Migration to wordpress

I needed to refurbish a little bit this blog and it finally happened.

I’ve migrated the software behind the blog to WordPress and imported the posts and categories.

Although, some post have some discrepancies and aren’t displaying properly, this will be fixed soon.

Posted in wildness' Life | Tagged , | Leave a comment

Fuite de données a la SNCB: Géolocalison les entrées

Continue reading

Posted in Leaks | Leave a comment

SNCB Data Leak: Geo-localization of the entries

Continue reading

Posted in Leaks | Leave a comment

SUNWjet: Add a slice 7 to a zpool’s disk

According to Oracle’s documentation, if you want to use SUNWjet to jumpstart a server with a ZFS Root pool and a slice 7 to put metadb on, you must first parition your drives and then launch the jumpstart.

This is particularly annoying as two operations are required.

I’ve found this post while searching on Google to see if it was possible to create a slice 7 automatically during the jumpstart. Unfortunately, it didn’t worked as:

  • Disks were hardcoded
  • Line 321 seemed to be architecture dependant (i86pc)

As I wanted to add this permanently and as every server I jumpstart can possibly one day use either UFS/DiskSuite or metaset, I wanted to have a slice 7 on every server in case of future use.

I wrote then this little patch to adapt the “populate_client_dir” script to add a slice 7 of 100Mb on every disk specified to be used as root pool:

So, to apply the patch, simply run:

 cd /opt/SUNWjet/Utils/solaris patch -p0 < /tmp/solaris-populate_client_dir.patch

Then, run the make_client script against your template, where you would have specified the zpool spec:

base_config_profile_zfs_disk="c0t0d0s0 c1t0d0s0"

Posted in Solaris | Leave a comment

Solaris 11 ISC DHCP: Cannot specify multiple interfaces

While trying to configure the ISC DHCP server on Solaris 11 to serve my local VLANs, I wanted to restrict its usage to only three interfaces, I then issued the following setprop command:

# svccfg -s svc:/network/dhcp/server:ipv4 config/listen_ifnames astring: "vlan100 vlan201 vlan202"
# svcadm refresh -s svc:/network/dhcp/server:ipv4
# svcadm enable svc:/network/dhcp/server:ipv4

But the service was failing to start… after adding some debug echo’s to the /lib/svc/method/isc-dhcp file, I saw that the whitespaces of this property get escaped when retrieved from the method’s script:

# tail -3 /var/svc/log/network-dhcp-server:ipv4.log 
[ Jul 10 13:44:02 Executing start method ("/lib/svc/method/isc-dhcp"). ] IFACES: vlan100\ vlan201\ vlan202 
[ Jul 10 13:44:02 Method "start" exited with status 95. ]
# ggrep -B 4 IFACES /lib/svc/method/isc-dhcp get_dhcpd_options() {
# get listen_ifname property value. LISTENIFNAMES="`get_prop listen_ifnames`" echo "IFACES: ${LISTENIFNAMES}";
# /usr/lib/inet/dhcpd -f -d -4 --no-pid  -cf /etc/inet/dhcpd4.conf -lf /var/db/isc-dhcp/dhcpd4.leases vlan100\ vlan201\ vlan202

vlan100 vlan201 vlan202: interface name too long (is 23)
# /usr/lib/inet/dhcpd -f -d -4 --no-pid  -cf /etc/inet/dhcpd4.conf -lf /var/db/isc-dhcp/dhcpd4.leases vlan100 vlan201 vlan202
Internet Systems Consortium DHCP Server 4.1-ESV-R4

So, to fix this behaviour, edit the /lib/svc/method/isc-dhcp, line 66 should be changed:

LISTENIFNAMES="`get_prop listen_ifnames`"


LISTENIFNAMES="`get_prop listen_ifnames|sed -e 's/,/ /g'`"

Then, you can set the listen_ifnames properties with multiple interfaces separated by commas:

# svccfg -s svc:/network/dhcp/server:ipv4
 svc:/network/dhcp/server:ipv4> setprop config/listen_ifnames = astring: "vlan100,vlan201,vlan202"
 svc:/network/dhcp/server:ipv4> exit
# svcadm refresh svc:/network/dhcp/server:ipv4
# svcadm disable svc:/network/dhcp/server:ipv4
# svcadm enable svc:/network/dhcp/server:ipv4
Posted in Solaris | Leave a comment

Solaris 11 Automated Installer

If you wish to install solaris on multiple machines, consider the installation of an Automated Installer!

