Planet OpenSolaris

Dave Miner: OpenSolaris Power User Tutorial at OSCON

Thu, 02 Jul 2009 18:04:13 +0000

I really should have posted this quite some time ago, but between getting the OpenSolaris 2009.06 release out, speaking at CommunityOne, speaking at the OpenSolaris user group in New York, and trying to sleep once in a while, it's been a little tough to keep up. Anyway, Nick and I are giving a three-hour OpenSolaris tutorial at OSCON 2009 on July 21. Looking at the content draft, we've probably got more like five hours of material, but we'll figure out how to cram most of it in. Even if you've read OpenSolaris Bible you're likely to learn a lot, as a fair amount of the material is on technology that's not covered in the book, such as Crossbow and the Automated Installer. I'm also expecting to spend some time wandering around at the conference, so hope to see you there!

Glenn Brunette: NEW: OpenSolaris Immutable Service Containers

Wed, 01 Jul 2009 22:06:25 +0000

While the need for security and integrity is well-recognized, it is less often well-implemented. Security assessments and industry reports regularly show how sporadic and inconsistent security configurations become for organizations both large and small. Published recommended security practices and settings remain unused in many environments and existing, once secured, deployments suffer from atrophy due to neglect.

Why is this? There is no one answer. Some organizations are simply unaware of the security recommendations, tools, and techniques available to them. Others lack the necessary skill and experience to implement the guidance and maintain secured configurations. It is not uncommon for these organizations to feel overwhelmed by the sheer number of recommendations, settings and options. Still others may feel that security is not an issue in their environment. The list goes on and on, yet the need for security and integrity has never been more important.

Interestingly, the evolution and convergence of technology is cultivating new ideas and solutions to help organizations better protect their services and data. One such idea is being demonstrated by the Immutable Service Container (ISC) project. Immutable Service Containers are an architectural deployment pattern used to describe a platform for highly secure service delivery. Building upon concepts and functionality enabled by operating systems, hypervisors, virtualization, and networking, ISCs provide a secured container into which a service or set of services is deployed. Each ISC embodies at its core the key principles inherent in the Sun Systemic Security framework including: self-preservation, defense in depth, least privilege, compartmentalization and proportionality. Further, ISC design borrows from Cloud Computing principles such as service abstraction, micro-virtualization, automation, and "fail in place".

By designing service delivery platforms using the Immutable Service Containers mode, a number of significant security benefits:

For application owners:
- ISCs help to protect applications and services from tampering
- ISCs provide a consistent set of security interfaces and resources for applications and services to use

For system administrators:
- ISCs isolate services from one another to avoid contamination
- ISCs separate service delivery from security enforcement/monitoring
- ISCs can be (mostly) pre-configured by security experts

For IT managers:
- ISCs creation can be automated, pre-integrating security functionality making them faster and easier to build and deploy
- ISCs leverage industry accepted security practices making them easier to audit and support

It is expected that Immutable Service Containers will form the most basic architectural building block for more complex, highly dynamic and autonomic architectures. The goal of the ISC project is to more fully describe the architecture and attributes of ISCs, their inherent benefits, their construction as well as to document practical examples using various software applications.

While the notion of ISCs is not based upon any one product or technology, an instantiation has been recently developed using OpenSolaris 2009.06. This instantiation offers a pre-integrated configuration leveraging OpenSolaris security recommended practices and settings. With ISCs, you are not starting from a blank slate, but rather you can now build upon the security expertise of others. Let's look at the OpenSolaris-based ISC more closely.

In an ISC configuration, the global zone is treated as a system controller and exposed services are deployed (only) into their own non-global zones. From a networking perspective, however, the entire environment is viewed as a single entity (one IP address) where the global zone acts as a security monitoring and arbitration point for all of the services running in non-global zones.

As a foundation, this highly optimized environment is pre-configured with:

non-executable stack
encrypted swap space (w/ephemeral key)
encrypted scratch space (w/ephemeral key)
security hardened operating system (global and non-global zones)

Further, the default OpenSolaris ISC uses:

Non-Global Zone. Exposed services are deployed in a non-global zone. There they can take advantage of the core security benefits enabled by OpenSolaris non-global zones such as restricted access to the kernel, memory, devices, etc. For more information on non-global zone security capabilities, see the Sun BluePrint titled "Understanding the Security Capabilities of Solaris Zones Software". Using a fresh ISC, you can simply install your service into the provided non -global zone as you normally would.
Further in the ISC model, each non-global zone has its own encrypted scratch space (w/its own ephemeral key), its own persistent storage location, as well as a pre-configured auditing and networking configuration that matches that of the global zone. You do not need to use the encrypted scratch space or persistent storage, but it is there if you want to take advantage of it. Obviously, additional resource controls (CPU, memory, etc.) can be added as necessary. These are not pre-configured due to the variability of service payloads.

