Unix Wear

Blind Administration

2011-09-11T23:26:00.000+02:00

A few weeks ago I've lost the ability to see any output form my MacBook Pro.

It was a second time. For the first time I had lost the embedded led display only.
The DVI output worked fine. Then came the healing power of promise - I have to buy a new one.
But threat without the coverage it's just the bucket of words.
The MBP makes me blind completely and definately. No video output. No remote access.
No working ssh daemon, no firewall access, no future.

I thought the target mode would be the cure.
I have PowerBook Pismo with Tiger onboard. Unfortunately, the data on MBP was encrypted with
a FileVault from Snow Leopard. Either try of target mode connection, or try of manual mount failed.

Collecting of the recipe components took me many hours, often filled with an exasperation.
Hidden typos. Invisible prompts. Lurking daemons.

The recipe.
It's here to remember. It's here to save other souls.

Power On.
Listen to chime and wait a few moments, then log in yourself:
username TAB
password

Open Applications
⌘+Shift+A
and invoke your favourite text terminal by typing its name, followed by CMD+O
i t e r m ⌘+O

Confirm you're in:

$ say ok
$ sudo su
> put your password <

Confirm your personality.

$ whoami | say

Let the dogs out. Select a race, choose wisely.

$ launchctl load -w /System/Library/LaunchDaemons/telnet.plist # enable configuration and
$ launchctl load -w /System/Library/LaunchDaemons/ssh.plist    # set Disable key to false
$ launchctl start com.apple.telnetd
$ launchctl start com.openssh.sshd

Check the locks.

$ defaults read /Library/Preferences/com.apple.alf globalstate | say
2

Firewall states

0 - de-activated
1 - on for specific services
2 - on for essential services

Open the gates.
Pretty enough for older systems (Tiger), where no reboot required:

$ ipfw flush
> 'y' to flush <
$ ipfw list | say # 'any to any' means success

Permanent solution:

$ defaults write /Library/Preferences/com.apple.alf globalstate -int 0
$ reboot

Connect and enjoy it.

Mount USB Disk drive.

sh-3.2# diskutil list| grep SAM
   1:             Windows_FAT_32 SAMSUNG                 2.0 TB     disk2s1
sh-3.2# diskutil mountDisk SAMSUNG
Volume(s) mounted successfully

Rsync your secrets.

db2setup start failure on Debian/Ubuntu

2011-01-03T20:15:00.009+01:00

Two late evenings of life - that was the time cost of the solution discovery.
I had tried to put the DB2 Express-C 9.7.2 on 64-bit Linux system, and I failed either on Ubuntu 8.04 LTS
or on Debian 5.0 (I know it is not recommended/supported solution).

The first and the last problem was related to the db2setup startup error.
It can be seen from the console just like that:


# ./db2setup 
DBI1190I  db2setup is preparing the DB2 Setup wizard which will guide
      you through the program setup process. Please wait.


#

But, there was the trail in the error log:


# cd /tmp
# cat db2setup.err 
Exception in thread "main" java.lang.UnsatisfiedLinkError: awt (An exception was pending after running JNI_OnLoad)
        at java.lang.ClassLoader.loadLibraryWithPath(ClassLoader.java:998)
        at java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:962)
        at java.lang.System.loadLibrary(System.java:465)
        at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:69)
        at java.security.AccessController.doPrivileged(AccessController.java:202)
        at java.awt.Toolkit.loadLibraries(Toolkit.java:1605)
        at java.awt.Toolkit.(Toolkit.java:1627)
        at java.lang.J9VMInternals.initializeImpl(Native Method)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
        at java.awt.AWTEvent.(AWTEvent.java:220)
        at java.lang.J9VMInternals.initializeImpl(Native Method)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:167)
        at sun.misc.Unsafe.ensureClassInitialized(Native Method)
        at sun.reflect.UnsafeFieldAccessorFactory.newFieldAccessor(UnsafeFieldAccessorFactory.java:37)
        at sun.reflect.ReflectionFactory.newFieldAccessor(ReflectionFactory.java:122)
        at java.lang.reflect.Field.acquireFieldAccessor(Field.java:920)
        at java.lang.reflect.Field.getFieldAccessor(Field.java:901)
        at java.lang.reflect.Field.get(Field.java:360)
        at com.ibm.db2.tools.common.support.AssistManager.loadVKeys(Unknown Source)
        at com.ibm.db2.tools.common.support.AssistManager.(Unknown Source)
        at java.lang.J9VMInternals.initializeImpl(Native Method)
        at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
        at DB2Setup.(Unknown Source)
        at DB2Setup.main(Unknown Source)
#

Let me start from the beginning.


# ./db2setup
WARNING:
   Can't use string to find the version of libstdc++.
   Check the following web site for the up-to-date system requirements
   of IBM DB2 9.7
   http://www.ibm.com/software/data/db2/udb/sysreqs.html
   http://www.software.ibm.com/data/db2/linux/validate  
  The force option "-f sysreq" is used to force the installation ...

DBI1190I  db2setup is preparing the DB2 Setup wizard which will guide
      you through the program setup process. Please wait.



The DISPLAY variable is not set properly.  Ensure that the DISPLAY variable is set properly and that permissions are set properly to open windows on the display specified, then rerun the command.
#

Even with the -f sysreq there was no visible progress.
Before the installation begins I have installed the libaio1 and libstdc++6 as it was mentioned in the online documentation.

The installation was on the remote server, so to verify that X11 session forwarding works fine I had to install xauth and use the ssh -Y option.


# xauth list
digestive.deadsystems.com/unix:10  MIT-MAGIC-COOKIE-1  a957c95c1c862f5314b32e88c5bd9e17
# echo $DISPLAY
localhost:10.0

I have used the xarclock to check that the remote app is being displayed fine on my laptop.

"Can't use string to find the version of libstdc++." -
it was resolved by simple binutils package installation (to get the strings binary).

But, there was no progress yet.


# ./db2setup 
WARNING:
   The 32 bit library file libstdc++.so.6 is not found on the system. 
   32-bit applications may be affected.  
DBI1190I  db2setup is preparing the DB2 Setup wizard which will guide
      you through the program setup process. Please wait.


#

Then I thought that the /tmp/db2setup.err contains the java related exception, but there is no java vm on the machine.


# java -version
-ksh93: java: not found [No such file or directory]

After the sun-java6-jre installation there was still nothing more.


# java -version
java version "1.6.0_22"
Java(TM) SE Runtime Environment (build 1.6.0_22-b04)
Java HotSpot(TM) 64-Bit Server VM (build 17.1-b03, mixed mode)

A few search queries more and I have found a tip:

GUI applications, such as the JConsole monitoring tool, on 64-bit Ubuntu with a 32-bit JVM
When running a 32-bit JVM on a 64-bit Ubuntu system, GUI applications do not start because some AWT libraries are missing. To fix the problem, install the 32-bit libraries using the ia32-libs package:
sudo apt-get install ia32-libs
The following exception is thrown if the libraries are not available:
Exception in thread "main" java.lang.UnsatisfiedLinkError: awt (An exception was pending after running JNI_OnLoad)
at java.lang.ClassLoader.loadLibraryWithPath(ClassLoader.java:993)
at java.lang.ClassLoader.loadLibraryWithClassLoader(ClassLoader.java:962)
at java.lang.System.loadLibrary(System.java:465)
... lines removed for clarity ...
If problems are encountered with DNS name resolution, install the package lib32nss-mdns.

But neither ia32-libs nor lib32nss-mdns installation helped me to go further.
The only benefit was the lack of warning message:


WARNING:
   The 32 bit library file libstdc++.so.6 is not found on the system. 
   32-bit applications may be affected.

Then It looked like:


# ./db2setup 
DBI1190I  db2setup is preparing the DB2 Setup wizard which will guide
      you through the program setup process. Please wait.


#

After the additional few hours of digging through the differences between the library sets on two machines,
on which the first have the fully operational DB2 instances and the second is the reported unlucky node, I have pointed the main responsible for all the evil - there was no libxft2. After the apt-get install libxft2 - db2setup has raised from the ashes.

Enjoy.

Un-monit

2011-01-01T23:38:00.006+01:00

Using the monit to look after the hosts and services, sometimes you need to stop watching a particular check.
The argument for unmonitor option is the process name or host name being monitored, ex.


# monit status
[...]
Remote Host 'eye0.deadsystems.com'
  status                            Connection failed
  monitoring status                 monitored
[...]

# monit unmonitor eye0.deadsystems.com
# monit summary
[...]
Process 'sshd'                      running
Remote Host 'eye0.deadsystems.com'  not monitored
[...]

User passwords may not be provided in pre-encoded form

2010-09-28T15:45:00.003+02:00

One of the very first differences between the OpenDS and DSEE I have noticed
was the possibility of ldapmodifing the userPassword value. In OpenDS this feature is disabled by default.


$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  User passwords may not be provided in pre-encoded form

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Default Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Default Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Root Password Policy" ds-cfg-allow-pre-encoded-passwords
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-allow-pre-encoded-passwords: false

I do not know the pro and con voices in this discussion, but for me there is only one disadvantage - the ability to observe
multiple instances of the same encoded password strings. And it is only the risk when the one who would notice this fact is the bad guy.
In contrast I see only the advantages.
So...


dn: cn=Root Password Policy,cn=Password Policies,cn=config
changetype: modify
replace: ds-cfg-allow-pre-encoded-passwords
ds-cfg-allow-pre-encoded-passwords: true

LDIF has been implemented.


$ encode-password -s SSHA512 -f ~/.odspwd
Encoded Password:  "{SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c"

$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
replace: userpassword
userpassword: {SSHA512}Gur7YkCGk4oP2sun+KqpXF4rB9wmzUgjhb3P6hBNmNRLBBQgTxSwLR5WuO41yytG9sUzslYc2HyUAM1otujRW+UkAOapbB7c

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=odsmgr" +
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config "cn=odsmgr" +
dn: cn=odsmgr,cn=Root DNs,cn=config
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20100927104857Z
createTimestamp: 20100924124513Z
pwdChangedTime: 20100927104857.435Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
entryDN: cn=odsmgr,cn=root dns,cn=config
entryUUID: 99296ddd-e705-468b-8112-afd19bb38821
hasSubordinates: false
subschemaSubentry: cn=schema
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=confi
 g
structuralObjectClass: inetOrgPerson
numSubordinates: 0

Directory Managers. Lots of Directory Managers.

2010-09-26T20:51:00.002+02:00

Last week I have decided to take some OpenDS practise. The practical solving of a problem is better
then hundreds lines of reading about the others activity. At least that's the way I feel.
Task: Multiple the Directory Manager account to delegate administration without providing your secret password.

In theory it is possible without any problems.
The only requirement is the object class of ds-cfg-root-dn-user.
I have copied almost the all attributes from the current "root" account into a new one.


$ ldapsearch -p 1389 -D cn=dirmgr -j ~/.odspwd -b cn=config "cn=Directory Manager"
dn: cn=Directory Manager,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=dirmgr
cn: Directory Manager
givenName: Directory
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0


$ ldapmodify -p 1389 -D cn=dirmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: add
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: odsmgr
givenName: ODS
sn: Manager
userPAssword: secret

Processing ADD request for cn=odsmgr,cn=Root DNs,cn=config
ADD operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

For the initial testing I have duplicated also the password.


$ ldappasswordmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd \
> -a "dn:cn=odsmgr,cn=Root DNs,cn=config" -c secret -N ~/.odspwd  
The LDAP password modify operation was successful

During the cut'n'copy session of ldapmodify I have omitted ds-cfg-alternate-bind-dn intentionally.
I thought the adjective "alternate" is self-explanatory.
Wrong!


$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)

$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=odsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=odsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
sn: Manager
ds-cfg-alternate-bind-dn: cn=odsmgr
cn: odsmgr
givenName: ODS
objectClass: top
objectClass: ds-cfg-root-dn-user
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==

Why not to test a case with multiple ds-cfg-alternate-bind-dn attibute values.