I just created a documentation that explain everything from start to finish 😉

Comments are welcome!

Solaris 11 Automated Installer

UPDATE: Link adapted to the Espix’s wiki instead of WeSunSolve one.

Posted in Solaris | Leave a comment

WeSunSolve: One year later

More than one year ago, the WeSunSolve website has been launched publicly to address the lack of information available for the Solaris operating system.

Facing it’s success, a lot of improvements, features and stuff were added.. and visitors keeps like it!

Here are some statistics about this past year on the website:


  • 307191 Unique Visits
  • 657270 Page viewed
  • 64% Bouncing Visits
  • 670 Registered Users


  • 1. United States
  • 2. United Kingdom
  • 3. Germany
  • 4. Japan
  • 5. France


  • Number of patches registered: 75928
  • Number of readmes version gathered: 63579
  • Number of checksums registered: 59471
  • Number of BugIDs registered: 365191
  • Total size of the patches repository: 623.57 GBytes
  • Number of Files detected: 1323021
  • Number of Packages: 8639
  • Number of CVE: 438

I would like to thank all the people who have made bugs reports, features requests and comments as well as the ones who have simply put their thumbs up!

If you like WeSunSolve, please spread the word! Talk ’bout it with your colleagues and share your experiences! If you’re achieving a recurrent task using WeSunSolve, why not writing a little Howto?

You’re part of a team of Solaris sysadmin? Did you know that you can know work in collaboration with your colleague on WeSunSolve? Check the documentation for more information 😉

Last but not least, do not hesitate to send me your thoughts on the website! It’s always good to hear from people who are using your work 🙂 Especially when it’s free 😉

Posted in WeSunSolve | Leave a comment

Sending PGP HTML Encrypted e-mail with PHP

While adding the PGP HTML Report feature to WeSunSolve, I first successfully crypted the content of the HTML report to be sent to the user with PGP key. I would have thought that this was gonna be the hardest part, that was without thinking about MIME and HTML support of PGP encrypted mails.

Here is how I finally ended up by creating HTML PGP encrypted Mails using PHP which can be opened using (at least) claws-mail and thunderbird with proper rendering of the HTML report:

Content of the clear message

 To: test@test.com 
 Subject: My HTML crypted report
 X-PHP-Originating-Script: 1000:mlist.obj.php
 From: "We Sun Solve" <admin@wesunsolve.net>
 Reply-to: admin@wesunsolve.net
 X-Sender: WeSunSolve v2.0
 Message-ID: <1335717276@wesunsolve.net>
 Date: Sun, 29 Apr 2012 18:34:36 +0200
 MIME-Version: 1.0
 Content-Type: multipart/encrypted; 

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
 Content-Type: application/pgp-encrypted
 Content-Description: PGP/MIME version identification Version: 1
 Content-Type: application/octet-stream; name="encrypted.asc"
 Content-Description: OpenPGP encrypted message
 Content-Disposition: inline; filename="encrypted.asc"
 Version: GnuPG v1.4.10 (GNU/Linux)
 -----END PGP MESSAGE-----

Content of the PGP encrypted part

Content-Type: multipart/alternative; 
 This is a multi-part message in MIME format.
 Content-Type: text/plain; charset=utf-8
 Content-Transfer-Encoding: quoted-printable
 You need to have a MUA capable of rendering HTML to read the WeSunSolve emails.
 You can consult the website http://wesunsolve.net if you are not able to read this email, the information sent to you should also be on the website...
 Content-Type: text/html; charset="utf-8"
 Content-Transfer-Encoding: quoted-printable

This is the report in cleartext!

