English

Okay, i know this will annihilate productivity for today, but just in case you have some brain cycles to spare: Here is a small jump and run game called Oracle Runner.

Interesting article about stuff you have to know when you have to use IDR (Interim Diagnostics / Relief) on your system: "Top Tip: Managing Solaris 11 IDRs".

Since Solaris 11.1 the ssh implementation of Solaris supports the usage of X.509 certificates. There is a tutorial of a colleague that explains the setup however when i linked to it a while ago, i got some mails telling me, that it was a little bit on the hard side to understand. So i thought it would be a nice idea to explain the stuff Hai-May Chao wrote in her article on OTN the LKSF way.

However there are a few differences: I won't explain that much about command lines and - more important - i'm using openssl instead of pktool to create keys and certificates.

That was really cool in the recent days. I made my 4 "Solaris Security 11" events as part of the Oracle Business breakfast series talks in the last 2 weeks. I don't have the final count, but the final numbers of attendees were north of 100 people, not bad for such small event series (it's organized by local technical colleagues) with extremely technical content. There is really a lot of interest in this kind of topics. I'm doing a final release at the preso at the moment for distribution. Think i will put a deoracleized version on the blog.

Friday was a little stressful. Did a second talk about "Oracle Virtual Networking" afterwards in front of a few colleagues. This is really great technology, so i like to talk about it. Closed at 14:10, went to the garage, arrived there at 14:13 (didn't know that there was parking space directly in front of the building), the machine for payment just took cash and only bills up to 20€. Dang. Just two 50€ bills. And 17 cents short of the money in coins. Damned. Okay, going into the adjacent shopping centre to get smaller bills. 14:21. Short traffic jam in the Peteul tunnel. Doesn't sound that bad alone, but my flight to HAM started boarding at 15:00 and so things started to get interesting and in the tunnel i got a little bit nervous. As i had to refuel and return a rental car it got even more interesting. To make the story short: Was at the gate at 15:10 .. not a single minute too early.

That said: Telling people about technology, sharing my knowledge and enthusiasm for it by doing such presentations. Could do this all the time

12 years and one day after NineEleven. It's okay only to remember the victims of Nineeleven on 9/11 of each year. But on all other days we should remember that civil rights is an ongoing fight, too. Not only against terrorist in the pre-nineeleven sense and terrorists in the inflationary post-nineeleven sense, but especially against people that offer you a little bit of security with the price tag of large dents in your civil rights.

Sometimes i would like to be able to do the jedi mind trick. Like "This isn't the performance issue you are searching for". Because it would be easier to convince people in that case that they saw the effect, but not the cause. That said, I think the real root cause on what i will describe in this block of this problem is the separation of database admins and system admins. But that's my personal opinion.. Imagine from one day to another, your storage goes mad. The analytic tools of your storage show long latencies, the led of the storage just show massive use of the storage. As you didn't made any change your first assumption is "storage has a defect" or "i just hit a bug in the storage firmware". At the end he or she thinks "No major release changes. Perhaps a few minor configuration changes. And none of them has to do with storage".

The new iPhone has a fingerprint scanner and some people are already complaining that this isn't good decision of Apple in this "NSA here, NSA there" times. Perhaps it's really not a clever idea from the PR perspective. However you have to do a threat analysis. What's more reasonable and more dangerous and damanging to you. The fear that the fingerprint (most often the sensor don't deliver a finger print but something like a hash code of the print) may leave the phone (you leave 1000 copies of your finger print a day around you just by grabbing stuff anyway). Or thieves, friends preparing a prank or your significant other just following the grease traces on your phone to find out the unlock code (which you don't need with a finger print scanner)?

Never underestimate the tendency of the audience and the time you spend with the discussion to discuss NSA stuff when you do a security presentation these days. I made my "Security with Solaris 11.1" preso in Hamburg without sildes and just demoing the security features live in front of the audience, however i think i need a slide version for it in oder to get back to speed when the discussion has diverted and you need to get to plan.

When you are using kssl (like described in this blog entry) there are some tricks and hints you should be aware of:

• When you try to configure kssl and you get always a connection refused when trying to connect, please check if you have configured the Listen in your apache configuration (for example) if it's configured with an IP address and port number like:

  Listen 192.168.10.20:8080

  A listen with just a port number is not enough.
• If you want to change the default ciphers for kssl, you have to resequence the ciphers with -c of ksslcfg. The command line should look like

  ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
  -p /etc/keys/my.pass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5"  \
  192.168.1.102 445

There was once a comment stating "If privacy is outlawed, only outlaws will have privacy". I would change that "If privacy is broken to catch terrorists, only terrorists will have privacy". I have my doubts that any interesting data transmitted by terrorists will be transmitted by communication means that are breakable. There are unbreakable means of encrypting and decrypting data, you can even look them up in Wikipedia: One-time pad. Perhaps using a Lady Gaga CD as a key ... that music sound pretty random to me And i assume that terrorists can read wikipedia as well as the normal people. So where are we now: The cryptography used by normal people as defined by standards is broken by agencies, however cryptography unbreakable is still available to not-so-smart-bombs with semtex underwear respectively the people sending them ...