Solaris Auditing. A default audit policy is implemented in the global zone and all non-global zones that tracks login and logout events, administrative events as well as all commands (and command line arguments) executed on the system. The audit configuration and audit trail are kept in the global zone where they cannot be accessed by any of the non-global zones. The audit trail is also pre-configure d to be delivered by SYSLOG (by default this information is captured in /var/log/auditlog).

Private Virtual Network. A private virtual network is configured by default for all of the non-global zones. This network isolates each non-global zone to its own virtual NIC. By default, the global and non-global zones can freely initiate external communications, although this can be restricted if needed. A non-global zone is not permitted to accept connections, by default. Non-global zone service s can be exposed through the global zone IP address by adjusting the IP Filter and IP NAT policies (below).

Solaris IP NAT. Each non-global zone is pre-configured to have a private address assigned to its virtual NIC. To allow the non -global zone to communicate with external systems and networks, an IP NAT policy is implemented. Outgoing connections are masked using the IP address of the global zone. Incoming connections are redirected based upon the port used to communicate. Beyond simple hardening of the non-global zone (a state which can be altered from within the non-global zone itself), this mechanism ensures that the global zone can control which services are exposed by the non-global zone and on which ports.

Solaris IP Filter. A default packet filtering policy is implemented in the global zone allowing only DHCP (for the exposed network interface) and SSH (to the global zone). Additional rules are available (but disabled) to allow access to non-global zones on an as-needed basis. Further, rules are implemented to deny external access to any non-global zone that has changed its pre-assigned (private) IP address. Packet filtering is pre-configured to log packets to SYSLOG (by default this information is captured in /var/log/ipflog).

So what does all of this really mean? Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service. This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs. While you may not be able to stop every form of attack, having reliable audit trails can significantly help to determine the extent of the breach and facilitate recovery.

The following diagram puts all of the pieces together:

Additional private virtual networking models are also being considered. All in all, the ISC model offers a very compelling deployment model. The accessiblity and attractiveness of this model is further enhanced by the availability of an ISC construction kit that allows you to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command. Sound interesting? Give it a try, come join the project and be sure to send along your feedback !

Ghee Teo: Desktop Summit - Here I come!

Wed, 01 Jul 2009 21:44:38 +0000

Desktop Summit which is made up of GUADEC and AKademy will be held this year in the Gran Canaria from 3rd-11th July. This is by far the biggest events on its nature, FOSS and totally Desktop oriented.

I will be arriving on the 2nd July evening with the whole bunch from the Desktop group in Sun. Now that some of the people, Alberto, Luis are native Canarians. I am looking forwards to their local hospitality Also we meet up hackers old and new.

Many of the exciting talks including GNOME Shell, GNOME 3.0, Mobile Development are so exciting topics that I look forward to hear and see! I will be there until 9th July.

OpenSolaris Observatory: Zones

Wed, 01 Jul 2009 18:49:45 +0000

The installation of a zone in OpenSolaris is a bit different than in Solaris 10 (or SXCE) and it's due to IPS, which is unique to OpenSolaris. When you create a zone in Solaris 10, you get a native zone, which is very lightweight because it shares much of its system software with the base Solaris 10 installation. However, native zones presume you are using the SVR4 packing system (as opposed to IPS). Therefore, OpenSolaris uses a branded zone called ipkg.

The ipkg branded zone doesn't share any of its system information with base OpenSolaris installation. As a matter of fact, when installed, it's not even copied from the base installation, but rather downloaded from an IPS repository. Obviously this makes working with zones in OpenSolaris a bit more restrictive (it took about 10 minutes to download and install on my machine). Supposedly, work is underway to add IPS support to native zones. But until that happens, here's my guide to working with zones in OpenSolaris.

Setting up a zone involves 4 steps: create, install, boot and configure.

Step 1: Create the Zone

If you're not interested in zones, you should at least be aware that you're already running in one - the global zone:

bleonard@opensolaris:~$ zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared

Zones must be installed within a ZFS file system, otherwise the zone install command will generate the error "no zonepath dataset" (see defect 8468 for details). You can either use an existing ZFS file system, such as /export/home or create a new one, as I chose to do here:

pfexec zfs create -o mountpoint=/zones rpool/zones

Before we actually create the zone, let's pre-determine some information that will be required. I'm going to set the zone name to myzone. The zone needs a network interface, which can match that of the global zone. This is easiest to figure out by hovering over the connection properties icon in the top panel and noting the Network Connection:

In my case it's e1000g0.