Code Used

$pgpmime = ”;
$mime = ”;
$headers = ”;
$dest = ‘test@test.com’;
$subject = ‘My HTML crypted report’;
$clearContent = ‘<html><p>This is the report in cleartext!</p></html>’;
$clearText = ‘This is the text version of the report’;
/* Prepare the crypted Part of the message */
$bound = ‘————‘.substr(strtoupper(md5(uniqid(rand()))), 0, 25);
$pgpmime .= “Content-Type: multipart/alternative;\r\n boundary=\”$bound\”\r\n\r\n”;
$pgpmime .= “This is a multi-part message in MIME format.\r\n”;
$pgpmime .= “–$bound\r\n”;
$pgpmime .= “Content-Type: text/plain; charset=utf-8\r\n”;
$pgpmime .= “Content-Transfer-Encoding: quoted-printable\r\n\r\n”;
$pgpmime .= $clearText.”\r\n\r\n”;
$pgpmime .= “–$bound\r\n”;
$pgpmime .= “Content-Type: text/html; charset=\”utf-8\”\r\n”;
$pgpmime .= “Content-Transfer-Encoding: quoted-printable\r\n\r\n”;
$pgpmime .= $clearContent.”\r\n”;
$pgpmime .= “–$bound–\r\n”;
$content = GPG::cryptTxt($pgpkey, $pgpmime);
/* Make the email’s headers */
$headers = ”;
$headers = “From: $from\r\n”;
$headers .= “Reply-to: “.$config[‘mailFrom’].”\r\n”;
$headers .= “X-Sender: WeSunSolve v2.0\r\n”;
$headers .= “Message-ID: <“.time().”@”.$_SERVER[‘SERVER_NAME’].”>\r\n”;
$headers .= “Date: ” . date(“r”) . “\r\n”;
$bound = ‘————enig’.substr(strtoupper(md5(uniqid(rand()))), 0, 25);
$headers .= “MIME-Version: 1.0\r\n”;
$headers .= “Content-Type: multipart/encrypted;\r\n”;
$headers .= ” protocol=\”application/pgp-encrypted\”;\r\n”;
$headers .= ” boundary=\”$bound\”\r\n\r\n”;
/* And the cleartext body which encapsulate PGP message */
$mime = ”;
$mime .= “This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)\r\n”;
$mime .= “–$bound\r\n”;
$mime .= “Content-Type: application/pgp-encrypted\r\n”;
$mime .= “Content-Description: PGP/MIME version identification\r\n\r\n”;
$mime .= “Version: 1\r\n\r\n”;
$mime .= “–$bound\r\n”;
$mime .= “Content-Type: application/octet-stream; name=\”encrypted.asc\”\r\n”;
$mime .= “Content-Description: OpenPGP encrypted message\r\n”;
$mime .= “Content-Disposition: inline; filename=\”encrypted.asc\”\r\n\r\n”;
$mime .= $content.”\r\n”;
$mime .= “–$bound–“;
mail($dest, $subject, $mime, $headers);
Posted in Programming | 1 Comment

WeSunSolve: Site News April

New Features

  • Added wiki to hold the documentation;
  • Added the monitoring of multiple IPS Repositories;
  • User list now allows the user to load multiple patches at once;
  • Added patch timeline
  • Added CVE list affecting Solaris packages
  • Added patch link to CVE when issue is fixed
  • Users can now download a ZIP containing all README of user patch list
  • SSL Signed certificate added to wesunsolve.net https domain
  • User login goes over SSL by default
  • Added support for SRV4 Packages link to patches
  • Modified the structure of patch level to link SRV4 packages
  • Added user setting for API access
  • Added function to API to allow server registration and adding a patch level
  • Added patch/security report based on patch level and PCA execution
  • Added mail report for patch/security based on a patch level and patchdiag.xref automatic selection
  • We added a logo to our Wiki! (thanks to Dagobert Michelsen for the logo 😉

Full listing of changes made can be found here

Patch level report (Using PCA)

PCA has been integrated into WeSunSolve so you can generate patch report on any server registered into your account where at least one patch level is defined.
The report which is created by WeSunSolve is based on the information you are entering when adding a server’s patch level: showrev-p.out and pkginfo-l.out.
Theses two files are generated while running the Explorer or simply gathered by hand with the two corresponding commands. (respectively: /usr/bin/showrev -p and /usr/bin/pkginfo -l).

