Flying the unfriendly skies

by Mads
September 24, 2006 at 22:36 | categories: security, misc

Today's PC and Pixel predicts a bleak future for airline travel.
It all fits pretty well with the wondermark comic I wrote about.
I wonder how long this can go on before people get enough? I for one don't much fancy the idea of flying to .us and I'd absolutely refuse to go there via .uk.

JET/Jumpstart x86 pxe notes

by Mads
September 20, 2006 at 23:43 | categories: sun, solaris

This is just a quick note, probably most useful to myself, that I've gathered while setting up a pile of X4100s.

  • Download and install JumpStart Enterprise Toolkit 4.3.2. You don't need to install all of it, but it is small enough that I did. I'll assume it goes to /opt/SUNWjet
  • # export PATH=$PATH:/opt/SUNWjet/bin
  • I'll assume the following:
    • Solaris 10 update 2
    • You've got the dvd iso sol-10-u2-ga-x86-dvd.iso in /export
    • You're putting your files in /export/install
  • # copy_solaris_media -d /export/install/s10u2 -n s10u2 -i /export sol-10-u2-ga-x86-dvd.iso
  • Created loopback device /dev/lofi/1 for /export/sol-10-u2-ga-x86-dvd.iso
    mounted /export/sol-10-u2-ga-x86-dvd.iso at /export/install/1389/slices/s0 (of type hsfs)
    Copying Solaris image....
    Verifying target directory...
    Calculating the required disk space for the Solaris_10 product
    Calculating space required for the installation boot image
    Copying the CD image to disk...
    Copying Install Boot Image hierarchy...
    Copying /boot x86 netboot hierarchy...
    Install Server setup complete
    Added Solaris image s10u2 at the following location:
            Media:          /export/install/s10u2
    Unmounting /export/install/1389/slices/s0
    removing device /dev/lofi/1
    removing directory /export/install/1389
  • Install a dhcp server:
  • # pkgadd -d /export/install/s10u2/Solaris_10/Product SUNWdhcsr SUNWdhcsu SUNWdhcm SUNWdhcsb
  • # dhcpconfig -D -r SUNWfiles -p /var/dhcp
  • Created DHCP configuration file.
    Created dhcptab.
    Added "Locale" macro to dhcptab.
    Added server macro to dhcptab - n1master.
    DHCP server started.
  • Set up dhcp - assuming:
    • NETWORK:
    • NETMASK:
    • ROUTER:
  • # dhcpconfig -N -m -t
  • # make_template x4100
  • Adding product configuration information for 
            + base_config
            + custom
            + sds
            + vts
            + explo
            + flash
            + san
            + jass
            + zones
    Updating base_config template specifics
    Client template created in /opt/SUNWjet/Templates
  • At this point JET automatically adds nfs shares - I had to tweak mine so that I have:
  • # share -F nfs -o ro,anon=0 -d "JET Framework" /opt/SUNWjet
  • # share -F nfs -o ro,anon=0 /export/install/
  • # cd /opt/SUNWjet/Templates
  • Edit the template to fit your needs - at the bare minimum, you need to set:
    • base_config_ClientArch=
    • base_config_ClientOS=
    • base_config_client_allocation=
    • base_config_ClientEther=
    • base_config_sysidcfg_network_interface=
    • base_config_sysidcfg_netmask=
    • base_config_sysidcfg_default_route
    • base_config_sysidcfg_ip_address
  • This could look something like:
  • base_config_ClientArch=i86pc
  • Other common things to change would be the root passwd (see comment in the profile), disk layout and what cluster to use. An example diff for the interesting bits of the disk layout could look like this:
  •  ########################################
     # X86, X64 specific settings. If this is an x86 client, then you may need
    @@ -242,8 +242,8 @@
     # If you are using VxVM and want your boot disk to look like the mirror, then
    @@ -261,9 +261,9 @@
    @@ -273,7 +273,7 @@
  • I usually choose either the full or the restricted net install:
  • base_config_profile_cluster=SUNWCXall
  • make_client -f x4100
  • Gathering network information..
            Client: (
            Server: (, SunOS)
    Solaris: client_prevalidate
    Solaris: client_build
    Creating sysidcfg
    WARNING: no base_config_sysidcfg_timeserver specified using JumpStart server
    Creating profile
    Adding base_config specifics to client configuration
    Solaris: Configuring JumpStart boot for x4100
             Starting SMF services for JumpStart
    Solaris: Configure PXE/grub build
             Adding install client
            Doing a TEXT based install
             Leaving the graphical device as the primary console
             Configuring x4100 macro
             Using local dhcp server
             PXE/grub configuration complete
    Running '/opt/SUNWjet/bin/check_client  x4100'
    Check of client x4100 
    -> Passed....
  • And that's all there is to it - for the X4100, you'll have to press F12 during startup to force a network install. On a local net, the install time for SUNWCreq is about 15 minutes on an X4100.

Next installments could be to use flash install, setting up JASS and zones, adding patches and extra packages.

DTrace chosen as the Gold winner in The Wall Street Journal

by Mads
September 19, 2006 at 21:32 | categories: sun, solaris

Very cool and well deserved.

Bryan Cantrill and a team of engineers at Sun Microsystems Inc. have devised 
a way to diagnose misbehaving software quickly and while it's still doing its 
work. While traditional trouble-shooting programs can take several days of 
testing to locate a problem, the new technology, called DTrace, is able to 
track down problems quickly and relatively easily, even if the cause is 
buried deep in a complex computer system.

The DTrace trouble-shooting software from Sun was chosen as the Gold winner 
in The Wall Street Journal's 2006 Technology Innovation Awards contest, the 
second time in three years that a Sun entry has won the top award.

Root free httpd on Solaris

by Mads
September 19, 2006 at 21:21 | categories: httpd, security, solaris

As I was playing around with Sun Studio 11 and trying out different compile options on httpd I bumped into the old problem of not being allowed to bind port 80. In usual circumstances I'd just switch to a port above 1024, but why not use Solaris privileges instead?

The usual error:
(13)Permission denied: make_sock: could not bind to address

Finding the missing privilege:
# ppriv -eD ./httpd -k start

httpd[12474]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631

As root add the missing privilege:
# usermod -K defaultpriv=basic,net_privaddr apache
# grep apache /etc/user_attr

Start httpd as the apache user and you're done.
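
The two steps above, as an added example that is not part of the original post: a small shell helper that pulls the privilege names out of `ppriv -eD` debug lines and prints the matching `usermod -K` value for review instead of running it. It generalizes to more than one missing privilege; the function names and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive a minimal defaultpriv value from ppriv -eD debug output.
# The sample lines follow the message format shown in the post; the second
# line (a different pid) is constructed to show de-duplication.

# Print each distinct privilege named in 'missing privilege "..."' lines on stdin.
missing_privs() {
    sed -n 's/.*missing privilege "\([a-z0-9_]*\)".*/\1/p' | sort -u
}

# Build the usermod -K value: "basic" plus every missing privilege found.
defaultpriv_for() {
    privs=$(missing_privs | tr '\n' ',' | sed 's/,$//')
    if [ -n "$privs" ]; then
        printf 'defaultpriv=basic,%s\n' "$privs"
    else
        # Nothing was reported missing, so the basic set is enough.
        printf 'defaultpriv=basic\n'
    fi
}

# Constructed sample input: ppriv debug lines mixed with httpd's own error.
sample_log() {
    cat <<'EOF'
httpd[12474]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631
httpd[12475]: missing privilege "net_privaddr" (euid = 100, syscall = 232) needed at tcp_bind+0x631
(13)Permission denied: make_sock: could not bind to address
EOF
}

# Print the command for review rather than executing it.
printf '# usermod -K %s apache\n' "$(sample_log | defaultpriv_for)"
```

Reviewing the printed list before applying it keeps the account at the basic set plus only what the debug run showed was needed.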

Of course there's a lot more to it than just handing out privileges, but you can find much more in the Roles, Rights Profiles, and Privileges section of the System Administration Guide: Security Services.

wondermark comic

by Mads
August 13, 2006 at 20:51 | categories: security, misc

A rather strange comic, but sometimes amusing.
And at other times, absolutely spot on.
(By way of Bruce Schneier who is also very right in Last Week's Terrorism Arrests.)
