Col's Tech · But what is it good for?

FiOS Customer Discovers the Limits of “unlimited” Data: 77TB a Month

07Jun13

Yes, Virginia, there is a limit to what Verizon will let you do with FiOS' "unlimited" data plan. And a California man discovered that limit when he got a phone call from a Verizon representative wanting to know what, exactly, he was doing to create more than 50 terabytes of traffic on average per month—hitting a peak of 77TB in March alone.
— FiOS customer discovers the limits of “unlimited” data: 77TB a month | Ars Technica

Impressive for a residential plan, but wait until you see what he does to generate that much traffic. Best bit: he's got two Solaris hosts running ZFS for backups.

Construction of the Encrypted Password String On Solaris

07Jun13

Ever looked at the password encrypted using an algorithm other than crypt_unix(5) in the /etc/shadow file on Solaris and thought "How is that string constructed?" No? Why not? Well, you will now Lets take a look.

Suppose you've got a Solaris 11 system with the default password encryption algorithm of SHA-256 selected (How to change the default password encryption algorithm). You'll see your users have a password hash in the /etc/shadow file which looks similar to:

$5$KvXJcReF$KGNfwC/Dan0Dsk8vC4mM4buU0ALJGRI7jl/unca29w6

With the knowledge that the $ char is the field separator, we can describe the string as follows:

$<Algorithm_Identifier>$<Salt_String>$<Final_Hash>

So if we break down our original password string, we get:

5 ⇒ Algorithm Identifier (other options offered in Solaris 11).
KvXJcReF ⇒ Salt
KGNfwC/Dan0Dsk8vC4mM4buU0ALJGRI7jl/unca29w6 ⇒ Final password hash

This isn't the only way the password string could be depicted... if you customize the number of "rounds" in the /etc/security/crypt.conf file, your salt string may include an additional field. For example, after adding "rounds=1000" (the default is 5000) to the crypt_sha256.so.1 line in /etc/security/crypt.conf file and regenerating my password, the password string now looks like this:

$5$rounds=1000$g.e4m24n$/i4iakvQxay8LWFFdvmVCY8q5GkzBeBx3KlhC8FnOK9

So now you may be thinking "Well, the encryption identifier is easy enough to workout, but how are the salt and hash fields generated?".

The salt string is randomly generated for each password and the hash... well that's a little more complicated. If you really want to know how the hash is actually generated, and read about the full implementation details and logic behind this encrypted string, you can find all the gory details here and for a more relaxed explanation for the very similar SunMD5 hashing algorithm, check out Alec Muffet's explanation.

And now you know how that encrypted password string on Solaris is constructed.

Why Sun's NIS Will Never Die

05Jun13

While NIS has strikes against it, we also need to take into consideration that it works, and it works well. It's a small, clean service that is easily made redundant, and it ties in easily with just about any flavor of Unix you can find. In a greenfield environment, NIS would definitely not be the go-to solution. But in a mostly trusted environment, such as Unix/Linux development shops with many workstations and compute/compile servers, NIS is the answer -- the security risks are minimal, the setup is simple, and the function is solid. Many of these environments have tightly coupled infrastructures that carry the weight of years, and they rely heavily on information distributed via NIS that would be challenging to replicate with any other mechanism. And let's face it -- LDAP configuration is hugely more complex than NIS configuration.
— Why Sun's NIS will never die | Data Center - InfoWorld

So true.

pkgask(1M) Can't Find Interactive Request Script

30May13

Here's one that doesn't come up very often, but when it does, it catches people out.

In an attempt to automate the installation of Solaris pkgs on Solaris 10 and earlier, people turn to the pkgask(1M) command thinking this is what they need to do. They read the man page and then attempt to create the response file, and it fails as follows...

# pkgask -r /var/tmp/response -d . SUNWzsh

Processing package instance  from 

Z shell (zsh)(sparc) 11.10.0,REV=2005.01.08.05.16
pkgask: ERROR: package does not contain an interactive request script

Processing of request script failed.
No changes were made to the system.
#

Believe it or not this is correct and expected behaviour. The issue here is you're using the wrong tool for the job.

To quote the pkgask(1M) man page:

DESCRIPTION
     pkgask allows the  administrator  to  store  answers  to  an
     interactive  package  (one with a request script, that is, a
     user-created file that must  be  named  request).

Now what isn't clear here is pkgask(1M) is only useful for pkgs that include a script called PKGname/install/request. The request script is usually used to configure the application once the pkg has been installed.

If we look at the SUNWzsh pkg I used in the example, we'll see that file doesn't exist...

# ls -l SUNWzsh/install
total 10
-rwxr-xr-x   1 root     staff       1097 Dec 21  2009 copyright
-rwxr-xr-x   1 root     staff        875 Apr 15  2011 depend
-rw-r--r--   1 root     staff       2369 Jan 17 18:32 i.none
#

This means we can't use pkgask(1M) to generate a response file to automate our installation of this pkg.

