Saturday, February 19, 2011

Solaris 11 Express: Headless X


Sun marked its market entry with a graphical UNIX workstation, bundling all functions needed in a desktop (from email to instant messaging; from network usage to user presence; from compilers to graphical debuggers). During the 1990s, it was not uncommon to take Sun workstations in headless configurations and install them in racks, to spread the load of work across farms of computing facilities. During the transition from the 1990s to the early 2000s, Sun took on a role in the data center with the creation of rack-mounted equipment featuring "lights out management" and abandoning the monitor. With the entry into the 2010s, Sun's premier operating system moved to Solaris 11, which defaults the installation of headless servers to exclude the windowing system. Windowing can be added to a headless system.

Software History:

Sun's Solaris suite of desktop applications was originally built upon a BSD kernel with a windowing system called SunView. MIT released the X Windows System, which was merged into the Solaris environment. With the merger of AT&T SVR4 into Solaris, OpenWindows with OpenLook became the standard. The merger of a competing X Windows based MOTIF with OpenWindows occurred via a cooperative trade group called COSE, creating the Common Desktop Environment, which became the default Solaris windowing system. The latest default desktop environment of Solaris systems, based upon X Windows GNOME, is referred to as the Java Desktop System. Oracle later purchased Sun. The windowing system is installed by default on systems containing video cards, but can be installed separately from a text based install on a headless system, via the new Solaris 11 Image Packaging System.

Install X Clients:

The installation of new software under Solaris 11 is done via the "Image Packaging System", using the "pkg" command. The installation is done from the default Solaris 11 repository over the network:
V100-SolExp11:/root# pkg install slim_install
Refreshing catalog 1/1 solaris
Caching catalogs ...
Caching catalogs ...
Creating Plan -
Completed 329/329 41226/41226 392.5/392.5

Install Phase 65166/65166

Package State Update Phase 329/329
Image State Update Phase 2/2

Finding X Clients:

The X Windows client applications used to be located in "/usr/openwin" for OpenWindows default applications and later in "/usr/dt" for CDE default applications. With the latest environment, X Windows applications are oddly installed in "/usr/bin".

Friday, February 18, 2011

EMC Ionix: Integration Basics (part 2)

Higher level integrations to network management frameworks are normally facilitated through command line processes. SMARTS, the producer of a product called InCharge, which was a market leader in event correlation, was later purchased by EMC, which consolidated the product into the Ionix framework. In the EMC Ionix framework, a higher level enterprise management system integration utility ("sm_ems") simplifies integration.

Integration Point:
The Managers, Open Integration, and Service Assurance Manager can be integrated to via the following commands:
  • sm_ems
    Performs individual queries and updates to a manager or manager-of-managers
The sm_ems can be leveraged to perform basic interfacing through external languages.

The "sm_ems" command offers the following options:

SparcSolaris/User777$ sm_ems --help
[No write since last change]
Usage: sm_ems [options...] [command]

--server=[name] The name of the server. Also -s.
--broker=[location] Alternate Broker location as host:port.
Specify the name or IP address of the system this alarm is associated
with. The event will automatically be associated with this system in
the ICOI topology. The system name is canonicalized using host
name lookups. If the system does not exist in the topology it may
be created automatically if the -create-system option is specified.
Also -t.
Indicates that the system should automatically be created if it does
not exist in the topology. The class defaults to Node, or use the
--element-class option to specify the class name.
Also -c.
Class name to be used if the system specified by --system
option is not found in the InCharge topology and --create-system
is specified.
Also -e .
Instance name to be used with --element-class option
Options provided with --element-class and --element-name will be used
to create the object. --system should not be used if --element-class and
--element-name are mentioned.
is specified.
Also -v .
Indicates that the element-class and element-name should automatically
be created if it does not exist in the topology.
Also -C.
Aggregate Event Class name to be used if you want to generate an Aggregate
Also -E .
Aggregate Instance name to be used with --aggregate-element-class option
Using --aggregate-element-class and --aggregate-element-name Aggregate Event
will be created.
Also -V .
--aggregate-event-name=[aggregate Event Name]
Aggregate Event name to be used if you want to generate an Aggregate
Also -g .
Optional text to include in the description field of the
audit log entry created for the action. Note that this
option is ignored for the add-audit-log command.
Also -a.
--traceServer Enable tracing of server communications.
Optional source event type for notification. If not specified, no source event type will be passed in the notify() call, which will result in the server inserting
a default value (typically "UNKNOWN") into the SourceEventType attribute.
This option only works with a server newer than 6.2-SP2.

