Register Discussions Communities Projects Download Source Browser

November 21, 2009


Moinak Ghosh
(moinak)

moinakg


I use Linux as well apart from my obsession with OpenSolaris. I have used several distros in the past and came to like Mandriva for general use. I was also once the biggest critic of Fedora. Having had bad experiences with FC3 and FC4 I cursed it and simply ignored it till recently when I started stealing spec file recipes and patches from FC 11,12 CVS repo for building packages on BeleniX :-P

During the course of that usage I now stand to take back my earlier criticisms of Fedora. In fact I am thoroughly impressed with the quality of the work they are doing. The quality of the spec files and patches speak for themselves. Many of the conventions they follow align with how things are laid out on OpenSolaris as well. I am now going around and recommending Fedora 12 to anyone who is using Linux. The only issue that one will see is from a desktop use perspective. Out of the box Fedora has very few customizations and tweaks, so it takes a while of manual work to tune it to your liking.

November 21, 2009 04:03 PM


Jim Grisanzio
(jimgris)

OpenSolaris Day at ITHB Bandung

On Tuesday we went to ITHB in Bandung, which is about two hours from Jakarta, for another university visit. We were a bit late due to some impressive winter rain, but when we arrived the energy in the room was palpable. Great fun. Loved every minute. Can`t wait to go back. More presos on OpenSolaris from Harry Kaligis, Agus Setiawan, Lukman Prihandika, Rachmat Febrianto, Alex Budiyanto. And me

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

OpenSolaris at ITHB Bandung OpenSolaris at ITHB Bandung

Blog tag: indonesia-09 | Photos on Flickr | Presentation | Search for Indonesia OSUGs

November 21, 2009 03:54 PM


Jim Grisanzio
(jimgris)

Indonesia OpenSolaris User Group

On Monday after visiting Gunadarma University we went back to Jakarta for an OpenSolaris User Group meeting at the Sun office. Met a lot of nice guys and had some good conversations about OpenSolaris. More pics to come. 

Indonesia OSUG Jakarta Indonesia OSUG Jakarta

Blog tag: indonesia-09 | Photos on Flickr

November 21, 2009 03:49 PM


Jim Grisanzio
(jimgris)

OpenSolaris Day at Gunadarma University

I was in Indonesia earlier this week for some OpenSolaris university and user group events. Really cool trip. Exhausting, too. I did a lot of talking. Much more than usual. The community there is engaged and thriving, so there was a lot of talking in between the talks, too. Everyone was super friendly and quite obviously talented. It was my first trip to Indonesia, and it moved me deeply. I will go back, no question about it. I really liked it there. And I learned a lot. I shot 500 images and saved about 200, so I`ll post them across a few entries over the next few days. Indonesia should make for an interesting future for OpenSolaris in South East Asia with these guys coming along. Trust me on that one.

On Monday we started the day at Gunadarma University in Depok, which is about an hour outside Jakarta. Presenting at the event were Harry Kaligis, Alex Budiyanto, Made Wiryana, Agus Setiawan, and Rachmat Febrianto. And me. I talked about the history of OpenSolaris, some of the open development and website projects to support contributions, and how we are building a development community around the world. The other guys talked about local programs and specific technologies in the OpenSolaris distribution. After all the talks and questions/answers, we met with the school faculty to discuss how OpenSolaris can be used to help students learn software development, and we also stressed the importance of building an engineering community on campus where students can contribute both locally and globally.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

OpenSolaris at Gunadarma Univ. OpenSolaris at Gunadarma Univ.

Blog tag: indonesia-09 | Photos on Flickr | Presentation | Search for Indonesia OSUGs

Special thanks to Alex Budiyanto for driving everything. Alex is an amazing community organizer (and presenter too). More to come.

November 21, 2009 03:49 PM


Jan Pechanec
(janp)

Solaris 10 Security Essentials book on Amazon

Solaris Security Essentials The "Solaris 10 Security Essentials" book is on sale, and you can get it from Amazon now. I was one of those about 20 engineers from the Solaris security organization who wrote the book. Looking forward to get my copy. 

Product Details
  * Paperback: 312 pages
  * Publisher: Prentice Hall PTR
    1st edition (November 19, 2009)
  * Language: English
  * ISBN-10: 0137012330
  * ISBN-13: 978-0137012336

November 21, 2009 03:00 PM


Simon Phipps
(webmink)

links for 2009-11-21

November 21, 2009 12:06 PM

November 20, 2009


Ben Rockwood
(benr)

A Little Friday Distraction

Role models are something we have few of; sad that perhaps the most recent one comes from a beer commercial:

I mean, come on... his advice on careers "Find what you don't do well.... and don't do that thing." Classic!

Need something more expansive? Learn Chinese! If you find it difficult, try to learn Japanesse... and then you'll go back and appreciate how much easier Chinese languages are.

Not intellectual enough? Need to stretch those brain cells a bit more? Then, I ask, what is justice? As a Christian I have all those answers, laid down thousands of years ago, but since apparently folks like to re-invent the wheel (something King Solomon explained to us about 1,000 BC... "There is nothing new under the sun"), try Harvard's Michael Sandel discussion on Justice. A fun and engaging discussion in one of Harvard's beautiful facilities, exploring the "Moral Side of Murder". It's an enjoyable mental exercise and well expressed.

And finally, since I mentioned Christianity, if you are not a Christian but curious about it, here is a recent and awesome sermon from Mars Hill Church in Seattle. Watch it, argue with it, think about it, I think you'll enjoy it. Pastor Mark is always fun.

If your reading this post on an aggregator or via RSS and don't see the embedded video, just come here to cuddletech to see it properly.

November 20, 2009 09:41 PM


Robert Milkowski
(milek)

Xen 3.4

Xen 3.4 integrated yesterday. It should appear in snv_129.

November 20, 2009 04:25 PM


Jan Pechanec
(janp)

The ChrootDirectory option resynced to SunSSH

UPDATE 2009-11-20: the Match keyword option has been resynced so it's possible to use ChrootDirectory selectively on specific user accounts, for example.