Since we'll be using a shared IP stack with the global zone, the non-global zone is not at liberty to select its own IP address (or use DHCP). I may talk about exclusive IP stacks in another entry, but for now we need to choose a free IP address on the subnet (I'm running OpenSolaris in VirtualBox, which provides it's own subnet). I'll be using 10.0.2.25.

Once you have that information collected, you can begin to create the zone:

bleonard@opensolaris:~$ pfexec zonecfg -z myzone
myzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:myzone> create
zonecfg:myzone> set zonepath=/zones/myzone
zonecfg:myzone> add net 
zonecfg:myzone:net> set physical=e1000g0
zonecfg:myzone:net> set address=10.0.2.25
zonecfg:myzone:net> end
zonecfg:myzone> exit

To see your zone's current configuration, run:

bleonard@opensolaris:~$ zonecfg -z myzone info
zonename: myzone
zonepath: /zones/myzone
brand: ipkg
autoboot: false
bootargs: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: shared
net:
	address: 10.0.2.25
	physical: e1000g0
	defrouter not specified

List the zones again, using the -c option to show all zones (not just those installed):

bleonard@opensolaris:~$ zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - myzone           configured /zones/myzone                  ipkg     shared

Notice the brand is ipkg.

Step 2: Install the Zone

Now that the zone's configured, let's install it. Zone installation on OpenSolaris is a much different experience than on Solaris 10, as the zone must be downloaded from the package repository rather then simply copied from the global zone:

bleonard@opensolaris:~$ pfexec zoneadm -z myzone install
A ZFS file system has been created for this zone.
  Authority: Using http://pkg.opensolaris.org/release/.
      Image: Preparing at /zones/myzone/root ... done.
 Installing: (output follows)
DOWNLOAD                                    PKGS       FILES     XFER (MB)
Completed                                  52/52   7862/7862   72.41/72.41 

PHASE                                        ACTIONS
Install Phase                            12939/12939 
PHASE                                          ITEMS
Reading Existing Index                           9/9 
Indexing Packages                              52/52 

       Note: Man pages can be obtained by installing SUNWman
Postinstall: Copying SMF seed repository ... done.
Postinstall: Working around http://defect.opensolaris.org/bz/show_bug.cgi?id=741
       Done: Installation completed in 595.162 seconds.

 Next Steps: Boot the zone, then log into the zone console
             (zlogin -C) to complete the configuration process

We can verify the installation via it's status:

 bleonard@opensolaris:~$ zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - myzone           installed  /zones/myzone                  ipkg     shared

Steps 3 & 4: Boot and Configure

The next steps are to boot and configure the zone. When the zone boots for the first time, sysidtool is going to run to configure the system. We will boot the zone using two terminal windows: one to boot the system and the other to configure it. Note, it is possible to automate these system configuration steps, which I'll cover in a future blog.

Log into the zone and wait for it to boot:

bleonard@opensolaris:~$ pfexec zlogin -C myzone
[Connected to zone 'myzone' console]

Open a 2nd terminal window and boot the zone. If you see the warning like I did, don't worry about it, I address this at the end of the entry.

bleonard@opensolaris:~$ pfexec zoneadm -z myzone boot
zone 'myzone': WARNING: e1000g0:1: no matching subnet found in netmasks(4) for 10.0.2.25; using default of 255.0.0.0.

Then back in the 1st terminal, proceed with system configuration:

[NOTICE: Zone booting up]


SunOS Release 5.11 Version snv_101b 32-bit
Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: myzone
Loading smf(5) service descriptions: 68/68
Reading ZFS config: done.
Mounting ZFS filesystems: (5/5)
 
What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT100
 3) PC Console
 4) Sun Command Tool
 5) Sun Workstation
 6) X Terminal Emulator (xterms)
 7) Other
Type the number of your choice and press Return: 6 
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: e1000g0.

Give the zone a host name (or select the default):

─ Host Name for e1000g0:1 ─────────────────────────────────────────────────────

  Enter the host name which identifies this system on the network.  The name
  must be unique within your domain; creating a duplicate host name will cause
  problems on the network after you install Solaris.

  A host name must have at least one character; it can contain letters,
  digits, and minus signs (-).


    Host name for e1000g0:1 myzone                          











────────────────────────────────────────────────────────────────────────────────
    F2_Continue    F6_Help

Note, for some reason the "Continue" command switches from F2, as in the screen shot above, to Esc+2, as seen in the following screens.

Confirm the host name:

─ Confirm Information for e1000g0:1 ────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Host name: myzone















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Configure the security policy:

─ Configure Security Policy: ───────────────────────────────────────────────────

  Specify Yes if the system will use the Kerberos security mechanism.

  Specify No if this system will use standard UNIX security.

      Configure Kerberos Security
      ───────────────────────────
      [ ] Yes
      [X] No












────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm the security policy:

 ─ Confirm Information ──────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Configure Kerberos Security: No















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Set the name service. I will be using DNS:

─ Name Service ─────────────────────────────────────────────────────────────────

  On this screen you must provide name service information.  Select the name
  service that will be used by this system, or None if your system will either
  not use a name service at all, or if it will use a name service not listed
  here.

  > To make a selection, use the arrow keys to highlight the option
    and press Return to mark it [X].


      Name service
      ────────────
      [ ] NIS+
      [ ] NIS
      [X] DNS
      [ ] LDAP
      [ ] None




────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

If you also selected DNS, set the domain name, DNS severs and search domains. I'm using the same settings as my global zone, which you can find in /etc/resolve.conf:

bleonard@opensolaris:~$ cat /etc/resolv.conf 
domain hsd1.ct.comcast.net.
nameserver 10.0.2.3

Set the domain name:

─ Domain Name ──────────────────────────────────────────────────────────────

  On this screen you must specify the domain where this system resides.  Make
  sure you enter the name correctly including capitalization and punctuation.


    Domain name: hsd1.ct.comcast.net             















────────────────────────────────────────────────────────────────────────────────

    Esc-2_Continue    Esc-6_Help

Add the DNS Server Addresses:

─ DNS Server Addresses ─────────────────────────────────────────────────────────

  On this screen you must enter the IP address of your DNS server(s).  You
  must enter at least one address.  IP addresses must contain four sets of
  numbers separated by periods (for example 129.200.9.1).



    Server's IP address: 10.0.2.3        
    Server's IP address:
    Server's IP address:











───────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

And any search domains:

─ DNS Search List ──────────────────────────────────────────────────────────────

  On this screen you can enter a list of domains that will be searched when a
  DNS query is made.  If you do not enter any domains, DNS will only search
  the DNS domain chosen for this system.  The domains entered, when
  concatenated, may not be longer than 250 characters.



    Search domain:                                 
    Search domain:
    Search domain:
    Search domain:
    Search domain:
    Search domain:







────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm the network information:

─ Confirm Information ──────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


          Name service: DNS
           Domain name: hsd1.ct.comcast.net
    Server address(es): 10.0.2.3













────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Ignore the Name Service Error (i.e., do not enter new name service information):

─ Name Service Error ───────────────────────────────────────────────────────────

  Unable to find an address entry for myzone with the specified DNS
  configuration.


      Enter new name service information?
      ───────────────────────────────────
      [ ] Yes
      [X] No












────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

NFSv4 Domain Name:

─ NFSv4 Domain Name ────────────────────────────────────────────────────────────

  NFS version 4 uses a domain name that is automatically derived from the
  system's naming services. The derived domain name is sufficient for most
  configurations. In a few cases, mounts that cross domain boundaries might
  cause files to appear to be owned by "nobody" due to the lack of a common
  domain name.

  The current NFSv4 default domain is: "hsd1.ct.comcast.net"


      NFSv4 Domain Configuration
      ──────────────────────────────────────────────
      [X] Use the NFSv4 domain derived by the system
      [ ] Specify a different NFSv4 domain







────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm:

─ Confirm Information for NFSv4 Domain ─────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.



    NFSv4 Domain Name:  << Value to be derived dynamically >>















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Select your time zone:

─ Time Zone ────────────────────────────────────────────────────────────────────

  On this screen you must specify your default time zone.  You can specify a
  time zone in three ways:  select one of the continents or oceans from the
  list, select other - offset from GMT, or other - specify time zone file.

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Continents and Oceans
      ──────────────────────────────────
  -   [ ] Africa
  │   [X] Americas
  │   [ ] Antarctica
  │   [ ] Arctic Ocean
  │   [ ] Asia
  │   [ ] Atlantic Ocean
  │   [ ] Australia
  │   [ ] Europe
  v   [ ] Indian Ocean

──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Country:

─ Country or Region ────────────────────────────────────────────────────────────

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Countries and Regions
      ───────────────────────────
  -   [X] United States
  │   [ ] Anguilla
  │   [ ] Antigua & Barbuda
  │   [ ] Argentina
  │   [ ] Aruba
  │   [ ] Bahamas
  │   [ ] Barbados
  │   [ ] Belize
  │   [ ] Bolivia
  │   [ ] Brazil
  │   [ ] Canada
  │   [ ] Cayman Islands
  v   [ ] Chile

──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Time Zone:

─ Time Zone ───────────────────────────────────────────────────────────────────

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Time zones
      ──────────────────────────────────────────────────────────────────────────
  -   [X] Eastern Time
  │   [ ] Eastern Time - Michigan - most locations
  │   [ ] Eastern Time - Kentucky - Louisville area
  │   [ ] Eastern Time - Kentucky - Wayne County
  │   [ ] Eastern Time - Indiana - most locations
  │   [ ] Eastern Time - Indiana - Daviess, Dubois, Knox & Martin Counties
  │   [ ] Eastern Time - Indiana - Starke County
  │   [ ] Eastern Time - Indiana - Pulaski County
  │   [ ] Eastern Time - Indiana - Crawford County
  │   [ ] Eastern Time - Indiana - Switzerland County
  │   [ ] Central Time
  │   [ ] Central Time - Indiana - Perry County
  v   [ ] Central Time - Indiana - Pike County

────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm Time Zone:

─ Confirm Information ─────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Time zone: Eastern Time
               (US/Eastern)














──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

And finally, set the root password:

─ Root Password ────────────────────────────────────────────────────────────────

  Please enter the root password for this system.

  The root password may contain alphanumeric and special characters.  For
  security, the password will not be displayed on the screen as you type it.

  > If you do not want a root password, leave both entries blank.


    Root password:  *********
    Root password:  *********       










────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Zone configuration is complete. You can now log into the zone:

System identification is completed.

myzone console login: root
Password: 
Apr  1 21:48:04 myzone login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.11      snv_101b        November 2008
root@myzone:~#

From the other terminal, the zone's status now shows as running:

bleonard@opensolaris:~$ zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   1 myzone           running    /zones/myzone                  ipkg     shared

Working with the Zone

To drop off the zone console, exit the shell prompt and then type ~. at the console login prompt:

root@myzone:~# exit
logout

myzone console login: ~.
[Connection to zone 'myzone' console closed]
bleonard@opensolaris:~$

The zone is still running. Log in again:

bleonard@opensolaris:~$ pfexec zlogin -C myzone
[Connected to zone 'myzone' console]

Hit return to get the login prompt:

myzone console login: root
Password: 
Last login: Wed Apr  1 22:00:12 on console
Sun Microsystems Inc.   SunOS 5.11      snv_101b        November 2008
root@myzone:~#

The zone can be shutdown, halted or rebooted from within the zone (here's a reboot example):

root@myzone:~# reboot
Apr  2 01:18:50 myzone reboot: initiated by root on /dev/console

[NOTICE: Zone rebooting]


SunOS Release 5.11 Version snv_101b 32-bit
Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: myzone
Reading ZFS config: done.
Mounting ZFS filesystems: (5/5)

myzone console login:

Or from the global zone:

pfexec zoneadm -z myzone reboot

Now that we have a zone, there's plenty of opportunity to experiment...

Deleteing the Zone

pfexec zoneadm -z myzone uninstall

pfexec zonecfg -z myzone delete -F

Fixing the netmask Warnings

If you're getting the netmask warning as I did when the zone boots:

zone 'myzone': WARNING: e1000g0:1: no matching subnet found in netmasks(4) for 10.0.2.25;⁞ using default of 255.0.0.0.

You can eliminate it by adding the zone's IP subnet into /etc/inet/netmasks. However, before we can edit the netmasks file, we need to make it writable:

pfexec chmod u+w /etc/inet/netmasks

Then add the proper subnet for you network. For example:

10.0.2.0 255.255.255.0

Now the zone will boot cleanly. For more information see netmasks Warning Displayed When Booting Zone.

OpenSolaris Observatory: Codeina

Wed, 01 Jul 2009 17:07:22 +0000

Codeina's a nifty little feature of OpenSolaris 2009.06. It's an application from Fluendo that points applications such as Totem or Rhythmbox to Fluendo's web shop if you are missing the codec for the file you are trying to play. In the case of MP3s, the codec is free. For other audio and video formats, you'll have to pay a small license fee.

For example, when I attempt to play an MP3 in Totem, I'm presented with the following:

Clicking Install launches the Codeina Web Shop application where I can register to "buy" the free MP3 decoder:

And then Install the decoder:

Which will quickly complete:

After which my song will automatically start playing.

Note, if Codeina isn't working for you, you may be running into issue Codeina fails to start. The quick fix for this is to remove the Fluendo configuration file and try again.

rm ~/.local/share/codeina/providers/fluendo.xml

OpenSolaris Observatory: Just enough Web Space Server

Wed, 01 Jul 2009 14:17:48 +0000

I was poking around with the Just enough Operation System (JeOS) delivery form of OpenSolaris, when I found the Web Space Server project built on top of that platform. The Web Space Server project is based on the Liferay Portal and it has been packaged up nicely into a variety of virtual machines for both VirtualBox and VMware.