$ ldapmodify -p 1389 -D "cn=dirmgr" -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-cfg-alternate-bind-dn
ds-cfg-alternate-bind-dn: cn=dsmgr

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn=odsmgr
dn: cn=odsmgr,cn=Root DNs,cn=config
ds-cfg-alternate-bind-dn: cn=odsmgr
ds-cfg-alternate-bind-dn: cn=dsmgr
sn: Manager
cn: odsmgr
givenName: ODS
objectClass: ds-cfg-root-dn-user
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
userPassword: {SSHA}gF7nQ6N6gmpuufM1/8FemlwH1/HikScaVOlP3Q==

But wait a minute. Why the userPassword value is encoded with a SSHA password scheme, while
the Directory Manager and the default root scheme is pointing to SSHA512.


$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.odspwd -b cn=config cn="Directory Manager" userpassword
dn: cn=Directory Manager,cn=Root DNs,cn=config
userpassword: {SSHA512}1g9Byn7MOZ1TgZCNY8gw4NA6o8UguyYg0b48d89zJS+AyIs9OP2rHfbZ6
 aaqTluryTh3Ux1ZW5RSWuTjH9wvtBxFXCxJzyt0
 
$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config "cn=Root Password Policy" \
> ds-cfg-default-password-storage-scheme
dn: cn=Root Password Policy,cn=Password Policies,cn=config
ds-cfg-default-password-storage-scheme: cn=Salted SHA-512,cn=Password Storage Sc
 hemes,cn=config

The answer has come with the hint from Ludovic Poitou.
The virtual attribute of ds-pwp-password-policy-dn should be set explicitly.


$ ldapmodify -p 1389 -D cn=dsmgr -j ~/.odspwd
dn: cn=odsmgr,cn=Root DNs,cn=config
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=Root Password Policy,cn=Password Policies,cn=config

Processing MODIFY request for cn=odsmgr,cn=Root DNs,cn=config
MODIFY operation successful for DN cn=odsmgr,cn=Root DNs,cn=config

$ openssl rand -base64 12 > ~/.dspwd

$ ldappasswordmodify -p 1389 -D cn=dsmgr -j ~/.odspwd -a "cn=odsmgr,cn=Root DNs,cn=config" \
> -C ~/.odspwd -N ~/.dspwd
The LDAP password modify operation was successful

$ ldapsearch -p 1389 -D cn=dsmgr -j ~/.dspwd -b cn=config cn=odsmgr userpassword
dn: cn=odsmgr,cn=Root DNs,cn=config
userpassword: {SSHA512}BxvZzrhuVpwOv6FMc9sI1infjPC7PQ0dXXdry4ZLNgq6FJbjCVfSiLwBO
 A1uzaXAscS7pkNbfkP4hG11L9DTPsRfpusta+4x

Nice.

Custom Service Packages

2010-09-21T21:18:00.007+02:00

During each subsequent comms implementation I forget one or more steps from the following recipe.
So, here comes the milestones to remember.
For the complete documentation refer to the wikis.sun.com.

Template for basic set of packages - da.cos.skeleton.ldif can be found in directory:
/opt/sun/comms/da/lib/config-templates/
on Delegated Administrator default installation path.

Usually I use only the packages for MailUser, MailCalendarUser and MailGroup.
After the customization the file might look like:


dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailCalendarUser
mailMsgMaxBlocks: 5000
mailAllowedServiceAccess: +imap,imaps,pop,pops,smtp,smtps,http,smime:ALL
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
changetype: add
objectclass: top
objectclass: LDAPsubentry
objectclass: extensibleobject
objectclass: cosTemplate
cn: wisniosMailGroup
mailMsgMaxBlocks: 5000
daServiceType: mail group

Dry run:


# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -n -f da.cos.wisnios.ldif 
!adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

!adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root

Wet run:


# ldapmodify -p 1389 -D cn=dirmgr -j /root/.dspwd -f da.cos.wisnios.ldif 
adding new entry cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root

adding new entry cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root

adding new entry cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root

Check:


# ldapsearch -p 1389 -D cn=dirmgr -j /root/.dspwd -b o=cosTemplates,o=root \
> "(&(cn=wisnios*)(objectclass=LDAPsubentry))" daServiceType
version: 1
dn: cn=wisniosMailUser,o=mailuser,o=cosTemplates,o=root
daServiceType: mail user

dn: cn=wisniosMailCalendarUser,o=mailcalendaruser,o=cosTemplates,o=root
daServiceType: calendar user
daServiceType: mail user

dn: cn=wisniosMailGroup,o=mailgroup,o=cosTemplates,o=root
daServiceType: mail group

To make sure that the changes (packages) will be visible restart the app/web container.

How to automate the SpamAssassin feeding

2010-09-08T20:30:00.007+02:00

This post is my answer to the Sun Wikis' entry about Enabling Anti-Spam functionality in Convergence.

Technologies used:
Messaging Server
SpamAssassin
RBAC - execution profiles

Messaging Server use the two variables to hold the email accounts for feeding anti-spam system
with the positive and false positive spam messages:

service.feedback.spam

service.feedback.notspam

But there is no embedded mechanism to deal with them.
Here comes my solution.

Every time the Convergence user marks the spam (ot not spam), with the appropriate button from its interface,
the mail is being sent to the address provided within the configuration.
The email messages accumulate in the accounts and waiting for the action.

Scenario:

fetching messages from spam account

teaching spamassassin with spam

cleaing INBOX folder

fetching messages from notspam account

teaching SA with ham

cleaning account

Methods:

fetching messages from spam account

imsexport

teaching spamassassin with spam

sa-learn --spam

cleaing INBOX folder

mboxutil -d

mboxutil -c

fetching messages from notspam account

imsexport

teaching SA with ham

sa-learn --ham

cleaning account

mboxutil -d

mboxutil -c

Due to a fact the script will be invoked by root account, to get the access either to imsexport files or sa-learn with valid Bayes DB,
I have decided to use one of the Solaris RBAC mechanisms - profiles.

I would not describe the profile creation step-by-step, because the learning by example is much more valuable.


# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
There is no Solaris Management Console Server running on localhost.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# svcadm enable wbem

# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.
You have entered a non-existent right SpamAssassin Administration.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
\
# cd /usr/lib/help/profiles/locale/C
# cat RtSAAdmin.html
< HTML >
< HEAD >
< TITLE >< /TITLE >
< /HEAD >
< BODY >
SpamAssassin Administration right allows the user or role SA management.
< /BODY >
< /HTML >

^^^^^
Spaces has been added to HTML tags in due to blogspot problems with handling this kind of stuff within the post body.


# /usr/sadm/bin/smprofile add -H localhost -u root -- \
-n "SpamAssassin Administration" -d "Manage SpamAssassin" -m RtSAAdmin.html
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.profile.UserMgrProfCli from localhost was successful.

# tail -1 /etc/security/prof_attr
SpamAssassin Administration:::Manage SpamAssassin:help=RtSAAdmin.html
 
# /usr/sadm/bin/smexec add -H localhost -u root -- \
-n "SpamAssassin Administration" -t cmd -c /export/home/sa/bin/sa-learn -U 105 -G 102
Authenticating as user: root

Type /? for help, pressing  accepts the default denoted by [ ]
Please enter a string value for: password ::
Loading Tool: com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost
Login to localhost as user root was successful.
Download of com.sun.admin.usermgr.cli.execs.UserMgrExecCli from localhost was successful.

# tail -1 /etc/security/exec_attr
SpamAssassin Administration:solaris:cmd:::/export/home/sa/bin/sa-learn:uid=105;gid=102

So, running sa-learn by the user / role with "SpamAssassin Administration" profile assigned
allow access to bayes DB files with the proper rights.
Examples can be seen in the script code provided below.


#!/usr/bin/ksh
#------------------------------------
# sa-feed.ksh
#  feed SpamAssassin with {NOT}SPAM
#   from file in mbox format
#====================================
# author: Marcin Wisnios
# e-mail: wisnios at wisnios dot com
#------------------------------------
PATH=$PATH:/opt/sun/comms/messaging64/bin:/export/home/sa/bin

TDIR=$(mktemp -td)                                      # temporary directory
FILE=$TDIR/INBOX                                        # mbox file
MUSR=$(ps -o user -p $(pgrep -nf dispatcher) | tail -1) # messaging server runtime user
SUSR=$(ps -o user -p $(pgrep -nf spamd) | tail -1)      # spamassassin runtime user
SPAM=$(configutil -o service.feedback.spam)             # feedback account for spam
NOTSPAM=$(configutil -o service.feedback.notspam)       # feedback account for not spam
BDBL=/export/home/sa/.spamassassin                      # Bayes DB location
SALEARN="pfexec sa-learn --dbpath $BDBL"                # fixed part of sa-learn invocation

chown $MUSR $TDIR
chmod 0755 $TDIR

imsexport -s INBOX -d $TDIR -u $SPAM


[ -f $FILE ] && {
        chown $SUSR $FILE

        NSPAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')
        $SALEARN --mbox --spam $FILE 2> /dev/null &&\
        NSPAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nspam | awk '{print $3}')

        [ $NSPAM_BEFORE -lt $NSPAM_AFTER ] && {
                mboxutil -d user/$SPAM/INBOX
                mboxutil -c user/$SPAM/INBOX
        }

        rm $FILE
}

imsexport -s INBOX -d $TDIR -u $NOTSPAM

[ -f $FILE ] && {
        chown $SUSR $FILE

        NHAM_BEFORE=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')
        $SALEARN --mbox --ham $FILE 2> /dev/null &&\
        NHAM_AFTER=$($SALEARN --dump magic 2> /dev/null | grep nham | awk '{print $3}')

        [ $NHAM_BEFORE -lt $NHAM_AFTER ] && {
                mboxutil -d user/$NOTSPAM/INBOX
                mboxutil -c user/$NOTSPAM/INBOX
        }
}

[ -d $TDIR ] && rm -rf $TDIR

Run the script in a way you like.
I put it directly to a crontab. Root's crontab.

Enjoy.

crle and missing libusb.so.1 library

2010-06-25T19:53:00.007+02:00

Today I have installed SpamAssassin from a tar.gz archive on Solaris 10 10/09.
Though everything looked fine I faced the problem with invocation of sa-update - SpamAssassin rules updater.


$ sa-update
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed
error: GPG validation failed!
The update downloaded successfully, but the GPG signature verification
failed.
channel: GPG validation failed, channel failed
$ gpg
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
Killed

(gnupg has been installed from a package from sunfreeware.com, but it was not a problem)

Quick truss session:


# truss gpg
[...]
stat64("/usr/local/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/ssl/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/openwin/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0)      Err#2 ENOENT
stat64("/usr/X11R6/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/usr/local/BerkeleyDB.4.7/lib/libusb.so.1", 0x080473A0) Err#2 ENOENT
stat64("/lib/libusb.so.1", 0x080473A0)          Err#2 ENOENT
stat64("/usr/lib/libusb.so.1", 0x080473A0)      Err#2 ENOENT
ld.so.1: gpg: fatal: libusb.so.1: open failed: No such file or directory
[...]

find lookup:


# find /usr -name libusb.so.1
/usr/sfw/lib/libusb.so.1

...and I had to change the default library path.
The tool - crle - runtime linking environment configurator, was taken as the only fair solution.
Do not want to reproduce the manual pages, so, below is the syntax I had used.
Checking the current options:


# crle

Configuration file [version 4]: /var/ld/ld.config  
  Default Library Path (ELF):   /lib:/usr/lib  (system default)
  Trusted Directories (ELF):    /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
  crle -c /var/ld/ld.config -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Complementation of default library path:


# crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

[CHECK]
# crle
Configuration file [version 4]: /var/ld/ld.config  
  Default Library Path (ELF):   /lib:/usr/lib:/usr/sfw/lib
  Trusted Directories (ELF):    /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib

Command line:
  crle -c /var/ld/ld.config -l /lib:/usr/lib:/usr/sfw/lib -s /usr/lib/secure:/opt/sun/comms/calendar/SUNWics5/cal/lib
# exit
$ gpg
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
gpg: directory `/export/home/sa/.gnupg' created
gpg: new configuration file `/export/home/sa/.gnupg/gpg.conf' created
gpg: WARNING: options in `/export/home/sa/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/export/home/sa/.gnupg/secring.gpg' created
gpg: keyring `/export/home/sa/.gnupg/pubring.gpg' created
gpg: Go ahead and type your message ...
^C
gpg: signal 2 caught ... exiting
$ sa-update
gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more information
$

Final notes
The syntax being used could be shortened to a form of:


# crle -u -l /usr/sfw/lib

where -u stands for existing configuration (file /var/ld/ld.config) update.
But be aware that by omitting the -u argument you turn your box into soldered fish tin, until you turn the other directories to the default path.