I resynced the ChrootDirectory option from OpenSSH to SunSSH, and pushed the change to the repository today. It wasn't a straightforward resync since we have different privilege separation code. I also found a few very minor issues in the OpenSSH code, and filed bugs with patches (1562, 1564, and 1566).

If you want to use the option, create an empty root-owned directory with proper permissions (no group/other writable along the whole path, so don't even use /tmp, for example, since we don't accept the sticky bit). After that, set ChrootDirectory option to it, and check that the Subsystem option contains internal-sftp. This internal SFTP will be the default in the new OpenSolaris/Nevada installations but we do not change any existing confirations on upgrades. It's quite probable you will have an existing config file with the following line: 

Subsystem       sftp    /usr/lib/ssh/sftp-server

If you run the server in the debug mode (/usr/lib/ssh/sshd -p 2222 -ddd) with the chroot directory option set and the line as displayed above, you would see something like this in the server's output after you try to connect (sftp -o Port=2222 the-hostname): 

subsystem request for sftp
subsystem: cannot stat /usr/lib/ssh/sftp-server under
    chroot directory /var/root/chroot/: No such file
    or directory
subsystem: please see the Subsystem option in
    sshd_config(4) for an explanation of 'internal-sftp'.
subsystem request for sftp failed, subsystem not found

Just change /usr/lib/ssh/sftp-server to internal-sftp, restart the SSH server (svcadm restart ssh), and you will be fine. The chroot directory option does work with the plain SSH connection or with the /usr/lib/ssh/sftp-server binary as well. However, you must provide some files in that directory, because SSH server will exec(2)'s the shell or the SFTP server process after calling chroot(2). My test chroot directory has the same list of files but check that the connecting user has the same shell, bash, as mine. If not, the list of libraries will probably be different, use ldd(1) to get your list. The list follows: 

./bin/bash
./bin/ls
./lib/libcurses.so.1
./lib/libsocket.so.1
./lib/libnsl.so.1
./lib/libdl.so.1
./lib/libc.so.1
./lib/libmp.so.2
./lib/libmd.so.1
./lib/libscf.so.1
./lib/libuutil.so.1
./lib/libgen.so.1
./lib/libm.so.2
./lib/libresolv.so.2
./lib/libcrypto.so.0.9.8
./lib/libz.so.1
./lib/libsecdb.so.1
./lib/libmapmalloc.so.1
./lib/libcrypt.so.1
./lib/libsec.so.1
./usr/lib/ld.so.1

and I can log in via plain SSH, and run ls(1) command: 

-bash-3.2$ ls
bin  lib  usr
-bash-3.2$ pwd
/

Note that the external SFTP server process would need yet another list of files, and at least one device - /dev/null, but there is really no reason to use the external binary when there is the above mentioned internal-sftp mode. Nothing is exec()'ed, the SFTP server loop is run inside of the existing SSH server process, and that means that no other files are needed in the chroot directory. If you are still not convinced then know that the SFTP server code used is the same. In the in-process implementation, the server uses the SFTP object code that is linked directly to the SSH server binary while in the external case the code is wrapped in an additional few lines to create an independent binary.

The sshd_config(4) manual page will be updated but we are in the queue so I'm not sure it will get to the same Nevada build as the code change, which is 112. It may get to 113. From that reason, see the change here: 

+ChrootDirectory
+
+  Specifies a path to chroot(2) to after authentication.
+  This path, and all its components, must be root owned 
+  directories that are not writable by any other user or
+  group.
+
+  The server always tries to change to the user's home
+  directory locally under the chrooted environment but a 
+  failure to do so is not considered an error. In addition
+  to that, the path may contain the following tokens that
+  are expanded at runtime once the connecting user has
+  been authenticated: %% is replaced by a literal '%', %h
+  is replaced by the home directory of the user being 
+  authenticated, and %u is replaced by the username of
+  that user. 
+
+  The ChrootDirectory must contain the necessary files and
+  directories to support the user's session.  For an
+  interactive SSH session this requires at least a user's
+  shell, shared libraries needed by the shell, dynamic
+  linker, and possibly basic /dev nodes such as null(4),
+  zero(4), stdin(4), stdout(4), stderr(4), random(4) and
+  tty(4).  Additionaly, terminal databases are
+  needed for screen oriented applications. For file
+  transfer sessions using ``sftp'' with the SSH protocol
+  version 2, no additional configuration of the
+  environment is necessary if the in-process sftp server
+  is used (see Subsystem for details).
+
+  The default is not to chroot(2).
+
+

      Subsystem

    Configures an external subsystem (for  example,  a  file  
    transfer  daemon).  Arguments should be a subsystem name
    and a command to execute  upon  subsystem  request.  The
    command   sftp-server(1M)   implements   the  sftp  file  
-   transfer  subsystem.  By  default,  no  subsystems   are   
+   transfer  subsystem.
+
+   Alternately the name ``internal-sftp'' implements an
+   in-process ``sftp'' server.  This may simplify
+   configurations using ChrootDirectory to force a different
+   filesystem root on clients.
+
+   By  default,  no  subsystems   are  
    defined. This option applies to protocol version 2 only.

 

As a last note, as of now, we do not plan to backport this to Solaris 10.

November 20, 2009 02:23 PM


Simon Phipps
(webmink)

☞ Mistakes That Can't Be Admitted

November 20, 2009 01:39 PM


Jim Grisanzio
(jimgris)

New Community Translation Interface

It's excellent to see that the Sun Globalization Engineering team released a new version of the Community Translation Interface tool: Sun OpenCTI: https://translate.sun.com/opencti

Among other things, this is the tool that the OpenSolaris community used to localize Auth (which we'll update with new languages soon as well). Also, the announcement from Ales says that he's opened some new translation projects to get ready for the next release of the OpenSolaris distribution. So, if you want to contribute translations to OpenSolaris, check out this new version of the Community Translation Interface. Send questions to the Internationalization & Localization Community on i18n-discuss (subscribe to the list here and/or post to the Jive forum here). More info here at the CTI team blog.

November 20, 2009 08:06 AM


Jim Grisanzio
(jimgris)

A New BOO

Bill Rushmore has been working on updating bugs.opensolaris.org. Go here for the new boo: http://bugs.opensolaris.org/. More updates to other website applications coming along soon as well.

