Archive for the ‘Solaris’ Category

upgrading PHP fastcgi with lighttpd

Tuesday, September 16th, 2008

Until recently I was using sunfreeware’s version of php. It worked great until I wanted to use PHP with my postgres DB.

The simple way to do this was rebuild PHP from source and include postgres support. Simple enough and I did that last week. However when I opened up my phpinfo.php page it still showed I was using the old version of php. Multiple restarts of lighttpd and it was still reporting I was using the old version of php. I was getting very frustrated.

Tonight I rebuilt php yet again. Everything was still reporting using the old version. When I executed php-cgi interactively against phpinfo.php it reported the new version. This told me that it wasn’t the code, it must therefore be the lighttpd.conf configuration file. I’d looked at that previously but didn’t notice the socket line that precedes the path to php-cgi in the configuration. When I looked for the open socket I found 4 open sockets. I killed lighttpd and deleted the sockets, restarted lighttpd and it worked!

But now it is late and I need some sleep so I can verify functionality yet.

Using a USB drive in Solaris 10

Monday, September 1st, 2008

With vold running it is fairly simple.

First edit /etc/vold.conf.

By default it won’t support removable media (that’s actually a good thing IMESHO).
Edit this line:

support nomedia

to be this:

support media

After you do that, restart vold like this:

svcadm restart vold

Now when you plug in your USB device you will have access to it.
How do you access it? If it is a mass storage device do the following:

  1. show what raw device the USB drive is using with this command:

    rmformat -l

  2. the output will show the raw device the drive is using (a /dev/rdsk path). mount needs the matching block device under /dev/dsk, so you can then issue a command like this one:

    mount /dev/dsk/c4t0d0s2 /mnt

    and mount the drive

If you need/want to create a new UFS filesystem on the device, that’s accomplished by this command:

newfs -v /dev/rdsk/c4t0d0s2

building Authen-PAM on solaris 10

Tuesday, November 27th, 2007

Perl’s CPAN module Authen-PAM is one of those annoying pieces of code that assumes you have Linux. As such, doing the normal:

perl ./Makefile.PL
make
make test
make install

fails on the make…..

What you need to do to get it to compile cleanly is:

CC=gcc perl Makefile.PL

Then edit the resulting Makefile to remove the following options, which are located in various parts of the Makefile:

-KPIC
-xO3
-xspace
-xildoff
-xarch=v8

Then it will compile cleanly.

Compiling pam_radius on Solaris 10

Monday, November 26th, 2007

I was beating my head against the wall for a while trying to get the included Makefile to work on my Solaris 10 (sparc) machine. I then found two separate references to fixing the problems I was encountering. One suggested using this string to compile:


gcc -Wall -fPIC -c pam_radius_auth.c -o pam_radius_auth.o

the other using this string to link:

ld -G pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so -lsocket

After that I had a functioning PAM module.

Adding the following lines to /etc/pam.conf enables RADIUS auth via PAM:


sshd-kbdint auth required pam_radius_auth.so debug
sshd-kbdint auth required pam_unix_cred.so.1

Then configuring the server and client with the same secret resulted in Solaris 10 (sparc) successfully authenticating against my authentication server.

I have to say I am happy at the pace at which I am proceeding.

[update: on my intel based Solaris machine the included Makefile works just dandy with no modifications]

UPDATE 1 Oct 2008:
Here is my pam.conf file per a request in the comments:

# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin auth required           pam_unix_cred.so.1
krlogin auth binding            pam_krb5.so.1
krlogin auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh    auth required           pam_unix_cred.so.1
krsh    auth binding            pam_krb5.so.1
krsh    auth required           pam_unix_auth.so.1
#
# Kerberized telnet service
#
ktelnet auth required           pam_unix_cred.so.1
ktelnet auth binding            pam_krb5.so.1
ktelnet auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_cred.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# ssh authentication
sshd-kbdint auth required pam_radius_auth.so debug
sshd-kbdint auth required pam_unix_cred.so.1

The last two lines are how I enabled ssh to use pam_radius for authentication. You also need to enable PAMAuthenticationViaKBDInt in your sshd_config for this to work.

Oh, and I was only using radius for external access to the machine. For sudo I was still using the local credentials stored in /etc/shadow.
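As an added example (not from the original post), this shell sketch resolves which pam.conf entries actually apply to a service and module type: a service's own entries if it has any, otherwise the `other` entries. It shows that the two sshd-kbdint auth lines replace the `other` auth stack for that service, while a service with no entries of its own (sudo here) keeps the local stack. The function names and the trimmed sample file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a trimmed pam.conf with only the entries needed here.
sample_pam_conf() {
cat <<'EOF'
# comment and blank lines are ignored
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
sshd-kbdint auth required pam_radius_auth.so debug
sshd-kbdint auth required pam_unix_cred.so.1
EOF
}

# pam_stack SERVICE TYPE   (pam.conf text on stdin)
# Prints one line per effective entry: "<source> <control_flag> <module> [options]"
# where <source> is "explicit" (the service's own lines) or "other" (fallback).
# Note: on Solaris 10 use nawk or /usr/xpg4/bin/awk; /usr/bin/awk lacks -v.
pam_stack() {
    awk -v svc="$1" -v typ="$2" '
        $1 ~ /^#/ || NF < 4 { next }      # skip comments and short lines
        $2 != typ           { next }      # only the requested module type
        {
            line = $3
            for (i = 4; i <= NF; i++) line = line " " $i
            if ($1 == svc)          own[++n]  = line
            else if ($1 == "other") dflt[++m] = line
        }
        END {
            if (n > 0) { src = "explicit"; cnt = n } else { src = "other"; cnt = m }
            for (i = 1; i <= cnt; i++) print src, (n > 0 ? own[i] : dflt[i])
        }'
}

# stack_uses SERVICE TYPE MODULE   (pam.conf text on stdin)
# Succeeds only if MODULE appears in the effective stack.
stack_uses() {
    pam_stack "$1" "$2" | awk -v m="$3" '$3 == m { found = 1 } END { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample; on a real host: pam_stack sshd-kbdint auth < /etc/pam.conf
sample_pam_conf | pam_stack sshd-kbdint auth
```

With this configuration, `stack_uses sshd-kbdint auth pam_unix_auth.so.1` fails, so keyboard-interactive SSH logins depend entirely on the RADIUS server being reachable.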

Solaris Service Management Facility (SMF) profile example

Friday, August 24th, 2007

The Service Management Facility (or SMF) in Solaris 10 replaces the traditional init scripts that almost all unix system administrators are familiar with. While init scripts work well, there are some shortcomings that SMF overcomes.

ClamAV SMF config in a zone

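In the global zone you need the equivalent of an init script:

/lib/svc/method/svc-clamav

#!/bin/sh
#
# SMF method script for clamd. Only "start" does real work here;
# the manifest stops the service with the built-in :kill method.
LD_LIBRARY_PATH=/usr/local/ssl/lib/
export LD_LIBRARY_PATH
CONFIG=/etc/clamav/clamd.conf
case "$1" in
        start)
                # plain echo: $"..." and echo -n are not portable to /bin/sh
                echo "Starting Clam AV daemon"
                /usr/local/sbin/clamd --config-file="$CONFIG"
        ;;
        stop)
                echo "Stopping Clam AV daemon"
        ;;
esac

Then set ownership and permissions on the script:

chown root:bin  /lib/svc/method/svc-clamav
chmod 555  /lib/svc/method/svc-clamav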

In the sub zone:

/var/svc/manifest/system/security/clamav.xml

<?xml version='1.0'?>
 <!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--

        Paul M Johnson
        Service manifest for ClamAV
        E-mail: pjohnson@bosconet.org
 -->

 <service_bundle type='manifest' name='clamav:clamav'>

<service name='system/security/clamav'
         type='service'
         version='1'>
         <create_default_instance enabled='false' />
         <single_instance />

         <dependency name='fs'
                 grouping='require_all'
                 restart_on='none'
                 type='service'>
                 <service_fmri value='svc:/system/filesystem/local' />
         </dependency>

         <dependency name='net'
                 grouping='require_all'
                 restart_on='none'
                 type='service'>
                 <service_fmri value='svc:/network/loopback' />
         </dependency>

        <dependency name='config'
            grouping='require_all'
            restart_on='restart'
            type='path'>
                <service_fmri value='file://localhost/etc/clamav/clamd.conf' />
        </dependency>

         <exec_method type='method'
                 name='start'
                 exec='/lib/svc/method/svc-clamav  start'
                 timeout_seconds='-1'>
         </exec_method>

         <exec_method type='method'
                 name='stop'
                 exec=':kill'
                 timeout_seconds='-1'>
         </exec_method>

 </service>

 </service_bundle>

Set ownership and permissions on the manifest:

chown root:sys /var/svc/manifest/system/security/clamav.xml
chmod 444 /var/svc/manifest/system/security/clamav.xml

Import the service into the service repository:

svccfg import /var/svc/manifest/system/security/clamav.xml

Enable the service:

svcadm -v enable clamav

Update 6 May 2009

There was an extra space in the XML above and I found this command:

xmllint -valid <FILE NAME>

to help identify the offending lines.

Solaris Jumpstart error: cat: cannot open /cdrom/.cdtoc

Monday, May 7th, 2007

I have several Sun servers I want to set up in a more repeatable process than I have in the past. I’ve set up Solaris install servers in the past but it has been almost 7 years since I last did this. As such I’ve been re-learning the process. I got to the point where the server was successfully net booting and getting its network configuration but failed to automatically install according to the profile I had created. Here’s the error I kept getting:


cat: cannot open /cdrom/.cdtoc

Googling on that error was not much help. I did manage to figure out my problem.
The problem ended up being with the install parameter in /etc/bootparams.

The trouble stemmed from a misunderstanding of how to use the setup_install_server script. I had originally been running it twice. Once to setup a boot server in one directory and a second time to set up an install server.
As it turned out I did not need to set-up both of these since my install server was also the local boot server.

client root=192.168.10.200:/export/Jumpstart/jumpstart/OS/10-sparc/Solaris_10/Tools/Boot \
sysid_config=192.168.10.200:/export/Jumpstart/jumpstart/sysidcfg/jump2 \
install=192.168.10.200:/export/Jumpstart/jumpstart/OS/10-sparc boottype=:in \
install_config=192.168.10.200:/export/Jumpstart/jumpstart rootopts=:rsize=8192

So when setting up an install server that is the local boot server all you need to do is cd /cdrom/sol_10_1106_sparc/s0/Solaris_10/Tools and type:

./setup_install_server <target LOCATION>

That’s all you need to do to solve the problem.

How to get public patches directly from Sun with wget

Monday, May 7th, 2007

In August 2006 Sun changed their policies in allowing access to patches. Now instead of going directly to sunsolve.sun.com and downloading a zipped bundle of patches you need to use a tool. There are plenty of tools out there you can use but sometimes you just want something simple, like wget.

So here is how you can directly download a patch from Sun:

  1. get the PATCH ID (e.g. 122300-06 [SunOS 5.9: Kernel Patch]) from Sun.
  2. if you don’t already have a sunsolve.sun.com account go create one.
  3. using any version of wget (including the one that you can install from Sun’s install media) use the following syntax:

    /usr/sfw/bin/wget \
    --http-user=<USERID> \
    --http-passwd=<PASSWORD> \
    -nv \
    "https://sunsolve.sun.com/private-cgi/pdownload.pl?target=<PATCH ID>&method=h" \
    -O /tmp/patches/<PATCH ID>.zip

    A password given on the command line is visible to other local users in ps output while wget runs.

  4. Watch the patch download to /tmp/patches (or whatever directory you specify).

odd “df” behavior in solaris 9

Sunday, April 8th, 2007

I have a watchdog script on one of my servers that monitors disk usage. When it gets over 80% I start getting a daily email telling me that space is running out. The other day my server started sending me emails that capacity on /var was over 80%. I ignored this for a couple days and the usage was creeping up by about 1% a day. No big deal.

When I did look at the file system I quickly found the offending file. Before deleting the file here’s what the output of df on /var looked like:

Filesystem            Size  Used Avail Use% Mounted on
....
/dev/dsk/c0t0d0s6     2.0G  1.7G  240M  88% /var
...

I deleted the file and df still reported this:

Filesystem            Size  Used Avail Use% Mounted on
....
/dev/dsk/c0t0d0s6     2.0G  1.7G  240M  88% /var
...

That’s not right. I just deleted a file and I should have more space… so let’s see what du reports for /var:

root@ryerson:/var$ du -sh .
271M    .

This seems to imply that df is not reporting information correctly. Since this server is not critical I can reboot it anytime. I suspect that will solve the problem of df reporting the wrong size. And after a reboot I am proved correct:

Filesystem            Size  Used Avail Use% Mounted on
....
/dev/dsk/c0t0d0s6     2.0G  273M  1.6G  14% /var
....

I haven’t researched this any further and wonder if this is a bug in df or Solaris…

Still stumped but with a stable server

Sunday, November 5th, 2006

In an effort to return stability to my server I took the somewhat drastic step of replacing hardware yesterday. Earlier in the week I acquired a similar server (Sun Netra X1) off ebay for under $70 shipped. (This is one advantage of using older hardware you can get really good deals on it). [this purchase was a calculated risk since the seller couldn't test it any further than verifying that the LOM prompt came up. I figured if the machine worked I had a good deal, if I didn't I still had a spare power supply that I could use in an emergency and for a lot less than I could purchase one new { approximate cost of a new PS: $180}]. I got lucky and this new machine worked just fine once I put memory and a hard drive in it.

Now that I had working spare hardware I decided to take a drive down to the co-lo facility on Saturday and swap machines. If all went well this should take about 30 minutes and solve the twice daily reboots my server had been experiencing for almost a month now. Actually my plan wasn’t to completely swap machines. My plan was to basically swap the motherboard and CPU, while keeping the HD and memory. The swap went quickly and bosconet came back up clean with no errors and was publicly available in about 30 minutes.

Since yesterday when I swapped the hardware my server has been stable and up for just about 25 hours now. Surprisingly the old hardware has also been up and running without a reboot for that same amount of time.

So again I’m stumped what was causing the rebooting in the first place. But I am happy to have a stable server again.

Stumped

Monday, October 16th, 2006

I mentioned just over a week ago in periodic reboots that my server, since I rebooted, has decided that it likes rebooting and keeps doing it every 11 hours and 42 minutes. In consulting with other knowledgeable Solaris admins this seems to have stumped them also. I just posted to the Sun forums and hopefully that will get me an answer.