# crle -l /usr/sfw/lib
# init
ld.so.1: init: fatal: libpam.so.1: open failed: No such file or directory
Killed
# crle -u -l /lib -l /usr/lib -l /usr/sfw/lib
# init
Usage: init [0123456SsQqabc]
#

svclog

2010-06-07T23:13:00.007+02:00

Everytime I have to check the SMF log file quickly I suffer.
I suffer in due to lack of simple method which I would provide you today with.

C'n'P:


#!/usr/bin/ksh
#------------------------------------
# svclog
#  ...run for your logs
#====================================
# author: Marcin Wisnios
# e-mail: wisnios at wisnios dot com
#------------------------------------

svcs $1 > /dev/null 2>&1
if [ $? -eq 1 ]; then
        echo "No match."
        exit
fi

if [ ! -z $1 ]; then
        LOG=$(svcs -l $1 | sed 's/logfile[ ]*\(.*\)/\1/p;d')
        echo "\n\t\t${LOG}\n"
else
        echo "Usage: $0 FMRI [n]"
        echo "n - number of lines to display"
        exit
fi

if [ ! -z $2 ]; then
        tail -$2 ${LOG}
else
        tail -f ${LOG}
fi

Save as, for ex. /usr/local/bin/svclog and... run for your logs:


# svclog ds 3

                /var/svc/log/application-sun-ds:default.log

Waiting for Directory Server instance '/instances/ds1' to start...
Directory Server instance '/instances/ds1' started: pid=434
[ Jun  7 16:53:00 Method "start" exited with status 0 ]
# svclog ms

                /var/svc/log/application-sun-ms:default.log

Stopping dispatcher server 593 ... done
Stopping sched server 591 ... done
Stopping http server 590 ... done
Stopping pop server 589 ...... done
Stopping imap server 588 ... done
Stopping purge server 587 ... done
Stopping store server 584 .... done
Stopping watcher 583 ... done
[ Jun  7 23:40:12 Method "stop" exited with status 0 ]
[ Jun  7 23:40:12 Executing start method ("/opt/sun/comms/messaging64/bin/start-msg") ]
Connecting to watcher ...
Launching watcher ... 1463
Starting store server .... 1464
Checking store server status .....
- CUT -

Enjoy.

fc-fabric(ation) of server's dysfunction

2010-05-25T19:55:00.009+02:00

Do you like minimization? I do.
But sometimes you can go one bridge too far.

Today I have switched off the set of useless services.
One after one...
Do I need... No!
Do I need... No!
Do I need Fibre Channel Fabric device support? No.


$ svcadm disable fc-fabric

Another one bites the dust.

After the couple of hours I decided to reboot the server to check its readiness to serve.
And... it failed.

Of course at the moment of failure I dit not realize it was caused by service unavailability of fc-fabric.
Unnecessary stress.

The solution has been revealed during the dependencies check.

Keep this in mind.

AIX backup / restore

2010-04-29T20:33:00.008+02:00

The commonly used mode of backup utility back up file systems by i-node. It uses the Level param of 0 - for full,
1 to 9 for incremental backups, and takes the predefined fileset as input (/, /home, /opt, /usr, /var, etc.).
If you want to use the ordinary directory, not the one of predefined filesets use the -i switch.
It takes the list of files from the standard input (back up by name), and when used in conjunction with hyphen sign
as the target device, it can be piped directly to dd, to put the output into the file.


$ find /etc | backup -i -f - | dd of=/backup/etc.bak

To list the content of backup archive use restore with the -T switch.


$ restore -Tq -f /backup/etc.bak

To restore the individually named file use -x switch.


# restore -xqf /backup/etc.bak /etc/passwd
x /etc/passwd

...or files (in verbose mode):


# restore -xqvf /backup/etc.bak /etc/passwd /etc/security/passwd
New volume on /backup/etc.bak:
 Cluster 51200 bytes (100 blocks).
    Volume number 1
    Date of backup: Thu Apr 29 12:22:13 2010
    Files backed up by name
    User root
x          560 /etc/passwd
x          288 /etc/security/passwd
    total size: 848
    files restored: 2

And to get back all the content of the specified subdirectory use the force of -d


# restore -xqdf /backup/etc.bak /etc/security
x /etc/security
x /etc/security/.idlck
x /etc/security/.ids
x /etc/security/.kst
x /etc/security/.profile
x /etc/security/acl
x /etc/security/aixpert
x /etc/security/aixpert/bin
x /etc/security/aixpert/bin/ISSServerSensor
x /etc/security/aixpert/bin/audit_report
x /etc/security/aixpert/bin/binaudit
[...]

Be aware that all the above actions has overwritten the original files.

mktemp portability

2010-04-27T21:46:00.006+02:00

If you ever need to create a script, to run in the closest possible way in all the unix flavours -
beware of HP-UX behaviour of mktemp command.

It is the only unix system (I know) where mktemp do not create randomly named file/directory.

The result of its actions is just a display of generated name.

Silence is golden

2010-04-27T21:44:00.000+02:00


$ touch .hushlogin

User interface error

2010-03-09T20:58:00.005+01:00

Have you ever encountered similar problems during the n-time tryout of the SSL signing process?


# openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for cakey.pem:
User interface error
unable to load Private Key
26116:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:

or...


# ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
User interface error
unable to load CA private key
26676:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:
Signed certificate is in newcert.pem

This is a single-echo-pill solution.

ad. 1


# echo | openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for cakey.pem:
writing RSA key

ad. 2


# printf "y\ny\n"| ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
[...]
Sign the certificate? [y/n]:

1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Enjoy.

maximum number of instances of the package

2010-03-03T19:36:00.006+01:00

Sometimes there is a need of existence of concurrent versions of the same package.
It is not a issue why, but how to achieve this behaviour.

During the normal installation procedure of the package, with the same name but different version then already installed one,
there is a chance to see a similar message:


# pkgadd -d somepkg*dstream
[...]
Current administration requires that a unique instance of the
<somepkg> package be created.  However, the maximum number of
instances of the package which may be supported at one time on the
same system has already been met.

No changes were made to the system.

To resolve the conflict change the value of MAXINST variable from inside the pkginfo file
(during the package build process).

For example, to allow the coexistence of maximum number of two packages use the following:


MAXINST=2


# pkgadd -d somepkg*dstream
[...]

Installation of <somepkg.2> was successful.

E.T. call ~home

2010-02-25T20:26:00.003+01:00

After many years of unix systems administration, it is a pure pleasure to discover the trick
as simple as displaying the user home directory with ~username.

Examples:


$ echo ~adm
/var/adm
$ echo ~listen
/usr/net/nls
$ echo ~wisnios
/home/wisnios

digression

2010-02-12T22:40:00.002+01:00

command+shift+L rise a google search window with the results of the selected-piece-of-text query.
Piękne. It's beautiful.

substitute multiple line pattern in sed

2010-01-19T20:13:00.003+01:00

Today I faced a problem with a multiline replacement. I did not want to write a sophisticated regex.
I just wanted to get a copy-pasted block of code and put it in place of the old one. Selected weapon - sed.
I've chosen the /begin/,/end/ matching syntax.


['test' input file]

111
222
333
  if (aaa) {
     bbbbb
  }xxx
  }
444
  while (0) {
     ccccc
  }
666


['change' script]

#!/usr/bin/ksh

sed '
/if (aaa)/,/\   }$/ c\
  CHANGE\
     WAS\
  MADE
' \
test


[session]

$ ./change
111
222
333
  CHANGE
     WAS
  MADE
444
  while (0) {
     ccccc
  }
666

MakeLDIF.jar

2009-12-22T20:14:00.012+01:00

Yesterday I have realized that I do not remember how to prepare the ldif file. But not just a simple ldif with a few lines of add/modify/delete subcommands. I have forgotten how to use the SLAMD project's tool - MakeLDIF. As far as I remember there was the jar - MakeLDIF. It was, but now there is not. It had taken a few moments before I found the solution. Here you go:


$ find . -name *.jar | grep -i make
$ cd tools/MakeLDIF
$ perl -e 's/(^define suffix=).*/\1o=ods/' -pi example.template
$ perl -e 's/(^define numusers)=.*/\1=1000/' -pi exa*         
$ perl -e 's/(^define maildomain)=.*/\1=wisnios\.com/' -pi exa*
$ head -3 exa*
define suffix=o=ods
define maildomain=wisnios.com
define numusers=1000
$ cd ..
$ ./make-ldif.sh -t MakeLDIF/example.template -o ~/ods1k.ldif   
Processed 1000 entries
Processing complete.
1002 total entries written.

And the process view of similar command execution:


/usr/jdk/instances/jdk1.5.0/bin/java -server -Xms512m -Xmx512m com.slamd.tools.makeldif.MakeLDIF
 -r /export/home/slamd200-20090712/tools/MakeLDIF -t /tmp/ods.template -o /tmp/ods100k.ldif

Merry Xmas!

AIX stat equivalent

2009-12-08T20:46:00.005+01:00


$ istat /usr/sbin/lsuser
Inode 115447 on device 10/5     File
Protection: r-xr-xr-x   Set UID 
Owner: 0(root)          Group: 7(security)
Link count:   1         Length 84080 bytes

Last updated:   Tue Dec  8 14:40:33 CST 2009
Last modified:  Mon Mar 30 00:45:51 CDT 2009
Last accessed:  Tue Dec  8 16:55:55 CST 2009

* lsuser hint
To display the attributes of all the users, use the ALL keyword:


$ lsuser ALL

Solaris ksh variations

2009-11-24T22:27:00.009+01:00

Today i have read, and in the parallel - discovered, that Solaris has got three ksh variants.
Two of them are ksh88, and one ksh93.


$ grep -i ver /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh:@(#)Version M-11/16/88i
/usr/xpg4/bin/sh:@(#)Version M-11/16/88i
/usr/dt/bin/dtksh:@(#)Version M-12/28/93d
/usr/dt/bin/dtksh:@(#)Version M-12/28/93
/usr/dt/bin/dtksh:@(#)Version 12/28/93

The standard one - /usr/bin/ksh, and a POSIX-compliant veriant of ksh88 - /usr/xpg4/bin/sh.
Both of them are the components of SUNWcsu (Core Solaris (Usr)) package.
dtksh comes from SUNWdtbas.


$ ls -li /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
       489 -r-xr-xr-x   3 root     bin       171412 Aug  7 13:27 /usr/bin/ksh
     26709 -r-xr-xr-x   1 root     bin       620144 Jan 23  2005 /usr/dt/bin/dtksh
      1536 -r-xr-xr-x   1 root     bin       171412 Aug  7 13:27 /usr/xpg4/bin/sh
$ file /usr/bin/ksh /usr/xpg4/bin/sh /usr/dt/bin/dtksh
/usr/bin/ksh:   ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/xpg4/bin/sh:       ELF 32-bit LSB executable 80386 Version 1, dynamically linked, stripped
/usr/dt/bin/dtksh:      ELF 32-bit LSB executable 80386 Version 1, dynamically linked, not stripped, no debugging information available

As you can already saw (on the ls -li listing) there are also the three brothers-in-inode:


# ls -li /usr/bin/*ksh
       489 -r-xr-xr-x   3 root     bin       171412 Aug  7 13:27 /usr/bin/ksh
       489 -r-xr-xr-x   3 root     bin       171412 Aug  7 13:27 /usr/bin/pfksh
       489 -r-xr-xr-x   3 root     bin       171412 Aug  7 13:27 /usr/bin/rksh

It's the highest inode count from all of the Solaris shells (10u8, SUNWCall), the second place goes to csh with only two file names binded to its inode.

Fascinating.

Make yourself a package

2009-11-22T19:35:00.008+01:00

In the world where the Good Security Practices becomes Science Fiction, there was an Admin who wants to train himself in Solaris Packaging.
He has written down the script, which has made his Lord the Legend ;-)
Now, let's put some light on it.