November 20, 2009 08:05 AM


Jim Grisanzio
(jimgris)

127

I updated to OpenSolaris developer build 127 a few days ago. Nice. It performs much better than b126 on my Toshiba Tecra M10. That freezing mouse bit is gone.

November 20, 2009 08:03 AM


Theo Schlossnagle
(theo)

Jive turkey...

So... lock a dude on a flight with Internet access, free booze and free movies... yet, he codes. Nothing useful, of course.

One of my favorite programs from past days was the jive.l lexer (it's an Internet scavenger hunt to find it). Well, here's a jive bookmarklet. Try it out. Boredom on flights can be dangerous.

November 20, 2009 03:26 AM

November 19, 2009


Jan Pechanec
(janp)

PKCS#11 Engine Patch (including the token access) for OpenSSL 0.9.8l (el)

I have generated a PKCS#11 patch for OpenSSL 0.9.8l. It includes one new feature I have recently integrated into Nevada - RSA Keys by Reference. You can read the README here, and download the PKCS#11 patch.

As a test I've built the code on Solaris 10 and one Linux distro (which identified itself as GNU/Linux, I have no idea which distro was that). I had to make a couple of modifications since other systems do not have getpassphrase() function, and Linux distros have no strlcpy() function (because GNU C library has none). Hopefully I have not broken anything.

If you plan to use the patch, do not forget to check out examples and the PKCS#11 URI format in the presentation for the project. As usual, if you find problems with the patch, let me know please. And of course, if you find it really useful, you can say that as well :-)

The man page will be updated soon but before that gets to a public build it will take some time. So, below is the current draft change for the openssl(5) man page. Note that the man page in section 5 is for OpenSSL in Solaris, the one in section 1 is the original man page from the OpenSSL project. Obviously, we ship both. Use "man -s 5 openssl" to see the Sun's one, or "man -a" if unsure about sections.

openssl(5) planned addition: 

  Accessing RSA Keys in PKCS#11 Keystores

     OpenSSL can access RSA keys in PKCS#11 keystores using the
     following functions of the ENGINE API:

       EVP_PKEY *ENGINE_load_private_key(ENGINE *e,
                const char *key_id, UI_METHOD *ui_method,
                void *callback_data)

       EVP_PKEY *ENGINE_load_public_key(ENGINE *e,
                const char *key_id, UI_METHOD *ui_method,
                void *callback_data)

     key_id, formerly for filenames only, can be now also set to
     a PKCS#11 URI. The EVP_PKEY structure is newly allocated and
     caller is responsible to free the structure later. To avoid
     clashes with existing filenames, "file://" prefix for
     filenames is now also accepted but only when the PKCS#11
     engine is in use. The PKCS#11 URI specification follows:

        pkcs11:[token=<label>][;manuf=<label>][;serial=<label>]
               [;model=<label>][;object=<label>]
               [;objecttype=(public|private|cert)]
               [;passphrasedialog=(builtin|exec:<file>)]

     The ordering of keywords is not significant. The PKCS#11
     engine uses the keystore for the slot chosen for public key
     operations whic is metaslot on a standardly configured
     machine. Currently, the PKCS#11 engine ignores "objecttype"
     keyword. The only mandatory keyword is "object" which is
     the key object label. For information on how to use a
     different, possibly hardware, keystore with metaslot see
     libpkcs11(3LIB).

     The token PIN is provided via "passphrasedialog" keyword and
     is either read from the terminal ("builtin") or from the
     output of an external command ("exec:<file>"). The PIN is
     used to log into the token and by default is deleted from
     the memory then. The keyword "pin" is intentionally not
     provided due to inherent security problems of possible use
     of a password in the process arguments.

     Due to fork safety issues the application must re-login if
     the child continues to use the PKCS#11 engine. It is done
     inside of the engine automatically if fork is detected and
     in that case, "exec:<file>" option of the "passphrasedialog"
     keyword can be used. Alternatively, an enviroment variable
     OPENSSL_PKCS11_PIN_CACHING_POLICY can be used to allow the
     PIN to be cached in memory and reused in the child. It can
     be set to "none" which is the default, "memory" to store
     the PIN in memory, and "mlocked-memory" keep the PIN in a
     locked page via mlock(3C). Note that PRIV_PROC_LOCK_MEMORY
     privilege is required in that case.

     Sensitive parts of private keys are never read from the
     token to the process memory no matter whether the key is
     tagged with sensitive flag or not. The PKCS#11 engine uses
     the public compoments as a search key to get a PKCS#11
     object handle to the private key.

     Note that in order to use the RSA keys by reference, high
     level API functions must be used, like RSA_public_decrypt(),
     EVP_PKEY_set1_RSA(), or EVP_SignInit(). Low level functions
     might go around the engine and thus fail to make use of the
     feature.

  Additional Documentation

      Extensive additional documentation for  OpenSSL  modules  is
      available       in      the      /usr/share/man/man1openssl,
      /usr/share/man/man3openssl, /usr/share/man/man5openssl,  and
      /usr/share/man/man7openssl directories.

      To view the license terms, attribution,  and  copyright  for
      OpenSSL, see /var/sadm/pkg/SUNWopensslr/install/copyright.

EXAMPLES

     Example 1: generate and print a public key stored in an
                already initilized PKCS#11 keystore. Note the
                use of "-engine pkcs11" and "-inform e".