What you actually want is to use an admin file. To quote the pkgadd(1M) man page...

     -a admin

         Define an installation administration file, admin, to be
         used  in  place  of the default administration file. The
         token none overrides the use of any admin file, and thus
         forces  interaction  with  the  user. Unless a full path
         name is given, pkgadd first looks in the current working
         directory  for the administration file. If the specified
         administration file is not in the current working direc-
         tory, pkgadd looks in the /var/sadm/install/admin direc-
         tory for the administration file.

... and later in the man page ...

     If the default admin file is too restrictive,  the  adminis-
     tration  file  may  need  to  be modified to allow for total
     non-interaction during a package installation. See  admin(4)
     for details.

So what you actually need to perform a non-interactive installation of this pkg is an admin file. You will need this for pkgs that contain request scripts too.

Simply copy the default - /var/sadm/install/admin - to a convenient location and replace all instances of "ask" with a value that suits your needs. Refer to the admin(4) man page for acceptable values. You can then install your pkg, non-interactively using "pkgadd -a /path/to/your/admin -d /path/to/pkg YOURpkg".

Twitter Launches Two-factor Authentication

23May13

So Twitter announced yesterday that they have now enabled optional two-factor authentication. "Great!" you may think, but think again... it seems Twitter has gone their own way and made it a right PITA to use. Ars Technica summarise it nicely...

Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign into Twitter through its website. This is the case even if it's from a computer or device that they've logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the phone first, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, then you can only secure a single account.
There are some additional limitations to Twitter's scheme. Other mobile devices and applications (such as HootSuite and TweetDeck) will have to be configured individually as they're added, using a temporary password generated through Twitter's applications page to be authorized on first login. Unlike the RFC 6238 scheme used by Google, Facebook, and Microsoft, there's no way to use standard, generic authentication apps to generate time-based, one-time passwords. So if you can't get the SMS, you're out of luck. And unlike those systems, there's no facility to create persistent application-specific passwords.
— Twitter launches two-factor authentication, too late to save The Onion | Ars Technica

Whilst enabling two-factor authentication is a great idea, I think their implementation may put off quite a few people. We'll see.

How to Build a Web-Based Storage Solution Using Oracle Solaris 11.1

01May13

Create your own Dropbox clone using Solaris 11.1...

This article describes a PHP-based open source solution that uses AjaXplorer, Oracle Solaris 11.1, and Apache Web server (although other Web servers can be used) to build a cloud-based storage service that is similar to Dropbox.
Of course, you can also build the storage in the same way using AjaXplorer with other operating systems, such as Microsoft Windows, Mac OS X, and Linux. However, when using Oracle Solaris 11.1, you will be able to configure the storage in a more powerful and secure way by taking advantage of ZFS.
— How to Build a Web-Based Storage Solution Using Oracle Solaris 11.1

How ZFS Continues to be Better Than btrfs

19Apr13

The reality is that, today, ZFS is way better than btrfs in a number of areas, in very concrete ways that make using ZFS a joy and make using btrfs a pain, and make ZFS the only choice for many workloads. Even in single-disk laptop or desktop configurations, ZFS has a number of advantages over btrfs that will make your life much easier.
— How ZFS continues to be better than btrfs — Rudd-O.com in English

Very interesting comparison.

Keep one thing in mind when reading this: the author is comparing brtfs on Linux with ZFS on Linux, not ZFS on Solaris. ZFS on Linux trails ZFS on Solaris by quite some margin.

HOWTO: Update Java 1.4.2 on Solaris 10

18Apr13

Java 1.4.2 as supplied with Solaris 10 is no longer updated via normal patches. In order to update your Java 1.4.2 instance on Solaris 10, you need to update the pkgs that supply Java 1.4.2.

At the time of writing this document, the "Updated Release of the February 2013 Oracle Java SE Critical Patch Update" is the latest Java CPU that updates Java 1.4.2 and it updates it to Java 1.4.2_42. This is mentioned in Doc ID 1526106.1 to which the CPU links. Unfortunately, neither document detail how what is required and how to perform the update.

This post serves to fill that gap and detail how to update the Solaris 10 supplied Java 1.4.2 to the latest version available.

Download the SDK 1.4.2_42 files appropriate for your architecture from here (You'll need an Oracle login and possibly a support contract). This link is provided in Doc ID 1526106.1 which the "Updated Release of the February 2013 Oracle Java SE Critical Patch Update" links to.

You will need to download both the 32-bit and 64-bit versions of the pkgs available.

The downloaded files contain the Solaris packages and the self-extracting shell script. We're only interested in the Solaris packages.
Transfer the files to your Solaris host and unzip them.

Extract the tarballs that contains the Solaris pkgs.