The script takes .ssh folder files from the specified user of template machine, and turns it into .ssh folder of root user on target host. There are also the configuration changes, inside of either /etc/default/login file, or /etc/ssh/sshd_config one.
Do not try this at (production) home!


# ./rootbox.sh
Generating package files
prototype
pkginfo
checkinstall
postinstall
postremove
login.sed
sshd_config.sed
Making package MMWrootbox.1.0.i386.pkg [/tmp]
success
Translating package format to a datastream
success
# cd /tmp
# pkgadd -d MMWrootbox.1.0.i386.pkg

The following packages are available:
  1  MMWrootbox     Root box
                    (i386) 1.0

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: 

Processing package instance  from 

Root box(i386) 1.0
Marcin Marian Wisnios
## Executing checkinstall script.
## Processing package information.
## Processing system information.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of  [y,n,?] y

Installing Root box as 

## Installing part 1 of 1.
/root/.ssh/authorized_keys
[ verifying class  ]
Modifying /etc/default/login
Modifying /etc/ssh/sshd_config
[ verifying class  ]
## Executing postinstall script.

Installation of  was successful.
# date;svcs -x ssh| grep -i state
Sun Nov 22 08:50:57 CET 2009
 State: online since Sun Nov 22 08:50:42 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
128c128
< PermitRootLogin without-password
---
> PermitRootLogin no
# diff /etc/default/login /tmp/rootbox.bak/login
18c18
< #CONSOLE=/dev/console
---
> CONSOLE=/dev/console
# pkginfo MMWrootbox
system      MMWrootbox Root box
# pkginfo -l MMWrootbox
   PKGINST:  MMWrootbox
      NAME:  Root box
  CATEGORY:  system
      ARCH:  i386
   VERSION:  1.0
   BASEDIR:  /
    VENDOR:  Marcin Marian Wisnios
      DESC:  Methods and keys to allow remote root user access
    PSTAMP:  20091122085002
  INSTDATE:  Nov 22 2009 08:50
     EMAIL:  wisnios@gmail.com
    STATUS:  completely installed
     FILES:        4 installed pathnames
                   2 shared pathnames
                   1 directories
                   3 blocks used (approx)

# pkgrm MMWrootbox

The following package is currently installed:
   MMWrootbox  Root box
               (i386) 1.0

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance 

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package  dependencies in global zone
## Processing package information.
## Removing pathnames in class 
Modifying /etc/ssh/sshd_config
Modifying /etc/default/login
## Removing pathnames in class 
/root/.ssh/authorized_keys
/root/.ssh
## Executing postremove script.
## Updating system information.

Removal of  was successful.
# svcs -x ssh|grep -i state; date
 State: online since Sun Nov 22 08:52:33 2009
Sun Nov 22 08:52:50 CET 2009
# diff /etc/ssh/sshd_config /tmp/rootbox.bak/sshd_config
# diff /etc/default/login /tmp/rootbox.bak/login

http://cs-tools.googlecode.com/files/rootbox.sh

Enjoy.

Paranoid

2009-10-28T10:00:00.010+01:00

So, have you ever seen the Solaris 10 boot process, line by line?
I do not talk about the kernel -m verbose mode, which only shows the particular SMF identifiers.
Have you ever wondered why the boot process has hanged? and what's the cause?

The Wisnios way is as follow.
I've decided to replace the master restarter binary with a shell script.


# mv /lib/svc/bin/svc.startd /lib/svc/bin/svc.startdd
# vi /lib/svc/bin/svc.startd


  #!/bin/sh
  truss -fa -t exec /lib/svc/bin/svc.startdd


# chmod 555 /lib/svc/bin/svc.startd
# chgrp sys /lib/svc/bin/svc.startd

You could also choose the more verbose mode by adding the -e switch to truss command.
Truss -f option follows all fork/vfork children, -a shows the argument strings within the exec() calls and -e shows the environment variables (for ex. SMF_FMRI).

Other traces are limited by imagination only.

rmdom.pl

2009-09-24T22:17:00.016+02:00

I've just started the google code project called cs-tools (Commandline Support Tools).
This will be a container for my set of scripts supporting the administration of Sun Java Communications Suite components.
Project Home: http://code.google.com/p/cs-tools/

There's also the first one perl program - rmdom.pl - you could use to simplify the deletion and purge process of hosted domain.

Sample session:


# perl rmdom.pl 
fe  : frontend.localdomain
be  : backend.localdomain
ldap: ldap.localdomain:389
%%%%%%%%%%%%%%%%%%%%%%%%%%
bind dn: cn=dirmgr
bind passwd: 
domain: rmdom.pl
mail domain ok
cal domain ok
active users: 2
active groups: 1
are you sure (yes to confirm)? yes
domain deleted
domain purged

Enjoy.

DateTime set: Object cannot be written

2009-09-22T00:27:00.003+02:00

Very lately (about fifteen minutes ago) I had to resolve the time issue from the ELOM level of Sun Fire X2200.
It couldn't be done, because:


/SP/AgentInfo -> show 

  /SP/AgentInfo
    Targets:
        PEF
        PET
        SEL
        console
        mail
        SNMP

    Properties:
[...]
        DateTime = 01/03/1970-02:56:23
[...]

/SP/AgentInfo -> set DateTime="09/22/2009-00:22:00"
set: Object cannot be written

So, it's the place where the ipmitool could be used.
Ipmitool need the three kernel modules to be loaded:
* ipmi_si
* ipmi_devintf
* ipmi_msghandler

The time can be adjusted with an argument set of the ipmitool's SEL (System Event Log) subcommand.
Sample Linux command line session:


# ipmitool sel time get
Could not open device at /dev/ipmi0 or /dev/ipmi/0: No such file or directory
Get SEL Time command failed
# lsmod | grep ipmi
# modprobe ipmi_devintf 
# modprobe ipmi_si      
# lsmod | grep ipmi
ipmi_si                57164  0 
ipmi_devintf           20624  0 
ipmi_msghandler        50680  2 ipmi_si,ipmi_devintf
# ipmitool sel time get
01/01/1970 22:07:22

# ipmitool sel time set "09/22/2009 00:22:00"

# ipmitool sel time get
09/22/2009 00:22:03

Arming Messaging Server

2009-07-03T23:00:00.001+02:00

Today I've got the three recipes to tighten the unwanted malicious user activity.
All of them are related to mappings file rules.

First i want to prohibit all the unauthenticated users from sending emails.
It could be achieved with a following line in the FROM_ACCESS table:


TCP|*|25|*|*|SMTP*|*|tcp_local|*@*|*    $C$}$6,_canonical_name_{$N$ -$ Authentication$ required$ when$ sending$ with$ this$ envelope$ sender$ domain$E

The second step is to block attemtps of faking From header, after successful authentication
(for ex. using stolen password, or personal account in a negative manner).
I've prepared the suitable lines, also in FROM_ACCESS table:


*|SMTP*|*|tcp_auth|*@*|*@$4*            $Y
*|SMTP*|*|tcp_auth|*@*|*@*              $N$_Sender$ address$ rejected$ for$ $4

It reject the use of tcp_auth channel when domain of authenticated account is different from the one used within the From header.

The third method take advantage of check_metermaid.so library (included in Messaging Server installation).
MeterMaid could be used to throttle the agressive usage of mail server.
I've used two rules (to block them all ;-) ).
First one restrict the number of connections (15) in a unit of time (60 s.).
It's assigned under PORT_ACCESS table:


*|*|*|*|*      $C$:A$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$3]$N421$ Connection$ declined$ at$ this$ time$E

Related thresholds are defined with a configutil command or by edition of msg.conf:


metermaid.config.secret = [your shared secret to authenticate incoming connections]
metermaid.config.serverhost = [host name or ip address of your metermaid server]
metermaid.table.ext_throttle.data_type = string
metermaid.table.ext_throttle.options = nocase
metermaid.table.ext_throttle.quota = 15
metermaid.table.ext_throttle.quota_time = 60

Ex.


# configutil -o metermaid.config.serverhost -v somehost.somedomain
# configutil -o metermaid.config.secret -v somesecret
and so on...

ext_throttle is defined by you throttling table name, and must be the same within the mappings and msg.conf files.

The second rule restrict number of total recipients sent to by a user (i've used the same limit values, but you could add the next throttle table with required thresholds).
It should be addes within the ORIG_SEND_ACCESS mapping tables:


tcp_auth|*|*|*      $C$[/opt/sun/comms/messaging64/lib/check_metermaid.so,throttle,ext_throttle,$0]$NExcessive$ email$ sent$ -$ Please$ try$ again$ later$E

So, run imsimta cnbuild && imsimta restart and...


[...]
235 2.7.0 LOGIN authentication successful.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
[...]
250 2.5.0 Address Ok.
250 2.1.5 marcin.wisnios@somedomain OK.
354 Enter mail, end with a single ".".
250 2.5.0 Ok.
250 2.5.0 Address Ok.
550 5.7.1 Excessive email sent - Please try again later: marcin.wisnios@somedomain

Enjoy.

Disable IPv6 in OpenSolaris 2009.06

2009-06-23T23:46:00.009+02:00

I always want the system works in a way I like it. This way comes with running only the things I really need.
I do not want IPv6 protocol stack when it's useless.

Here, it's a short recipe how it could be achieved.

First, remove the IPv6 from network auto-magic interface configuration.
Add the following entry to /etc/nwam/llp file:


e1000g0 noipv6 dhcp

Now, you could permanently disable the ndp with:


svcadm disable ndp

It's no persistant across reboots without the modification of /etc/nwam/llp.

The second step is not so obvious. Some people in OpenSolaris team want it / like it / need it. I don't care.
I want it to be disabled.
The loopback inet6 interface is being plumbed form inside the /lib/svc/method/net-loopback method of SMF - svc:/network/loopback:default
I replace the original call with an IF condition of IPv6 entry existence inside the /etc/inet/hosts


# IPv6 loopback
if ( egrep "^::1" /etc/inet/hosts ); then
   /sbin/ifconfig lo0 inet6 plumb ::1 up
fi

To polish the final result we should disable the sendmail ipv6 interface binding.
I commented out the relevant line of /etc/mail/sendmail.cf file:


0 DaemonPortOptions=Name=MTA-v4, Family=inet
#0 DaemonPortOptions=Name=MTA-v6, Family=inet6

Enjoy.

Solaris IP shortcuts

2009-05-31T22:28:00.006+02:00

Today, I had to modify my routing table under Solaris 10u7 (5/09), and I made a typo.
Instead of writing 10.0.2.1, I typed 10.0.21... and it has worked.


sol10u7 [~]# route add default 10.0.21
add net default: gateway 10.0.21
sol10u7 [~]# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.0.0.21            UG        1          0
10.0.0.0             10.0.2.16            U         1          0 e1000g0
224.0.0.0            10.0.2.16            U         1          0 e1000g0
127.0.0.1            127.0.0.1            UH        1         54 lo0

I've also tried to use 10.1 and 10.1.1, and another success has been met.


sol10u7 [/etc/krb5]# route add default 10.1
add net default: gateway 10.1
sol10u7 [/etc/krb5]# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.0.2.2             UG        1          0
default              10.0.0.1             UG        1          0
10.0.0.0             10.0.2.16            U         1         24 e1000g0
224.0.0.0            10.0.2.16            U         1          0 e1000g0
127.0.0.1            127.0.0.1            UH        1         58 lo0
sol10u7 [/etc/krb5]# route add default 10.1.1
add net default: gateway 10.1.1
sol10u7 [/etc/krb5]# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.0.2.2             UG        1          0
default              10.0.0.1             UG        1          0
default              10.1.0.1             UG        1          0
10.0.0.0             10.0.2.16            U         1         24 e1000g0
224.0.0.0            10.0.2.16            U         1          0 e1000g0
127.0.0.1            127.0.0.1            UH        1         58 lo0

The deletion works in the same manner.


sol10u7 [~]# route delete default 10.0.21
delete net default: gateway 10.0.21

Nice. Is it a bug, or is it a feature ;-) ?
I know there's a similar IPv6 behaviour - reducing the number of Zeros in address notation, but I didn't know it's also related to IPv4.

Create base64 jpegPhoto attribute

2009-05-29T20:38:00.005+02:00

So, you wanna a picture in your user profile within the Directory Server entry?
Go for it.