        $ pktool gencert keystore=pkcs11 label=mykey \
            subject="CN=test" keytype=rsa keylen=1024 serial=01
        $ openssl rsa -in \
            "pkcs11:object=mykey;passphrasedialog=builtin" \
            -pubout -text -engine pkcs11 -inform e

November 19, 2009 07:21 PM


Ben Rockwood
(benr)

Must Have Apps for the Mac

Lots of folks have switched to Mac, its the most commonly used laptop in the Bay Area now. Sometimes people give me flack for using it, but I'll tell you why I use a Mac laptop:

  1. It just works! When going to a client site, a conference, or just a cafe, there is nothing more embarrassing than spending 20 minutes trying to get your l337 *NIX laptop to connect to wireless or properly DHCP or work with a printer. This isn't as big a problem as it once was but it can still happen. This is especially the case if you ever do a presentation where your fiddling with things in front of 30+ people. Mac's just work, period.
  2. The Apps are high quality! Thanks to the Linux desktop invasion we have a lot of great apps for *NIX; however Mac apps have a very high standard for quality, all work more or less similarly, and there are lots of great apps. The problem I have on Windows these days is that there aren't as many great apps for Windows as there are for OS X.
  3. Its UNIX! This is the most important fact for me, its a real desktop OS with a real UNIX underneath. I was a Mac hater prior to OS X, but developed a love affair with NeXT... when the two converged in OS X I was a happy camper indeed.
  4. The Apple Laptops are the best on the market! I can not find a PC Laptop with the same build quality and durability of the Apple's. Most PC's use cheap plastics, are too thick, too flimsy, etc. The MacBook Pro 15" Aluminum is what I still use and love. The size is absolutely perfect, the thing is solid, and very comfortable to use. The power adapters are even better. Even if I wanted a machine just to run Solaris on metal, I'd want a MacBook Pro over any PC laptop available. In terms of hardware you really do seem to get what you pay for.

Now, please note that I do not have nor do I ever plan to have a Mac desktop! For my daily work I need a real UNIX Workstation. I prefer to work with Enlightenment, Eterm, and have a real Solaris system on which to work. Without my desktop I can't accomplish real work, but for the road I need my MacBook Pro.

So here are some of my "must have apps" for OS X:

  • iTerm: It once was that OS X's terminal was pretty basic and pathetic, glTerm and iTerm filled the void. Since that time the default terminal application has improved significantly making iTerm unnecessary, but I continue to be faithful to it.
  • Adium: Adium is the best multi-protocol IM client available for Mac. While iChat AV is fantastic for voice and video "chat", I want to keep my desktop tidy which means I want IRC style chat in multiple tabs, not windows. I just can't stand having a real discussion in those iChat balloons.
  • NewsFire: Best RSS reader, imho. The primary advantage to Newsfire is that it doesn't make RSS look like email! Email feels like work, I just want to flip through RSS and see whats news. Newfire is free and really spiffy.
  • TrueCrypt: I'm not a really big crypto freak, I wish I were, but I'm lazy. Never the less, at some point you'll go on the road and Sysadmins are bound to have text files containing sensitive information. TrueCrypt makes it easy to create a small encrypted drives on which to store that data. Plus, the virtual drives it creates are cross-platform, so your not locked into only retrieving the data on Mac like other encrypting archive apps.
  • Things: I think its the best todo application available. Its light-weight and easy to use. OmniFocus is a much more structured application and I think is good for people who need rigorous structure to keep them honest, but Things can be made to do almost everything OmniFocus can do, if you choose to, or be used much more casually.
  • RealVNC: The most popular VNC Viewer application for OS X is "Chicken of the VNC". I love the name, love the icon, but a lot of times it doesn't work for me. RealVNC isn't so sexxy but works every time without a problem.
  • Colloquy: Great IRC application. Many *NIX folks will prefer a more traditional terminal based IRC client, but if your an Xchat users who's looking for a nicely integrated IRC client for OS X Colloquy is the best imho.
  • VirtualBox: Very powerful and free to boot. I use both VirtualBox and VMware Fusion. Honestly, VMware is slightly faster, but VirtualBox is still fantastic and the additional portability is handy.
  • Apache Directory Studio: If there is one nifty app the Windows boys have its Softerra LDAP Administrator. Apache Directory Studio is the best alternative I've seen, and I think will ultimately surpass Softerra's capabilities.
  • iShowU: Best screen recording app period. Very easy to use, very flexable and lightweight. When creating screencasts I recommend using the Quicktime Animation CODEC; you'll be happy with it.
  • globalSAN iSCSI initiator for OS X: Its sad that even in Snow Leopard we don't have an Apple supplied iSCSI Initiator, but thankfully globalSAN has us covered. Its free and works very well with COMSTAR.
  • Cornerstone: I didn't think Subversion needed a GUI... but Zennaware Cornerstone changed my mind. Its expensive, but if you do a lot of SVN work you won't want to miss it.

I'll add some more to the honorable mention list...

  • Textmate
  • iWork '09
  • iLife '09
  • Skitch
  • iStumbler
  • Netbeans
  • Navicat Lite
  • OmniGraffle
  • ...

On the hardware side, every UNIX Admin must be able to access an RS-232 serial console. This fact kept me away from Mac laptops for a long time. Which is why you need this:

The Keyspan Serial-USB Adapter. Buy one, download the Keyspan Assistant software and install Zterm. Good to go!

Finally let me point out 2 things which are already in Leopard that you may not be aware of:

First, with the OS on the Install disk is the Apple Xcode IDE. Along with Xcode is the koolest GUI for DTrace you'll ever see: Instruments Its really amazingly awesome and a must see.

Secondly, OS X includes native Kerberos support and a ticket management GUI which is sort of buried: /System/Library/CoreServices/Kerberos. If you use Kerberos at all drag that binary onto your doc for quick access. Several other hidden gems can be found in the same directory.

November 19, 2009 06:57 PM


Jan Pechanec
(janp)

RSA Keys by Reference (through the OpenSSL PKCS#11 Engine)

UPDATE 2009-11-19: I have generated the PKCS#11 patch for 0.9.8l.

I have just done my putback to the SFW gate for the "RSA Keys by Reference" project. It will be part of the Nevada build 129 and the next version of OpenSolaris. The CR was "6479874 OpenSSL should support RSA key by reference/hardware keystores". With this code, applications can access RSA keys stored in PKCS#11 tokens through the existing OpenSSL API functions ENGINE_load_private_key() and ENGINE_load_public_key(), without any need for the private keys to be loaded to memory. The code was based on alpha code I wrote more than 2 years ago, and which was quickly part of the PKCS#11 patch. The code was really alpha, more proof of concept that something usable in the production environment. It took me another couple of months to mold it into the current form that could be commited to the repository.

Part of the project was a specification of the PKCS#11 URI. Unfortunately I do not have many cycles right now for this blog entry so if you are interested or if you have any questions, please read slides I wrote for the project presentation I gave here at Sun to our team. It has enough details and a few examples. I'm sure I'll get back here with some multithreaded C code and possibly more information.

