Monday, June 18, 2018

ZFS Raw Send

This got finally integrated into 11.3 SRU 11.3.33.5.0 zfs send compressed data (Bug 15387669)

Tuesday, June 12, 2018

Extracting ZFS Wrapping Key

Thanks to Victor Latushkin, below is a procedure on how to extract ZFS wrapping key for a given dataset. Notice that key length is encoded in number of bits so it needs to be converted.
# cat /tmp/p
aaaaaaaaaabbbbbbbbbbccccccccccz

# zfs create -o encryption=aes-256-ccm -o keysource="raw,file:///tmp/p" test-0/testp
# zfs get objsetid test-0/testp
NAME                              PROPERTY  VALUE  SOURCE
test-0/testp  objsetid  192    -
# mdb -k
Loading modules: [ unix genunix specfs dtrace mac cpu.generic uppc apix zvpsm scsi_vhci iommu zfs lsc sd ip hook neti arp usba kssl stmf stmf_sbd sockfs lofs random idm nvme sata ufs cpc crypto fcip fctl fcp smbsrv nfs zvmm logindmux
nsmb ptm sppp ipc ]
> ::spa
ADDR                 STATE NAME                   REALNAME
ffffa1c13a33b000    ACTIVE test-0 -
ffffa1c13a38b000    ACTIVE test-1 -
ffffa1c13a097000    ACTIVE rpool                  -
> ffffa1c13a33b000::spa |::print spa spa_keystore->sk_dslkeys|::walk avl|::if zcrypt_keystore_node_t skn_os = 0t192|::print zcrypt_keystore_node_t skn_wrapkey->zk_key.cku_data.cku_key_value.cku_v_length
skn_wrapkey->zk_key.cku_data.cku_key_value.cku_v_length = 0x100
> 0x100 % 8 = X
                20
> ffffa1c13a33b000::spa |::print spa spa_keystore->sk_dslkeys|::walk avl|::if zcrypt_keystore_node_t skn_os = 0t192|::print zcrypt_keystore_node_t skn_wrapkey->zk_key.cku_data.cku_key_value.cku_v_data|::dump -un 0x20
                    0 1 2 3  4 5 6 7  8 9 a b  c d e f  0123456789abcdef
ffffa1c149dcdd20:  61616161 61616161 61616262 62626262  aaaaaaaaaabbbbbb
ffffa1c149dcdd30:  62626262 63636363 63636363 63637a0a  bbbbccccccccccz.

Friday, June 08, 2018

Utilizing CTF in MDB from a binary

Having CTF compiled into binaries is very useful for debugging. Recently I wanted to print some structures by utilizing mdb and ctf from a binary which is not running and I didn't have a core file either. Helpful folks from Oracle suggested the below nice workaround:
# mdb /path/to/bin
> main:b
> ::run
> ::print -at rx_call
...
It sets a breakpoint at main(), then executes it but it stops when calling main(), at this stage CTF data is already loaded by linker.

Support for CTF in Userland in DTrace

I wish Solaris 11 supported CTF in DTrace in user-land in a similar manner as Illumos does.

Tuesday, April 17, 2018

11.3.SRU31 - updated pam_list

The just released Solaris 11.3 SRU31 has an updated pam_list module which adds support for '*' and comments. The '*' wildcard is really useful, as it allows common PAM configuration where access to a server can be managed only by an allow file. For example, in /etc/pam.d/XXX you can now have:
account sufficient pam_list.so.1 allow=/etc/security/access.conf
If the access.conf file has only '*' which means all users have access, or you can just list users, netgroups or unixgroups.

To achieve the '*' before one had to modify the PAM configuration or use a different module (for example compile pam_access from Linux).

This is a good example of one of the small but very useful changes.

Tuesday, April 03, 2018

GCC 7 on Solaris 11.4

How to get gcc-7 on Solaris 11.4?
root@solaris:~# pkg install gcc-7
           Packages to install: 14
           Mediators to change:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                      PKGS         FILES    XFER (MB)   SPEED
Completed                    14/14     1822/1822  332.0/332.0  423k/s

PHASE                                          ITEMS
Installing new actions                     2253/2253
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 
root@solaris:~# 

root@solaris:~# gcc --version
gcc (GCC) 7.3.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@solaris:~# 
Older versions are available as well.