Generate base-64 encoded value of the selected picture:


book [/tmp]# ldif -b jpegPhoto < marcin.jpg 
jpegPhoto:: /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAMgAA/+4ADkFkb2JlA
 GTAAAAAAf/bAIQACAYGBgYGCAYGCAwIBwgMDgoICAoOEA0NDg0NEBEMDg0NDgwRDxITFBMSDxgYG
 hoYGCMiIiIjJycnJycnJycnJwEJCAgJCgkLCQkLDgsNCw4RDg4ODhETDQ0ODQ0TGBEPDw8PERgWF
 xQUFBcWGhoYGBoaISEgISEnJycnJycnJycn/8AAEQgBVAH0AwEiAAIRAQMRAf/EAK4AAAIDAQEBA
 QAAAAAAAAAAAAMEAAIFAQYHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQFEAACAQMCBAMFBQUFBwMDB
[...]

Enter output to the ldif file or create the modification by hand:


book [~]$ ldapmodify -D cn=dirmgr
Enter bind password: 
dn: uid=marcin,ou=People,o=wisnios.com,o=isp
changetype: modify
add: jpegPhoto
jpegPhoto:: /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAMgAA/+4ADkFkb2JlA
 GTAAAAAAf/bAIQACAYGBgYGCAYGCAwIBwgMDgoICAoOEA0NDg0NEBEMDg0NDgwRDxITFBMSDxgYG
 hoYGCMiIiIjJycnJycnJycnJwEJCAgJCgkLCQkLDgsNCw4RDg4ODhETDQ0ODQ0TGBEPDw8PERgWF
 xQUFBcWGhoYGBoaISEgISEnJycnJycnJycn/8AAEQgBVAH0AwEiAAIRAQMRAf/EAK4AAAIDAQEBA
 QAAAAAAAAAAAAMEAAIFAQYHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQFEAACAQMCBAMFBQUFBwMDB
[...]
^D

zpool replace problem

2009-05-14T22:38:00.007+02:00

Scenario.
Disk from pool1 failed. It was replaced with a new one, with appropriate cfgadm -c unconfigure and cfgadm -c configure commands. Process of resilvering has been completed, but there's still the unavailable device within a pool status. Any try to take a device offline causes the scrub process to start again.


thumper [~]# zpool status -v pool1
  pool: pool1
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-D3
 scrub: resilver in progress, 2,32% done, 28h7m to go
config:

        NAME            STATE     READ WRITE CKSUM
        pool1           DEGRADED     0     0     0
          raidz2        DEGRADED     0     0     0
            c7t0d0p0    ONLINE       0     0     0
            c6t0d0p0    ONLINE       0     0     0
            c7t4d0p0    ONLINE       0     0     0
            c6t4d0p0    ONLINE       0     0     0
            c1t0d0p0    ONLINE       0     0     0
            c0t0d0p0    ONLINE       0     0     0
            c1t4d0p0    ONLINE       0     0     0
            c0t4d0p0    ONLINE       0     0     0
            c5t1d0p0    ONLINE       0     0     0
            c4t1d0p0    ONLINE       0     0     0
            c5t5d0p0    ONLINE       0     0     0
            c4t5d0p0    ONLINE       0     0     0
            c7t1d0p0    ONLINE       0     0     0
            c6t1d0p0    ONLINE       0     0     0
            spare       DEGRADED     0     0     0
              c7t5d0p0  UNAVAIL      0     0     0  cannot open
              c1t3d0p0  ONLINE       0     0     0
            c6t5d0p0    ONLINE       0     0     0
            c1t1d0p0    ONLINE       0     0     0
            c0t1d0p0    ONLINE       0     0     0
            c1t5d0p0    ONLINE       0     0     0
            c0t5d0p0    ONLINE       0     0     0
        spares
          c1t3d0p0      INUSE     currently in use
          c0t3d0p0      AVAIL   

errors: No known data errors

Solution
Do exactly the same what has been done with a disk from the system point of view.
Replace it in place.


thumper [~]# zpool replace pool1 c7t5d0p0 c7t5d0p0

After resilver period of time:


thumper [~]# zpool status -v pool1
  pool: pool1
 state: ONLINE
 scrub: resilver completed with 0 errors on Thu May 14 17:08:20 2009
config:

        NAME          STATE     READ WRITE CKSUM
        pool1         ONLINE       0     0     0
          raidz2      ONLINE       0     0     0
            c7t0d0p0  ONLINE       0     0     0
            c6t0d0p0  ONLINE       0     0     0
            c7t4d0p0  ONLINE       0     0     0
            c6t4d0p0  ONLINE       0     0     0
            c1t0d0p0  ONLINE       0     0     0
            c0t0d0p0  ONLINE       0     0     0
            c1t4d0p0  ONLINE       0     0     0
            c0t4d0p0  ONLINE       0     0     0
            c5t1d0p0  ONLINE       0     0     0
            c4t1d0p0  ONLINE       0     0     0
            c5t5d0p0  ONLINE       0     0     0
            c4t5d0p0  ONLINE       0     0     0
            c7t1d0p0  ONLINE       0     0     0
            c6t1d0p0  ONLINE       0     0     0
            c7t5d0p0  ONLINE       0     0     0
            c6t5d0p0  ONLINE       0     0     0
            c1t1d0p0  ONLINE       0     0     0
            c0t1d0p0  ONLINE       0     0     0
            c1t5d0p0  ONLINE       0     0     0
            c0t5d0p0  ONLINE       0     0     0
        spares
          c1t3d0p0    AVAIL   
          c0t3d0p0    AVAIL   

errors: No known data errors

Voila!

AIX software (de)installation

2009-05-14T20:18:00.006+02:00

During my AIX lab works I've accidentally installed all the packages from the /export/aix/lpp_source/xlCv8eval location
(IBM XL C/C++ V8.0 Evaluation).


aix61 [/export/aix]# installp -a -d lpp_source/xlCv8eval all
[...]

+-----------------------------------------------------------------------------+
                   BUILDDATE Verification ...
+-----------------------------------------------------------------------------+
Verifying build dates...done
FILESET STATISTICS 
------------------
  221  Selected to be installed, of which:
       66  Passed pre-installation verification
      146  FAILED pre-installation verification
        9  Already installed (directly or via superseding filesets)
  ----
   66  Total to be installed

+-----------------------------------------------------------------------------+
                         Installing Software...
+-----------------------------------------------------------------------------+

[...]

Finished processing all filesets.  (Total time:  2 mins 17 secs).

[...]

Two minutes and seventeen seconds of sorrow.

Because it was my first installation attempt I wanted to rollback the applied changes.
But, how to uninstall all the filesets together?
I've prepared the handy oneliner. Feel free to provide a better solution.


aix61 [/export/aix/lpp_source/xlCv8eval/installp]# for f in `ls -1 ppc | cut -d . -f 1 | sort | uniq`; \
do installp -u -e /home/wisnios/xlCv8eval.uninstall.log -g $f; \
done

where ls -1 ppc | cut -d . -f 1 | sort | uniq gives:


ibmdebugger
memdbg
vac
vacpp
xlC
xlhelp
xlmass
xlsmp

Mission accomplished.

Solaris IPSec with preshared keys

2009-05-07T19:41:00.019+02:00

To implement transport mode ipsec configuration we have to complete the following steps:

assign ipsec policy (ipsecinit.conf)
configure Internet Key Exchange (IKE) daemon (in.iked) (config)
setup preshared key secret (ike.preshared)

The configuration should be made on both of the communicating nodes.
In below example i've used nodes named sol10u6 (10.0.2.15) and sol10u7 (10.0.2.16).
To generate the password ascii representation i've used a piece of code:

/*
IKE password converter
- Marcin Wisnios [marcin AT wisnios.com]
*/
#include <stdio.h>
#include <string.h>

#define PSIZE 512

int main(int argc, char* argv[])
{
int n;
size_t size;
char pass[PSIZE];

if (argc == 1)
{
fprintf(stderr, "Usage: %s password\n", argv[0]);
}
else
{
size=strlen(argv[1]);
if (size >= PSIZE)
{
fprintf(stderr, "Warning: possibility of buffer overflow on oversized password (>=%d). Exiting.\n", PSIZE);
return -1;
}

strncpy(pass, argv[1], size);

for(n=0; n<size; n++)
{
printf("%d", pass[n]);
}

printf("\n");
}

return 0;
}

I've used sample secret: example-preshared-key-secret-do-not-use-it.


sol10u6 [~]$ ./ikepconv example-preshared-key-secret-do-not-use-it
10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116

Let's start with ipsec policy settings.
Setup is as follows:


sol10u6 [~]# cat /etc/inet/ipsecinit.conf
[...]
{ laddr 10.0.2.15 raddr 10.0.2.16 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

sol10u7 [~]# cat /etc/inet/ipsecinit.conf
[...]
{ laddr 10.0.2.16 raddr 10.0.2.15 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

encr_algs aes - Use AES as Encapsulating Security Payload (ESP, IP Protocol: 50) encryption algorithm
encr_auth_algs md5 - Use MD5 as ESP authentication algorithm
sa shared - shared Security Association (SA) means the communication between the two nodes in one direction uses the same channel;
in opposite to "unique" which uses separate SA for each pair of source and destination ports

Apply IPSec policy to the system:


sol10u6 [~]# ipsecconf -a /etc/inet/ipsecinit.conf
sol10u6 [~]# ipsecconf
#INDEX 2
{ laddr 10.0.2.15 raddr 10.0.2.16 } ipsec { encr_algs aes encr_auth_algs md5 sa shared }

From now the communication is broken; IPSec has been instructed to encrypt and authenticate the traffic.
We need to provide the valid SA related to security policy.
To automate the process of key management I've used IKE daemon (in.iked).
It should be configured similary to below output:


sol10u6 [~]# cat /etc/inet/ike/config
[...]
### BEGINNING OF FILE

{
   label "preshared"
   local_id_type ip
   local_addr 10.0.2.15
   remote_addr 10.0.2.16
   
   p1_xform
   { auth_method preshared  oakley_group 5  encr_alg aes  auth_alg md5 }
}

sol10u7 [~]# cat /etc/inet/ike/config
[...]
### BEGINNING OF FILE

{
   label "preshared"
   local_id_type ip
   local_addr 10.0.2.16
   remote_addr 10.0.2.15
   
   p1_xform
   { auth_method preshared  oakley_group 5  encr_alg aes  auth_alg md5 }
}

oakley_group - The Oakley Diffie-Hellman group used for IKE SA key derivation. Acceptable values are currently 1 (768-bit), 2 (1024-bit), or 5 (1536-bit).

The last step is to configure the preshared secrets file.


sol10u6 [~]# cat /etc/inet/secret/ike.preshared
[...]
{
 localidtype IP
 localid 10.0.2.15
 remoteidtype IP
 remoteid 10.0.2.16
 key 10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116
}

sol10u7 [~]# cat /etc/inet/secret/ike.preshared
[...]
{
 localidtype IP
 localid 10.0.2.16
 remoteidtype IP
 remoteid 10.0.2.15
 key 10112097109112108101451121141011151049711410110045107101121451151019911410111645100111451101111164511711510145105116
}

key - continuous ASCII characters decimal representation of the passphrase "example-preshared-key-secret-do-not-use-it" (converted with ikepconv from the beginning of my post).
That's it: e(101)x(120)a(97)m(109)p(112)l(108)e(101)-(45)...