There is no patch available yet against the regular OpenSSL tarball distribution. I need some time to take care of other stuff I did not have time for recently because I have been finishing up this project. I'd like to generate it soon though.

November 19, 2009 06:43 PM


Alvaro Lopez Ortega
(alo)

Cherokee Web Server Introductory Screencast

We have recently uploaded our very first Cherokee Web Server introductory screencast. It's a 5 minutes video to introduce the Cherokee configuration interface:

We will record more videos in the upcoming weeks. Hopefully they will help us to show the World the cool features that Cherokee offers. Enjoy it!

November 19, 2009 01:09 PM


Simon Phipps
(webmink)

☞ Sometimes the Improbable is the Answer

November 19, 2009 12:45 PM


Jim Grisanzio
(jimgris)

OSDevCon Images

Here are some images from OSDevCon in Germany last week. I grabbed them off of advocacy-discuss from Wolfgang, Karim, and Nicolas. And I see Teresa was taping the event, so watch the OSDevCon site for video (presos already there). I am really bummed I couldn`t go this year. But I have been totally swamped (slightly overwhelmed, actually) and sick, and so the schedule just made it impossible. I am seriously cutting back this year. Need to get back to some sort of balance for my own sanity and health. Anyway, the conference looked very cool. I continue to be impressed with the OpenSolaris User Groups as they just go about the day-to-day business of building community.

Photos: here, here, here, here. osdevcon09 tag on Flickr here. If more crop up, I will update this post.

November 19, 2009 08:37 AM

November 18, 2009


Shawn Walker
(binarycrusader)

Enabling pkg(5) Availability

With the putback for the following issues in revision 1504:

9969 client support for multiple origins desired
11715 ImageConfig does not handle None for publisher correctly
11793 image-create example partially disagrees with the usage

...the client now supports multiple origins for publisher repositories.  The purpose of this change was to enable greater pkg (5) server availability and redundancy.

What is an origin?

An origin is simply a location of a package repository that contains package file, manifest, and catalog data; such as: http://pkg.opensolaris.org/dev.  The default mode for the pkg.depotd process is to run as an 'origin'.

A mirror, in contrast, only contains package file data and is currently provided by a pkg.depotd server running in --mirror mode.

What does this change mean?

This change means that redundancy can now more easily be built into package server infrastructure.  For example, you could have http://pkg1.example.com/, http://pkg2.example.com/, and http://pkg3.example.com/.

A client, once configured, would have pkg publisher output similar to the following:

PUBLISHER                TYPE   STATUS URI
example.com  (preferred) origin online http://pkg1.example.com/
example.com  (preferred) origin online http://pkg2.example.com/
example.com  (preferred) origin online http://pkg3.example.com/

During package operations, the client will automatically attempt to select and use the best repository origin if any data needs to be retrieved for that publisher.

In addition, ipkg branded zone creation and attach has been updated to use this additional origin and mirror information when configuring zones.

How do I use this?

For consistency, and to support this new client functionality, the image-create and set-publisher subcommands for pkg(1) have changed as follows:

image-create
 New Options:
  [-g|--origin ...] [-m|--mirror ...]

set-publisher
 New Options:
  [-g origin_to_add | --add-origin=origin_to_add ...]
  [-G origin_to_remove | --remove-origin=origin_to_remove ...]

 Deprecated Options:
  [-O uri]

So, as an example, to create a new, full image, with publisher example.com, that also has an additional mirror, two additional origins and that is stored at /aux0/example_root:

$ pkg image-create -F -p example.com=http://pkg.example.com:10000 \
  -g http://alternate1.example.com:10000/ \
  -g http://alternate2.example.com:10000/ \
  -m http://mirror.example.com:10000/ \
  /aux0/example_root

Alternatively, to add a new publisher or update an existing publisher with the above information:

$ pkg set-publisher \
  -g http://pkg.example.com:10000 \
  -g http://alternate1.example.com:10000/ \
  -g http://alternate2.example.com:10000/ \
  -m http://mirror.example.com:10000/ \
  example.com

Are there are any client compatibility concerns?

No.  Clients upgrading from older versions of the pkg client software to this version of the client software will not experience any issues.  In addition, some care has been taken to ensure older clients that understand the current image format are compatible with this new configuration, although they will be limited to using the first origin for a repository.

Do I need to update my scripts or client usage?

While the '-O' option has been deprecated for the set-publisher command and is no longer documented, it will continue to work exactly as it has in the past so no change is strictly necessary.  The command-line option compatibility for -O is currently planned to be maintained through the next major OpenSolaris release (2010.x), but will be dropped after that.

However, if you are using any scripts or programs that parse the output of the 'pkg publisher' command, and only expect a single origin to be listed for each publisher, they will need to be updated to account for this.

Comments or concerns should be sent to the pkg-discuss mailing list on opensolaris.org.

November 18, 2009 08:26 PM


Garrett D'Amore
(gdamore)

Bad sound in Virtual Box in recent builds

Its been pointed out to me that if you use Virtual Box and Solaris guests with recent builds (say newer than 124), that you might get a bad sound in the Solaris guest.

Turns out that the problem is that the Boomer stack has increased its timing accuracy to a higher limit, beyond what Virtual Box can provide.

We're going to fix this properly soon... but in the meantime, you can just edit /kernel/drv/audio810.conf and change the play-interrupts to 30 in the guest.

This is CR 6901849 in case anyone is tracking it closely.

November 18, 2009 08:07 PM


Simon Phipps
(webmink)

☞ Getting A Clue

November 18, 2009 01:56 PM


Marcelo Leal
(leal)

Futebol brasileiro tem que ter decisão!

Parece que sou minoria, mas realmente não gosto desta nova fórmula do campeonato brasileiro de pontos corridos. Acho uma cópia barata do modelo europeu, e como não podia ser diferente, está indo pelo mesmo caminho… Acontece que por lá, os países tem dois ou três times que concorrem ao título, passeando pelo país com seus times [...]


November 18, 2009 01:23 PM

November 17, 2009


Ben Rockwood
(benr)

Intel Capital Invests in Joyent

I'm really pleased to announce that Intel Capital has invested in Joyent.