You can see there a full example of such generated report.
To generate a report like this, you must Add a server and an associated patch level, you can achieve this by following steps pointed in the documentation.

Please, give us feedback if you feel something is missing inside this report!

Mail reports

You can also get the previous report being sent to you by mail regularly, everything can be configured to fit your needs… You can:

  • Choose the server and the patch level on which the report will be generated;
  • Choose the interval between two reports being sent to you: every day, every week, every month ?
  • You can decide which patchdiag.xref delay you want to have, this is the best if you always want to have a delay between what’s out and what you will actually install.

This way, you can get a report of what patches are to be installed on your server based on an up-to-date baseline every day…

To create a report, simply follow the steps at our documentation.

API Access

As of now, you can enable the API access inside your panel and take advantage of the function we have recently implemented, like:

  • Add a server easily;
  • Upload a patch level directly from command line;

We plan to add more feature to the API very soon…

Least known features: Window size

If you are browsing WeSunSolve regularly, you can greatly enhance your browsing by fitting the size of the website to your resolution.
We’ve implemented three size of screen:

  • 960px
  • 1200px
  • 1600px

By default, the website is rendering in 960px, which is fine to cope with most of our visitors but certainly not the best one if you have a 22″ screen 😉
See our documentation to know how to change your settings.

Like it? Spread it!

Please, if you do like WeSunSolve, spread it over your fellow sysadmin! Write a blog post ’bout it and send it over to get a backlink 🙂

You found a cool way of doing something with WeSunSolve that spared you hours of work? Please, tell us how! Don’t hesitate to write a Howto on our wiki

Finally, if you want to thank me personally, you can simply connect through LinkedIN and let a little recommendation on the WeSunSolve job…

Posted in WeSunSolve | Leave a comment

SSH connection to Solaris 11 is sometimes slow…

Today at work, we migrated the first box to Solaris 11 and we experienced the first bug as soon as we needed to log in onto the server.

As theses delays are quite common when the SSHd is configured by default, I quickly added theses lines to remove GSSAPI and DNS common issues:


LookupClientHostnames no VerifyReverseMapping no GSSAPIAuthentication no

Although, theses settings didn’t fixed the problem.

I added some verbosity to both ssh client and server and tracked down the delay to happen at this stage of the connection:

On the client:

$ ssh -v -p 2222 s11box -l adminifm OpenSSH_5.8p1-hpn13v10lpk, OpenSSL 1.0.0c 2 Dec 2010
 debug1: Reading configuration data /home/wildcat/.ssh/config
 debug1: Reading configuration data /etc/ssh/ssh_config
 debug1: Connecting to admblockum04 port 2222.
 debug1: Connection established. debug1: identity file /home/wildcat/.ssh/id_rsa type -1
 debug1: identity file /home/wildcat/.ssh/id_rsa-cert type -1
 debug1: identity file /home/wildcat/.ssh/id_dsa type 2
 debug1: identity file /home/wildcat/.ssh/id_dsa-cert type -1
 debug1: identity file /home/wildcat/.ssh/id_ecdsa type -1
 debug1: identity file /home/wildcat/.ssh/id_ecdsa-cert type -1
 debug1: Remote protocol version 2.0, remote software version Sun_SSH_2.0
 debug1: no match: Sun_SSH_2.0
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_5.8p1-hpn13v10lpk
 debug1: SSH2_MSG_KEXINIT sent
 *** HANG ***