Start IKE daemon:


sol10u6 [~]# /usr/lib/inet/in.iked -d  [debug mode]
sol10u6 [~]# /usr/lib/inet/in.iked

It's time for a simple test.


sol10u7 [~]# ping 10.0.2.15
10.0.2.15 is alive

sol10u6 [~]# snoop -c 1 src host 10.0.2.16
Using device /dev/e1000g0 (promiscuous mode)
     sol10u7 -> sol10u6      ESP SPI=0xc072b272 Replay=6
1 packets captured


sol10u7 [~]# ping 10.0.2.15
10.0.2.15 is alive

sol10u6 [~]# snoop -c 1 -v src host 10.0.2.16
Using device /dev/e1000g0 (promiscuous mode)
ETHER:  ----- Ether Header -----
ETHER:
ETHER:  Packet 1 arrived at 17:46:25.51503
ETHER:  Packet size = 150 bytes
ETHER:  Destination = 8:0:27:ba:19:34, PCS Computer Systems GmbH
ETHER:  Source      = 8:0:27:30:9c:39, PCS Computer Systems GmbH
ETHER:  Ethertype = 0800 (IP)
ETHER:
IP:   ----- IP Header -----
IP:
IP:   Version = 4
IP:   Header length = 20 bytes
IP:   Type of service = 0x00
IP:         xxx. .... = 0 (precedence)
IP:         ...0 .... = normal delay
IP:         .... 0... = normal throughput
IP:         .... .0.. = normal reliability
IP:         .... ..0. = not ECN capable transport
IP:         .... ...0 = no ECN congestion experienced
IP:   Total length = 136 bytes
IP:   Identification = 9596
IP:   Flags = 0x0
IP:         .0.. .... = may fragment
IP:         ..0. .... = last fragment
IP:   Fragment offset = 0 bytes
IP:   Time to live = 255 seconds/hops
IP:   Protocol = 50 (ESP)
IP:   Header checksum = 7da9
IP:   Source address = 10.0.2.16, sol10u7
IP:   Destination address = 10.0.2.15, sol10u6
IP:   No options
IP:
ESP:  ----- Encapsulating Security Payload -----
ESP:
ESP:  SPI = 0xc072b272
ESP:  Replay = 10
ESP:     ....ENCRYPTED DATA....

1 packets captured

INFO:
The IPSec definitions has been added to SMF in Solaris 10 update 7:
svc:/network/ipsec/manual-key:default
svc:/network/ipsec/ike:default
svc:/network/ipsec/ipsecalgs:default
svc:/network/ipsec/policy:default

Remember to enable ipsec/ike daemon service.

Enjoy.

Directory Server SSL Certificate

2009-04-26T22:05:00.004+02:00

Recently, I've added the article about SSL configuration of Sun Java Commmunications Suite components (link).
Today I want to expand its content with Directory Server SSL preparation.

DS comes with self-signed certificate (it's valid for a period of three months). It name's defaultCert, and by defalt allow for secure connections through the port 636.
It's stored in alias directory under the instance path:


book [/]# ls /instances/ds1/alias
certmap.conf    secmod.db       slapd-cert8.db  slapd-key3.db


book [/instances/ds1/alias]# dsconf get-server-prop -D cn=dirmgr ssl-rsa-cert-name
Enter "cn=dirmgr" password:  
ssl-rsa-cert-name  :  defaultCert

book [/]# /opt/SUNWdsee/ds6/bin/dsadm list-certs /instances/ds1/
Alias        Valid from        Expires on        Self-signed?  Issued by                                              Issued to  
-----------  ----------------  ----------------  ------------  -----------------------------------------------------  --------------  
defaultCert  2009/03/18 12:28  2009/06/18 12:28  y             CN=book,CN=636,CN=Directory Server,O=Sun Microsystems  Same as issuer  
1 certificate(s) found

book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert                                                  CTu,u,u

But, I want to use the same one as with other COMMS components - Server-Cert - issued by CA.


book [/instances/ds1/alias]# dsadm import-cert /instances/ds1/ /root/SSL/VeriSign.cert.pkcs12 
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.
book [/instances/ds1/alias]# dsadm stop /instances/ds1
Directory Server instance '/instances/ds1' stopped
book [/instances/ds1/alias]# dsadm start /instances/ds1
Directory Server instance '/instances/ds1' started: pid=25150
book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert                                                  CTu,u,u
Server-Cert                                                  u,u,u

Now i have to change default rsa certificate name, within the DS configuration:


book [~]# dsconf set-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name:Server-Cert
Enter "cn=dirmgr" password:  
Before setting SSL configuration, export Directory Server data. 
Do you want to continue [y/n] ?  y
Directory Server must be restarted for changes to take effect.

Restart DS one more time.

That's all folks.


book [~]# dsconf get-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name
Certificate "CN=[...]" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=dirmgr" password:  
ssl-rsa-cert-name  :  Server-Cert

Forward mappings

2009-04-08T20:09:00.008+02:00

The presented configuration allows to gather messages of specified address pattern inside the given mail account.
The below example is based on the destination address, but can be easily changed into source based.

Sun Java Messaging Server allow to use the FORWARD mapping table and FORWARD lookup table.
I will focus on FORWARD Mapping Table. This usage is disabled by default. So, before I can go further I have to enable the USE_FORWARD_DATABASE withing the option.dat file.

USE_FORWARD_DATABASE can take one of three values. The meaning is as follows:

1 - use forward database
8 - use forward database entries with a specified channel
16 - use forward mapping table entries with a specified channel

To get the pieces together I've used 16, so:


[option.dat]
[...]
USE_FORWARD_DATABASE=16

To let the Messaging Server keep all the messages begining with a prefix- on the wisnios@wisnios.com account, add the following to your mappings file:


FORWARD
 
!
! Format for channel specific forward mapping entries
! src-channel|source-address|original-address changed-address
!
  *|*|prefix-*@wisnios.com  $D$H$Ywisnios@wisnios.com

The first * (asterisk) could be tcp_local. I thought so, but it's not true.
Simple test with imsimta test -rewrite -debug prefix-test@wisnios.com shows that message uses the l channel:


[...]
12:41:14.65:     Applying forward mapping to: l|postmaster@book.entic.net|prefix-test@wisnios.com
12:41:14.65:       Matched, result is: wisnios@wisnios.com
[...]

The second field could be used as an additional pattern filter, based on the sender address / domain part.
In my example it's also the asterisk sign.

The third field does the trick.

$D - run rewrite process one more time (without this option mapping will fail)
$H - do not check any other forward lookup table or FORWARD mapping entries (optional with this one entry)
$Y - use specified address as a new one (no comment - required)

So, let's try:


book [/]# imsimta test -mapping -debug
Enter table name: FORWARD
Input string: tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39: Mapping 6 applied to tcp_local|wisnios@gmail.com|prefix-test@wisnios.com
13:00:03.39:   Entry #1 matched, pattern "*|*|prefix-*@wisnios.com", template "$D$H$Ywisnios@wisnios.com", match #0.
13:00:03.39:   New target "wisnios@wisnios.com"
13:00:03.39:   Exiting...
13:00:03.39:   Final result "wisnios@wisnios.com"
Output string: wisnios@wisnios.com
Output flags: [0, 'D' (68), 'H' (72), 'Y' (89)]
Input string:

The last bastion was the imsimta command itself.
After the configuration changes I've run imsimta cnbuild && imsimta reload.
That was a mistake.
It allows imsimta test -rewrite complete successfully, but rejects the incoming messages to prefix-something with:
550 5.1.1 unknown or illegal alias: prefix-something@wisnios.com

To make everything work smoothly run imsimta restart after job complete.

To test this configuration I've used:


Sun Java(tm) System Messaging Server 6.3-2.01 (built Jun 13 2007; 64bit)
libimta.so 6.3-2.01 (built 00:30:08, Jun 13 2007; 64bit)

Summary of the mail traffic size

2009-04-07T20:25:00.005+02:00

Today I've written a handy oneliner to get a summary of mail traffic size for a current/yesterday period of log time.
Sun Java Messaging Server denotes the size (sz) of every message in kilobytes, accordingly to the (MTA) BLOCK_SIZE variable (default value: 1024 bytes).

For example, to get the yesterday sum of messages being sent to domain.com (single-tiered architecture):


sed '/tcp_local.*ims-ms.*domain.com/p;d' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'

The returned value will be presented in Mb.

To get a similar check for frontend-backend (two-tiered) scenario, with LMTP, and for a current log file:


sed '/tcp_local.*tcp_lmtpcs.*domain.com/p;d' mail.log_current | awk '{ SIZE+=$6 } END { print SIZE/1024 }'

To engage a command for the outbound messages I've used a tcp_auth channel name as a significant mark.


# sed '/tcp_auth.*wisnios.com/p;d;' mail.log_yesterday | awk '{ SIZE+=$6 } END { print SIZE/1024 }'
102.645

MTA log rotation for Messaging Server

2009-04-02T15:12:00.006+02:00

Sun Java System Messaging Server do not rotate the log file of MTA process - mail.log. There is only a two steps of pseudo rotation between the files: mail.log_current, mail.log_yesterday and a mail.log "bucket".

Present activity is being logged into mail.log_current. It's content will be moved into mail.log_yesterday after a day period.
After the next day, it will end its rotation life inside the mail.log file, increasing its content.

To control the mail.log growth process I use the Solaris logadm tool.


book [/]# crontab -l
[...]
# Messaging Server MTA log rotation
0 0 * * 1 /usr/sbin/logadm -c -C 52 -t '$dirname/$basename.$n' /var/opt/sun/comms/messaging64/log/mail.log
book [/]#

Every monday, at 0:00 AM, the logadm rotates the given logfile. It copies the original file (-c) to a next available one, with increased version number ($basename.$n), and truncates the mail.log content to zero (-c). It keeps 52 copies of rotated files (-C 52) and cleans the rest.

Mac OS X ipfw traffic shaping

2009-03-28T22:47:00.011+01:00

It's related to my common problem with images upload. When I start to upload a new set of pictures the rest of traffic on my isp network connection is being reduced almost to zero.

To decrease the available bandwidth to a flickr website, I've used below commands:


% sudo ipfw pipe 1 config bw 256kbit/s

% sudo ipfw pipe show
00001: 256.000 Kbit/s    0 ms   50 sl. 0 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000

% sudo ipfw add pipe 1 dst-ip 87.248.121.213 dst-port 80
33400 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw show                            
33300       0          0 deny icmp from any to me in icmptypes 8
33400    1492    2084081 pipe 1 ip from any to any dst-ip 87.248.121.213 dst-port 80

% sudo ipfw pipe show
00001: 256.000 Kbit/s    0 ms   50 sl. 1 queues (1 buckets) droptail
    mask: 0x00 0x00000000/0x0000 -> 0x00000000/0x0000
BKT Prot ___Source IP/port____ ____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp
  0 tcp    192.168.1.101/57602  87.248.121.213/80     437   611800 46 64400   0

When the job is completed:


% sudo ipfw delete 33400 

OR /if there's no other pipes/

% sudo ipfw pipe flush
Are you sure? [yn] y

Flushed all pipes.

Monitoring sessions in application server

2009-03-26T21:39:00.005+01:00

The method described below is reated to GlassFish Application Server in Solaris 10 environment.
I've used the example of Convergence application (from Sun Java Communications Suite), but it could be any other app deployed on appsvr.

Before we start let's check the monitoring levels of services:


# /opt/SUNWappserver/bin/asadmin get server.monitoring-service.module-monitoring-levels.*
server.monitoring-service.module-monitoring-levels.connector-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.connector-service = OFF
server.monitoring-service.module-monitoring-levels.ejb-container = OFF
server.monitoring-service.module-monitoring-levels.http-service = OFF
server.monitoring-service.module-monitoring-levels.jdbc-connection-pool = OFF
server.monitoring-service.module-monitoring-levels.jms-service = OFF
server.monitoring-service.module-monitoring-levels.jvm = OFF
server.monitoring-service.module-monitoring-levels.orb = OFF
server.monitoring-service.module-monitoring-levels.thread-pool = OFF
server.monitoring-service.module-monitoring-levels.transaction-service = OFF
server.monitoring-service.module-monitoring-levels.web-container = OFF

The most interesting, in this case, is the last one.
To begin monitor the given service we have to switch its lavel to HIGH (or LOW; it makes no difference from GlassFish v3).


# /opt/SUNWappserver/bin/asadmin set server.monitoring-service.module-monitoring-levels.web-container=HIGH
Please enter the admin user name>admin
Please enter the admin password>
server.monitoring-service.module-monitoring-levels.web-container = HIGH

Let's look at all the session counters related lines.

All appliacations:


# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.*.server.*session*count

Convergence only:


# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.*session*count

Sample command to get the current value of Convergence active sessions:


# /opt/SUNWappserver/bin/asadmin get --user admin --passwordfile /your/favourite/path/to/password/file \
--monitor=true server.applications.Convergence.server.activesessionscurrent-count
server.applications.Convergence.server.activesessionscurrent-count = 99

Sun Java System Directory Server Platform Support

2009-03-14T20:15:00.007+01:00

SJSDSPS... nice title ;-)

Since yesterday I've been looking forward for the Directory Server installator for AIX (6.1) system. I know, there is still the OpenDS, but I want the same solution I know from Solaris. The last possible download of DS for AIX (5.2), available on the official Sun Microsystems web site, is Directory Server 5.2 P4 Full Distribution and Directory Server 5.2 P6 Patch. There's no opportunity to get the Directory Server Enterprise Edition (DSEE).

