SUNWjet: Add a slice 7 to a zpool’s disk

According to Oracle’s documentation, if you want to use SUNWjet to jumpstart a server with a ZFS Root pool and a slice 7 to put metadb on, you must first parition your drives and then launch the jumpstart.

This is particularly annoying as two operations are required.

I’ve found this post while searching on Google to see if it was possible to create a slice 7 automatically during the jumpstart. Unfortunately, it didn’t worked as:

  • Disks were hardcoded
  • Line 321 seemed to be architecture dependant (i86pc)

As I wanted to add this permanently and as every server I jumpstart can possibly one day use either UFS/DiskSuite or metaset, I wanted to have a slice 7 on every server in case of future use.

I wrote then this little patch to adapt the “populate_client_dir” script to add a slice 7 of 100Mb on every disk specified to be used as root pool:

So, to apply the patch, simply run:

Then, run the make_client script against your template, where you would have specified the zpool spec:

base_config_profile_zfs_disk="c0t0d0s0 c1t0d0s0"

Solaris 11 ISC DHCP: Cannot specify multiple interfaces

While trying to configure the ISC DHCP server on Solaris 11 to serve my local VLANs, I wanted to restrict its usage to only three interfaces, I then issued the following setprop command:

But the service was failing to start… after adding some debug echo’s to the /lib/svc/method/isc-dhcp file, I saw that the whitespaces of this property get escaped when retrieved from the method’s script:

So, to fix this behaviour, edit the /lib/svc/method/isc-dhcp, line 66 should be changed:

by

Then, you can set the listen_ifnames properties with multiple interfaces separated by commas:

WeSunSolve: One year later

More than one year ago, the WeSunSolve website has been launched publicly to address the lack of information available for the Solaris operating system.

Facing it’s success, a lot of improvements, features and stuff were added.. and visitors keeps like it!

Here are some statistics about this past year on the website:

Visitors

  • 307191 Unique Visits
  • 657270 Page viewed
  • 5500 Downloads
  • 64% Bouncing Visits
  • 670 Registered Users

Countries

  • 1. United States
  • 2. United Kingdom
  • 3. Germany
  • 4. Japan
  • 5. France

Website

  • Number of patches registered: 75928
  • Number of readmes version gathered: 63579
  • Number of checksums registered: 59471
  • Number of BugIDs registered: 365191
  • Total size of the patches repository: 623.57 GBytes
  • Number of Files detected: 1323021
  • Number of Packages: 8639
  • Number of CVE: 438

I would like to thank all the people who have made bugs reports, features requests and comments as well as the ones who have simply put their thumbs up!

If you like WeSunSolve, please spread the word! Talk ’bout it with your colleagues and share your experiences! If you’re achieving a recurrent task using WeSunSolve, why not writing a little Howto?

You’re part of a team of Solaris sysadmin? Did you know that you can know work in collaboration with your colleague on WeSunSolve? Check the documentation for more information 😉

Last but not least, do not hesitate to send me your thoughts on the website! It’s always good to hear from people who are using your work 🙂 Especially when it’s free 😉

Sending PGP HTML Encrypted e-mail with PHP

While adding the PGP HTML Report feature to WeSunSolve, I first successfully crypted the content of the HTML report to be sent to the user with PGP key. I would have thought that this was gonna be the hardest part, that was without thinking about MIME and HTML support of PGP encrypted mails.

Here is how I finally ended up by creating HTML PGP encrypted Mails using PHP which can be opened using (at least) claws-mail and thunderbird with proper rendering of the HTML report:

Content of the clear message

Content of the PGP encrypted part

This is the report in cleartext!

Code Used

$pgpmime = ”;
$mime = ”;
$headers = ”;
$dest = ‘test@test.com’;
$subject = ‘My HTML crypted report’;
$clearContent = ‘<html><p>This is the report in cleartext!</p></html>’;
$clearText = ‘This is the text version of the report’;
/* Prepare the crypted Part of the message */
$bound = ‘————‘.substr(strtoupper(md5(uniqid(rand()))), 0, 25);
$pgpmime .= “Content-Type: multipart/alternative;\r\n boundary=\”$bound\”\r\n\r\n”;
$pgpmime .= “This is a multi-part message in MIME format.\r\n”;
$pgpmime .= “–$bound\r\n”;
$pgpmime .= “Content-Type: text/plain; charset=utf-8\r\n”;
$pgpmime .= “Content-Transfer-Encoding: quoted-printable\r\n\r\n”;
$pgpmime .= $clearText.”\r\n\r\n”;
$pgpmime .= “–$bound\r\n”;
$pgpmime .= “Content-Type: text/html; charset=\”utf-8\”\r\n”;
$pgpmime .= “Content-Transfer-Encoding: quoted-printable\r\n\r\n”;
$pgpmime .= $clearContent.”\r\n”;
$pgpmime .= “–$bound–\r\n”;
$content = GPG::cryptTxt($pgpkey, $pgpmime);
/* Make the email’s headers */
$headers = ”;
$headers = “From: $from\r\n”;
$headers .= “Reply-to: “.$config[‘mailFrom’].”\r\n”;
$headers .= “X-Sender: WeSunSolve v2.0\r\n”;
$headers .= “Message-ID: <“.time().”@”.$_SERVER[‘SERVER_NAME’].”>\r\n”;
$headers .= “Date: ” . date(“r”) . “\r\n”;
$bound = ‘————enig’.substr(strtoupper(md5(uniqid(rand()))), 0, 25);
$headers .= “MIME-Version: 1.0\r\n”;
$headers .= “Content-Type: multipart/encrypted;\r\n”;
$headers .= ” protocol=\”application/pgp-encrypted\”;\r\n”;
$headers .= ” boundary=\”$bound\”\r\n\r\n”;
/* And the cleartext body which encapsulate PGP message */
$mime = ”;
$mime .= “This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)\r\n”;
$mime .= “–$bound\r\n”;
$mime .= “Content-Type: application/pgp-encrypted\r\n”;
$mime .= “Content-Description: PGP/MIME version identification\r\n\r\n”;
$mime .= “Version: 1\r\n\r\n”;
$mime .= “–$bound\r\n”;
$mime .= “Content-Type: application/octet-stream; name=\”encrypted.asc\”\r\n”;
$mime .= “Content-Description: OpenPGP encrypted message\r\n”;
$mime .= “Content-Disposition: inline; filename=\”encrypted.asc\”\r\n\r\n”;
$mime .= $content.”\r\n”;
$mime .= “–$bound–“;
mail($dest, $subject, $mime, $headers);