And on the server:

 debug1: Reloading X.509 host keys to avoid PKCS#11 fork issues.monitor
 debug1: reading the context from the   child
 debug1: use_engine is 'no'
 debug1: list_hostkey_types: ssh-rsa,ssh-dss
 debug1: My KEX proposal before adding the GSS KEX algorithm:
 debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-  group1-sha1
 debug2: kex_parse_kexinit: ssh-rsa,ssh-dss debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour
 debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour128,arcfour256,arcfour debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
 debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
 debug2: kex_parse_kexinit: none,zlib
 debug2: kex_parse_kexinit: none,zlib
 debug2: kex_parse_kexinit: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
 debug2: kex_parse_kexinit: de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,pt-BR,zh-CN,zh-TW,i-default
 debug2: kex_parse_kexinit: first_kex_follows 0
 debug2: kex_parse_kexinit: reserved 0
 *** HANG ***

Adding truss of the server process is helping us a lot:

  17477:  so_socket(PF_INET, SOCK_STREAM, IPPROTO_IP, 0, SOV_DEFAULT) = 3
  17469:  pollsys(0x080451C0, 1, 0x00000000, 0x00000000) (sleeping...)
  17477:  connect(3, 0x08047030, 16, SOV_DEFAULT) (sleeping...)

The lock is happening just after the connect() syscall. We can now check the pfiles of this process together with a netstat to identify which connection is causing trouble to be established:

  root@admblockum04:/local/home/ucc# pfiles 16585
 16585:  /usr/lib/ssh/sshd -f /etc/ssh/sshd_config -p 2222 -ddd -D
 Current rlimit: 256 file descriptor 0: S_IFCHR mode:0620 dev:532,0 ino:3502445063 uid:60004 gid:7 rdev:221,8 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/8 offset:43267 1: S_IFCHR mode:0620 dev:532,0 ino:3502445063 uid:60004 gid:7 rdev:221,8 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/8 offset:43267 2: S_IFCHR mode:0620 dev:532,0 ino:3502445063 uid:60004 gid:7 rdev:221,8 O_RDWR|O_NOCTTY|O_LARGEFILE /dev/pts/8 offset:43267 3: S_IFSOCK mode:0666 dev:540,0 ino:34566 uid:0 gid:0 size:0 O_RDWR SOCK_STREAM SO_SNDBUF(49152),SO_RCVBUF(131072) sockname: AF_INET  port: 55867 congestion control: newreno 4: S_IFSOCK mode:0666 dev:540,0 ino:5714 uid:0 gid:0 size:0 O_RDWR|O_NONBLOCK SOCK_STREAM SO_REUSEADDR,SO_KEEPALIVE,SO_SNDBUF(49152),SO_RCVBUF(128872) sockname: AF_INET6 ::ffff:  port: 2222 peername: AF_INET6 ::ffff:  port: 43575 congestion control: newreno 5: S_IFIFO mode:0000 dev:529,0 ino:70783 uid:0 gid:0 size:0 O_RDWR 6: S_IFIFO mode:0000 dev:529,0 ino:70783 uid:0 gid:0 size:0 O_RDWR 8: S_IFIFO mode:0000 dev:529,0 ino:70784 uid:0 gid:0 size:0 O_RDWR FD_CLOEXEC
 # netstat -an|grep 55867          0      0 131072      0 SYN_SENT

The port 30003 is the default port of tcsd daemon, which is managing physical cryptography (through /dev/tpm). If there is no hardware crypto devices, this daemon is disabled. It seems though that cryptoadm is linking tpm crypto mechanism by default, enabling ssh to trying to access this daemon.

Workaround found (just to confirm slowliness is caused by tcsd):

Run this command on the server:

 # nc -e 'cat /dev/null' localhost 30003

and try to ssh the box, it should be fast.

Permanent workaround:

Simply remove the pcks11_tpm provider from the crypto framework:

cryptoadm disable provider=/usr/lib/security/\$ISA/pkcs11_tpm.so mechanism=all
cryptoadm uninstall provider=/usr/lib/security/\$ISA/pkcs11_tpm.so

Other references:

Posted in Solaris | 1 Comment