I thought I missed something. Maybe Sun guys do not like IBM guys.
Than, I've found this - http://docs.sun.com/app/docs/doc/820-2759/eof-platform-support :

In future releases of Directory Server Enterprise Edition, support for Windows 2000, Red Hat Advanced Server 3.0, and J2SE platform 1.4 may be removed. Support for the native install package releases for platforms other than the Solaris operating system might be removed. Support for 32–bit versions of the software might be discontinued for some platforms. To be prepared, plan the transition to 64–bit versions of the software and to newer versions of the supported operating systems.

"Might be" or "has been" makes a difference.

And one more quotation - http://docs.sun.com/source/819-1815/index.html :

Directory Server 5.2 Patch 6 is available on the following platforms:
[...]
· IBM AIX 5.2 (Power PC) (32 bit)

The original release of Directory Server 5.2 has not been validated on IBM AIX 5.2. However, this update is validated on IBM AIX 5.2. The original release of Directory Server 5.2 has been validated on IBM AIX 5.1, but IBM AIX 5.1 is no longer supported by IBM.

So, the guilty of lack of AIX support for Directory Server is IBM itself. Am I wrong or right?
But, it's related to AIX 5.2. What about AIX 5.3, AIX 6.1? I don't know the answer. Anybody?

Linux stuff in the AIX neighbourhood

2009-03-13T19:56:00.007+01:00

When I logged in into the AIX system for a very first time I had experienced the beauty of IBM system, and helplessness. I had known only the four AIX specific commands, and a bunch of experiences from Sun Solaris system.

The first stonghold was the ksh system shell. No history. No command completion. "No" in a way I used to use it. It took me a while to find out the fc cmd.
So, the fist thought was to bring in the zsh.

But... in order to make it possible, I have to know - HOW and FROM.
The Solaris has got it's sunfreeware.com and blastwave.org. AIX - rpm database of ppc packages.

Here it is: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/alpha.html
How to get the rpm itself: http://www-03.ibm.com/systems/power/software/aix/linux/toolbox/altlic.html

The rest is as simple as:


# rpm -i zsh*rpm

... after installing the dependencies ;-) (rpm packages: coreutils, grep)

SSL: be prepared

2009-03-10T21:26:00.019+01:00

Before you could start with SSL changes on application level of configuration, you have to prepare certificate and its database.
First the certificate should be converted from PEM to PKCS#12 format.


# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert

cert.pem - certificate taken from Certificate Authority (CA), either local or public (Thawte, Verisign, other)
key.rsa - private key used to sign the Certificate Signing Request (CSR)
cert.pkcs12 - pkcs#12 output file
Server-Cert - you could use any other, but in the most cases it's a default certificate name (alias) used within SSL configuration, ex.

 
# configutil -o encryption.rsa.nssslpersonalityssl
Server-Cert

Messaging Server

Initialize certificate database:


# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:

It lead to creation of database files: cert8.db, key3.db, secmod.db and sslpassword.conf - plain text file, used to store software token (password provided during the generation process).
Initialization has created the self-signed certificate, with Server-Cert alias name.
Before we start the import, we have to remove it unless different cert name will be used.


# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias  Valid from  Expires on  Self-signed?  Issued by  Issued to  
-----  ----------  ----------  ------------  ---------  ---------  
0 certificates found

Now, let's eat some certificates.


# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:

Voile!

If there's a need of rollback to self-signed certificate or renew the expired one, use the similar commads:


# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert

# msgcert renew-selfsign-cert Server-Cert

Errors:

· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate

The certificate file has not been converted from PEM to PKCS#12
(use openssl pkcs12 -export)

· A certificate with the same alias already exists in the database.
Failed to import the certificate

The previously created (self-signed) certificate has not been removed
(use msgcert remove-cert)

Web Server

We could use the same converted file to feed the web server database.


[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 
Enter password for PKCS12 file: 
pk12util: PKCS12 IMPORT SUCCESSFUL

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# certutil -L -d .
Server-Cert                                                  u,u,u

The triple 'u' means that certificate could be used for authentication (SSL, email) and object signing.

The self-signed cert could be generated with wadm administration command:


wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully

Application Server (Glassfish)

The same trick with appsvr.


[/opt/SUNWappserver/domains/domain1/config]
# pk12util -i /root/SSL/cert.pkcs12 -d .

[/opt/SUNWappserver/domains/domain1/config]
# certutil -L -n Server-Cert -d .

To change the default instance ssl configuration, follow those steps:


[https://appserver:4848]

Configurations:
    default-config:
        HTTP Service:
            http-listener-2: (switch to right panel)

[right panel]
SSL:
    Certificate NickName: Server-Cert (replace the default s1as entry)

Good luck.

port to pid / pid to port mapper

2009-02-25T23:12:00.005+01:00

Finally, I've developed the mutual pid/port mapper.

Here it is. Feel free to use.


#!/bin/bash
#
# The mutual pid/port mapper
# - Marcin Wisnios [marcin AT wisnios.com]
#
case "$1" in
'')
        echo "Usage: $0 PORT | -p PID | -n NAME | -a (ALL)"
        exit 1
        ;;
'-p')
        # pid search
        P_ID=$2
        ;;
'-n')
        # name search
        P_ID=`pgrep $2`
        ;;
'-a')
        # list all
        P_ID=`ps -e -o pid,comm | sed '/PID/d; /ps/d; /sed/d; /bash/d; s/\([0-9]\{1,5\}\).*/\1/p;d'`
        ;;
*)
        # port search
        P_ID=`ps -e -o pid,comm | sed '/PID/d; /ps/d; /sed/d; /bash/d; s/\([0-9]\{1,5\}\).*/\1/p;d'`
        PORT=$1
        ;;
esac

for P in $P_ID; do

        N=`ps -o comm -p $P | sed '/COMMAND/d'`
        N=`basename $N`

        pfiles $P | sed 's/.*sockname:\ AF_INET[6]\{0,1\} \(.*\)\ \ port:\ \(.*\)/\1:\2/p;d' | while read L; do
                if [ -z $PORT ]; then
                        echo "$L $P/$N"
                else
                        echo "$L $P/$N" | sed "/:$PORT/p;d"
                fi
        done

done

Examples of use:


book [/home/wisnios]# ./ppm.sh 22
:::22 6963/sshd
::ffff:208.64.63.178:22 13491/sshd
::ffff:208.64.63.178:22 13507/sshd

book [/home/wisnios]# ./ppm.sh -n ns-slapd
:::389 7128/ns-slapd
:::636 7128/ns-slapd

book [/home/wisnios]# ./ppm.sh -p 20623
0.0.0.0:80 20623/cherokee-worker

Core system support - the journey begins

2008-11-27T19:12:00.012+01:00

OK, I've installed 'core system support' software group. Solaris has started.
What now? There's for ex. no ssh service, no bash or zsh shell.
So I've decided to mount dvd image and install additional packages.

But... which dsk device is the right one?
No mounted device, no vfstab entry, no cdrom life marks on planet Solaris.

I've found it finally with:


for d in `ls /dev/dsk/*s2`;  do prtvtoc $d; sleep 2; done

The right one is that with only one slice, with sector count of 4509440 (dvd image size):


*                          First     Sector    Last
* Partition  Tag  Flags    Sector     Count    Sector  Mount Directory
       0      5    01          0   4509440   4509439
       2      5    01          0   4509440   4509439

Mount:


mount -F hsfs -o ro /dev/dsk/c1t0d0s2 /cdrom

and install desired software:


pkgadd -R /a -d /cdrom/Solaris_10/Product
[...]

Select package(s) you wish to process  (or 'all' to process all packages).
(default: all) [?,??,q]: SUNWsshcu,SUNWsshr,SUNWsshu,SUNWsshdr,SUNWsshdu,SUNWbash,SUNWzsh

I've used the -R switch because I've done the work inside the shell session invoked from the Installation menu.
The root system has been mounted at /a directory.

libcrypt_d.so.1: open failed: No such file or directory

2008-11-17T19:16:00.005+01:00

During the rubygems installation process I've encountered the following problem:


thumper [/export/install/sources/rubygems-1.3.1]# ruby setup.rb 
ld.so.1: ruby: fatal: libcrypt_d.so.1: open failed: No such file or directory
Killed

Because of a cryptographic technology export restrictions there's no build-in support for some of the algorithms.

To accomplish the task you should download and install 'Solaris 10 Encryption Kit for Sparc / x86'.
Enjoy the screener:



thumper [/export/install]# unzip sol-10-encrypt-GA-iso.zip
thumper [/export/install]# lofiadm -a /export/install/sol-10-encrypt-GA.iso 
/dev/lofi/1
thumper [/export/install]# mount -F hsfs -o ro /dev/lofi/1 /mnt
thumper [/export/install]# mount -p | tail -1
/dev/lofi/1 - /mnt hsfs - no ro,noglobal,maplcase,rr,traildot
thumper [/export/install]# pkgadd -d /mnt/Encryption_10/i386/Packages

The following packages are available:
  1  SUNWcrman     Encryption Kit On-Line Manual Pages
                   (i386) 10.0,REV=52.0
  2  SUNWcry       Crypt Utilities
                   (i386) 11.10.0,REV=2005.01.21.16.34
  3  SUNWcryr      Solaris Root Crypto
                   (i386) 11.10.0,REV=2005.01.21.16.34

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all
[...]

thumper [/export/install]# umount /mnt
thumper [/export/install]# lofiadm -d /dev/lofi/1
thumper [/export/install]# find /usr/lib -name libcrypt_d*
/usr/lib/amd64/libcrypt_d.so
/usr/lib/amd64/libcrypt_d.so.1
/usr/lib/libcrypt_d.so
/usr/lib/libcrypt_d.so.1

To make your ruby/gem environment fully usable don't forget to install coreutils and make sunfreeware packages.
I've also linked the ginstall to install command:


thumper [/usr/local/bin]# ln -s install ginstall

It's a solution for the gem package builder error messages.

Random password generator

2008-11-12T13:23:00.002+01:00


openssl rand 8 -base64 | tr -d '='

On which partition?

2008-11-08T21:01:00.004+01:00

Last time I wrote the script for Messaging Server backups I faced the problem with proper partition selection. It's easy to achieve with a mboxutil utility... but I only need the names of the account and a corresponding partition.

Up to today I've used the solution with sed & awk. But I hate using many tools where the swiss army knife is available.
So...


# mboxutil -l -x| sed 's/.*user\/\(.*\)\/INBOX.*partition\/\(.*\)\/\=user\/.*/\1 \2/p;d'
admin primary
marcin.wisnios@somedomain.com secondary

disable solaris services

2008-09-25T22:56:00.008+02:00

Solaris installation comes with wide range of exposed net services. You could reduce it by using netservices limited command or by applying Generic Limited Networking profile of services.


# cd /var/svc/profile 
# mv generic.xml _generic.xml
# ln -s generic_limited_net.xml generic.xml 
# svccfg apply /var/svc/profile/generic_limited_net.xml

Unfortunately there are still some of them left, ex. webconsole, rpc/bind.
I like plain environment, with only ssh service exposed. It could be simply done with this litte piece of code:


#!/bin/bash

SERVICES='autofs cde fc-cache ktkt_warn management ogl-select print rpc sendmail stfsloader stosreg webconsole'

netservices limited 

for S in $SERVICES; do
        for SVC in `svcs |sed "/$S/!d;s/.*\ svc/svc/"`; do
                svcadm disable $SVC
        done
done

Sun Web Server autostart

2008-09-24T10:25:00.002+02:00

To disable - modify /etc/init.d/webserver7-4cfd5aeb.

