Tuesday, April 17, 2018

11.3.SRU31 - updated pam_list

The just-released Solaris 11.3 SRU31 has an updated pam_list module which adds support for '*' and comments. The '*' wildcard is really useful, as it allows a common PAM configuration where access to a server can be managed only by an allow file. For example, in /etc/pam.d/XXX you can now have:
account sufficient pam_list.so.1 allow=/etc/security/access.conf
The access.conf file can then contain only '*', which means all users have access, or you can just list users, netgroups or unix groups.

Previously, to achieve the effect of '*', one had to modify the PAM configuration or use a different module (for example, compile pam_access from Linux).

This is a good example of one of the small but very useful changes.

Tuesday, April 03, 2018

GCC 7 on Solaris 11.4

How to get gcc-7 on Solaris 11.4?
root@solaris:~# pkg install gcc-7
           Packages to install: 14
           Mediators to change:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                      PKGS         FILES    XFER (MB)   SPEED
Completed                    14/14     1822/1822  332.0/332.0  423k/s

PHASE                                          ITEMS
Installing new actions                     2253/2253
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 
root@solaris:~# 

root@solaris:~# gcc --version
gcc (GCC) 7.3.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@solaris:~# 
Older versions are available as well.

Friday, March 30, 2018

Golang on Solaris

So what do you do if you want to program in golang on Solaris 11.4? You just type: pkg install golang

Thursday, March 22, 2018

ZFS: Device Removal

As finally publicly presented at Solaris Tech Day in Vienna a couple of weeks ago, ZFS in Solaris 11.4 will have the long-awaited on-line device removal feature. This is top-level vdev removal only, but still very useful in some scenarios.

Here is an example of how it works.

First, let's create a test pool which is a mirror of two disks:
root@solaris:~# zpool create test mirror c1t1d0 c1t3d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0

errors: No known data errors
Now, let's "accidentally" add a single disk to stripe with the mirror and copy some data into the pool:
root@solaris:~# zpool add -f test c1t4d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0
          c1t4d0    ONLINE        0     0     0

errors: No known data errors

root@solaris:~# cp -rp /usr/share/doc /test/
^C

root@solaris:~# gdf -h /test
Filesystem      Size  Used Avail Use% Mounted on
test            2.0G  375M  1.6G  19% /test

root@solaris:~# zpool iostat -v test
               capacity     operations    bandwidth
pool        alloc   free   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
test         375M  1.60G      0    181  4.12K  5.04M
  mirror-0   242M   766M      0    173    203  3.23M
    c1t1d0      -      -      0     16  7.73K  3.28M
    c1t3d0      -      -      0     16  7.53K  3.28M
  c1t4d0     132M   876M      0      9  4.91K  2.26M
----------  -----  -----  -----  -----  -----  -----
Now, if we want to remove the accidentally added disk drive, it is trivial to do so:
root@solaris:~# zpool remove test c1t4d0
And let's check pool status after the device was removed:
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: resilvered 132M in 1s with 0 errors on Fri Mar 30 01:53:17 2018

config:

        NAME                      STATE      READ WRITE CKSUM
        test                      ONLINE        0     0     0
          mirror-0                ONLINE        0     0     0
            c1t1d0                ONLINE        0     0     0
            c1t3d0                ONLINE        0     0     0

errors: No known data errors

root@solaris:~# zpool iostat -v test
                             capacity     operations    bandwidth
pool                      alloc   free   read  write   read  write
------------------------  -----  -----  -----  -----  -----  -----
test                       378M   630M      2    105  8.66K  1.63M
  mirror-0                 378M   630M      2     80  5.14K  1.21M
    c1t1d0                    -      -      0      8  5.09K  1.22M
    c1t3d0                    -      -      1      7  5.58K  1.22M
------------------------  -----  -----  -----  -----  -----  -----
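
The mistake shown above (a bare disk striped next to a mirror) removes the pool's redundancy for any data written to that disk, so it is worth detecting automatically. The following is an added example, not part of the original post: it parses `zpool status` text and lists top-level data vdevs that are plain disks. The function names are hypothetical, and it assumes redundant vdevs are named mirror-N or raidzN-N as in the output above.

```shell
#!/bin/sh
# Added example (not from the original post): list top-level vdevs that are
# bare disks, i.e. data striped onto a device with no redundancy.

# Reads `zpool status` text on stdin, prints one vdev name per line.
single_disk_vdevs() {
    awk '
    /^config:/         { in_cfg = 1; seen_pool = 0; next }
    /^errors:/         { in_cfg = 0 }
    !in_cfg || NF == 0 { next }
    $1 == "NAME"       { next }
    {
        indent = match($0, /[^ \t]/) - 1
        if (!seen_pool) {                 # first row is the pool itself
            seen_pool = 1; pool_indent = indent; data = 1; next
        }
        if (indent <= pool_indent) {      # logs / cache / spares heading
            data = 0; next
        }
        # Top-level data vdevs sit exactly one level (2 columns) below the pool.
        if (data && indent == pool_indent + 2 &&
            $1 !~ /^(mirror|raidz|replacing|spare)/)
            print $1
    }'
}

# Sample input: the status output shown above after `zpool add -f`.
sample_status() {
    cat <<'EOF'
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0
          c1t4d0    ONLINE        0     0     0

errors: No known data errors
EOF
}

sample_status | single_disk_vdevs    # prints: c1t4d0
```

On a live system the input would come from `zpool status test | single_disk_vdevs`; an empty result means every top-level data vdev is redundant.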

Friday, February 23, 2018

Thursday, November 02, 2017

OpenZFS ZIL Internals

Very interesting presentation on how ZIL works and on latest improvements in OpenZFS, presented during OpenZFS Developer Summit 2017.

Tuesday, September 12, 2017

Tuesday, July 04, 2017

Sudo and Solaris Privileges

Sudo on Solaris 10 and Solaris 11 allows you to specify the privilege set a command will run with. This is very powerful if you want to be more specific and grant only the privileges required for a given command, instead of allowing the command to run as root. Solaris has additional, different means to achieve the same thing, which in some cases are better than sudo, but sudo is what most users are familiar with.

For example, the 'fmadm faulty' command requires sys_admin privilege to run.

milek    ALL=()PRIVS="basic,sys_admin" NOPASSWD:/usr/sbin/fmadm faulty
This means that user milek can now run: sudo fmadm faulty
and the command will now work, but it won't run as root - it will execute as user milek with privileges set to basic,sys_admin, which is more secure than allowing the command to run as root.

Tuesday, May 16, 2017

Solaris Open Source bits move to GitHub

Alan Coopersmith blogged about migration of Open Source content available in Solaris from java.net to GitHub. This is definitely an improvement.

The new repositories on GitHub are:


Friday, April 21, 2017

Ebbisland and Extremeparr

Although The Register and others were suggesting Solaris 11 might be affected, this seems not to be the case: according to Oracle, Solaris 11 has never been affected by either of them. The Register clarified it as well.

Also if you have a support contract you should have been told this much quicker.

PS: if you have CDE installed on Solaris 10, there is an IDR available for the extremeparr local exploit (again, Solaris 11 is not affected).

Saturday, February 25, 2017

Friday, January 20, 2017

Solaris 11 Continuous Delivery Model

Solaris 11 adopts a Continuous Delivery model, which means instead of Solaris 12 there will be Solaris 11.4, 11.5, etc. This is generally a good thing: new features are adopted more quickly, as most software certified for Solaris 11 should stay certified for the new dot releases. This is also similar to what Microsoft did with Windows.

Oracle also extended Solaris 11 support to 2031.

http://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf

Friday, October 21, 2016

AI: Distro Constructor and a Custom Script

When building your own AI images with distro_const, it is sometimes useful to add a custom script to modify the resulting image. This is easily achieved by adding a custom script to the XML manifest provided to distro_const.

For example, to change the default password for user jack, add the following checkpoint to the XML file, just before the pre-pkg-img-mode checkpoint.

<!--
  Set the password for user jack; it should match the root password
  (if the hash contains slashes, they need to be backslashed)
-->
      <checkpoint name="lock-jack-account"
         desc="Lock the jack account from login"
         mod_path="solaris_install/distro_const/checkpoints/custom_script"
         checkpoint_class="CustomScript">
         <args>/usr/bin/gsed -i -e 's/jack:.[^:]*:/jack:XXXXXX:/g' 
                             {PKG_IMAGE_PATH}/etc/shadow
         </args>
      </checkpoint>
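
The note about backslashing slashes matters because "/" is the delimiter of the sed expression, so an unescaped "/" inside the hash ends the replacement early. The following is an added example, not part of the original post: it escapes a hash before substituting it and, going slightly beyond the checkpoint above, anchors the match to the start of the line so that only the exact user name is changed. The function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Escape "/", "&" and "\" so a hash can be used as a sed s/// replacement.
# ":" is the delimiter here, so "/" needs no escaping in this command itself.
escape_for_sed() {
    printf '%s\n' "$1" | sed -e 's:[/&\\]:\\&:g'
}

# Replace USER's password field in shadow-format text read from stdin.
# Usage: set_shadow_hash USER HASH < shadow
# Assumes USER contains no regular-expression metacharacters.
set_shadow_hash() {
    esc=$(escape_for_sed "$2")
    # "^" anchors the match so "jack" does not also match "bluejack".
    sed -e "s/^$1:[^:]*:/$1:$esc:/"
}

# Constructed sample data; the hashes are made up.
sample_shadow() {
    cat <<'EOF'
root:$5$aaaa$bbbb:17000::::::
jack:$5$cccc$dddd:17000::::::
bluejack:$5$eeee$ffff:17000::::::
EOF
}

# Only the jack entry changes; the slashes in the new hash survive intact.
sample_shadow | set_shadow_hash jack '$5$salt$ab/cd/ef'
```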