The filenames you will need to extract will be, depending on your architecture:

                  From the 32-bit zip file              From the 64-bit zip file
    SPARC:     j2sdk-1_4_2_42-solaris-sparc.tar.Z    j2sdk-1_4_2_42-solaris-sparcv9.tar.Z
      X86:     j2sdk-1_4_2_42-solaris-i586.tar.Z     j2sdk-1_4_2_42-solaris-x64.tar.Z

Once the tarballs have been extracted, you should have the following pkgs in the current directory:

    SUNWj3cfg      SUNWj3dev      SUNWj3dmo     SUNWj3dmx
    SUNWj3dvx      SUNWj3jmp      SUNWj3man     SUNWj3rt
    SUNWj3rtx

Uninstall all of the SUNWj3* pkgs from the current system:
```
# pkgrm SUNWj3cfg SUNWj3dev SUNWj3dmo SUNWj3dvx SUNWj3irt SUNWj3man SUNWj3rt SUNWj3rtx
```
Ignore all warnings about dependencies. We'll be re-installing the updated pkgs in the next step and this will rectify the dependencies.

Install the pkgs extracted in step 3 above:

# pkgadd -d . SUNWj3rt SUNWj3rtx SUNWj3cfg SUNWj3dev SUNWj3dvx SUNWj3man SUNWj3jmp SUNWj3dmo SUNWj3dmx

You can now confirm you have the updated version of Java 1.4.2:

# /usr/j2se/bin/java -version
java version "1.4.2_42"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_42-b03)
Java HotSpot(TM) Client VM (build 1.4.2_42-b03, mixed mode)
#
# /usr/j2se/bin/sparcv9/java -version
java version "1.4.2_42"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_42-b03)
Java HotSpot(TM) 64-Bit Server VM (build 1.4.2_42-b03, mixed mode)

All your OS supplied tools and utilities that use the OS supplied Java 1.4.2 should continue to work as before.

One word of warning: do not perform this procedure whilst your system is running any Java processes that are using the Java 1.4.2 instance you are updating.

Solaris 11 SRU Naming Convention Change

12Apr13

We're tweaking the naming convention used by Oracle Solaris SRUs (Support Repository Updates) to use a 5-digit version taxonomy.
For example, Oracle Solaris 11.1.6.4.0
The digits represent Release.Update.SRU.Build.Respin
For the above example, Oracle Solaris 11.1 SRU 6.4.
— Solaris 11 SRU naming convention change (Solaris 11 Maintenance Lifecycle)

I saw this one coming when I saw the version strings used for pkgs when first introduced in Solaris 11, especially the "entire" pkg, and have been eager to use this method of identifying Solaris 11 release and SRU but have held off for fear of causing confusion. Well not anymore as it's now official.

So don't be surprised when your support engineer starts referring to Solaris 11.1.6.4.0 in your SRs, and even then Solaris will probably be shortened to just "S", ie S11.1.6.4.0.

Habari 0.9.1 Released and New Habari Site Design

05Apr13

I've been a little quiet on the Habari front of late as I've been very tied up with $work and my own dev stuff (check out my new personal site design) so have just been lurking on IRC with very little in the way of contributing. I hope to change that as there are some pretty exciting things coming with some major enhancements and loads of bug fixes making their into the code that will be Habari 1.0 (and if I don't pull finger, I'm going to be left behind).

To start with, Habari 0.9.1 has just been released. Loads of bug fixes and enhancement here, especially for those who plan to install Habari on Windows hosts.

Next we finally have an "Addons Catalog" to make showing off, reviewing and installing plugins and themes a cinch, and I think the implementation is pretty impressive too...

The Catalog is currently powered by Github, and pulls from Habari Extras. What is exciting is that the catalog has been crafted to allow you to host your addons in your own repo. We don't lock you into using a repo we control. Simply add a call to our import beacon to your webhooks list, and you are good to go. In the coming months we will be releasing support for other repository providers like bitbucket and beanstalk. Did we mention that you can find the code that powers our catalog in Habari Extras? Feel free to fork away and do something amazing with it.

A little more work is needed on some of the plugins in Habari Extras, but with time everything should be integrated and easily installed.

Last but not least, the Habari site has a gorgeous new design... not just a new layer of paint, but a whole new design, and it's amazing....

New Habari Site

The screenshot just doesn't do it justice. You must head on over and check it out in all its glory and whilst you're there, be sure to check out What's New.

A huge big thanks needs to go out to the guys, you know who you are, who've spent endless hours fixing bugs, enhancing Habari, creating the Addons Catalogue and the awesome new site design. Brilliant work!

If you're starting to get annoyed with Wordpress and are looking for something leaner, meaner and far superior, give Habari a go. You won't be disappointed. Oh and don't be shy to drop us a line, join us on IRC or start contributing... as Tescos say: "Every little helps."