11.3.SRU31 - updated pam_list

The just released Solaris 11.3 SRU31 has an updated pam_list module which adds support for '*' and comments. The '*' wildcard is really useful, as it allows common PAM configuration where access to a server can be managed only by an allow file. For example, in /etc/pam.d/XXX you can now have:

account sufficient pam_list.so.1 allow=/etc/security/access.conf

If the access.conf file has only '*' which means all users have access, or you can just list users, netgroups or unixgroups.

To achieve the '*' before one had to modify the PAM configuration or use a different module (for example compile pam_access from Linux).

This is a good example of one of the small but very useful changes.

GCC 7 on Solaris 11.4

How to get gcc-7 on Solaris 11.4?

root@solaris:~# pkg install gcc-7
           Packages to install: 14
           Mediators to change:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                      PKGS         FILES    XFER (MB)   SPEED
Completed                    14/14     1822/1822  332.0/332.0  423k/s

PHASE                                          ITEMS
Installing new actions                     2253/2253
Updating package state database                 Done 
Updating package cache                           0/0 
Updating image state                            Done 
Creating fast lookup database                   Done 
Updating package cache                           1/1 
root@solaris:~# 

root@solaris:~# gcc --version
gcc (GCC) 7.3.0
Copyright (C) 2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

root@solaris:~# 

Older versions are available as well.

Golang on Solaris

So what do you do if you want to program in golang on Solaris 11.4? You just type: pkg install golang

ZFS: Device Removal

As finally publicly presented at Solaris Tech Day in Vienna couple of weeks ago, ZFS in Solaris 11.4 will have the long awaited on-line device removal feature. This is top-level vdev removal only, but still very useful in some scenarios.

Here is an example on how it works.

First, let's create a test pool whish is a mirror of two disks:

root@solaris:~# zpool create test mirror c1t1d0 c1t3d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0

errors: No known data errors

Now, let's "accidently" add a single disk to stripe with the mirror and copy some data into the pool:

root@solaris:~# zpool add -f test c1t4d0
root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: none requested
config:

        NAME        STATE      READ WRITE CKSUM
        test        ONLINE        0     0     0
          mirror-0  ONLINE        0     0     0
            c1t1d0  ONLINE        0     0     0
            c1t3d0  ONLINE        0     0     0
          c1t4d0    ONLINE        0     0     0

errors: No known data errors

root@solaris:~# cp -rp /usr/share/doc /test/
^C

root@solaris:~# gdf -h /test
Filesystem      Size  Used Avail Use% Mounted on
test            2.0G  375M  1.6G  19% /test

root@solaris:~# zpool iostat -v test
               capacity     operations    bandwidth
pool        alloc   free   read  write   read  write
----------  -----  -----  -----  -----  -----  -----
test         375M  1.60G      0    181  4.12K  5.04M
  mirror-0   242M   766M      0    173    203  3.23M
    c1t1d0      -      -      0     16  7.73K  3.28M
    c1t3d0      -      -      0     16  7.53K  3.28M
  c1t4d0     132M   876M      0      9  4.91K  2.26M
----------  -----  -----  -----  -----  -----  -----

Now, if we want to remove the accidently added disk drive it is trivial to do so:

root@solaris:~# zpool remove test c1t4d0

And let's check pool status after the device was removed:

root@solaris:~# zpool status test
  pool: test
 state: ONLINE
  scan: resilvered 132M in 1s with 0 errors on Fri Mar 30 01:53:17 2018

config:

        NAME                      STATE      READ WRITE CKSUM
        test                      ONLINE        0     0     0
          mirror-0                ONLINE        0     0     0
            c1t1d0                ONLINE        0     0     0
            c1t3d0                ONLINE        0     0     0

errors: No known data errors

root@solaris:~# zpool iostat -v test
                             capacity     operations    bandwidth
pool                      alloc   free   read  write   read  write
------------------------  -----  -----  -----  -----  -----  -----
test                       378M   630M      2    105  8.66K  1.63M
  mirror-0                 378M   630M      2     80  5.14K  1.21M
    c1t1d0                    -      -      0      8  5.09K  1.22M
    c1t3d0                    -      -      1      7  5.58K  1.22M
------------------------  -----  -----  -----  -----  -----  -----

DTrace GPL'ed

Looks like DTrace is under GPL now. It would be really great to see it on Linux.