-WS_START_ONBOOT=1
+WS_START_ONBOOT=0

primary label corrupt

2008-09-15T10:12:00.003+02:00

During the ZFS testing process I've used dd command to erase the disk fragment with /dev/urandom (testing the ability of raidz crash handling). After resilvering there was still information on my console and dmesg log:


Sep 15 07:42:00 thumper scsi: [ID 107833 kern.warning] WARNING: /pci@0,0/pci1022,7458@1/pci11ab,11ab@1/disk@0,0 (sd2):
Sep 15 07:42:00 thumper         primary label corrupt; using backup

I've resolved this with a format command.
It could be done in the following way.


thumper [/]# format
Searching for disks...done


AVAILABLE DISK SELECTIONS:
       0. c0t0d0 
          /pci@0,0/pci1022,7458@1/pci11ab,11ab@1/disk@0,0
[...]

Specify disk (enter its number): 0
selecting c0t0d0
[disk formatted]
Reading the primary EFI GPT label failed.  Using backup label.
Use the 'backup' command to restore the primary label.

format> backup
Restoring primary label.
format> label
Ready to label disk, continue? y

format> quit

init_htent: error parsing IP address for host

2008-07-04T15:05:00.005+02:00


# imsimta run tcp_intranet
init_htent: error parsing IP address for host #1

You have to check your /etc/inet/hosts entries.
At the first line (#1), ignoring the comment lines, there was IPv6 entry for localhost.


::1     localhost

After removal the problem has gone.

oneliner

2008-06-30T09:27:00.005+02:00

I use sed delete negation to remove lines that do not match the pattern.
In the following example I want to delete the improper ssh-key entries from an authorized_keys file.
Ex.


sed -e '/^environment.*USER.*/!d' .ssh/authorized_keys

I do not allow usage of ssh session without set USER environment variable.

Registering Solaris System from the command line

2008-06-27T14:38:00.002+02:00


bladerunner [/usr/lib/breg/data]# cp RegistrationProfile.properties /tmp/
bladerunner [/usr/lib/breg/data]# cd /tmp
bladerunner [/tmp]# vim RegistrationProfile.properties 
[...]
#
# Sun Online account information.  A new account can be created by visiting
# http://updates.sun.com
#
userName=wisnios
password=MySunOnlinePassword

#
# Name (label) of this machine as you would like it to appear on the Sun Connection
# portal.  If left blank hostname will be used
#
hostName=bladerunner

[...]
:wq

bladerunner [/tmp]# /usr/sbin/sconadm register -a -r /tmp/RegistrationProfile.properties 
sconadm is running
Authenticating user ...
finish registration!

How to determine the Sun Java System Directory Server version

2008-06-26T14:24:00.003+02:00

Ex.


# /opt/SUNWdsee/ds6/lib/ns-slapd -v
Sun Microsystems, Inc.
Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit
[...]

ver. 6.0

It could also be accomplished by:


# dsadm --version
[dsadm]
dsadm               : 6.0                  B2007.025.1834

[slapd 32-bit]
Sun Microsystems, Inc.
Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 32-bit
ns-slapd            : 6.0                  B2007.025.1834
Slapd Library       : 6.0                  B2007.025.1834
Front-End Library   : 6.0                  B2007.025.1834

[slapd 64-bit]
Sun Microsystems, Inc.
Sun-Java(tm)-System-Directory/6.0 B2007.025.1834 64-bit
ns-slapd            : 6.0                  B2007.025.1834
Slapd Library       : 6.0                  B2007.025.1834
Front-End Library   : 6.0                  B2007.025.1834

Call to undefined function pg_connect()

2008-05-22T21:52:00.005+02:00

When using coolstack and trying to connect to postgresql database from php script the following error appear:


Call to undefined function pg_connect() in somescript.php on line XX

The reason is default php configuration; php.ini doesn't know anything about postgresql extension, only mysql (finally, it's Solaris AMP - Apache MySQL PHP). To resolve the undesirable behaviour add:


extension="pgsql.so"

to php.ini configuration.

Cool Stack 1.2
Default file location:
/opt/coolstack/php5/lib/php.ini
/opt/coolstack/php5/lib/php/extensions/no-debug-non-zts-20060613/pgsql.so

ZFS dataset inside a non-global zone

2008-05-04T19:49:00.002+02:00

To achieve the usage of global ZFS dataset inside a non-global zone you have to set the zoned attribute to on. It could be done during the dataset creation (zfs create -o zoned=on DATASET) or after the creation process:


zfs set zoned=on DATASET

Without this option the zone startup process will fail, ex.


sunflower [/]# zoneadm -z samba boot
zoneadm: zone 'samba': These file-systems are mounted on subdirectories of /export/zones/samba/root:
zoneadm: zone 'samba':   /export/zones/samba/root/export/vol1
zoneadm: zone 'samba': call to zoneadmd failed

Disable Solaris GUI

2008-04-20T22:14:00.002+02:00

It could be done by using one of the two methods.
The first one does its job immediate.


# svcadm disable cde-login

(You could also use the full FMRI, svc:/application/graphical-login/cde-login:default)

The second one takes place during the next startup.


# /usr/dt/bin/dtconfig -d

(Use -e switch to enable auto-start)

OpenSolaris on MacBook Pro

2008-04-13T16:17:00.006+02:00

The purpose of this post is not to give the recipe for an overall installation.
I've written down a few notes about the network configuration.

I've used the Parallels virtualization and OpenSolaris b79b. Parallels emulates the Realtek 8029(AS) network card but there's no support inside the OS.
To complete this task perform the following steps:

1. Mount vmtools.iso as CD/DVD-ROM (/Library/Parallels/Tools/vmtools.iso)
2. Turn off the eeprom DMA property (atapi-cd-dma-enabled) - before the boot process edit the grub menu list (press 'e') and add the following to the kernel line:


grub edit> kernel$ /platform/i86pc/kernel/$ISADIR/unix -B atapi-cd-dma-enabled=0

Boot with a 'b' key.
3. Install the requested driver:


# cd /cdrom/prltools/Drivers/Network/RTL8029/SOLARIS
# ./network.sh
[...]
Will you receive IP address from DHCP server (Y/N)

If you've chosen the answer 'N', enter the requested values:


Enter IP address of the virtual machine:
Enter network address:
Enter network mask:
Enter default gateway IP address:

The script will modify the following files:
/etc/inet/hosts
/etc/hostname.ni0
/etc/netmasks
/etc/defaultrouter
or
/etc/dhcp.ni0
/etc/hostname.ni0
(if the 'Y' have been chosen)

Now, reboot the system.

During the boot process you could see the information:


WARNING: ni0: niattach: SA_eeprom is funny, assuming byte-mode

but everything should be just fine.

oneliner

2007-09-17T11:54:00.000+02:00

Task: Remove user1, user2 and user3 ssh keys from multiple machines for both home users and root account,
for ssh protocol 1 as well as protocol 2 files.

To accomplish this task I've used sed and DSH (Dancer's Shell / Distributed Shell) on Debian GNU/Linux.

I've defined the redpool host group:


# cat /etc/dsh/group/redpool
root@red1
root@red2
[...]
root@red99
root@red100

and I've done:


dsh -g redpool "sed -i '/^.*user1\|user2\|user3.*$/d' /{root,home/*}/.ssh/authorized_keys*"

But... you could sue me: "You're guilty of using multiple commands to perform your job."
So, let's ride:


for i in {1..100}; do ssh root@red$i "sed -i '/^.*user1\|user2\|user3.*$/d' /{root,home/*}/.ssh/authorized_keys*"; done

Above option is only usable with hostnames / addresses counted sequentially.
In case of various name schemes it's easier to use the dsh command.

Solaris hostname

2007-08-13T20:52:00.000+02:00

Setting the hostname - one of the most basic installation procedure. Unlike other operating systems a few places to visit. A few places to forget at least one of them.

Ex. setting the sunshine hostname on the machine with a bge0 interface and IP address 10.0.0.1


# echo -e "10.0.0.1\tsunshine" >> /etc/inet/hosts
# echo "sunshine" > /etc/hostname.bge0
# echo "sunshine" > /etc/nodename

There's one more file with the hostname and IP address information - /etc/inet/ipnodes. In Solaris 11 it's a symlink to /etc/inet/hosts file. So, you could leave it alone.

The change of the running system's name is as simple as:


# hostname sunshine

oneliner

2007-08-03T16:08:00.000+02:00

Remove asterisks only from the lines beginning with a specified TAG:


sed '/^TAG.*/!p; s/\*//g; n'

turn into mirror

2007-08-03T00:02:00.000+02:00

In below example i've used single volume zfs pool to convert it into mirror zpool.
To show the possibilities of zfs in more extensive way it's based on file volumes instead of drives.


# mkfile -nv 1g mud
mud 1073741824 bytes
# zpool create pond /export/mud

I've created the pond pool based on a mud file.
Now, using the attach method of zpool command, I'll turn it into mirror with water (second file volume).


# mkfile -nv 1g water
water 1073741824 bytes
# zpool attach pond /export/mud /export/water
# zpool status pond
  pool: pond
 state: ONLINE
 scrub: resilver completed with 0 errors on Wed Apr 11 09:43:22 2007
config:

        NAME               STATE     READ WRITE CKSUM
        pond               ONLINE       0     0     0
          mirror           ONLINE       0     0     0
            /export/mud    ONLINE       0     0     0
            /export/water  ONLINE       0     0     0

errors: No known data errors

quick snapshot tour

2007-08-02T23:58:00.000+02:00

To take a snapshot of zfs pool pool/aqua you have to run an example command:
# zfs snapshot pool/aqua@cold
where the cold is the name of a newly created shot.

You could find it in (pool/aqua/) .zfs/snapshot directory. By default it's hidden.
You can change this behaviour by setting snapdir variable on pool/aqua to visible:
# zfs set snapdir=visible pool/aqua

To take advantage of snapshots in another way, use it to quickly reproduce the filesystems with clone method.
The clone is functional fs instead of snapshot which cannot be modified (ro mode).
# zfs clone pool/aqua@cold pool/ice

It's a good habit to name the snapshop in a way enabling you to remember the creation time.
In a case of memory leak do the following:
# zfs get creation pool/aqua@cold

To destroy snapshot simply run:
# zfs destroy pool/aqua@cold

VMware command line handling

2007-08-02T09:56:00.000+02:00

No more 'VMware Server Console' to power on the virtual system. Sometimes I need only to turn it on from command line over the ssh session. Now, I know how.

Ex. starting Solaris Express 'Nevada' system.


$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx start

To get state simply run:


$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx getstate

When I've installed the first Solaris system under VMware I choosed wrong architecture of guest OS. The process of making correct entry is as simple as:


$ cd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/
$ sed -i'' -e 's/solaris10/solaris10-64' sol-nv-b69.vmx

Remember to change this value while the virtual is down. After changing it's state to up the 32-bit architecture will be replaced by 64-bit.

Sadly, it's generating the error message (VMware Server 1.0.3 build-44356) and user action is required. You can still pass over the graphical frontend using the answer subcommand.


$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx start   
VMControl error -16: Virtual machine requires user input to continue
$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx answer

Question (id = 49294347) :The vlance NIC is not supported for 64-bit guests in this release.
Please consult the documentation for the appropriate type of NIC to use with 64-bit guests.
Failed to configure ethernet0.

        0) OK
Select choice. Press enter for default <0> :
$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx getstate
getstate() = off
$ sed -i'' -e 's/solaris10-64/solaris10/' /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx
$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx start
start() = 1
$ vmware-cmd /var/lib/vmware-server/Virtual\ Machines/sol-nv-b69/sol-nv-b69.vmx getstate
getstate() = on

I couldn't leave it as it was resolved. A few minutes later the solution has been found - the Source

You are at the crossroad.
You can force the usage of older adapters by setting .vmx configuration options:


ethernet0.allow64bitVlance = "TRUE"
ethernet0.allow64bitVmxnet = "TRUE"

...or take a step into the future. I've choosed that one. To take advantages of 64-bit guest os you have to change the network adapter driver from vlance to e1000. It could be achieved by enforcing the usage of correct driver.

Ex. from my sol-nv-b69.vmx file.:

ethernet0.virtualDev = "e1000"

Hint:
Remember to update your Solaris network configuration:

* plumb a new interface
$ ifconfig e1000g0 plumb

* add /etc/hostname.e1000g0 file

* replace the file /etc/dhcp.pcn0 with a new one - /etc/dhcp.e1000g0