This is a really exciting thing for us. This is the first time we've taken funding. We've really been proud of the fact that we haven't needed funding, but the benefits that come along with an investment from Intel are fantastic and just that relationship alone is exciting.

This is a big announcement not only for Joyent, but for OpenSolaris as well. We're thrilled that Intel supports not only what we're doing, but also how we're doing it. Combined with our recent expansion into China, we have a lot to be happy about.

November 17, 2009 10:08 PM


Ben Rockwood
(benr)

LISA BoF

My talk at LISA is now available. This is a 1 hour version of the ZFS in the Trenches talk. As always I hope that you find it informative and at least a little entertaining. Slides are here).

I also want to take this opportunity to say a heart felt thank you to Deirdré Straughan, Lynn Rohrer, and Teresa Giacomini.

Because of Deirdre countless people around the globe can participate and learn from important events. Not only does she spend a mind-boggling amount of time going to these events, but she has done a fantastic job producing very high quality content, and I think is setting the bar in community video presentation. We just don't get this kind of content from other top tier vendors and I really hope they take notice of her efforts and the benefit to Sun's current and prospective customer bases.

So please join me in extending your support and appreciation to Deirdre and everyone at Sun that makes these events accessible to the whole world!

November 17, 2009 09:54 PM


Peter Tribble
(ptribble)

Not so lucky any more?

The Google home page has seen some changes of late. One of these is the removal of the "I'm feeling lucky" button.

One of the things I've noticed over the past few months is that searching online has become dramatically worse. Google is increasingly failing to find useful results, and when it does find something it will rather present you with multiple instances of the same thing (the same news article syndicated to different sources, for example) rather than the more useful list of independent answers. Commonly I end up going to subsequent search pages, and often don't get to anything useful at all.

Is Google losing its touch? Has dumb search had its day? Perhaps the "feeling lucky" option was removed because it almost never works any more.

November 17, 2009 05:00 PM


Brendan Gregg
(brendang)

NFS Analytics example

I just tracked down a minor performance issue on my desktop in a couple of minutes, and thought it may make a good example to follow as it demonstrates using Analytics along with dtrace, truss, snoop and kstats - really the entire suite of perf tools I regularly use on Solaris.

I was downloading a file and happened to run the kstat based nicstat tool to watch network traffic. After the download finished, traffic continued:

    brendan@deimos:~> nicstat 1
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:30    nge0   10.81   13.13   35.77   37.69   309.4   356.6    0.02   0.00
20:53:30     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:31    nge0   28.17   21.71   89.51   91.50   322.2   243.0    0.04   0.00
20:53:31     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:32    nge0   26.18   19.71   84.15   85.14   318.6   237.0    0.04   0.00
20:53:32     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:33    nge0   26.89   19.93   80.18   85.13   343.4   239.7    0.04   0.00
20:53:33     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
    Time     Int   rKB/s   wKB/s   rPk/s   wPk/s    rAvs    wAvs   %Util    Sat
20:53:34    nge0   26.89   21.50   88.14   91.11   312.3   241.6    0.04   0.00
20:53:34     lo0    0.00    0.00    0.00    0.00    0.00    0.00    0.00   0.00
^C

It's not much, but my desktop should be idle, and yet there are regular network reads and writes. I'd like to know what that is.

Running snoop should give me a quick idea of the traffic over the wire:

    root@deimos:/> snoop -r | cut -c1-80
Using device nge0 (promiscuous mode)
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
192.168.1.109 -> 192.168.2.156 NFS C 4 (lookup valid) PUTFH FH=700C NVERIFY GETA
192.168.2.156 -> 192.168.1.109 NFS R 4 (lookup valid) NFS4ERR_SAME PUTFH NFS4_OK
[...]

That's not what I was expecting. I'm doing NFS traffic? The only NFS share I have mounted is my home directory, and I'm not doing any sustained I/O right now.

Fortunately my home directory server is a Sun Storage system, so I can examine the NFS traffic with Analytics from the server side:

I'll begin by drilling down by client, as I know my desktop is "deimos":

This shows I'm doing more NFS IOPS to the home directory server than anyone else.

Now to drill down further, by type of operation and by file:

".elinks"? elinks is a text based browser that I use - a modern version of lynx.

Here's a screenshot of elinks viewing osnews:

So why is elinks causing so much NFS traffic?

Right now I could aim DTrace at elinks to get a detailed view of what it is up to, but as I'm not worried about slowing the target in this case, I'll take a quick look with truss to start with (runs non-root by default, fewer keystrokes and inbuilt syscall translation):

    brendan@deimos:~> truss -fp `pgrep elinks`
295062: pollsys(0x08047AC0, 3, 0x08047B68, 0x00000000)  = 0 
295062: alarm(0)                                        = 0
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: time()                                          = 1258176283
295062: open64("/home/brendan/.elinks/formhist", O_RDONLY) Err#2 ENOENT
[...]

Ahh - elinks is repeatedly trying to read a non-existant file from my home directory, which is causing the NFS traffic.

To get an accurate read on the rate of these opens, I'll use dtrace to frequency count the filenames that were called with open() by elinks, printing a summary every second:

    root@deimos:/> dtrace -n 'syscall::open*:entry /execname == "elinks"/ {
        @[copyinstr(arg0)] = count(); } tick-1sec { printa(@); clear(@); }'
dtrace: description 'syscall::open*:entry ' matched 3 probes
CPU     ID                    FUNCTION:NAME
  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist                                   63

^C

It's 63 opens per second, all of the ".elinks/formhist" file.