Just as an reminder - many people think of the ZFS mirroring as two or three disk configurations. But actually it's a n-way mirroring:

You could use two disks:

root@template:/testdev# zpool create testpool mirror /testdev/test0 /testdev/test1
root@template:/testdev# zpool status testpool
  pool: testpool
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        testpool            ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            /testdev/test0  ONLINE       0     0     0
            /testdev/test1  ONLINE       0     0     0

errors: No known data errors

You could use three disks:

root@template:/testdev# zpool create testpool mirror /testdev/test0 /testdev/test1 /testdev/test2
root@template:/testdev# zpool status testpool
  pool: testpool
 state: ONLINE
  scan: none requested
config:

        NAME                STATE     READ WRITE CKSUM
        testpool            ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            /testdev/test0  ONLINE       0     0     0
            /testdev/test1  ONLINE       0     0     0
            /testdev/test2  ONLINE       0     0     0

errors: No known data errors

However you could do 11 mirrors as well:

root@template:/testdev# zpool create testpool mirror \
/testdev/test0 /testdev/test1 \
/testdev/test2 /testdev/test3 \
/testdev/test4 /testdev/test5 \
/testdev/test6 /testdev/test7 \
/testdev/test8 /testdev/test9 \
/testdev/test10
root@template:/testdev# zpool status testpool
  pool: testpool
 state: ONLINE
  scan: none requested
config:

        NAME                 STATE     READ WRITE CKSUM
        testpool             ONLINE       0     0     0
          mirror-0           ONLINE       0     0     0
            /testdev/test0   ONLINE       0     0     0
            /testdev/test1   ONLINE       0     0     0
            /testdev/test2   ONLINE       0     0     0
            /testdev/test3   ONLINE       0     0     0
            /testdev/test4   ONLINE       0     0     0
            /testdev/test5   ONLINE       0     0     0
            /testdev/test6   ONLINE       0     0     0
            /testdev/test7   ONLINE       0     0     0
            /testdev/test8   ONLINE       0     0     0
            /testdev/test9   ONLINE       0     0     0
            /testdev/test10  ONLINE       0     0     0

You could now fill up your pool with some data

root@template:/testpool# dd if=/dev/urandom of=testfile
^C11266+0 records in
11266+0 records out
root@template:/testpool# md5sum testfile
788d23ef58a5e5f9c60d17958a6c4aca  testfile

Why should you want something like that. Well ... for people from the belt and suspender department this is really useful. But it think more of creating identical copies of your pool on several devices. I'm sure you already see some nice usecases when those disks are located in a SAN or on a iSCSI-Server:

root@template:/testdev# zpool split testpool testpool1_10 /testdev/test10
root@template:/testdev# zpool split testpool testpool1_9 /testdev/test9
root@template:/testdev# zpool split testpool testpool1_8 /testdev/test8
root@template:/testdev# zpool split testpool testpool1_7 /testdev/test7
root@template:/testdev# zpool split testpool testpool1_6 /testdev/test6
root@template:/testdev# zpool split testpool testpool1_5 /testdev/test5
root@template:/testdev# zpool split testpool testpool1_4 /testdev/test4
root@template:/testdev# zpool split testpool testpool1_3 /testdev/test3
root@template:/testdev# zpool split testpool testpool1_2 /testdev/test2
root@template:/testdev# zpool split testpool testpool1_1 /testdev/test1

Afterwards you could just take one of the disks and import as a separate pool:

root@template:/testdev# zpool import -d /testdev testpool1_1
root@template:/testdev# zpool status testpool1_1
  pool: testpool1_1
 state: ONLINE
  scan: none requested
config:

        NAME              STATE     READ WRITE CKSUM
        testpool1_1       ONLINE       0     0     0
          /testdev/test1  ONLINE       0     0     0

errors: No known data errors

Let's check the content:

root@template:~# cd /testpool1_1/
root@template:/testpool1_1# md5sum testfile
788d23ef58a5e5f9c60d17958a6c4aca  testfile

A customer looked at me really puzzled when doing this.When we were working at setting up a system at the console, i needed more than one command line.

Customer: "On Linux systems we would use virtual consoles"
Joerg: "On this operating system, too"

Surprisingly positive article about the SPARC M6 and Bixby presentations at Hotchips25: Oracle revs up Sparc M6 chip for seriously big iron

I think we will see some news in the usual news outlets about upcoming SPARC silicon soon. The agenda of the currently running Hotchips 25 conference has three presentations related to SPARC:

• "SPARC64 X+ : Fujitsu’s next generation processor for the UNIX servers" by Toshio Yoshida of Fujitsu
• "SPARC M6: Oracle’s Next Generation Processor for Massively Scalable Symmetric Multiprocessor (SMP) Data Center Servers with Enterprise Class RAS" by Ali Vahidsafa and Sutikshan Bhutani of Oracle
• and "Bixby: the Scalability and Coherency Directory ASIC in Oracle’s M5/M6-32 Systems" by Thomas Wicki and Juergen Schulz of Oracle

For a long time the maximum number of groups a user could belong to was 16, albeit there was a way to get 32. In Solaris 11 and recent versions of Solaris 10, the maximum number of groups a user could belong to is 1024 (which is the same limit Windows sets in this regard). It's easy to set the new limit.

set ngroups_max=1024

After a reboot, this change will be active. But why isn't this the default? There are good reasons for it. I will show you one of them in this entry. Like thinking that two digits for the year or using a signed 32-bit integer for storing the system time, the issue has it's root cause in a decision made a long time ago … in this example the moment in the past is at least 25 years ago. And often just changing something, breaks stuff that is really old, but still in use.

Experienced Solaris users, who tuned their Solaris System for up to 32 groups per user, already know the component that will be broken by having more than 16 users, because a message at the next boot of the system after the change in /etc/system that next startup will deliver a warning. It's about the problem that many people encounter when using NFS with one user in more than 16 groups (it's not an NFS problem, but i will explain that).

However, as i already said, there is a a solution for this problem since Solaris 11.1. This blog entry will show the workaround in action.