Friday, March 30, 2018

Golang on Solaris

So what do you do if you want to program in golang on Solaris 11.4? You just type: pkg install golang

Thursday, March 22, 2018

ZFS: Device Removal

As finally publicly presented at Solaris Tech Day in Vienna couple of weeks ago, ZFS in Solaris 11.4 will have the long awaited on-line device removal feature. This is top-level vdev removal only, but still very useful in some scenarios.

Here is an example on how it works.

First, let's create a test pool whish is a mirror of two disks:
root@solaris:~# zpool create test mirror c1t1d0 c1t3d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0

errors: No known data errors
Now, let's "accidently" add a single disk to stripe with the mirror and copy some data into the pool:
root@solaris:~# zpool add -f test c1t4d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0
          c1t4d0    ONLINE        0     0     0

errors: No known data errors

root@solaris:~# cp -rp /usr/share/doc /test/
^C

root@solaris:~# gdf -h /test
Filesystem      Size  Used Avail Use% Mounted on
test            2.0G  375M  1.6G  19% /test

root@solaris:~# zpool iostat -v test
               capacity     operations    bandwidth
pool        alloc   free   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
test         375M  1.60G      0    181  4.12K  5.04M
  mirror-0   242M   766M      0    173    203  3.23M
    c1t1d0      -      -      0     16  7.73K  3.28M
    c1t3d0      -      -      0     16  7.53K  3.28M
  c1t4d0     132M   876M      0      9  4.91K  2.26M
----------  -----  -----  -----  -----  -----  -----
Now, if we want to remove the accidently added disk drive it is trivial to do so:
root@solaris:~# zpool remove test c1t4d0
And let's check pool status after the device was removed:
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: resilvered 132M in 1s with 0 errors on Fri Mar 30 01:53:17 2018

config:

        NAME                      STATE      READ WRITE CKSUM
        test                      ONLINE        0     0     0
          mirror-0                ONLINE        0     0     0
            c1t1d0                ONLINE        0     0     0
            c1t3d0                ONLINE        0     0     0

errors: No known data errors

root@solaris:~# zpool iostat -v test
                             capacity     operations    bandwidth
pool                      alloc   free   read  write   read  write
------------------------  -----  -----  -----  -----  -----  -----
test                       378M   630M      2    105  8.66K  1.63M
  mirror-0                 378M   630M      2     80  5.14K  1.21M
    c1t1d0                    -      -      0      8  5.09K  1.22M
    c1t3d0                    -      -      1      7  5.58K  1.22M
------------------------  -----  -----  -----  -----  -----  -----

Friday, February 23, 2018

Thursday, November 02, 2017

OpenZFS ZIL Internals

Very interesting presentation on how ZIL works and on latest improvements in OpenZFS, presented during OpenZFS Developer Summit 2017.

Tuesday, September 12, 2017

Tuesday, July 04, 2017

Sudo and Solaris Privileges

Sudo on Solaris 10 and Solaris 11 allow to specify a privilege set a command will run with. This is very powerful if you want to be more specific in granting only required privileges for a given command, instead of allowing a command to run as root. Although Solaris has additional/different means to achieve the same, which in some cases is better than sudo, but the latter is what most users are familiar with.

For example, the 'fmadm faulty' command requires sys_admin privilege to run.

milek    ALL=()PRIVS="basic,sys_admin" NOPASSWD:/usr/sbin/fmadm faulty
This means that user milek can now run: sudo fmadm faulty
and the command will now work, but it won't run as root - it will execute as user milek with privileges set to basic,sys_admin, which is more secure than allowing the command to run as root.

Tuesday, May 16, 2017

Solaris Open Source bits move to GitHub

Alan Coopersmith blogged about migration of Open Source content available in Solaris from java.net to GitHub. This is definitely an improvement.

The new repositories on GitHub are: