New users in Solaris 10 branded zones on Solaris 11 not handled automatically

A colleague noticed that on a Solaris 11 system a Solaris 10 branded zone “gains” two new daemons which are running with UID 16 and 17. Those users are not automatically added to /etc/passwd, /etc/shadow (and /etc/group)… at least not when the zones are imported from an existing Solaris 10 zone.

I added the two users (netadm, netcfg) and the group (netadm) to the Solaris 10 branded zones by hand (copy&paste of the lines in /etc/passwd, /etc/shadow, /etc/group + run pwconv) for our few Solaris 10 branded zones on Solaris 11.
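One way to script the same fix from the global zone, as an added example that is not from the original post: it copies the netadm/netcfg passwd, shadow and group lines out of the Solaris 11 global zone's files into the branded zone's root, skips entries the zone already has, and refuses to add an entry whose numeric id is already used by a different name inside the zone (copying blindly could otherwise give a daemon the UID of an existing local account). The zone name and zone root path are placeholders, a POSIX shell (ksh on Solaris) is assumed, and pwconv is run inside the zone with zlogin, as the post does.

```sh
#!/bin/sh
# Added example, not from the original post: sync the netadm/netcfg entries
# from the Solaris 11 global zone into a Solaris 10 branded zone's root.
# Runs in the global zone; ZONE and ZONEROOT below are placeholders.

# sync_entries SRC DST ID_FIELD NAME...
#   Append each NAME's line from SRC to DST unless DST already has it.
#   ID_FIELD is the numeric id column (3 for passwd and group, 0 for shadow,
#   which has none); an id already used by another name in DST is a conflict.
#   Prints "added", "present" or "conflict" per name.
sync_entries() {
    src=$1; dst=$2; id_field=$3; shift 3
    for name in "$@"; do
        if grep -q "^${name}:" "$dst"; then
            echo "present $name"
            continue
        fi
        line=$(grep "^${name}:" "$src") || { echo "$name not in $src" >&2; return 1; }
        if [ "$id_field" != 0 ]; then
            num=$(echo "$line" | cut -d: -f"$id_field")
            if cut -d: -f"$id_field" "$dst" | grep -qx "$num"; then
                echo "conflict $name"
                return 1
            fi
        fi
        echo "$line" >> "$dst"
        echo "added $name"
    done
}

# sync_zone ZONE ZONEROOT: group first (the passwd lines reference its gid),
# then passwd and shadow, then rebuild the zone's password database.
sync_zone() {
    zone=$1; zr=$2
    sync_entries /etc/group  "$zr/etc/group"  3 netadm        || return 1
    sync_entries /etc/passwd "$zr/etc/passwd" 3 netadm netcfg || return 1
    sync_entries /etc/shadow "$zr/etc/shadow" 0 netadm netcfg || return 1
    zlogin "$zone" pwconv
}

# Example invocation (placeholders):
# sync_zone s10zone /zones/s10zone/root
```

Re-running the script is a no-op once the entries are in place, and a conflict stops it before anything is written, so the zone is left as it was for a manual look.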


Increase of DNS requests after a critical patch update of Solaris 10

Some weeks ago we installed critical patch updates (CPU) on a Solaris 10 system (internal system, a year of CPU to install, nothing in it affected us or was considered a security risk; we decided to apply this one regardless, to not fall behind too much). Afterwards we noticed that two zones are doing a lot of DNS requests. We had noticed this already before the zones went into production, and we configured a positive time to live in nscd.conf for “hosts”. Additionally we noticed a lot of DNS requests for IPv6 addresses (AAAA lookups), while absolutely no IPv6 address is configured in the zones (not even for localhost… and those are exclusive IP zones). Apparently with one of the patches in the CPU the behaviour changed regarding the caching; I am not sure if we had the AAAA lookups before.

Today I got some time to debug this. After adding caching of “ipnodes” in addition to “hosts” (and I configured a negative time to live for both at the same time), the DNS requests came down to a sane amount.

For the AAAA lookups I have not found a solution. By my reading of the documentation I would assume there are no IPv6 DNS lookups if there is no IPv6 address configured.
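As an added example (not from the original post) of the nscd.conf change that brought the query rate down: the two functions below read and idempotently set one nscd.conf attribute for one cache, and tune_nscd applies that to both “hosts” and “ipnodes”, enabling the ipnodes cache and giving both caches a positive and a negative time to live. The syntax assumed is the Solaris 10 one (“attribute cachename value”, one per line); the TTL values in seconds are illustrative, not the post's, and the file path is a parameter so the functions can be exercised on a copy.

```sh
#!/bin/sh
# Added example, not from the original post: idempotent edits of nscd.conf
# (Solaris 10 syntax: "<attribute> <cachename> <value>", one per line).
# Run as root against /etc/nscd.conf, then restart nscd (see note below).

# nscd_get FILE ATTRIBUTE CACHE: print the value, or "unset" if absent.
nscd_get() {
    awk -v key="$2" -v cache="$3" '
        $1 == key && $2 == cache { v = $3 }
        END { print (v == "" ? "unset" : v) }' "$1"
}

# nscd_set FILE ATTRIBUTE CACHE VALUE: replace the existing line for this
# attribute/cache pair or append one; all other lines are kept as they are.
nscd_set() {
    f=$1; key=$2; cache=$3; val=$4
    tmpf="$f.tmp.$$"
    awk -v key="$key" -v cache="$cache" -v val="$val" '
        $1 == key && $2 == cache { if (!done) print key, cache, val; done = 1; next }
        { print }
        END { if (!done) print key, cache, val }' "$f" > "$tmpf" && mv "$tmpf" "$f"
}

# tune_nscd [FILE]: cache hosts and ipnodes, each with a positive and a
# negative TTL (seconds; the numbers are illustrative, not the post's).
tune_nscd() {
    f=${1:-/etc/nscd.conf}
    for cache in hosts ipnodes; do
        nscd_set "$f" enable-cache          "$cache" yes || return 1
        nscd_set "$f" positive-time-to-live "$cache" 600 || return 1
        nscd_set "$f" negative-time-to-live "$cache" 60  || return 1
    done
}
```

After editing the real file, restart the daemon so it re-reads the configuration (svcadm restart svc:/system/name-service-cache:default on Solaris 10); nscd -g prints the active settings and cache statistics, which is a quick way to confirm the change took and to watch the hit rate afterwards.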


Updating FreeBSD 8.2 (or 9.x) to 10 (beta4)

This is a short description of how I remotely (no console, booted into multi-user during the update, no external services like jails/httpd/… running) updated a FreeBSD 8.2 to 10 (beta4) from source. This should also work when updating from FreeBSD 9.x. Note, I had already switched to ATA_CAM on 8.2, so there are no instructions for the name change of the ata devices. No IPv6, WLAN or CARP is in use here, so changes which are needed in this area are not covered. Read UPDATING carefully, there are a lot of changes between major releases.

What I did:

  • update /usr/src
  • make buildworld
  • replace “make ” in /usr/src/Makefile.inc1 with ${MAKE} (two times, one for “VERSION”, one for “BRANCH”)
  • verify kernel config for changes needed (running “config MyKernel” in /usr/src/sys/YourArch/conf/ helps to identify syntax problems), sorry I didn’t take notes, but I diffed the old and the new GENERIC config and added/removed according to my interests
  • /usr/obj/…/src/usr.bin/bmake/make buildkernel KERNCONF=MyKernel
  • /usr/obj/…/src/usr.bin/bmake/make installkernel KERNCONF=MyKernel KODIR=/boot/kernel.10
  • mergemaster -p
  • /usr/obj/…/src/usr.bin/bmake/make installworld DESTDIR=/somewhere/test
  • mkdir /root/net10; cp /somewhere/test/rescue/ifconfig /somewhere/test/rescue/route /root/net10
  • create the file /etc/rc.10update with:
    case $(uname -r) in
    8.2*)
            MYIFCONFIG=/sbin/ifconfig
            MYROUTE=/sbin/route
            ;;
    10*)
            MYIFCONFIG=/root/net10/ifconfig
            MYROUTE=/root/net10/route
            ;;
    esac
    export MYIFCONFIG
    export MYROUTE
  • change the files (stupid approach: grep for “ifconfig” and “route” in /etc/rc.d to identify files which need to change, I skipped files which I identified as not needed in my case, if you use pf/IPv6/bridge/…, you may have to change some more files) /etc/rc.d/auto_linklocal /etc/rc.d/defaultroute /etc/rc.d/netif /etc/rc.d/netwait /etc/rc.d/routing: add “. /etc/rc.10update” at the end of the block with “. /etc/rc.subr”, change the “ifconfig”-command to ${MYIFCONFIG}, change the “route”-command to ${MYROUTE}
  • change /etc/network.subr: add “. /etc/rc.10update” before the first function, change the “ifconfig”-command to ${MYIFCONFIG}, change the “route”-command to ${MYROUTE}
  • make sure that the changes you made are 100% correct, rather triple-check than not check at all (you will be locked out if they are not 100% OK)
  • stop any jails and make sure they do not restart at boot
  • deactivate the gmirror of the root-fs, if there is one (it is maybe easier to ask a remote hand to swap the boot order in case of problems)
  • here you could just reboot the server to come back to your current OS version, so make sure that the modifications in /etc did not cause any problems with the old version (in case you see problems with the v10 kernel), but if you do not have a remote console to single-user mode you have no chance to directly fix the problem (risk mitigation described above), no matter which version of the kernel you boot
  • nextboot -k kernel.10
  • shutdown -r now
  • login
  • check dmesg
  • optional: mv /boot/kernel /boot/kernel.8
  • make installkernel KERNCONF=MyKernel
    to have a v10 /boot/kernel
  • make installworld
  • mergemaster
  • make delete-old
  • rm -r /etc/rc.10update /root/net10
  • change rc.conf: add “inet” in ifconfig-aliases
  • review sysctl.conf for outdated entries
  • shutdown -r now
  • optional: rm -r /boot/kernel.10
  • enable jails again (or later… updating jails is not described here)
  • activate/resync mirror(s)
  • rebuild all ports (attention: new pkg system)
  • make delete-old-libs
  • reboot again to make sure everything is OK after the port-rebuild and removal of old libs (a console.log (syslog.conf) helps here)
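The “triple-check” step above can be partly mechanised. The following is an added example, not from the original post: resolve_switch evaluates /etc/rc.10update as if uname -r reported a given release (a shell function named uname shadows the binary inside a subshell, so both case branches can be tested before the reboot), and rc_script_ok checks that an edited rc script still parses, sources the switch file, and contains no remaining direct ifconfig/route invocation. The invocation pattern is a heuristic (command position, or after ;, &&, |, $( or a backtick); it deliberately ignores names such as ifconfig_lo0 and $ifconfig_args, so the listed lines still need a human look. File paths are parameters, and the file list in check_all is the one from the post.

```sh
#!/bin/sh
# Added example, not from the original post: pre-reboot checks for the
# /etc/rc.10update switch and the edited rc scripts. Assumes POSIX sh and the
# switch file exactly as shown in the post; paths are parameters.

# resolve_switch RELEASE FILE: source FILE as if "uname -r" printed RELEASE
# and print the two command paths it selected. The uname function defined in
# the subshell shadows /usr/bin/uname, so both case branches are testable.
resolve_switch() {
    rel=$1; file=$2
    ( uname() { echo "$rel"; }; . "$file"; echo "$MYIFCONFIG $MYROUTE" )
}

# rc_script_ok FILE: 0 if FILE parses, sources rc.10update, and has no
# direct ifconfig/route call left (heuristic: command position, or after
# ; & | $( or a backtick). Matching lines are printed for manual review.
rc_script_ok() {
    f=$1
    sh -n "$f" || { echo "$f: syntax error" >&2; return 1; }
    grep -q '^[[:space:]]*\. /etc/rc\.10update' "$f" \
        || { echo "$f: does not source /etc/rc.10update" >&2; return 1; }
    if grep -nE '(^[[:space:]]*|[;&|`(][[:space:]]*)(ifconfig|route)([[:space:]]|$)' "$f"; then
        echo "$f: direct ifconfig/route calls remain (listed above)" >&2
        return 1
    fi
}

# check_all [SWITCHFILE]: exercise both branches and check the files the post
# edits; a non-zero exit means do not reboot into the new kernel yet.
check_all() {
    sw=${1:-/etc/rc.10update}
    echo "8.2 -> $(resolve_switch 8.2-RELEASE "$sw")"
    echo "10  -> $(resolve_switch 10.0-BETA4 "$sw")"
    rc=0
    for f in /etc/rc.d/auto_linklocal /etc/rc.d/defaultroute /etc/rc.d/netif \
             /etc/rc.d/netwait /etc/rc.d/routing /etc/network.subr; do
        rc_script_ok "$f" || rc=1
    done
    return $rc
}
```

Note that the switch file as shown only has an 8.2* branch: when starting from 9.x the first pattern has to be adapted, and resolve_switch 9.2-RELEASE /etc/rc.10update makes the gap obvious because both paths come back empty, which would leave the network scripts without an ifconfig at all.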

Linuxulator explained: How to create Linux binaries on FreeBSD

There may be cases where you want to generate a Linux binary on a FreeBSD machine. This is not a problem of the linuxulator itself, but of the default linux_base port.

As you may know, the linux_base port is designed to deliver an integrated experience with FreeBSD native programs. As such, some parts of the native FreeBSD infrastructure are used. If you tried to use a Linux compiler to generate Linux binaries, you would run into the problem that by default the FreeBSD includes are used.

Prerequisites

To have a fully featured and non-integrated Linux environment on your FreeBSD system, either mount an existing (and compatible) Linux installation somewhere into your FreeBSD system, or install a linux_dist port. This can be done in addition to an already installed linux_base port.

Preparation

When you have a complete Linux environment available, you need to mount the FreeBSD devfs to /path/to/complete_linux/dev, linprocfs to /path/to/complete_linux/proc and linsysfs to /path/to/complete_linux/sys to have a complete setup.

Use it

Now you just need to chroot into this /path/to/complete_linux and configure/make/install or whatever you need to do to generate your desired Linux binary.
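The Preparation and Use it steps as one script, added here as an example that is not part of the original post: mount_linux_env mounts devfs, linprocfs and linsysfs under the complete Linux tree (the path is a placeholder), skipping mount points that are already in use so it can be re-run, and umount_linux_env takes them down again in reverse order. With DRYRUN=1 the mount and umount commands are only printed, which is also how the functions can be exercised without root.

```sh
#!/bin/sh
# Added example, not from the original post: set up and tear down the
# pseudo file systems a complete Linux tree needs under the linuxulator.
# /path/to/complete_linux is a placeholder; DRYRUN=1 only prints commands.

# run CMD...: execute, or just print when DRYRUN=1.
run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# is_mounted DIR: 0 if DIR appears as a mount point in mount(8) output
# ("<what> on <dir> ..." on both FreeBSD and Linux).
is_mounted() {
    mount | awk -v mp="$1" '$3 == mp { found = 1 } END { exit !found }'
}

# mount_linux_env ROOT: devfs, linprocfs and linsysfs under ROOT; every
# target directory must exist, already mounted ones are skipped.
mount_linux_env() {
    root=$1
    for spec in "devfs devfs dev" "linprocfs linprocfs proc" "linsysfs linsysfs sys"; do
        set -- $spec            # fstype, device name, subdirectory
        mp="$root/$3"
        [ -d "$mp" ] || { echo "missing directory $mp" >&2; return 1; }
        if is_mounted "$mp"; then
            echo "$mp already mounted, skipping" >&2
            continue
        fi
        run mount -t "$1" "$2" "$mp" || return 1
    done
}

# umount_linux_env ROOT: unmount in reverse order, ignoring what is not mounted.
umount_linux_env() {
    root=$1
    for sub in sys proc dev; do
        if is_mounted "$root/$sub"; then
            run umount "$root/$sub" || return 1
        fi
    done
}

# Typical use (placeholder path):
#   mount_linux_env /path/to/complete_linux && chroot /path/to/complete_linux /bin/bash
#   ... configure/make/install inside, exit, then: umount_linux_env /path/to/complete_linux
```

Mounting devfs there exposes the host's full device tree inside the chroot; if that matters on the machine in question, apply a devfs(8) ruleset to that mount point after mounting, for instance the jail ruleset from /etc/defaults/devfs.rules (devfs -m /path/to/complete_linux/dev rule -s 4 applyset), which hides everything but the basic device nodes.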


Status crypto cards HOWTO: problems with the card reader (support could be better)

After hours (spread over weeks) I come to the conclusion that there is a lot of potential to improve the documentation of card readers (but I doubt the card reader vendors will do it) and the pcsc documentation. It is not easy to arrive at a point where you understand everything. The compatibility list does not help much, as the card readers are partly past their end of life and the models which replace them are not listed. Also, the one I bought does not support all the features I need. I even ported the driver to FreeBSD (not committed, I wanted to test everything first) and a lot of stuff works, but one critical part is that I can not store a certificate on the crypto card as the card reader or the driver does not support extended APDUs (needed to transfer more than 255 bytes to the card reader).

Well, the status so far:

  • I have a HOWTO what to install to use crypto cards in FreeBSD
  • I have a HOWTO what to install / configure in Windows
  • I have a HOWTO regarding creating keys on an openpgp v2 card and how to use this key with ssh on FreeBSD (or any other unix-like OS which can run pcsc)
  • I have a card reader which does not support extended APDUs
  • I want to make sure what I write in the HOWTOs is also suitable for the use with Windows / PuTTY
  • it seems Windows needs a certificate and not only a key when using the Windows CAPI (using the vendor supplied card reader driver) in PuTTY-CSC (works at work with a USB token)
  • the pcsc pkcs11 Windows DLL is not suitable yet for use on Windows 8 64bit
  • I contacted the card reader vendor to find out if the card reader or the driver is the problem regarding the extended APDUs
  • I found problems in gpg4win / pcsc on Windows 8
  • I have sent some money to the developers of gpg4win to support their work (if you use gnupg on Windows, try to send a few units of money to them, the work stagnated as they need to spend their time on paid work)

So either I need a new card reader, or I have to wait for an update of the linux driver of the vendor… which probably means it may be a lot faster to buy a new card reader. When looking for one with at least a PIN pad, I either do not find anything which is listed as supported by pcsc on the vendor pages (it is incredible how hard it is to navigate the websites of some companies… a lot of buzzwords but no way to get to the real products), or they only list updated models where I do not know if they will work.

When I have something which works with FreeBSD and Windows, I will publish all the HOWTOs here at once.
