Disclaimer: The individual owning this blog works for Oracle in Germany. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.
PSARC 2009/377 In-kernel pfexec implementation
Wednesday, April 28. 2010
Comments
I've described one important, more of them are in the ARC documentation I've linked to.
All this work... for what?
What good is pfexec if you have a heterogeneous environment? pfexec doesn't exist on HP-UX; it doesn't exist on AIX (contrary to hype); and it most definitely does not exist on Linux. So with this, system administrators worldwide will need to learn the intricacies of pfexec (which is extremely complex), IN ADDITION to sudo. If they were to follow the Sun way, they would end up with a salad: pfexec/RBAC on Solaris, sudo on everything else. Who thinks up these things?!? What is going on inside of that organization of yours?!?
We had this discussion already, you write your rant about pfexec every time you see it, I won't restart the discussion ....
as@solstice:~$ uname -a; /usr/bin/sudo
SunOS solstice 5.11 snv_129 i86pc i386 i86pc
usage: sudo [-n] -h | -K | -k | -L | -V | -v
usage: sudo -l[l] [-AnS] [-g groupname|#gid] [-U username] [-u username|#uid] [-g groupname|#gid] [command]
usage: sudo [-AbEHnPS] [-C fd] [-g groupname|#gid] [-p prompt] [-u username|#uid] [-g groupname|#gid] [VAR=value] [-i|-s] []
usage: sudo -e [-AnS] [-C fd] [-g groupname|#gid] [-p prompt] [-u username|#uid] file ...
so what's your exact problem now? that you get an additional way to solve your problems (a way that I would call superior)? I said it before: if you are not willing or able to learn new things or adapt to the progress: die with the past, but don't bother us with your stubborn rants. the world is evolving, don't blame others for this if you can't keep pace.
Well, well, well, what irony... I just love it when a clueless "me too" accuses me of things he knows nothing about.
I actually have formal education in RBAC, and many other technologies in Solaris. And as far as irony is concerned, the very OpenSolaris and innovations you are boasting about, every time you run OpenSolaris, you're running my code. Didn't know that, did ya, "me too"? That's right, I hold copyright on some of the code you run in OpenSolaris. Every time you run your "progress", you're running my code. Don't forget that, "me too".
and, what's the impact of this to my comment? correct, there's none. and if you have written 99% of the opensolaris code, your comment (or try to troll people) is just a stubborn rant. bother the people who made the decision to extend pfexec in this way, not the messenger. telling people how great you are doesn't substitute an argument. and nothing else you have done here. come back when you have arguments.
The messenger should not be promoting something which is a regression as progress.
It's that simple.
My exact problem is that all these resources - time, effort, money - are being wasted on stuff like RBAC, when you STILL have a buggy implementation of the DHCP server, still have a buggy implementation of the DHCP client, still have ZFS trip and fail if there are any lofs mounts in /etc/vfstab... should I go on?
My point is, there are very basic things, basic functionality inside of Solaris, that still isn't fixed, instead time and effort is being wasted REINVENTING WHEELS from which a sysadmin in a heterogeneous environment can't benefit. In fact, this just causes more work! It does not make one's life SIMPLER. Fix basic functionality in Solaris services first... then do exotic things like pfexec.
1. OpenSolaris is open source ... why don't you help with it?
2. pfexec isn't an exotic feature and all the profile shells aren't one as well ...
3. Just because you don't like it, doesn't imply that no one needs it ... but that is a topic we already had in the past, too.
See above.
That's right, I do not approve of wasting time and effort on something that already exists. I'm also criticizing anything that is more complex than it needs to be. I don't care how fancy the technology is, if it is more complex than it needs to be, then it's BUSTED, especially if there already exists a solution that works just as well and is ubiquitous. Finally, I note that you have not spared one, not one word on commenting about using the resources in a better way, so as to fix basic functionality in Solaris, rather than chasing exotic projects like RBAC. Very interesting.
Oh .. that's just because I prefer to write new articles over having fruitless discussions with you. You should go and learn about the person who developed this stuff. And perhaps reading "The mythical man-month" would be a nice lecture.
BTW: Did you file a bug at bugs.opensolaris about your bugs?
Dear Joerg, not only have I read "The mythical man-month", I almost know it by heart.
You see, I am one of the engineers he so vividly described. At the time, I did not know what my problem was, but instinctively I felt the pain. Then I read his book, and realized I had designed one such "second system", and that both the code and the architecture I put forth suffered from the second system effect. That was the breaking point. From that point on, I swore I would fight complexity at every turn and at every opportunity; so when I see complexity -- a regression -- being shamelessly promoted as "progress", of course I'm going to get upset.
As for the guy who thought this stuff up, you better believe I would love to meet him in person! And you better believe I would have a few words to say to him about his "baby". Maybe someday I'll get my wish and get to tell him/her what I think about his "invention", and WHY.
Apropos bugs: yes, I filed all of them. I used to file bugs as a matter of course, because I believed that the system works. Then I'd get an automated e-mail about a change of status; I'd go look, and it would say "need more info - see comments", except that the comment field was disabled, and since there was no address I could contact, and couldn't update the bug, the bug would get closed eventually by an automated process. So the system, in which I so firmly believed, turned out to be flawed and busted.
In yet another instance, I've opened an RFE to add clustering capability to ZFS, to scope the work necessary. I can not find that bug any more; it seems to have been deleted. I looked and looked, but as I don't have the CR any more, it turned out to be futile. So yes, I've logged bugs; and yes, I've opened RFEs.
To cite you: "As for the guy who thought this stuff up, you better believe I would love to meet him in person! And you better believe I would have a few words to say to him about his "baby""
What's really interesting is that you don't want to ask him about his "baby" and why he did it the other way and not the one preferred by you. It just looks the way, that you just want to tell the world your opinion but you aren't willing to really discuss it ... PS: Pass me a bug id ... I will look up why you aren't able to see the comments ...
C.D.?
Now that's a stab in the heart, because I do hold him in high regard. As far as I know though, he is not the father of RBAC. And that's the guy I want to have a chat with. If I can find the CR ID, I'll be glad to pass it to you. It's been closed long since though. All of them, not just one.
I thought, you thought about the implementation in Solaris, not about RBAC in general.
Nevertheless I don't think that you understood my comment. Perhaps I expressed it wrong. To express it simpler: Why do you just want to tell C.D. what you think about it, but not mention to ask C.D. what he thought, when he implemented it that way. That was my point. And that's what I call discussion. Not just "i will tell him a word or two". Regarding the CR: Nevertheless interesting, just want to check it, to prevent future problems. You can file bugs about the bug filing system.
Here is one, opened by yours truly:
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6859418
From the internal bug system: "There are countless Solaris users (myself included) who do this every day using the latest builds without issue; we're going to need something more to go on than what's in the Description. As a starting point, starting dhcpagent by hand with /sbin/dhcpagent -d1 -f -v& ... and attempting to acquire a lease with ifconfig, then sending us the logs would be a good first step. Also, the packet exchange with snoop and a gcore(1) of dhcpagent once it gets into this state would also be helpful. Marking "incomplete" until we have some way to proceed."
Send it to me and I will pass it to the responsible engineer ...
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License