For this example I grabbed the OVF (Open Virtualization Format) which is designed for packaging up such appliances and was a snap to import into VirtualBox (File > Import Appliance):

When the import is complete, go ahead and start the WebSpaceServer. As this is a "just enough" distribution of OpenSolaris, there is no GUI. When the machine boots up, it will give you the HTTP address of the server, which in my case is 10.0.1.14:

Note, the machine takes anywhere from 5-10 minutes to complete service startup. To monitor its progress, you can log in using template / template.

One thing you probably want to do right off bat is enable ssh so you can log into the server remotely:

svcadm enable ssh

Then, from another host:

bleonard@opensolaris:~$ ssh template@10.0.1.14
The authenticity of host '10.0.1.14 (10.0.1.14)' can't be established.
RSA key fingerprint is 7c:6d:df:62:e2:ec:1f:a5:d7:2a:5f:3f:72:9a:ac:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.14' (RSA) to the list of known hosts.
Password: 
Last login: Tue Jun 30 03:55:15 2009

Welcome to a Sun GlassFish Web Space Server and OpenSolaris virtual 
machine image.

Use of this virtual machine image is subject to the license terms found 
in /etc/notices.

template@webspace:~$

You need to wait for the GlassFish server to finish starting up. You can check the domain2 SMF service:

template@webspace:~$ svcs -l domain2
fmri         svc:/application/SUNWappserver/domain2:default
name         Appserver Domain Administration Server
enabled      true
state        offline
next_state   online
state_time   Tue Jun 30 04:35:59 2009
logfile      /var/svc/log/application-SUNWappserver-domain2:default.log
restarter    svc:/system/svc/restarter:default
contract_id  46 
dependency   require_all/none svc:/milestone/network:default (online)
dependency   require_all/none svc:/system/filesystem/local:default (online)

Here you can see its current state is offline, but it's transitioning to online. You can tail the server log file to track its progress:

tail -f /opt/webspace/glassfish2/domains/domain2/logs/server

Ultimately, you'll see a line like the following:

[#|2009-06-30T11:44:37.899+0000|INFO|sun-appserver2.1|javax.enterprise.system.core|_ThreadID=10;_ThreadName=main;|Application server startup complete.|#

Once that is complete, you can then browse to the server. It has a professional home page with links to try the Web Space Server and a Quick Start Tour. Webmin is also included for managing MySQL and OpenSolaris.

When you first try the Web Space Server, be patient as it configures itself to run for the first time. Eventually, the Welcome page will appear:

Resources

Marcelo Leal: FMA Messages WIKI way…

Tue, 30 Jun 2009 23:48:26 +0000

Almost perfect!! Wow, that was a really, really nice surprise! I do like all the new stuff from Solaris 10/OpenSolaris, and i say that in every opportunity, like now. I did write some posts about FMA, like this one… but one problem about the fmdump messages IMHO, was the fact that the messages on console were [...]

Jim Grisanzio: 1 Minute at CommunityOne

Tue, 30 Jun 2009 13:10:48 +0000

Ashwin Bhat and Angad Singh asked me for one minute of my time outside the keynote hall at CommunityOne a few weeks ago. Hey, what's a minute, right? Happy to. But this minute was to be digitally recorded. Uha. Video. I generally shy away from such things because I`m shy about being interviewed. But these are really good guys and they`ve done great work as Campus Ambassadors in India, so I felt safe in front of their camera (though I`d clearly much rather be behind the camera). It wasn't too bad, though. But the 1 minute ran for 2 minutes and 21 seconds! Anyway. Thanks, guys. Great fun. Hope to get back to India sometime soon.

OpenSolaris Observatory: Fun with Crossbow

Tue, 30 Jun 2009 01:02:45 +0000

The Crossbow project is probably the most exciting new feature in OpenSolaris 2009.06. It a nutshell, project Crossbow brings virtualization to the networking layer. In this quick example I'm going to create a virtual network interface card (VNIC) and dynamically alter it's maximum bandwidth as traffic is flowing over it.