Solaris 12 Public Beta

Ok, the title should really be Solaris 11.4 Public Beta. However Solaris 11.4 is essentially what Solaris 12 was supposed to be. See the announcement and What's New document.

Alan Coopersmith created an excellent page with all different blogs about new features in 11.4 beta.

Also, see some blogs about sepecific features.

reflink(3c) What is it? Why do I care? And how can I use it?
Application Sandboxing in Oracle Solaris 11.4
Protecting Sensitive Data in Oracle Solaris 11.4
Immutable Zones: SMF changes & Trusted Path services
Solaris Analytics
Getting Data Out of StatsStore
Where Did The 32-Bit Linkers Go?
Weak Filters: Dealing With libc Refactoring Over The Years
Goodbye (And Good Riddance) to -mt -and -D_REENTRANT
New CRT Objects. (Or: What Are CRT objects?)
Regular Expression and Glob Matching for Mapfiles
ld -ztype, and Kernel Modules That Know What They Are
ELF Section Compression
ELF Program Header Names
Core File Enhancements for elfdump
kldd: ldd Style Analysis For Solaris Kernel Modules
Default Memory Allocator Security Protections using Silicon Secured Memory (SSM ADI)
More adventures in Software FMA
Live Zone Reconfiguration for Dataset Resources
Migrating from IPF to Packet Filter in Solaris 11.4
What's in a uname ?

ZFS past & future by Mark Maybee

OpenZFS ZIL Internals

Very interesting presentation on how ZIL works and on latest improvements in OpenZFS, presented during OpenZFS Developer Summit 2017.

General Purpose Server OS

Is general purpos server OS dead in the next few years? It definitely seems that way.

Sudo and Solaris Privileges

Sudo on Solaris 10 and Solaris 11 allow to specify a privilege set a command will run with. This is very powerful if you want to be more specific in granting only required privileges for a given command, instead of allowing a command to run as root. Although Solaris has additional/different means to achieve the same, which in some cases is better than sudo, but the latter is what most users are familiar with.

For example, the 'fmadm faulty' command requires sys_admin privilege to run.

milek    ALL=()PRIVS="basic,sys_admin" NOPASSWD:/usr/sbin/fmadm faulty

This means that user milek can now run: sudo fmadm faulty
and the command will now work, but it won't run as root - it will execute as user milek with privileges set to basic,sys_admin, which is more secure than allowing the command to run as root.

Solaris Open Source bits move to GitHub

Alan Coopersmith blogged about migration of Open Source content available in Solaris from java.net to GitHub. This is definitely an improvement.

The new repositories on GitHub are:

• solaris-userland
• solaris-xorg
• solaris-ips

Ebbisland and Extremeparr

Although The Register and others were suggesting Solaris 11 might be affected, it seems not to be the case - according to Oracle Solaris 11 has never been affected be either of them.The Register clarified it as well.

Also if you have a support contract you should have been told this much quicker.

ps. if you have CDE installed on Solaris 10 then there is an IDR available for extremeparr local exploit (again, Solaris 11 is not affected)

Solaris is a dinosaur!

A friend of mine blogged about Eoraptor, Unaysaurus and T-Rex. A fun read about FreeBSD, Solaris, Linux and others.

Solaris 11 Continuous Delivery Model

Solaris 11 adopts Continuous Delivery model, which means instead of Solaris 12 there will be Solaris 11.4, 11.5, etc. This is generally a good thing - quicker adoption of new features as most software certified for Solaris 11 should stay certified for the new dot releases, etc. This is also similar to what Microsoft did with Windows.

Oracle also extended Solaris 11 support to 2031.

AI: Distro Constructor and a Custom Script

When building your own AI images with distro_const it is useful sometimes to add a custom script to modify the resulting image. This is easily achievable by adding a custom script to the xml manifest provided to distro_cons.

For example, to change the default password for user jack, add the following checkpoint to the xml file, just before pre-pkg-img-mode checkpoint. 

<!--
  Set password to user jack, should match root password
  (if hash contains slashed they need to be backslashed)
-->
      <checkpoint name="lock-jack-account"
         desc="Lock the jack account from login"
         mod_path="solaris_install/distro_const/checkpoints/custom_script"
         checkpoint_class="CustomScript">
         <args>/usr/bin/gsed -i -e 's/jack:.[^:]*:/jack:XXXXXX:/g' 
                             {PKG_IMAGE_PATH}/etc/shadow
         </args>
      </checkpoint>