 12 00:46 resources
drwxr-xr-x   3 oradir   oragrp         3 Nov 12 00:47 var
drwxr-xr-x  12 oradir   oragrp        13 Nov 12 00:47 .
drwxr-xr-x   7 oradir   oragrp        18 Nov 12 00:47 lib
drwxr-xr-x   4 oradir   oragrp        23 Nov 12 00:47 bin
-rw-------   1 oradir   oragrp       450 Nov 12 00:50 .sh_history

Now we have to configure CACAO and the DSCC instance:

oradir@vesuvio:~/bin$ dsccsetup initialize

The initialization will start and we'll have to provide the credentials for the admin user, but at the end we'll have both CACAO and the ADS instance up and running:

oradir@vesuvio:~/bin$ ps -aef | grep oradir
  oradir  7936  7934   0 00:54:32 ?           0:08 /opt/dsee7/jre/bin/java -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding
  oradir  8007  5002   0 01:00:51 pts/2       0:00 ps -aef
  oradir  8008  5002   0 01:00:51 pts/2       0:00 grep oradir
  oradir  5002  3339   0 00:41:41 pts/2       0:00 -sh
  oradir  7934     1   0 00:54:32 ?           0:00 /opt/dsee7/ext/cacao_2/usr/lib/cacao/lib/tools/launch -w /opt/dsee7/ext/cacao_2
  oradir  7958     1   0 00:54:44 ?           0:04 /opt/dsee7/lib/64/ns-slapd -D /opt/dsee7/var/dcc/ads -i /opt/dsee7/var/dcc/ads/

The web container in which the Directory Service Control Center will be deployed needs access at least to /opt/dsee7/var/dcc/ads/config to fetch the basic information, so we will switch the runtime user of the 'tomcat6' service to oradir [it's still an unprivileged user, with the only additional right being to run servers on privileged ports (<1024/TCP)].

mm206378@vesuvio:~$ svccfg -s tomcat6
svc:/network/http:tomcat6> listprop start/user
start/user  astring  webservd
svc:/network/http:tomcat6> listprop start/group
start/group  astring  webservd
svc:/network/http:tomcat6> refresh
svc:/network/http:tomcat6> end

We can now deploy the Directory Service Control Center manually:

oradir@vesuvio:/var/tomcat6/webapps/dscc7$ unzip -q /opt/dsee7/var/dscc7.war

and enable the service:

mm206378@vesuvio:~$ svcadm enable tomcat6

now, take a browser, navigate to


et voilà, DSCC7 is there. You can now log in and create/manage instances.

P.S.: I've 'tied up' this post following the suggestion of the first comment and I've found the following post extremely useful: Locking Down Apache.

The next logical step would be tuning the TCP/IP stack... but I've already covered these steps in a previous post.

Friday Oct 29, 2010

ZFS ARC Cache tuning for a laptop...

I have my laptop (Toshiba Tecra M5 - Intel Core2-Duo@2GHz - 2GB RAM) with OpenSolaris (snv_150) and I've noticed that sometimes it becomes slow and unresponsive for a few seconds, during which the disk spins hard... a very simple probe showed the problem:

# kstat -m zfs -n arcstats -T d 2

I'll spare you the never-ending output, but the interesting numbers were c, c_max, c_min and size.

As I read on the ZFS Evil Tuning Guide :

[...] The ZFS Adaptive Replacement Cache (ARC) tries to use most of a system's
available memory to cache file system data. The default is to use all
of physical memory except 1 GB. As memory pressure increases, the ARC
relinquishes memory. [...]

My problem was that when trying to launch many applications (typically at login, when you may start Firefox, Thunderbird, Netbeans, Acrobat Reader and OpenOffice almost sequentially) the laptop clogged up, with the disk spinning, and was almost unresponsive. I know that my laptop has limited performance and is not the latest piece of hardware available on the market, but still, when I launch the same applications under other O.S.-es [both Linux Ubuntu 10.10 (64-bit) and WinXP SP3 (32-bit)] I don't have to wait that long and the system looks more responsive.

Monitoring the size parameter of the ARC cache, I saw that it was always around 1 GB, while the applications were unable to run with so little available memory and were swapping to disk... this was not sane.

First I shrank the amount of RAM allocated to the ZFS ARC live (as explained in the "ZFS Guide"), and since the performance and the stability of the machine seemed improved, I set that value in the /etc/system file to make it persistent across reboots:

set zfs:zfs_arc_max = 822083584

Even if the ZFS ARC cache size is more constant now (I've an average that is close to the set value, with limited 'fluctuations'), I'm running without any apparent problem.... So far, so good ;-)

Sunday Oct 24, 2010

Managing users with UAT

In the various Unix/Linux flavours, each user is assigned a numeric UID (Unique IDentifier) that is fundamental for granting privileges and for granting the user access to the various system resources.

Even though every distribution still keeps the original command line tools to manage the users (useradd/del/mod, etc.) various tools have been developed to ease the burden of system administration, but I found some restrictions with the UAT (User Administration Tool) that is a component of the GNOME desktop of the Ubuntu distribution.

If you intend to manage users with this tool, be aware that by default it 'masks' all the users whose UID is smaller than 1000 or bigger than 60000; so if you assign such UIDs to your users and restart the UAT, they simply vanish in the haze: you're not able to manage them anymore with this tool... unless... you change the shadow password suite configuration file: /etc/login.defs. In this file, you can find the following definitions:

# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
#SYS_UID_MIN              100
#SYS_UID_MAX              999

# Min/max values for automatic gid selection in groupadd
GID_MIN                  1000
GID_MAX                 60000
# System accounts
#SYS_GID_MIN              100
#SYS_GID_MAX              999

These settings prevent you from creating and managing users and groups outside the interval 1000-60000. Once you change these values to more reasonable numbers according to your needs, restart the UAT... et voilà, your users and groups are back in the tool.
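
An added example (not part of the original post): accounts outside the UID_MIN-UID_MAX window drop out of the GUI tool, so this script lists them from the two files and flags the ones that still have a login shell. The file contents and the NOLOGIN_SHELLS list are constructed assumptions; on a real host, read /etc/login.defs and /etc/passwd instead.

```python
# Added example: list accounts that fall outside the UID window in login.defs.
# LOGIN_DEFS and PASSWD are constructed sample contents, not from a real host.

LOGIN_DEFS = """\
# Min/max values for automatic uid selection in useradd
UID_MIN                  1000
UID_MAX                 60000
# System accounts
#SYS_UID_MIN              100
#SYS_UID_MAX              999
GID_MIN                  1000
GID_MAX                 60000
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oradir:x:389:389::/opt/dsee7:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:60001:60001:Bob:/home/bob:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Shells that refuse an interactive session (assumed list). An empty shell
# field is deliberately NOT here: login falls back to /bin/sh for it.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_login_defs(text):
    """Return {KEY: int} for the active (uncommented) *_MIN / *_MAX settings."""
    settings = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) == 2 and fields[0].endswith(("_MIN", "_MAX"))
                and fields[1].isdigit()):
            settings[fields[0]] = int(fields[1])
    return settings


def parse_passwd(text):
    """Yield (name, uid, shell) for every well-formed passwd(5) line."""
    for raw in text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # comments, NIS '+' entries, damaged lines
        yield fields[0], int(fields[2]), fields[6]


def hidden_accounts(login_defs_text, passwd_text):
    """Return (name, uid, can_login) for accounts outside [UID_MIN, UID_MAX]."""
    limits = parse_login_defs(login_defs_text)
    # Fall back to the values shown in the post if a key is commented out.
    lo, hi = limits.get("UID_MIN", 1000), limits.get("UID_MAX", 60000)
    return [
        (name, uid, shell not in NOLOGIN_SHELLS)
        for name, uid, shell in parse_passwd(passwd_text)
        if uid < lo or uid > hi
    ]


if __name__ == "__main__":
    for name, uid, can_login in hidden_accounts(LOGIN_DEFS, PASSWD):
        note = "REVIEW: has a login shell" if can_login else "no login shell"
        print(f"{name:8} uid={uid:<6} {note}")
```
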

P.S.: For the full story and historical reasons of UIDs, please consult the related UID Wiki page

Monday May 31, 2010

Sun ... set.

I had a dream. It has been great, it has been fun: it has been SUN.

Now the Oracle says: ... ibis ... redibis ... non ... morieris in bello

[... you shall go ... you shall return ... not ... die in the war]

Our job will be to place a comma in the right place to have the correct sentence.

Kick butts and have fun!

Sunnies! ;-)

Large groups...

Sometimes ACI evaluation on large (static) groups can play a significant role in Directory Server performance, especially when there are applications that make massive and frequent queries to evaluate group membership.

Directory Server (since 5.2patch3) has a nice feature to handle the behavior of these queries, since ACIs are generally small instructions, they are cached into the for a faster access... but to avoid having too much space


maximum number of
members in a group during acl evaluation ( there is a parameter for that
(forgot which one but I could search )

    acl would be rejected and not kept in cache in that case ...

cacao and cacao_2

[root@cnode ~]# netstat -naf inet | grep 11162
      *.*                0      0 49152      0 LISTEN
[root@cnode ~]#

[root@cnode ~]# ps -aef | grep cacao
    root  1817     1   0 14:53:28 ?           0:00 /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -P /va
[root@cnode ~]# pargs 1817
1817:   /usr/lib/cacao/lib/tools/launch -w /var/cacao/instances/default -L 16384 -P /va
argv[0]: /usr/lib/cacao/lib/tools/launch
argv[1]: -w
argv[2]: /var/cacao/instances/default
argv[3]: -L
argv[4]: 16384
argv[5]: -P
argv[6]: /var/run/cacao/instances/default/run/hb.pipe
argv[7]: -f
argv[8]: -U
argv[9]: root
argv[10]: -G
argv[11]: sys
argv[12]: --
argv[13]: /usr/jdk/jdk1.5.0_18/bin/java
argv[14]: -Xms4M
argv[15]: -Xmx128M
argv[16]: -Dcom.sun.management.jmxremote
argv[17]: -Dfile.encoding=utf-8
argv[18]: -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
argv[19]: -classpath
argv[20]: /usr/share/lib/jdmk/jdmkrt.jar:/usr/share/lib/jdmk/jmxremote_optional.jar:/usr/lib/cacao/lib/cacao_cacao.jar:/usr/lib/cacao/lib/cacao_j5core.jar:/usr/lib/cacao/lib/bcprov-jdk14.jar
argv[21]: -Djavax.management.builder.initial=com.sun.jdmk.JdmkMBeanServerBuilder
argv[22]: -Dcacao.print.status=true
argv[23]: -Dcacao.config.dir=/etc/cacao/instances/default
argv[24]: -Dcacao.monitoring.mode=smf
argv[25]: -Dcom.sun.cacao.ssl.keystore.password.file=/etc/cacao/instances/default/security/password
argv[26]: com.sun.cacao.container.impl.ContainerPrivate
[root@cnode ~]#

[root@cnode ~]# cacaoadm status
default instance is DISABLED at system startup.
Smf monitoring process:
Uptime: 0 day(s), 1:13
[root@cnode ~]# cacaoadm list-params
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
[root@cnode ~]#

[root@cnode ~]# cacaoadm stop
[root@cnode ~]# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet netmask fffffe00 broadcast
        ether 8:0:20:c3:cf:b8
[root@cnode ~]# cacaoadm set-param network-bind-address=
[root@cnode ~]# cacaoadm list-params
java-flags=-Xms4M -Xmx128M -Dcom.sun.management.jmxremote -Dfile.encoding=utf-8 -Djava.endorsed.dirs=/usr/lib/cacao/lib/endorsed
[root@cnode ~]# cacaoadm start
[root@cnode ~]# netstat -naf inet | grep 11162
      *.*                0      0 49152      0 LISTEN
[root@cnode ~]#

Solaris and core files

[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep "conn=121227 op=2 msgId=141" access
[16/May/2009:00:42:19 -0500] conn=121227 op=2 msgId=141 - MOD dn="uid=mammy22g, ou=RegisteredUsers, ou=People, o=nextel.com"
[16/May/2009:02:37:44 -0500] conn=121227 op=2 msgId=141 - RESULT err=0 tag=103 nentries=0 etime=6925.169930 csn=4a0e6ee1000000670000

[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ head access
[15/May/2009:22:57:53 -0500] conn=107402 op=1 msgId=9079 - SRCH base="ou=registeredusers,ou=people,o=nextel.com" scope=2 filter="(uid=heatherwilson1983)" attrs="uid cn sn givenName reggender reghintquestion reghintanswer mail reginoutemailoption postalCode st ppcity c ppbirthdate nxtptn nxtimei nxtindustrycode nxtbusinessrole nxtincome nxtbusinesscust nxtmanagedaccount nxtupsubscriberaddressid nxtaccount regnickname pplangpreference ppregion regstreetaddress1 regstreetaddress2 accountadmins objectClass nxtphonetype regcompanyname userPassword nxtconfirmationcode nxtemailverified"
[15/May/2009:22:57:53 -0500] conn=107403 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from to (allowed by  rule: ALL:10.214.117.)
[15/May/2009:22:57:53 -0500] conn=107403 op=0 msgId=39348 - BIND dn="uid=6LN, ou=Special Users, o=nextel.com" method=128 version=3
[15/May/2009:22:57:53 -0500] conn=107403 op=0 msgId=39348 - RESULT err=0 tag=97 nentries=0 etime=0.000780 dn="uid=6ln,ou=special users,o=nextel.com"
[15/May/2009:22:57:53 -0500] conn=107403 op=1 msgId=39349 - SRCH base="ou=registeredusers,ou=people,o=nextel.com" scope=2 filter="(nxtptn=9193521611)" attrs="uid givenName sn regstreetaddress1 regstreetaddress2 ppcity st postalCode mail nxtemailverified reginoutemailoption nxtptn nxtupsubscriberaddressid nxtimei nxtphonetype"
[15/May/2009:22:57:53 -0500] conn=107403 op=1 msgId=39349 - RESULT err=0 tag=101 nentries=0 etime=0.000390
[15/May/2009:22:57:53 -0500] conn=107403 op=2 msgId=39350 - UNBIND
[15/May/2009:22:57:53 -0500] conn=107403 op=2 msgId=-1 - closing from - U1 - Connection closed by unbind client -
[15/May/2009:22:57:53 -0500] conn=107403 op=-1 msgId=-1 - closed.
[15/May/2009:22:57:53 -0500] conn=107404 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from to (allowed by  rule: ALL:10.214.117.)
[mm206378-AT-sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ tail access
[16/May/2009:02:37:49 -0500] conn=137659 op=2 msgId=3 - UNBIND
[16/May/2009:02:37:49 -0500] conn=137659 op=2 msgId=-1 - closing from - U1 - Connection closed by unbind client -
[16/May/2009:02:37:49 -0500] conn=137659 op=-1 msgId=-1 - closed.
[16/May/2009:02:37:49 -0500] conn=137657 op=1 msgId=2624 - RESULT err=0 tag=101 nentries=1 etime=0.626520
[16/May/2009:02:37:49 -0500] conn=137657 op=2 msgId=2625 - UNBIND
[16/May/2009:02:37:49 -0500] conn=137657 op=2 msgId=-1 - closing from - U1 - Connection closed by unbind client -
[16/May/2009:02:37:49 -0500] conn=137657 op=-1 msgId=-1 - closed.
[16/May/2009:02:37:51 -0500] conn=137660 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from to (allowed by  rule: ALL:10.214.117.)
[16/May/2009:02:37:51 -0500] conn=137660 op=0 msgId=2629 - BIND dn="uid=6JN, ou=Special Users, o=nextel.com" method=128 version=3
[16/May/2009:02:37:51 -0500] conn=137660 op=0 msgId=2629 - RESULT err=0 tag=97 nentries=0 etime=0.000880 dn="uid=6jn,ou=special users,o=nextel.com"
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c "BIND dn="uid=6JN" access
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c "BIND dn=\"uid=6JN" access
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$ grep -c MOD access
[mm206378@sr1-emln03-04 /net/cores.central/cores/dir27/71037750/20090516]$



(2:18:04 PM) Marco Milo: and what's the output of coreadm <DS_PID> so we have the exact settings also for the specific process...
(2:18:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W: ahhhh, we have been doing $gcore -o <file.out> <pid>
(2:19:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W: should I do the command as you list it above?
(2:20:15 PM) Marco Milo: yes, just to see what are the settings of coreadm for our Directory Server process
(2:20:51 PM) ft96309@im.sun.com/SUN-N52RZ0V6L0W:
/tmp: ps -ef|grep slapd
dsee 20491     1   0   May 08 ?          18:40 /ldap/dsee61/ds6/lib/64/ns-slapd -D /ldap/slapd-smps -i /ldap/slapd-smps/logs/p
dsee  5515 13942   0 07:19:27 pts/4       0:00 grep slapd
dsee 23348     1   2 15:53:09 ?        1216:42 /ldap/dsee61/ds6/lib/64/ns-slapd -D /ldap/dsee6-nol -i /ldap/dsee6-nol/logs/pid
/tmp: coreadm 23348
23348:  core    default
(2:22:26 PM) Marco Milo: what was the output of coreadm?

 global core file pattern:
 global core file content: default
 init core file pattern: core
 init core file content: default
 global core dumps: disabled
 per-process core dumps: enabled
 global setid core dumps: disabled
 per-process setid core dumps: disabled
 global core dump logging: disabled

gcore -c all -o <OUT_FILE> <PID>

ACI debugging on:
# dsconf set-log-prop -p 6330 error level:err-acl

ACI debugging off:
# dsconf set-log-prop -p 6330 error level:default

Friday May 15, 2009

etime in microseconds

To set the etimes in the access log in microseconds, we need to set the following:

# ldapmodify -D <DIRECTORY_MANAGER> -w <PASSWORD> -p <PORT> -h <HOST>
dn: cn=config
changetype: modify
replace: nsslapd-accesslog-level
nsslapd-accesslog-level: 131328
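
An added example (not from the original post): with etimes in the access log, each RESULT line can be paired with its request on the same conn/op to rank slow operations and to spot requests that never got a RESULT. The sample lines are constructed in the access-log format shown on this page, with placeholder DNs and addresses; etime is read as seconds with a fractional part, as in those lines.

```python
# Added example: pair RESULT lines with their requests and rank by etime.
# SAMPLE_LOG is constructed in the access-log format shown on this page.
import re
from datetime import datetime

SAMPLE_LOG = """\
[16/May/2009:00:42:18 -0500] conn=500 op=-1 msgId=-1 - fd=87 slot=87 LDAP connection from 192.0.2.10 to 192.0.2.1
[16/May/2009:00:42:18 -0500] conn=500 op=0 msgId=1 - BIND dn="uid=app,ou=Special Users,o=example.com" method=128 version=3
[16/May/2009:00:42:18 -0500] conn=500 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0.000780 dn="uid=app,ou=special users,o=example.com"
[16/May/2009:00:42:19 -0500] conn=500 op=1 msgId=2 - MOD dn="uid=user1,ou=People,o=example.com"
[16/May/2009:00:42:20 -0500] conn=501 op=1 msgId=7 - SRCH base="ou=people,o=example.com" scope=2 filter="(uid=user2)" attrs="uid cn"
[16/May/2009:00:42:20 -0500] conn=501 op=1 msgId=7 - RESULT err=0 tag=101 nentries=1 etime=0.626520
[16/May/2009:02:37:44 -0500] conn=500 op=1 msgId=2 - RESULT err=0 tag=103 nentries=0 etime=6925.169930
[16/May/2009:02:37:45 -0500] conn=502 op=1 msgId=3 - SRCH base="o=example.com" scope=2 filter="(cn=*)" attrs="cn"
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) "
    r"msgId=(?P<msgid>-?\d+) - (?P<rest>.*)$"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
# Request verbs answered by a RESULT line. SRCH, BIND and MOD appear on this
# page; the others are assumed to follow the same pattern.
REQUEST_VERBS = {"BIND", "SRCH", "MOD", "ADD", "DEL", "MODRDN", "CMP", "EXT"}


def parse_line(line):
    """Split one access-log line into timestamp, conn, op, verb and the rest."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "conn": int(m.group("conn")),
        "op": int(m.group("op")),
        "verb": rest.split(None, 1)[0] if rest else "",
        "rest": rest,
    }


def correlate(lines):
    """Return (completed operations, requests still waiting for a RESULT)."""
    pending, done = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["conn"], rec["op"])
        if rec["verb"] in REQUEST_VERBS:
            target = re.search(r'(?:dn|base)="([^"]*)"', rec["rest"])
            rec["target"] = target.group(1) if target else ""
            pending[key] = rec
        elif rec["verb"] == "RESULT" and key in pending:
            req = pending.pop(key)
            etime = re.search(r"\betime=([0-9.]+)", rec["rest"])
            err = re.search(r"\berr=(\d+)", rec["rest"])
            done.append({
                "conn": key[0], "op": key[1],
                "verb": req["verb"], "target": req["target"],
                "err": int(err.group(1)) if err else None,
                "etime": float(etime.group(1)) if etime else None,
                # wall-clock gap between the two log lines, as a cross-check
                "wall": (rec["ts"] - req["ts"]).total_seconds(),
            })
    return done, pending


def slow_ops(text, threshold_s):
    """Completed operations with etime >= threshold_s, slowest first."""
    done, _ = correlate(text.splitlines())
    slow = [d for d in done if d["etime"] is not None and d["etime"] >= threshold_s]
    return sorted(slow, key=lambda d: d["etime"], reverse=True)


if __name__ == "__main__":
    for d in slow_ops(SAMPLE_LOG, 1.0):
        print(f'conn={d["conn"]} op={d["op"]} {d["verb"]} {d["target"]} '
              f'etime={d["etime"]:.6f}s wall={d["wall"]:.0f}s err={d["err"]}')
    for (conn, op), req in correlate(SAMPLE_LOG.splitlines())[1].items():
        print(f'no RESULT yet: conn={conn} op={op} {req["verb"]} {req["target"]}')
```
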

Thursday May 07, 2009

Make X listen on external TCP ports (Solaris and OpenSolaris)

In Solaris 10 and OpenSolaris the X server is enabled by default and controlled via SMF (Service Management Facility):

# ps -aef | grep Xsun
root 4767 4764 0 15:10:44 ? 0:01 /usr/openwin/bin/Xsun :0 -defdepth 24 -nolisten tcp -nobanner -auth

# svcs -xv cde-login
svc:/application/graphical-login/cde-login:default (CDE login)
 State: online since Thu May 07 15:10:43 2009
   See: man -M /usr/dt/share/man -s 1 dtlogin
   See: /var/svc/log/application-graphical-login-cde-login:default.log
Impact: None.


The default installation doesn't make the X server listen on a TCP port:

# netstat -naf inet | grep 6000


and this is indeed a noticeable security feature, but sometimes it's
also useful having the X Server available and responsive on TCP.

X properties are defined in the /application/x11/x11-server service;
and we can see all the properties with the following command:

# svccfg -s /application/x11/x11-server listprop
options                       application
options/default_depth         integer  24
options/server                astring  /usr/openwin/bin/Xsun
options/server_args           astring
options/stability             astring  Evolving
options/value_authorization   astring  solaris.smf.manage.x11
options/tcp_listen            boolean  false
fs-local                      dependency
fs-local/entities             fmri     svc:/system/filesystem/local
fs-local/grouping             astring  require_all
fs-local/restart_on           astring  none
fs-local/type                 astring  service
network-service               dependency
network-service/entities      fmri     svc:/network/service
network-service/grouping      astring  require_all
network-service/restart_on    astring  none
network-service/type          astring  service
name-services                 dependency
name-services/entities        fmri     svc:/milestone/name-services
name-services/grouping        astring  require_all
name-services/restart_on      astring  refresh
name-services/type            astring  service
general                       framework
general/action_authorization  astring  solaris.smf.manage.x11
general/entity_stability      astring  Evolving
start                         method
start/exec                    astring  "/lib/svc/method/x11-server -d 0 -c %i %m"
start/timeout_seconds         count    0
start/type                    astring  method
stop                          method
stop/exec                     astring  ":kill -TERM"
stop/timeout_seconds          count    10
stop/type                     astring  method
tm_common_name                template
tm_common_name/C              ustring  "X Window System server"
tm_man_Xserver                template
tm_man_Xserver/manpath        astring  /usr/openwin/share/man
tm_man_Xserver/section        astring  1
tm_man_Xserver/title          astring  Xserver
tm_man_Xsun                   template
tm_man_Xsun/manpath           astring  /usr/openwin/share/man
tm_man_Xsun/section           astring  1
tm_man_Xsun/title             astring  Xsun
tm_man_Xorg                   template
tm_man_Xorg/manpath           astring  /usr/X11/share/man
tm_man_Xorg/section           astring  1
tm_man_Xorg/title             astring  Xorg

In particular, the switch that controls whether or not the X server listens on TCP is:

# svccfg -s /application/x11/x11-server listprop options/tcp_listen

options/tcp_listen boolean false


So in this case we enable it with the following command:

# svccfg -s svc:/application/x11/x11-server setprop options/tcp_listen = true

# svccfg -s /application/x11/x11-server listprop options/tcp_listen

options/tcp_listen boolean true


and stop/start the cde-login service to make the change effective:

# svcadm disable cde-login

# svcadm enable cde-login

and now we see the different behaviour:

# ps -aef | grep Xsun

root 4844 4834 1 15:22:07 ? 0:00 /usr/openwin/bin/Xsun :0 -defdepth 24 -nobanner -auth /var/dt/A:0-N_aqCj


and also that the service is listening on the tcp port:

# netstat -naf inet | grep 6000

*.6000 *.* 0 0 49152 0 LISTEN

*.6000 *.* 0 0 49152 0 LISTEN


now it displays that the server is listening also on the TCP port 6000, and we can connect to X from outside.
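
An added example (not part of the original post): a plain `grep 6000` also matches unrelated ports such as 16000, so this check parses the `netstat -naf inet` output, keeps only LISTEN sockets in the X11 display range and reports whether each one is bound beyond loopback. The sample output is constructed in the Solaris layout, and treating 6000-6063 as the X11 range is an assumption.

```python
# Added example: find X11 TCP listeners in `netstat -naf inet` output.
# SAMPLE_NETSTAT is constructed in the Solaris layout shown in the post.

SAMPLE_NETSTAT = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
127.0.0.1.6010             *.*                0      0 49152      0 LISTEN
      *.16000              *.*                0      0 49152      0 LISTEN
192.0.2.15.22        192.0.2.99.51234     64240      0 49232      0 ESTABLISHED
"""

X11_BASE = 6000        # display :N listens on TCP port 6000 + N
X11_MAX_DISPLAY = 63   # assumption: treat ports 6000-6063 as X11 displays


def tcp_listeners(netstat_text):
    """Return (local_address, port) for every socket in LISTEN state.

    Solaris prints the local endpoint as address.port, e.g. '*.6000' or
    '127.0.0.1.6010', so the port is whatever follows the last dot.
    """
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "LISTEN":
            continue  # headers, separators, established connections, UDP
        addr, sep, port = fields[0].rpartition(".")
        if sep and port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def x11_tcp_listeners(netstat_text):
    """Return (display, address, port, exposed) for X11 display ports.

    'exposed' is True when the socket is bound to the wildcard or to a
    non-loopback address, i.e. reachable from other hosts.
    """
    findings = []
    for addr, port in tcp_listeners(netstat_text):
        display = port - X11_BASE
        if 0 <= display <= X11_MAX_DISPLAY:
            exposed = not addr.startswith("127.")
            findings.append((display, addr, port, exposed))
    return findings


if __name__ == "__main__":
    for display, addr, port, exposed in x11_tcp_listeners(SAMPLE_NETSTAT):
        scope = "reachable from the network" if exposed else "loopback only"
        print(f"display :{display} on {addr}.{port} -> {scope}")
```
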

Monday Apr 06, 2009

Basic TCP/IP Tuning

These are only some tips about the TCP/IP stack tuning suggested for Directory Server:

ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_keepalive_interval 600000
ndd -set /dev/tcp tcp_ip_abort_cinterval 10000
ndd -set /dev/tcp tcp_ip_abort_interval 60000
ndd -set /dev/tcp tcp_strong_iss 2
ndd -set /dev/tcp tcp_smallest_anon_port 8192
ndd -set /dev/tcp tcp_naglim_def 1

In any case, tuning is NEVER a one-shot. It's an iterative process in which you apply and measure the changes, possibly one at a time.

Wednesday Mar 18, 2009

Rumors in my mind...

Today has been very busy. I realized it from the rumors I've heard since I woke up.
Plenty of perspectives, ideas, dichotomies: yin and yang, good and bad, heaven and hell, antinomies, synesthesias...

Almost everything came to my mind.

But after a nice dinner I realize that, no matter what happens, you don't have to be Scarlett O'Hara to say that "After all, tomorrow is another day!".

There will always be a Sun shining up in the sky and lighting my way... The sky may be clean, rainy, cloudy, overcast... maybe even more "blue"... whatever, who cares: Sun will always be Sun.

It's a matter of fact.

For me it's a state of mind; it's like throwing your heart through the hurdle; not only trying harder: but succeeding better!

And for the moment it's enough for me.

Thursday Nov 13, 2008

Two years @Sun.COM

After our new product launch, I believe this wonderful system is another tool added to our already vast portfolio of products we can sell to customers. But I'm still convinced that customers would do better to buy not only wonderful products (hopefully ours). Products themselves may not be enough.

Sun may have the very best the market can offer at a given moment in time, but sooner or later there could always be someone else with a better idea: that's life, that's part of the game.

So, we (SUN) must make the difference!

This difference could be providing customers with complete solutions, bottom-up services. We should not only provide the hardware bricks, but also expertise, skills, guidance and leadership to build Customers' infrastructure... I don't wanna be only "another brick in the wall". I would like Customers, before making their own decisions, to ask Sun for ideas, because they trust us as technological partners and as people.

Tuesday Nov 27, 2007

Awakening in Finland

6.30: the alarm is ringing, where am I? Turku, Finland. Yes, now I remember ;-) Outside the sky is black as tar pitch and the temperature is -5°C, but this morning I have something different to do... No delays, let's go for it! I take the lift to the top floor, where the Finnish sauna is located, and after a cold shower you can spend some time in a warm room (+90°C), ladling some water from a bowl onto some hot cobblestones. Steam puffs start wrapping you like a warm soft blanket: the relaxing part starts. After 5-10 min spent in this room, you must find your way out; but as soon as you get out, Finnish tradition advises another cold shower, and now the most incredible part... With only a towel around your hips, barefoot, you can step out onto the balcony and feel the snow melting under your feet, while the icy air starts shaking you to the bones. Only a minute or a few more and you feel completely restored; still carrying the warmth inside, you're ready to start facing the dawn of a new day. You can feel far echoes of the Vikings' strength...

Marco Milo