The VNIC must be linked to an actual network interface device. To see the existing devices on the system:

bleonard@opensolaris:~$ dladm show-phys
LINK         MEDIA                STATE      SPEED  DUPLEX    DEVICE
e1000g0      Ethernet             up         1000   full      e1000g0
iwh0         WiFi                 down       0      unknown   iwh0
vboxnet0     Ethernet             unknown    0      unknown   vboxnet0

The current device in use is e1000g0, so I'll create my VNIC over that device:

pfexec dladm create-vnic -l e1000g0 vnic0

View the new VNIC:

bleonard@opensolaris:~$ dladm show-vnic
LINK         OVER         SPEED  MACADDRESS           MACADDRTYPE         VID
vnic0        e1000g0      1000   2:8:20:e2:77:62      random              0

Note its speed matches that of the physical link. Let's reduce this from 1000 megabits/second to 2 megabits/second:

pfexec dladm set-linkprop -p maxbw=2 vnic0

Before the VNIC can be used, it must be plumbed:

pfexec ifconfig vnic0 plumb

And assigned an IP address. If you're using DHCP, the following will work:

pfexec ifconfig vnic0 dhcp start

Now you can see vnic0 using ifconfig:

bleonard@opensolaris:~$ ifconfig vnic0
vnic0: flags=1104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4> mtu 1500 index 7
	inet 10.0.1.16 netmask ffffff00 broadcast 10.0.1.255

The VNIC has been assigned IP address 10.0.1.16 and is now ready for use. To test it out, we'll copy a large file from one host to another, over the VNIC. To test this on a single machine, use a virtual machine configured with bridged networking or a zone. From the other host:

bleonard@os200906:~$ mkfile 100M big-file
bleonard@os200906:~$ scp big-file bleonard@10.0.1.16:bile-file
The authenticity of host '10.0.1.16 (10.0.1.16)' can't be established.
RSA key fingerprint is f7:1d:2c:d7:24:e3:1c:57:53:0f:59:75:31:4a:0f:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.1.16' (RSA) to the list of known hosts.
Password: 
big-file               0% |                             |   128 KB    13:22 ETA

Notice it's estimated to take over 13 minutes to copy this file. While the file is being copied, back on the host machine, change the maxbw property to 1000 megabits / second:

pfexec dladm set-linkprop -p maxbw=1000 vnic0

Immedially you'll notice the copy operation speed up and quickly complete:

big-file             100% |*****************************|   100 MB    00:37

Very cool!

Jim Grisanzio: Japan OpenSolaris Community Meeting 062709

Mon, 29 Jun 2009 14:44:37 +0000

The Japan OpenSolaris Community together on Saturday. Nice day (and night). About 60 people came by for the three sessions, two of which were in Japanese and the third in English. Then all three groups came together for a nomikai. I think the model works well to start integrating the Japanese and international OpenSolaris communities.

I used a new lens for this event. My f/1.4 lens is getting fixed, so I borrowed Jon`s 50mm f/1.2, which is one scary smart lens. It`s a tad expensive, too, so I was more than a little nervous shooting with it. Anyway, at f/1.2 the focus is just razor thin. Focus on someone`s glasses and their entire face is out. I messed up a few images that way, but by the end of the night I was getting used to it. Amazing piece of glass. By the way, you can see Jon`s stuff here. He`s one of the best photographers around.

Japan OpenSolaris Community: http://blogs.sun.com/jimgris/tags/jposug
Michael Sullivan presentation on OpenSolaris & Storage: OSol + ZFS = NAS

Simon Phipps: links for 2009-06-29

Mon, 29 Jun 2009 14:30:40 +0000

The Six Dumbest Ideas in Computer Security

Deliciously direct and deep paper looks at the assumptions behind our security thinking and confronts them head-on. Still relevant after 4 years, which is good going for anything geeky.

(tags: Computer Security networking Hack hacking network software internet sysadmin)

Jim Grisanzio: Tokyo Hackerspace

Mon, 29 Jun 2009 08:20:22 +0000

I've been checking out the Tokyo Hackerspace gmail list for a few weeks. Looks very interesting. The project grew out of some discussions at BarCamp Tokyo a couple of months ago, and I spoke to Karamoon about it at the OpenSolaris community event this weekend. In a world of ever expanding global digital communities, it seems like a nice idea to have a very local a very physical space to hang out in and hack on things that need hacking. Global and digital are fine, but local and physical are needed too. For info, check it out on the wiki.

Jim Grisanzio: Website Transition: Two Phase 1 Documents Posted

Mon, 29 Jun 2009 02:35:55 +0000

This morning Bonnie posted two documents supporting the Phase 1 website transition plans:

The plan to implement the governance and website roles and collectives, and
The data migration strategy outlining how data will be migrated from existing databases into the new Auth database.

Bonnie and Alan drafted the documents and all three of us iterated for a couple of weeks as they went through multiple drafts. It`s amazing experiencing the distinction between writing a document that articulates some issue in theory and writing a document that articulates a specific implementation that has to actually work. It`s the distinction between night and day. Ideas are fine, but if you don`t build them they are not real. That lesson is learned.