WeSunSolve: Site News April

New Features

  • Added wiki to hold the documentation;
  • Added the monitoring of multiple IPS Repositories;
  • User list now allows the user to load multiple patches at once;
  • Added patch timeline
  • Added CVE list affecting Solaris packages
  • Added patch link to CVE when issue is fixed
  • Users can now download a ZIP containing all README of user patch list
  • SSL Signed certificate added to wesunsolve.net https domain
  • User login goes over SSL by default
  • Added support for SRV4 Packages link to patches
  • Modified the structure of patch level to link SRV4 packages
  • Added user setting for API access
  • Added function to API to allow server registration and adding a patch level
  • Added patch/security report based on patch level and PCA execution
  • Added mail report for patch/security based on a patch level and patchdiag.xref automatic selection
  • We added a logo to our Wiki! (thanks to Dagobert Michelsen for the logo 😉

Full listing of changes made can be found here

Patch level report (Using PCA)

PCA has been integrated into WeSunSolve so you can generate patch report on any server registered into your account where at least one patch level is defined.
The report which is created by WeSunSolve is based on the information you are entering when adding a server’s patch level: showrev-p.out and pkginfo-l.out.
Theses two files are generated while running the Explorer or simply gathered by hand with the two corresponding commands. (respectively: /usr/bin/showrev -p and /usr/bin/pkginfo -l).

You can see there a full example of such generated report.
To generate a report like this, you must Add a server and an associated patch level, you can achieve this by following steps pointed in the documentation.

Please, give us feedback if you feel something is missing inside this report!

Mail reports

You can also get the previous report being sent to you by mail regularly, everything can be configured to fit your needs… You can:

  • Choose the server and the patch level on which the report will be generated;
  • Choose the interval between two reports being sent to you: every day, every week, every month ?
  • You can decide which patchdiag.xref delay you want to have, this is the best if you always want to have a delay between what’s out and what you will actually install.

This way, you can get a report of what patches are to be installed on your server based on an up-to-date baseline every day…

To create a report, simply follow the steps at our documentation.

API Access

As of now, you can enable the API access inside your panel and take advantage of the function we have recently implemented, like:

  • Add a server easily;
  • Upload a patch level directly from command line;

We plan to add more feature to the API very soon…

Least known features: Window size

If you are browsing WeSunSolve regularly, you can greatly enhance your browsing by fitting the size of the website to your resolution.
We’ve implemented three size of screen:

  • 960px
  • 1200px
  • 1600px

By default, the website is rendering in 960px, which is fine to cope with most of our visitors but certainly not the best one if you have a 22″ screen 😉
See our documentation to know how to change your settings.

Like it? Spread it!

Please, if you do like WeSunSolve, spread it over your fellow sysadmin! Write a blog post ’bout it and send it over to get a backlink 🙂

You found a cool way of doing something with WeSunSolve that spared you hours of work? Please, tell us how! Don’t hesitate to write a Howto on our wiki

Finally, if you want to thank me personally, you can simply connect through LinkedIN and let a little recommendation on the WeSunSolve job…

SSH connection to Solaris 11 is sometimes slow…

Today at work, we migrated the first box to Solaris 11 and we experienced the first bug as soon as we needed to log in onto the server.

As theses delays are quite common when the SSHd is configured by default, I quickly added theses lines to remove GSSAPI and DNS common issues:

/etc/ssh/sshd_config

Although, theses settings didn’t fixed the problem.

I added some verbosity to both ssh client and server and tracked down the delay to happen at this stage of the connection:

On the client:

And on the server:

Adding truss of the server process is helping us a lot:

The lock is happening just after the connect() syscall. We can now check the pfiles of this process together with a netstat to identify which connection is causing trouble to be established:

The port 30003 is the default port of tcsd daemon, which is managing physical cryptography (through /dev/tpm). If there is no hardware crypto devices, this daemon is disabled. It seems though that cryptoadm is linking tpm crypto mechanism by default, enabling ssh to trying to access this daemon.

Workaround found (just to confirm slowliness is caused by tcsd):

Run this command on the server:

and try to ssh the box, it should be fast.

Permanent workaround:

Simply remove the pcks11_tpm provider from the crypto framework:

Other references:

One Liner: Ifstat

Recently I tried ifstat on a freshly updated linux box with a 3.2 kernel, it was reporting nothing (0kb) although the network was heavily used.

A quick one-liner confirmed this and I decided to keep it here for later use:

export IFACE=eth0 ; while(:); do cat /proc/net/dev;sleep 1;done|nawk -W interactive -v iface=${IFACE} 'BEGIN{ cnt = 0 } $1 ~ iface { if (cnt) { print iface ":",(($2 - cnt)/1024),"Kbytes/sec"; } cnt=$2; }'