DTrace can dig deeper, shedding light as to why elinks is reading that file. I can just add "ustack()" as a second key to the DTrace aggregation used to frequency count filenames, to include the entire user stack trace:

    root@deimos:/> dtrace -n 'syscall::open*:entry /execname == "elinks"/ {
        @[copyinstr(arg0), ustack()] = count(); } tick-1sec { printa(@); clear(@); }'
dtrace: description 'syscall::open*:entry ' matched 3 probes
CPU     ID                    FUNCTION:NAME
  1  87538                       :tick-1sec
  /home/brendan/.elinks/formhist
              libc.so.1`__open64+0x7
              libc.so.1`_endopen+0xb8
              libc.so.1`fopen64+0x29
              elinks`load_formhist_from_file+0x57
              elinks`get_form_history_value+0x39
              elinks`draw_forms+0xec
              elinks`draw_view_status+0x1a
              elinks`draw_doc+0x3fd
              elinks`refresh_view+0x1b
              elinks`draw_formatted+0x115
              elinks`tabwin_func+0xb4
              elinks`term_send_event+0x154
              elinks`redraw_terminal+0x36
              elinks`redraw_leds+0xb2
              elinks`check_timers+0x87
              elinks`select_loop+0x19a
              elinks`main+0x43
              elinks`_start+0x80
               63

I'm not familiar with the elinks source, so I'll read from the bottom of the stack trace up, looking for high level functions. It looks generic until I get to redraw_leds(). leds? LEDs? There is a pseudo-LED text display in the bottom right of the screen. It's calling redraw_terminal(), which is calling refresh_view(), and then into load_formhist_from_file() - causing the file open.

Doing file opens with the frequent update of the status LEDs sounds like a bug, and perhaps a known one. A minute with google found that this was known and fixed in the next version of elinks.

While I was watching, the home directory server for fishworks was serving most of its NFS IOPS for a bug in elinks on my desktop. Which I can eliminate by upgrading my elinks version. This is an example of the best type of performance win: eliminating unnecessary work.

November 17, 2009 04:00 PM


Steven Stallion
(sstallion)

Working from Home

November 17, 2009 03:46 PM


Tim Foster
(timf)

New zfs-auto-snapshot implementation on it's way

Niall wrote a post to the zfs-auto-snapshot alias announcing his new time-sliderd implementation of the ZFS Automatic Snapshot service.

I'm looking forward to this new implementation: I wrote the old ksh-based code back in 2006 and have been adding features & fixing bugs ever since. Over time, it's started creaking at the seams - there were a few issues with it that were tricky to deal with in it's existing implementation. I've long felt the desire to start again, but just couldn't give it the time it needed. Well, Niall's done just that - many thanks Niall!

I've got commentary on the thread on the auto snapshot mailing list and have also forwarded Niall's announcement to zfs-discuss. The old README on this blog has been updated, with a pointer to the original heads-up message.

So now I get to focus on my day-job again :-)

November 17, 2009 02:57 PM

November 16, 2009


Garrett D'Amore
(gdamore)

Jack of all trades, master of none

While I probably say this about other things (C++, perl), I think I've found something else it applies to -- the OpenSolaris Live CD.

The Live CD attempts to offer both a "Live Use" environment, and a "full" (for some value of full) installable copy of OpenSolaris.

The problem with this is that we have way, way too many things duplicated on the Live CD. For example, two copies of Mozilla, two copies of Evolution, and two copies of Thunderbird. (One copy each to run in the live environment, and one copy in packaged form for installation.)

This is crazy.

People who want to play around with an operating system don't need two different mailer packages. In fact, one could argue that if I'm going to use a Live environment, the CD is not going to be my method of choice. I'm going to want eithe a DVD, or (more likely) USB media where I can get faster performance and have more options. Trying to keep a live demonstration environment in the confines of a CD (or rather the space left on the CD after the installable portions), makes no sense at all. As a Live environment, I am going to want all the bells and whistles, and compilers too! (And -- perhaps most importantly -- office applications like Open Office, which don't fit in the CD right now.)

Conversely, there are those who just want to install the bits. The live media is just a vehicle to install from. Oh, there are potentially useful applications that can be present too, but they are always in support of installation. Having a web browser so that I can access my router's configuration, for example, or search for updated information about my hardware, is likely to be useful. But do I really need or want two different mailers? And klotski? PDA synchronization? Etc. This is crazy.

And its worse; because of the size of the Live "CD", we already have a situation where it does not fit on the CD. We have also sacrificed other things that, in my opinion, we should not have, in the name of "space". I'm a strong tcsh advocate, and its absence from the installation media is sorely felt, especially when installing to systems that don't have a Internet connectivity. I'm sure there are other similar things that could be the installation media if only there were space.

Well, there is space. Easily. We just need to be smarter about it.

Its time to separate the jobs into separate tasks.

  • Live Media. (Live DVD, and probably also USB.) Give up on trying to do it in 700MB for a CD though. This should be sized for a single DVD, and have all the goodies, including OpenOffice. It should continue to offer installable bits as well.
  • Install media. This should not have the Live environment, but have only those tools which are deemed supportive to installation. (Do include a web browser, but don't include games or a music player, for example.) It should fit easily within 700MB. I suspect that the installation media could even be merged into the AI media, to support a single disk that can do either network installation, or local CD-ROM based installation.

Eventually the 700MB limitation is going to be a problem even with a change like the above. I believe that we can go a lot longer with what we've got, if we don't try to force the jack-of-all-trades to fit into a shoebox, though.

November 16, 2009 10:33 PM


Peter Tribble
(ptribble)

So what is wrong with SVR4 packaging, really?

So, as might be predicted I suppose, some people wilfully disregarded the thrust of my argument, and turned it into a debate over specific packaging technologies.

OK, so that brings us to the question: what is so bad about SVR4 packaging, really?

I could go on for pages. One of the reasons I found OpenSolaris attractive was the prospect of being able to fix all the bad things with Installation and Packaging in Solaris. Let's takes some of the comments though:

old and clunky

Guilty as charged. Really, it is old. It is clunky. It's been neglected and unloved. It needs fixing. Those reasons alone aren't enough to dismiss it - the key question should be whether it can actually do the job.

missing lots of features

OK, so what features does dpkg have that SVR4 packaging doesn't? That's really the comparison - versus the dpkg or rpm commands.

enabler of dim-sum patching

Completely and utterly false. The problem with Solaris patching lies fairly and squarely in the domain of patching. This could trivially be solved without any changes to tools - either deliver whole packages, or simply institute a policy saying that you can't deliver changes to a package (or related set of packages) in independent patches. This is a process problem, not something inherent to the underlying package system.