Also, I appreciate more than ever the process I went through in the recent past attempting to re-write the OpenSolaris Constitution. Building and describing the new site would have been so much easier had that Constitution been approved in March. But it wasn`t. That`s life I suppose. So, now we have to implement the old Constitution while also accounting for things that document doesn`t even mention because it came about after the original site was designed. Not to mention all the odd stuff that evolved (and broke) on the current site -- all of which has to be migrated to the new site. As a result, in August we will have some things covered under Governance and some things covered under generally accepted practice -- and that last bit was really the basis of the concept we were trying to move toward with the proposed Constitution. Hopefully, the OGB will at some point this year take up that proposed Constitution again, get it updated, and get it approved so our Governance documents reflect the reality of how the community operates in real life.

Anyway, until that happens we will continue building what we have to build, and it will be good to finally break with the past of the old site. So, it`s important for anyone with an account on opensolaris.org to review these new documents and the other information we have posted in the Website community recently to be prepared for the changes coming in July and August. All users on the site will be affected by this multi-phase transition (hopefully in a good way, of course). More documents will be posted in the coming weeks on website feature mappings, Auth transition instructions, and content migration plans. And that`s just Phase 1 and Phase 2. There will be a Phase 3 that will take us well into the fall.

Website Transition Documentation | Auth System Beta | XWiki Website Beta | Program Roadmap

Jim Grisanzio: OpenSolaris PDAs?

Mon, 29 Jun 2009 02:33:29 +0000

"I hope that after some time we'll see OpenSolaris powered PDAs." -- Alexander Eremin

Glynn Foster: OpenSolaris on FLOSS Weekly

Mon, 29 Jun 2009 00:59:15 +0000

I had the privilege to be a guest on FLOSS Weekly with Leo Laporte and Jono Bacon this week, thanks guys! Of course Aaron and David had done awesome groundwork with an interview on ZFS a few weeks earlier. It was a fun hour, and I enjoyed it though can think of many thing I’d answer differently now! Looking forward to catching up with Jono and others at the Community Leadership Summit next month in San Jose, the weekend before OSCON.

And yes, OpenSolaris is officially ‘not bollocks’. Check it out!

Jim Grisanzio: New ZFS Book Coming to Japan

Sun, 28 Jun 2009 06:50:41 +0000

Four members of the Japan OpenSolaris Community wrote a book on ZFS recently. It`s coming out in July, and it`s specifically for the Japanese market. The cover has not been selected yet, but here are the early details: ZFS 仮想化されたファイルシステムの徹底活用 (大型本) by Hisayoshi Kato, Michitoshi Sato, Nagahara Niroharu, and Imai Satoshi. This is quite a significant contribution to the community in Japan because it`s important to have technical content written by Japanese engineers for Japanese engineers. Translating English content from the west good, of course, but the generation of original content in Japanese also needs to be part of this community`s growth plans.

Here are some more books on OpenSolaris: http://blogs.sun.com/jimgris/tags/book

Yong Sun: Photos of AGC Family Party

Sun, 28 Jun 2009 05:13:36 +0000

见到了好多老朋友，真是很高兴！希望不必”再过二十年，我们来相聚” ...

Jim Grisanzio: Japan Linux Symposium: Tokyo, October 2009

Sat, 27 Jun 2009 02:53:52 +0000

It's excellent to see the 9th Annual Linux Kernel Summit and the 1st Annual Japan Linux Symposium coming to Tokyo in October. Check out this language from the LF website: "The Japan Linux Symposium will be the showcase Japan and Asia Pacific conference for The Linux Foundation." Showcase. This is significant. The Japanese may not shout about it much, but developers in this country are contributing to FOSS and their contributions are growing. The potential in Japan for open source is huge. I've been saying it since I got here. So cool that the LF clearly recognizes this potential by bringing their conferences here. Also interesting: the LF website appears in two languages -- English and Japanese.

I already hang out with the Tokyo Linux User Group (here, here), so I hope to attend this gig in October.

Jim Grisanzio: OpenSolaris in Brazil: Right at the Top!

Sat, 27 Jun 2009 02:04:39 +0000

Nothing like going right to the very top, eh? My goodness. Here's the OpenSolaris community in Brazil at FISL hanging out with Brazil's President Luiz Inácio Lula da Silva. I think this sets a new standard in government relations for the entire OpenSolaris community, don't you think? So, each one of us around the world now has to go out and shoot some images (video is fine, too) of our country's leader standing with our respective communities all dressed up in OpenSolaris stuff. Ok. Should be easy enough. Just send your images to osug-leaders or advocacy-discuss, and we'll collect them there.

Absolutely. Outrageous.

Marcelo Leal: FISL 10

Fri, 26 Jun 2009 23:38:46 +0000

Congratulations to Vitório Sassi and all OSOL users from OpenSolaris-BR (special to PoaOSUG ;-) that are doing a great work at FISL 10!