Softpanorama

May the source be with you, but remember the KISS principle ;-)
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

Softpanorama Solaris Bulletin 2004

[Dec 27, 2004] Solaris Patch Management- Recommended Strategy (PDF) -- a pretty average overview paper. Mostly fluff, but it does raise one important question: when should you upgrade a server instead of patching it? Enterprises often still run Solaris 6 and 7 servers that should have been upgraded to Solaris 9 long ago, and Solaris 9 is in principle more secure than, say, Solaris 2.6.

Sys Admin Magazine vol 13, No. 10/Solaris 10 x86 on VMware -- I think Solaris 10 under VMware is a perversion (zones essentially provide 80% of the useful virtualization capability), but Peter Galvin thinks otherwise :-). Moreover, imitating the experiments of Linux zealots, he tries to install Solaris on a laptop... I understand that for a writer it might not be a bad idea to write in Windows while cutting and pasting results from Solaris, but the same can be done on Solaris alone using StarOffice:

Solaris 10 x86 is indeed very real and very functional. With VMware, it performs well and brings all of the new features that Sun has been proudly promoting. Although getting graphics working takes a bit of work in the VMware environment, the work is well rewarded by the functional end result.

Acknowledgements and Resources

Special thanks to Dan Price from Sun, Juergen Keil, and Scott Omar Burch for advice and guidance on getting the graphics challenges resolved.

For up-to-date information on Solaris x86, see:

http://www.solaris-x86.org 
http://sun.drydog.com 
http://multiboot.solaris-x86.org 
http://www.bolthole.com/solaris/x86-laptops.html 
http://www.sun.com/bigadmin/collections/solarisx86.html 
http://www.tools.de/solaris 
http://homepage2.nifty.com/mrym3/taiyodo/eng 
http://groups.yahoo.com/group/solarisx86 
http://forum.sun.com/forum.jsp?forum=11 
news://alt.solaris.x86 
http://wwws.sun.com/software/solaris/x86/ 
http://members.at.infoseek.co.jp/chitchat/vmware/soltips.html 

A great new resource to Sun users is now available. There is no longer a gag order on Sun employees, and they are saying some very interesting things at http://blogs.sun.com.

Phil's Solaris hints Some good documents

What's New in the Solaris 9 4-04 Operating Environment -- Please replace Sun grep with GNU grep: it supports the -P option and is thus saner than the completely crazy old Sun implementation. See Freeware Enhancements for information about GNU grep 2.4.2, GNU tar 1.13, GNU wget 1.6, and Ncftp Client 3.0.3 in the Solaris 9 release.

Solaris Flash

Complete Systems Replication

The Solaris Flash feature provides new installation and provisioning functionality. System administrators can capture a snapshot image of a complete server -- including the Solaris Operating System, the applications stack, and the system configuration -- into a new Flash Archive format. Using this system image, administrators can then replicate reference server configurations onto multiple (clone) servers. Solaris Flash images can be deployed via standard media or over the network via HTTP and NFS. Solaris Flash images can be installed using custom Solaris JumpStart scripts, the Solaris Web Start graphical interface, or Solaris interactive installation.

Rapid Deployment

With Solaris Flash technology, installation time can be cut significantly. Internal tests conducted at Sun have shown that a complete Web server can be set up using the network install feature of Solaris Flash in under three minutes. This installation technology reduces configuration complexity, improves deployment scalability, and significantly saves time and administrative resources for server deployment.

Layered Flash Deployment

Solaris Flash technology provides the ability to layer Flash Archives. You can create partial Flash Archives to install in a variety of ways. This feature increases the flexibility for rapid modular deployment.

For example, you can create one archive that contains the Solaris Operating System files, a second archive that contains the files necessary to run a Web server, and a third archive that contains the files for an NFS server. You can then install the first and second archives to one machine to create a Web server, and the first and third archives to create an NFS server.

By using layered archives, you can increase the flexibility of the Solaris Flash installation while you reduce the disk space required to store Flash Archives. When you install layered archives to a clone machine, one of the archives must contain the Solaris Operating System.

Idleize - Run a Subprocess During Idle Time Only

Idleize is a simple utility which allows you to easily run background tasks during idle time only. It is ideal for running SETI@home, as well as other background tasks such as hardware simulations, compiler test suites, computer graphics rendering, and so on.

Neowin.net - Where unprofessional journalism looks better

Sun Microsystems Inc. will formally launch the next major release of its flagship Solaris operating system at a press event Nov. 15 at the Tech Museum of Innovation in San Jose, California, company officials confirmed Friday. The launch will be part of Sun's quarterly Network Computing product announcement, which is expected to include new product offerings from a variety of Sun's product groups.

Already available in an "Early Access" beta version, Solaris 10 will have a number of major new features, including a new error detection system, a highly scalable file system called ZFS, and a diagnostic tool known as DTrace. The new version of Sun's Unix operating system will also include significant performance enhancements such as a new TCP/IP (Transmission Control Protocol/Internet Protocol) stack and improved multithreading capabilities.

E-Commerce News Commentary Responding to Readers Accounting for Politics in Technology

I'd buy a Solaris-powered helicopter if I could [Kirk L. Kroeker, "DOJ Bans Linux from US in Wake of iWidget Brouhaha," TechNewsWorld, April 1, 2004], but the point is that a lot of readers seem to be outraged that I'm so clearly biased in Sun's favor. My bottom line on Sun is that I like stuff that works, and their stuff generally does -- even if Sun Press did turn down my latest book.

The more general response to a charge of bias is that I'm for what Unix can do and particularly interested in services to larger user communities. Take a long, hard look at computing science today, and I think you'll agree that most of the really leading-edge research for single systems is taking place in the BSD community, that the Linux people are wreaking miracles of application delivery support across an enormous range, and that both Solaris and Sparc are evolving rapidly toward the Plan 9 view of network integrated computing.

 

Re:Too true (Score:4, Interesting)
by zemoo (582445) on Friday July 09, @04:24AM (#9650332)
(http://www.talagrand.org/)
man does not come with its own viewer. By default, man pages are viewed with 'more', which is the behaviour you see in Solaris.
Apparently, under BSD, the pager has been set to 'less', which supports the vi commands.

Under Solaris, I try setting the PAGER environment variable to '/usr/bin/less -isrm' or something similar in your startup scripts. This will change man's behaviour.

 

Slashdot Zones are in Solaris Express (Solaris 10) It's an interesting tool for any company looking at easy consolidation without the prohibitive costs of hardware partitioning.

Solaris is for real users (Score:5, Insightful)
by mveloso (325617) on Tuesday March 02, @02:03PM (#8443098)
After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.

Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.

In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).

Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?

With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.

Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.

I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.

Just another step on the road to virtualization...

 

don't forget... (Score:5, Informative)
by qortra (591818) on Tuesday March 02, @09:01AM (#8439727)
(http://simeon.dyndns.info/)
Don't forget Xen [cam.ac.uk], VMWare, and Bochs [sourceforge.net] (not as fast, but still cool).
 
Re:don't forget... (Score:5, Informative)
by iserlohn (49556) on Tuesday March 02, @09:28AM (#8439946)
and also Linux-vserver [linux-vserver.org]. Great performance. Just like BSD jail.
Re:don't forget... (Score:2)
by meshko (413657) on Tuesday March 02, @10:13AM (#8440365)
(http://www.scorch2000.com/)
I think this has nothing to do with OS emulators. It's more like FreeBSD jail.
Re:don't forget... (Score:2, Informative)
by chilled (542681) on Tuesday March 02, @10:20AM (#8440458)
Actually it's not really like vmware et al. Part of the reason for zones is to make life as an admin EASIER not harder. Say a sys admin has a single Solaris machine (SPARC or x86, it doesn't matter). They are running 10 zones, however the sys admin only has to maintain one OS. There are additional overheads, ie setting up resource controls, but they are there and relatively simple, building up on pre-existing but extended Solaris 9 concepts (Solaris Resource Manager), but much easier than maintaining 10 different servers. I might be wrong, but you would need 10 different OS installs, on top of the original vmware hosting server.
Re:Hmmm.... (Score:2, Informative)
by haggar (72771) on Tuesday March 02, @09:03AM (#8439745)
(http://slashdot.org/ | Last Journal: Monday December 30, @12:57AM)
Disclaimer: I am not the author of the following post, I took it from here. [osnews.com]

I believe this is not too far from what you can achieve with user mode linux. We've been using similar technology in unix classes at school using uml.

There are however few differences:

1.) Solaris accesses host filesystem, while in user mode linux, you have to provide file or block device with disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, but I don't know how usable is this. You could of course overcome this by doing Root FS on NFS and dhcp and letting the guest os mount host's partition via NFS. This would probably have quite significant performance overhead though :(. Filesystem in filesystem is not very optimal too.

2.) It is not that easy to setup. This could be done with few scripts. I would love Debian and possibly other distros to have scripts, which would instantly create the zone's filesystem. Preferably, it would allow for some sharing (f.e. creating hard links to original data and kernel would unlink, copy transparently if slave wants to write -- some equivalent of copy on write seen in memory management).

3.) The networking is not so easy to setup. Could be also part of the script

4.) Linux does not have so well done resource allocation as Solaris. So the guest kernel should be able to limit itself (f.e. not to use more than 30% of cpu time). Is it possible to do some precise resource allocation under Linux (maybe using some patch to kernel, or something like that?)
 
Re:Hmmm.... (Score:3, Informative)
by GiMP (10923) on Tuesday March 02, @09:23AM (#8439900)
(http://www.grokthis.net/)
User Mode Linux provides a hostfs driver for accessing the host's filesystem.

You're right about not being as easy to setup, I suspect that Solaris has made it very easy to do - but this is speculation at this point.

Linux has such resource allocations. Checkout /etc/security/limits.conf. This is a per-user setting, unfortunately.
Re:Hmmm.... (Score:2)
by haggar (72771) on Tuesday March 02, @10:08AM (#8440290)
(http://slashdot.org/ | Last Journal: Monday December 30, @12:57AM)
The FIRST LINE of my post is a disclaimer that clearly states where I quoted from.

As for Karma, I don't know and don't care about it. It makes no difference to me.
Re:Hmmm.... (Score:4, Insightful)
by Jotaigna (749859) <[email protected]> on Tuesday March 02, @09:03AM (#8439747)
(Last Journal: Monday March 08, @01:59PM)
You have pointed out a critical thing. Marketing. For many years Sun has been successful in the market because it is a reliable brand and quite good (at least in Chile, of course). It's like being "mercedes" or something like that. They have a name and a reputation that helps them a lot. If windows came with a better command line (like xterm) it would be news too!!, and they of course would make sure it's news for everyone.

If we want to make OS software more successful in the market, we have to come up with marketing schemes for it, they can be as important as good coding.
Not Quite ! (Score:5, Informative)
by Anonymous Coward on Tuesday March 02, @09:14AM (#8439833)
>Where have I seen this before... Oh that's right,
>the features Compaq/Hp have been shipping with
> their Tru64 Alpha Servers for _years_.

First I watched this movie, your comparison is unfair; HP/Compaq/DEC partitions are more like Sun domains, i.e implemented in hardware. Domains have been around since say 1996 when E10K was introduced.

> Sorry people, but sun are pushing 20th century
> technology with some marketing spin to make it
> sound up to date.

While Solaris zones are similar to UML or other virtual OS instance technologies there are some innovative features which would be really useful say on multiprocessor Opteron that you want to consolidate some applications on:

1) Support: I can expect to run Oracle/websphere, etc in this zone without having to say oh and this is UML (which I have seen many times on mailing lists) (I mean applications support the fact that a OS vendor is behind this is good news as well)

2) Integration with Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modifications to ps/prstat(solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?

3) Interface bindings - can bind zone to specific NIC.

4) Greenline - init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.

5) Dtrace - the greatest thing ever, dynamic tracing of the kernel. Fully integrated with Solaris Zones.
Re:Not Quite ! (Score:2, Informative)
by arturs (758304) on Tuesday March 02, @12:51PM (#8442216)
At least some of those are really working well in a vserver:

> 2) Integration with Global Zone. From the global
> zone you can control each zone and watch and
> cap resources within a zone. This means
> modifications to ps/prstat(solaris's top) and
> other core OS utilities. How hard would this be
> under Linux? Is the UML patch even accepted by
> Linus yet?

Very similar. You also get vps, vpstree, vtop, vkill, vdu utilities for management starting from security context 0 (hosting server, which uses context 1 to "see" all processes).

> 3) Interface bindings - can bind zone to specific NIC.

very well working in vserver

> 4) Greenline - init.d replacement becomes
> service aware and can stop/start zones at boot
> and monitor services within a zone.

vserver also has a reboot manager; as for service monitoring, you can use userland applications for any vserver or set them in a host server to switch to security context 1 and thus monitor all services globally.
Re:Can this be used for honeypots? (Score:4, Informative)
by Darren.Moffat (24713) on Tuesday March 02, @12:15PM (#8441805)
Sorry but that is wrong. Both in Trusted Solaris and in Zones there is a single Solaris kernel that is responsible for the isolation. This is separate userlands with their own nameservice their own filesystems and their own root account.

Zones can't load kernel modules (except indirectly as protocol modules (eg telmod, rlmod)), Zones can't (by default) access any raw devices and can't add new network interfaces by themselves.
Re:Can this be used for honeypots? (Score:4, Informative)
by Brandon Hume (73471) on Tuesday March 02, @11:59AM (#8441640)
(http://www.bofh.halifax.ns.ca/)
This feature has been compared to BSD jails, and it's logical to say that it grew from that feature, but the functionality isn't exactly the same.

A Solaris zone can be rebooted independent of the other zones on the machine; it can have resources added or removed from the zone (CPUs, for example) dynamically, etc.

I'm still installing my copy of SolExp, so I haven't played with the feature just yet. But it looks to be located somewhere between FreeBSD jails and a completely emulated machine like VMWare.
Re:Can this be used for honeypots? (Score:2)
by viktor (11866) on Tuesday March 02, @02:01PM (#8443071)
(http://www.dtek.chalmers.se/~viktor/)
Sun has gone to great lengths to make sure that a compromised zone does not imply compromise of other zones.

In fact, one of Sun's examples is a Zone for each service, where the technician that explained to me explicitly said that if one of the Zones runs a sendmail which is rooted, the others are unaffected because there are separate "root" accounts for each zone (and we're not just talking separate passwords but actual separate root:s).

They protect stuff like /dev/kmem, you can't access raw devices, and so on within Zones. The machine still has a "core", outside of any Zones, which is a regular Solaris environment, but from within a Zone it's apparently very, very difficult to break out. Sun calls it "impossible" which means you'll most likely need to find a bug within the Zone implementation itself to break free.

Sun's also done similar things within Trusted Solaris before, so it's not something they just came up with.

Re:Jails vs. Zones (Score:5, Informative)
by sysadmn (29788) <sysadmn&netscape,net> on Tuesday March 02, @09:19AM (#8439877)
Zones differ from jails in that you can limit the amount of resources a zone can consume. Even in jail you can launch a denial of service with a fork() bomb or busy loop, or even netcat. With zones, you can limit the amount of cpu cycles, network io, and (perhaps? don't have docs nearby) disk and serial io. Plus zones get their "own" virtual os, so you can reboot them.
Re:Jails vs. Zones (Score:2)
by mr_majestyk (671595) on Tuesday March 02, @09:46AM (#8440107)
> Plus zones get their "own" virtual os, so you can reboot them.

Sure about that? All the zones share the same copy of Solaris, so how can you reboot one without rebooting all the others?
Re:Jails vs. Zones (Score:5, Informative)
by chilled (542681) on Tuesday March 02, @10:11AM (#8440341)
Very sure.
The zones routines, just re-read the zone config and re-initialise it. From the outside it can appear as an OS, but from another perspective (and this is gross over simplification but works for this point) it's just like loading an instance of an application.
Re:Jails vs. Zones (Score:2, Informative)
by paxvel (758242) on Tuesday March 02, @10:17AM (#8440422)
Marko Zec has done excellent work on further virtualizing FreeBSD kernel: Network stack cloning / virtualization extensions [tel.fer.hr].

Within a patched kernel, every process, socket and network interface belongs to a unique virtual image. Each virtual image provides entirely independent:

* set of network interfaces and userland processes;
* interface addresses and routing tables;
* TCP, UDP, raw protocol control blocks (PCBs);
* network traffic counters / statistics;
* set of net.inet tunable sysctl variables (well, most of them actually);
* ipfw and dummynet instance;
* kernel message buffer instance;
* system load and CPU usage accounting;
* proportional share CPU scheduling

Re:Jails vs. Zones (Score:3, Informative)
by dohcvtec (461026) on Tuesday March 02, @01:05PM (#8442404)
Here [blastwave.org] is a very informative article not only describing Solaris Zones, but also showing it in action. From what I can see, it seems similar to UserMode Linux, but nicely integrated into the OS, and supplied with a good set of administration tools.
But... does "rebooting" a zone fix issues? (Score:5, Interesting)
by 192939495969798999 (58312) on Tuesday March 02, @09:03AM (#8439746)
(http://www.devinmoore.com/)
What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.
 
Re:But... does "rebooting" a zone fix issues? (Score:3, Informative)
by gilrain (638808) <[email protected]> on Tuesday March 02, @09:35AM (#8439999)
(http://lunarpolicy.net/)
It has been! Notice the huge growth of "virtual colocation" services? Those are usually run with BSD jails or UML. They are a middle ground between consumer shared hosting and full-on managed servers.

This technology has already created a successful and useful market. I think we can only expect more.
Re:But... does "rebooting" a zone fix issues? (Score:5, Interesting)
by nemaispuke (624303) on Tuesday March 02, @09:48AM (#8440124)
Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).
Re:But... does "rebooting" a zone fix issues? (Score:2, Informative)
by spell (18829) on Tuesday March 02, @03:06PM (#8444036)
AIX does have DLPAR, but the problem with this is that it is only partitioning on a CPU boundary which means despite the fact it is supported on lower-end AIX boxes kind of limits its use. However with AIX 5.3 and Power-5, DLPARing will be at a sub-CPU partition, up to 100 partitions per CPU is what I've heard. The Power-5 machines will ship with the lower end first before the replacement to the p690, certainly less than $100k per box. It will also support virtual networking etc, so that the LPARs will not have to go out onto the network and the traffic will stay within the box (much goodness). So although Zones sound good, I think that genuine virtual machines ala LPAR are better.
 
Re:in comparison? (Score:4, Informative)
by smitty45 (657682) on Tuesday March 02, @09:41AM (#8440057)
"fixes it for you before you've finished typing the mail."

no need to exaggerate here.

the differences between jails and zones should be quite clear, but I can see how someone not having a Sun engineer on the clock to explain it to them might not get it.

zones should be used for a completely different purpose than jails. chrooted 'jails' are for restricting the runtime and filesystems environments for a particular process. in most cases, chrooted jails have nothing but the bare minimum libs and binaries, but it spawned from the original kernel which the parent machines runs.

zones are more like vmware in the way that it is a self-contained runtime environment that has its own protected memory space and kernel...these can then be restricted and allowed for full destruction, since the parent OS is not influenced in the same way as a chrooted jail.

in my opinion, Sun's support has never been worse or better than SGI's, HP's or DEC's...and that is still true today. the guy asked a question about the differences between jails and zones, not which is better from a support standpoint. it's a digression, and somewhat of a trolling one at that.

Linux Overview for Solaris Users (PDF)


Download Solaris 9 4/04 ISOs Now available for download, the new features and then  Some of the new features include the addition of "metassist" in SVM for top-down volume creation (backported from Solaris10), the Standard Type Services Framework, and Sun Remote Services (SRS) Net Connect 3.1 has been added to the Solaris bundle. Also, on the JumpStart front the add_install_client is now available for x86 PXE boots, and an exciting update, already found in Solaris10, is 2 new JumpStart keywords "filesys" and "metadb" which allow for boot disk mirroring during a JumpStart without using post-install scripts!

Sun plans Solaris subscription pricing CNET News.com - Sun compilers are up to 40 percent faster than the GCC compiler widely used with Linux.

Sun hopes to remain a step ahead of Linux, in particular with new features coming with Solaris 10, due to be released by the end of the year, said John Loiacono, senior vice president of Sun's Operating Platforms Group. Among the new features, all of which apply to Solaris for UltraSparc as well as for x86 chips:

• N1 Grid Containers, a technology formerly called Kevlar, zones or hardened containers that lets a single server be divided up so that it appears to be several independent machines. Several containers share the same version of Solaris, but from an administrator point of view, they appear separate, and as many as 4,000 containers will fit on one instance of Solaris.

• Rewritten software to speed up networking using TCP/IP, which underlies Ethernet and the Internet. The new TCP/IP software "stack" can process networking data at the full speed of 10-gigabit-per-second Ethernet cards, Loiacono said.

• The "NextGen" file system, called ZFS, which uses a 128-bit addressing scheme to accommodate the growth into the exabyte size range that data sets will experience in the next 10 to 15 years, Loiacono said. (An exabyte is a billion gigabytes.) ZFS also makes it easier to administer multiple storage volumes and automatically checks data for errors as it is written or read, he said.

• Policy-based security will restrict access to computing resources, depending on computer user roles. The technology comes from the Trusted Solaris product created for military and intelligence agency customers. About 70 percent to 80 percent of that product's features will move to the standard operating system with version Solaris 10, Loiacono said.

• "Predictive self-healing" will mean that a server can detect recurring problems with a memory bank and automatically switch to another without halting operations or losing data.

• "Dynamic tracing" software, or DTrace, diagnostic software that lets programmers pinpoint bottlenecks but that only degrades performance by less than 1 percent, Loiacono said.

• This summer, Sun will begin selling programming tools called compilers to write software that runs on Solaris for x86 chips, with a Linux version coming later, said Rich Green, vice president of Sun's Developer Platforms Group. Compilers translate a programmer's source code into instructions a computer can understand, and Sun boasts that its compilers are up to 40 percent faster than the GCC compiler widely used with Linux.

The new technology is creditable, Haff said, but with the exception of containers isn't likely to directly compete with Linux, which is used mostly on lower-end servers. "The real value is on the really large systems," he said.

Sun Ultra 5 Primer - OSNews.com The OBP, or OpenBoot PROM/Firmware, is the mechanism that acts much like the BIOS on x86 systems.

The OpenBoot is command-line driven, as opposed to x86 text-based (and some graphical) menu systems in the BIOS. Because of its command-line nature, the OpenBoot is arguably better suited for data center and remote installations, where control of the system is possible with a simple, low-bandwidth (9600 baud) serial connection. While some x86 BIOS systems allow output to serial console, those systems are rare.

Because of this, it's much more practical (and less expensive in terms of remote management equipment) to administer systems at a remote location, greatly reducing (but not eliminating entirely) the need for hands-on access. On Sun systems, OpenBoot is shown with what's commonly referred to as the "OK" prompt:

ok>

With the OpenBoot, you can halt, interrupt, change boot-parameters, go into diagnostics, perform SCSI and IDE bus probing, and fully control the hardware, all from a 9600 baud serial connection.

Here are a few commands that will help you:

This will check to see what IDE devices are connected to the system.

ok> probe-ide

If you've got a SCSI system (such as the SPARCStation 5), the command is probe-scsi.

This command boots from the CD-ROM drive, such as when you're installing a new operating system.

ok> boot cdrom

To boot from disk:

ok> boot disk

To boot from the default device, use this command.

ok> boot

To reset the system, which also usually boots the system from the default device:

ok> reset

Any time the boot command is issued, it automatically resets the system (regardless of whether an operating system is running or not).

That just scratches the surface of the OpenBoot system, but this should help get you started if you're looking to boot and install the various operating systems covered. One such resource is the OpenBoot 3.x Command Reference Manual [http://d] from the Sun docs site (The OB version for my Ultra 5 is 3.10). There are numerous FAQs available to help answer any questions you might have.

How to Get to the OK Prompt

If you're using a serial connection, sending a break signal at any time when the system is powered up will bring you to the ok> prompt, even if an operating system is running (the operating system will be "paused").

If you're using the keyboard and screen, the "stop" key from the left vertical row of keys, just above the "props" key (the key used to give someone props; combine with the shift key to give someone mad props) in combination with the "a" key will pause the operating system and bring you to the ok> prompt.

Slashdot Previewing the Next Solaris OS

Re:What about pluggable crypto? (Score:4)
by segfaultcoredump (226031) on Friday February 20, @01:05PM (#8341070)
MD5? I prefer the support for BSD style Blowfish password hashes. Just set CRYPT_DEFAULT to '2a' in /etc/security/policy.conf

so while the old crypt style string looks like this:
Ely3JjNj4Vjz6

and the md5 hashes look like this:
$1$2ZIvIsPP$GqZ5GnNFOm1rgklvylPmP0

the new blowfish strings look like this:
$2a$04$TZ3DP5jgu9s7rbXTJ.i5P.lVl5HX1jWx3BRQB8SkAr1xKsUQIJIcK

(now if only i could find a niceacademic paper that discusses the relative advantages of each one)

I'm currently moving all of our systems from Solaris 8 to 9 and the support for md5 and blowfish in /etc/shadow was a very nice addition. (Not to mention the extra thread performance, better ldap support (no more nis) and a few dozen other things.
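An added example, not part of the post above or of Solaris itself: changing CRYPT_DEFAULT only affects passwords set afterwards, so this Python code classifies shadow password fields by the three formats shown in the post and lists accounts whose hash is not in the policy's default scheme. The user names, the shadow and policy.conf text, and the label unix-crypt are constructed for the example.

```python
import re

# Constructed inputs: a policy.conf fragment with the setting from the post, and
# shadow-style lines (hypothetical users) carrying the post's three sample strings.
POLICY = "# constructed sample\nCRYPT_DEFAULT=2a\n"
SHADOW = """\
alice:Ely3JjNj4Vjz6:12400::::::
bob:$1$2ZIvIsPP$GqZ5GnNFOm1rgklvylPmP0:12400::::::
carol:$2a$04$TZ3DP5jgu9s7rbXTJ.i5P.lVl5HX1jWx3BRQB8SkAr1xKsUQIJIcK:12400::::::
daemon:NP:6445::::::
"""

B64 = r"[./0-9A-Za-z]"  # alphabet used by all three formats
PATTERNS = {
    "2a": re.compile(rf"^\$2a\$(\d\d)\${B64}{{53}}$"),     # $2a$cost$salt+hash
    "1": re.compile(rf"^\$1\${B64}{{1,8}}\${B64}{{22}}$"),  # $1$salt$hash
    "unix-crypt": re.compile(rf"^{B64}{{13}}$"),            # label used here only
}

def crypt_default(policy_text):
    """Return the CRYPT_DEFAULT value, or None if the key is absent."""
    for line in policy_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CRYPT_DEFAULT":
            return value.strip()
    return None

def classify(field):
    """Return (scheme, cost); scheme is None for locked, empty or unknown fields."""
    for scheme, pattern in PATTERNS.items():
        m = pattern.match(field)
        if m:
            # The two digits after $2a$ are the log2 of the iteration count.
            cost = int(m.group(1)) if scheme == "2a" else None
            return scheme, cost
    return None, None

def audit(shadow_text, policy_text):
    """List (user, scheme) for password hashes not in the policy's default scheme."""
    wanted = crypt_default(policy_text)
    stale = []
    for line in shadow_text.splitlines():
        user, field = line.split(":")[:2]
        scheme, _cost = classify(field)
        if scheme is not None and scheme != wanted:
            stale.append((user, scheme))
    return stale

if __name__ == "__main__":
    for user, scheme in audit(SHADOW, POLICY):
        print(f"{user}: still hashed with {scheme}; rehashed only on next password change")
```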
Re:Hope they have Bash, OpenSSL (Score:4, Informative)
by Gollum (35049) on Friday February 20, @07:13AM (#8338261)
ssh access is all you really need to execute X11 commands. Install Cygwin and XFree86 if Exceed is too complex. Then SSH in to the box, and check what your DISPLAY variable is set to (echo $DISPLAY). It should point back to your IP address (or hostname), followed by :0.0

if it is not, do "export DISPLAY=your.ip:0.0" and execute an xterm, or start gnome, or do whatever you want to.
Re:Hope they have Bash, OpenSSL (Score:5, Informative)
by 4of12 (97621) on Friday February 20, @08:34AM (#8338633)
(http://slashdot.org/ | Last Journal: Wednesday October 23, @05:38PM)
??

When I do

$ ssh -X solarisbox

my X network traffic is nicely hidden, taken care of by ssh; the Solaris box puts X traffic onto a fake local framebuffer DISPLAY like

solarisbox:10.0

before sending it back to my realbox:0.0.

It might be slower than what you suggest, but I think it's a lot more secure. Without ssh doing the job of making your X network traffic secure you'll have to worry about Xauthority. Too many people (and I was one once) get around Xauthority hassles with an

$ xhost +

and I can't begin to tell you just how Bad that is.

Re:Wishlist - Global file system (Score:1, Informative)
by Anonymous Coward on Friday February 20, @09:37AM (#8339081)
An article at Ace's Hardware [aceshardware.com] has managed to pick up some information about ZFS (the zettabyte file system). If it's really as good as it promises (as other rumours indicate), then ZFS+NFSv4 will be an amazing combination.
Re:Wishlist - Global file system (Score:2)
by hackstraw (262471) * on Friday February 20, @11:09AM (#8339928)
They do have the poorly documented/marketed QFS which allows for multiple hosts to share a common fibre channel disk array.
Re:devfs (Score:1, Insightful)
by Anonymous Coward on Friday February 20, @08:06AM (#8338466)
Nice, Solaris is getting devfs support . . . just as it is marked deprecated in Linux 2.6

Solaris' lack of change is one of the main reasons why it's so damn stable as an OS. They do not want to be like Linux where there is a new API every year. A new API or new low level things are not bad per se but it's something else that needs to be debugged, something else that needs to be learned and something else that may not be compatible with current software.

Case in point: Oracle on Linux, or any commercial application for that matter. The reason Oracle is only certified for RHAS is because it's very static. They don't have to verify it works with 50 different kernels and 50 different versions of GLIBC. When you have to support your software in situations like this it can be costly not only in terms of money and manhours but also performance and providing customer support. This applies to almost any big name commercial software including BEA's WebLogic and IBM's Tivoli suite.

That's why Solaris is known for and maintains its rock solid reputation. Sometimes, staying off the bleeding, or just the leading edge is a good thing.
DTrace (Score:4, Interesting)
by Anonymous Coward on Friday February 20, @07:18AM (#8338283)
DTrace definitely seems to be worth checking out. As the article indicates, more info is available here [sun.com].
As the article does not indicate -- but it seems to be worth mentioning -- DTrace was introduced in a comp.unix.solaris post here [google.com]. Seems pretty damn cool...
Privileges (was Re:cool feature i am using) (Score:3, Interesting)
by Nonesuch (90847) <nonesuch.msg@net> on Friday February 20, @10:17AM (#8339435)
(Last Journal: Friday September 14, @12:46PM)

Does Linux or BSD have ppriv? Or is this something new?

The closest thing to this that I have encountered is the kernel-level "Type Enforcement" in SecurOS, a BSD variant used for Secure Computing firewalls.

BSD and Linux can use Systrace, which offers some similar process-level controls (can set execution system call profiles per application).

While Solaris has offered file level ACLs forever, they weren't used by default to protect critical system files and very few admins knew to enable them.

One of the things I like about Solaris (I still prefer OpenBSD) is the cool little security and debugging tools that are included in the default install -- when you don't have source, "truss" was a godsend, and "dtrace" takes debugging to a whole new level.

Fire Engine (Score:5, Interesting)
by zz99 (742545) on Friday February 20, @07:57AM (#8338435)
The Register has an old story [theregister.co.uk] about the new TCP/IP stack in Solaris 10, that is good reading.

A quick summary of the story:

The new stack is:
- Efficient at handling multiple NICs
- Low in CPU usage (30% lower than Linux)
- Built for targeting 10/100 Gbps in the future. It has a new construction where it is possible to offload the CPU by routing packets to dedicated packet processing processors.

The last part seems like a preparation for the Sun hardware of tomorrow.
cool feature i am using (Score:5, Interesting)
by Anonymous Coward on Friday February 20, @08:08AM (#8338473)
i try with solaris express and I find a cool feature called "ppriv" like this:

gta3# ppriv $$
1124: bash
flags = 0x0
                E: all
                I: basic
                P: all
                L: all

Ok, so I am root I have all privileges I think

but now look at rpcbind, it is running as daemon but has less privileges even than normal processes

gta3# ppriv 100182
100182: /usr/sbin/rpcbind
flags = 0x2
                E: net_privaddr,proc_fork,sys_nfs
                I: none
                P: net_privaddr,proc_fork,sys_nfs
                L: all

see, it does not have privilege to do 'exec'... there are 30 or more privileges and it has only 3. So i guess this means some stack attack will not work against it like exec shell

also i can run and see privileges like this

gta3$ ppriv -D -e cat /etc/shadow
cat[100619]: missing privilege "file_dac_read" (euid = 77293, syscall = 225) needed at ufs_iaccess+0xd2
cat: cannot open /etc/shadow

not sure what this means?
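On the closing question: the -D line reports that cat lacked file_dac_read in its effective set when the kernel checked it at ufs_iaccess. The following added example (not from the post or from Sun) parses ppriv listings like the two above plus that -D message, and checks whether a process holds proc_exec; the membership of the basic set is a Solaris 10-era assumption.

```python
import re

# Constructed inputs, copied from the listings quoted in the post above.
ROOT_SHELL = """1124: bash
flags = 0x0
        E: all
        I: basic
        P: all
        L: all
"""
RPCBIND = """100182: /usr/sbin/rpcbind
flags = 0x2
        E: net_privaddr,proc_fork,sys_nfs
        I: none
        P: net_privaddr,proc_fork,sys_nfs
        L: all
"""
DENIAL = ('cat[100619]: missing privilege "file_dac_read" '
          '(euid = 77293, syscall = 225) needed at ufs_iaccess+0xd2')

# Assumption: members of the "basic" set on Solaris 10; other releases may differ.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})
ALIASES = {"all": "all", "none": frozenset(), "basic": BASIC}

def parse_ppriv(text):
    """Parse one ppriv listing into pid, command and the E/I/P/L sets.
    A set is the string "all" or a frozenset of privilege names."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    pid, _, cmd = lines[0].partition(":")
    sets = {}
    for ln in lines[1:]:
        m = re.fullmatch(r"([EIPL]):\s*(\S+)", ln)
        if m:  # the "flags = ..." line does not match and is skipped
            name, value = m.groups()
            sets[name] = (ALIASES[value] if value in ALIASES
                          else frozenset(value.split(",")))
    return {"pid": int(pid), "cmd": cmd.strip(), "sets": sets}

def holds(proc, priv, which="E"):
    """True if priv is in the named set: E effective, I inheritable,
    P permitted, L limit."""
    members = proc["sets"][which]
    return members == "all" or priv in members

def parse_denial(line):
    """Split a `ppriv -D` message into its fields, or return None."""
    m = re.fullmatch(r'(\S+)\[(\d+)\]: missing privilege "(\w+)" '
                     r'\(euid = (\d+), syscall = (\d+)\) needed at (\S+)', line)
    if not m:
        return None
    cmd, pid, priv, euid, syscall, where = m.groups()
    return {"cmd": cmd, "pid": int(pid), "privilege": priv,
            "euid": int(euid), "syscall": int(syscall), "where": where}
```

For the rpcbind listing, proc_exec is absent from both E and P, so the process cannot exec and cannot re-enable the privilege, since E can only be raised to what P still contains.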
Another intro to Solaris 10 (Score:5, Interesting)
by ChrisRijk (1818) on Friday February 20, @08:16AM (#8338519)
Ace's Hardware had a post about Solaris 10 [aceshardware.com] back in November.

There is an alternative introduction on the main Solaris 10 page [sun.com] too. Eg:

N1 Grid Containers is a breakthrough approach to virtualization with multiple software partitions per single instance of the OS. N1 Grid Containers make consolidation simple, safe and secure.

* Superior Resource Utilization. N1 Grid Containers dynamically adjust resources to business goals within and across the container. With little management overhead (less than 1%), it offers over 4,000 containers per system.
* Increased Uptime. With N1 Grid Containers, applications are isolated from each other and from system faults. Using Instant Restart, each Container can be restarted in just seconds. Boot time in large systems can be reduced by as much as 70%.
* Reduced Costs. N1 Grid Containers simplifies and accelerates consolidation. It also significantly reduces system, admin and maintenance overhead.

The containers (previously called Solaris Zones) can also each have their own root password and own IP address, as well as min/max/QoS resource settings.

Re:Another intro to Solaris 10 (Score:2)
by gtrubetskoy (734033) * on Friday February 20, @01:45PM (#8341513)
(http://www.ispol.com/home/grisha)
breakthrough approach to virtualization

I am not 100% certain, but I believe their approach is similar to that of FreeBSD jails or the Linux VServer where in addition to a user id and a process id you also have another id (jail id or context id in FreeBSD and VServer respectively). The point is that it's not breakthrough because FreeBSD and Linux already do this.

Re:Another intro to Solaris 10 (Score:1)
by slickwillly (754596) on Saturday February 21, @12:29AM (#8347472)
Actually Linux is not even close to having this capability. This comes from Sun's protected (DoD certified) "Trusted Solaris" and is analogous to having the multiple kernel installations (all with their own domains) on a single 'instance'.

It will take nearly a complete re-write of the Linux kernel to achieve the same
DTrace probes (Score:5, Interesting)
by haggar (72771) on Friday February 20, @08:19AM (#8338533)
(http://slashdot.org/ | Last Journal: Monday December 30, @12:57AM)
DTrace probes were the most important factor for our decision to upgrade all development servers to Solaris 10. We'll mostly skip Solaris 9, actually.

The fact is that we need as much insight in our processes as we can possibly get, as every little performance increase helps. Plus, we get to inspect possible sources of instability.

Typically our products interact with several third-party products, and the DTrace probes will be very useful in tracking down memory leaks and utilization details in such complex environments.

Sun Microsystems - BigAdmin DTrace

DTrace is a comprehensive dynamic tracing framework for the Solaris Operating Environment. DTrace provides a powerful infrastructure to permit administrators, developers, and service personnel to concisely answer arbitrary questions about the behavior of the operating system and user programs.

The Solaris Dynamic Tracing Guide describes how to use DTrace to observe, debug and tune system behavior. The book (below) also includes a complete reference for bundled DTrace observability tools and the D programming language.

 

Solaris 10 features :

It would be more than that, at least from what the description suggests. The problem with sudo is that you're often giving suid access to programs that aren't designed to be suid, so someone who has the right entries in the sudoers file can root the machine with ease. Proper privilege separation in the admin tools would mean being able to give someone access to run apt-get dist-upgrade (or whatever it is) without his being able to install his own packages. It would mean letting someone add non-root users but not root users, or resetting passwords but only for users in a certain group. It requires planning when creating admin tools, not a "slap it on" solution like sudo.

Sun's current road map for SPARC -- shows it splitting into 2 distinct roles (as opposed to the current i/s/e suffix Sun gives the CPUs right now).

Sun's compiler, Forte from SunONE Studio 7.

The speed improvements that Forte adds make it very attractive. You can compile almost every open source program using Forte 7; I compiled GNOME and KDE (I wouldn't say they were easy to compile, but still it's possible).

gnu make, autoconf, automake, m4,  and is an improvement over the same env with gcc.


Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: March 12, 2019