Then there are more material objections:

no repository support

Actually, SVR4 packaging does have the ability to fetch and install packages from remote locations. (A crippling limitation of IPS is that it can't do anything else.) What's wrong with this picture is the lack of repositories - blastwave aside. Wouldn't it have been easier to simply make existing packages available on a web site, without having to retool everything?

lack of dependency resolution

As the success of dpkg/apt demonstrates, having your underlying packager do all the work is neither necessary nor desirable. What that does demonstrate is the requirement for more powerful tools above the base packager. Actually, separating the fancy interface from the tools doing the low-level work is probably a really good thing - it enables compatibility of the system over time even if the higher-level tools change, and it enables innovation by allowing independent components to be developed independently.

arbitrary scripting

Actually, one of the key weaknesses of SVR4 packaging is not that it supports scripting, but that the support it offers is pretty poor. there is no real support - there ought to be a strong scripting framework with a well-defined environment, and predefined functionality for common tasks. Oh, and trigger scripts would be nice. Banning scripting (yet allowing it to sneak in through the back door) fails to solve the problem, and encourages bad workarounds.

poor package names

The actual package names are pretty much immaterial. Assigning real significance to them would be false. What matters is that they're unique and follow a scheme. As a user, you might want to install "php" - all that means is that the software studies the package metadata and works out what packages to really install. Actually having a pcakge with that name isn't necessary, and probably not even desirable (it locks you into current names and prevents evolution).



So, beyond a recognition in the codebase that the 21st century has arrived, and the lack of an apt-get/synaptic style front-0end - all of which could fairly easily be remedied - what is really wrong with SVR4 packaging?

November 16, 2009 08:52 PM


OpenSolaris Observatory
(observatory)

Defects

As a user of OpenSolaris, one of the best ways you can contribute to the community is by taking the time to submit the bugs you find in the product. You may also find that you get better traction with OpenSolaris engineering than raising the same issue in the forums - bug counts are reviewed weekly, forum postings are not.

The OpenSolaris project uses Bugzilla as its tracking system and its home page is at http://defect.opensolaris.org. Note, it uses a separate registration database then opensolaris.org, so you'll have to create a new account.

Before filing a bug you should first search to see if it's already being tracked. If so, feel free to add additional information or just CC yourself on the bug to keep informed of its progress. For example, I've CC'd myself on over 140 bugs.

The advanced search form is very powerful, which also makes it somewhat daunting. I mostly use the simple text based search form on the home page. Here are some basic tips I've found helpful for getting the most out of the simple text search:

  • By default, only open bugs are returned. Since the problem you are looking for might very well have already been fixed in a development build, prefix your search with ALL, for example, ALL mouse wheel.
  • Don't worry about case - table, Table and TABLE are all the same.
  • Substrings are searched - so use localiz instead of localize or localization, which will find both occurrences of the word.
  • Use quotes to search for exact words or phrases

See the Bugzilla QuickSearch page for more tips.

You'll notice at the bottom of the search results there's an option to "Remember search as":


This is very handy, especially if you've taken the time to cobble together an advanced search. Saved searches are then set up as links in the page footer. In the image above you can see I currently have 2 saved searches: "My Bugs" and "My CC'd Bugs".

Once you're reasonably sure the bug you've found hasn't been filed yet, click the File a Bug button on the home page. You'll be prompted to select a classification, for which you want to choose Distribution.


This will take you to the Enter Bug form:

Select the Component that is most closely related to your problem. As you select the components you'll see their description in the text box to the right. If you are still unsure, you can look at similar bugs you found during your search. Don't worry if it's mis-classified - it will get corrected.

After selecting the Version of OpenSolaris you are using, select the Severity. Although all bugs may feel like mission critical blockers to you, please try to be realistic with this setting:

Blocker Blocks development and/or testing work
Critical crashes, loss of data, severe memory leak
Major major loss of function
Normal regular issue, some loss of functionality under specific circumstances
Minor minor loss of function, or other problem where easy workaround is present
Trivial cosmetic problem like misspelled words or misaligned text
Enhancement Request for enhancement

Note the Enhancement value. I use this one a lot to request features I'd like to see in the product.

The two most important fields are the Summary and the Description. A good summary will quickly and uniquely identify the bug. Provide as much detail in the description as you can, ideally providing the exact steps on how to reproduce the bug and any possible work-arounds you may have discovered (documented work-arounds are one of the great benefits of searching through the bug database). Finally, don't clutter the Description field with large amounts of output or log text. Rather, use the attachment button to attach the text or log. Likewise, if you can take a snapshot of the problem, attach that as well (there's a screen shot tool in Applications > Graphics > Save Screenshot).

See the Bug Writing Guidelines for more information.

When satisfied, press Commit to submit your bug. And thank you, you've just made a valuable contribution to OpenSolaris.

November 16, 2009 05:48 PM

November 15, 2009


Garrett D'Amore
(gdamore)

sar graphical output - do you use sag?

In the process of trying to "clean house", one of the hiccups we've run into is "sag", which is used to generate graphical output from "sar" data. (If you don't use "sar" or "sag", you can stop reading now.)

sag generates Tek 4014 mode output, which can (through some contortions) be viewed either in xterm, or converted (using "posttek") to PostScript. The results are actually fairly unpleasant to work with, and rather ugly, as the results are generated through some rather ugly abuse of "graph" and "plot".

I'd like to eliminate sag altogether, because I believe far superior alternatives exist. One example is kSar, which is a Java application which generates a variety of graphs and has both interactive and scripted operation. (It can also process sar output from the Sysstat package used on Linux, or AIX which is a plus.) It can generate output in a variety of useful formats as well, making it useful in generation of web-based reports, etc.

If you use sag, and would be impacted by its absence, I would really like to know. I am operating on the belief that there are very few, if any, of you out there -- tell me otherwise if this case, please!

Specifically, are you using sag in programs or scripts? What does sag offer for you that kSar lacks? (Or would the transition to kSar otherwise be painful for some reason?)

Note that for the purposes of this discussion we can assume that I'd be making kSar available as an IPS package via the SFW consolidation, and that it can process sar data from any version of Solaris going all the way back to at least Solaris 2.6 (and likely all the way back to Solaris 2.0 or 2.1.)

November 15, 2009 11:44 AM