notify [class] [name] [event] [src] [type] [clear-mode] [[attr]=[val] ...]
Notify an occurrence of the notification identified by
[class] [name] and [event].

[src] indicates the name of the application
generating the notification. Note that a subsequent
invocation to clear this notification must specify
the same value for [src]

[type] indicates the nature of the event and it
must have the value 'momentary' or 'durable'. A
momentary event has meaning only at a specific point
in time; it has no duration. An authentication failure
event is a good example. A durable event has a duration
over which the event is active and after which the
event is no longer active. An example of a durable
event is a link failure.

[clear-mode] indicates the mechanism by which the event
will be cleared. This parameter is ignored when the
type is discrete. The value 'source' indicates that
the notification will be cleared automatically by the
source when the event goes away. A value of [n]
indicates that the notification should expire in [n]
seconds. A value of 'none' indicates that the notification
should not expire and that the source will not generate
a clear event; this implies that the actual duration of
the occurrence will not be known. In this case the
system clears the event when it is acknowledged.

[attr]=[val] ... are optional attribute/value
pairs where [attr] is the attribute name and
[val] is the value. These parameters may be used
to set additional attribute values for the notification

update [class] [name] [event] [attr]=[value]
Update one or more the attributes of an event.

clear [class] [name] [event] [src]
Clear an occurrence of the notification identified by
[class], [name], and [event]. [source]
indicates the name of the application generating
the clear.
assign [class] [name] [event] [owner]
Assign ownership of the notification identified by
[class], [name], and [event] to [owner].

release [class] [name] [event]
Release ownership of the notification identified by
[class], [name], and [event]. The caller
must be the owner of the notification.

acknowledge [class] [name] [event]
Acknowledge the notification identified by
[class], [name], and [event]. The
caller must be the owner of the notification in
order to acknowledge it.

unacknowledge [class] [name] [event] [owner]
Unacknowledge the notification identified by
[class], [name], and [event]. The
caller must be the owner of the notification in
order to unacknowledge it.

add-audit-log [class] [instance] [event] [message]
Add a user note containing [message] to the audit
log for the notification identified by [class]
[instance], and [event]. Note that the --audit will
be ignored for this option.

print [class] [name] [event]
Print the properties including the audit log for the
notification identified by [class] [name] and [event].

summarize [NL name]
Print a summary of all notifications of
all NL events

Standard Options:
--help Print help and exit.
--version Print program version and exit.
--daemon Run process as a daemon.
--logname=[name] Use [name] to identify sender in the system log.
Default: The program's name.
--loglevel=[level] Minimum system logging level. Default: Error.
--errlevel=[level] Minimum error printing level. Default: Warning.
--tracelevel=[level] Minimum stack trace level. Default: Fatal.
[level]: One of None, Emergency, Alert,
Critical, Error, Warning, Notice, Informational,
or Debug. Fatal is a synonym for Critical.
--facility=[facility] Non-Windows only. A case-insensitive string which
identifies the facility to use for syslog messages.
[facility]: One of Cron, Daemon, Kern, Local0-Local7,
Lpr, Mail, News, Uucp, User. Default: Daemon.
--output[=[file]] Redirect server output (stdout and stderr). The
file name is [file], or the --logname value if
[file] is omitted. Log files are always placed
--accept=[host-list] Accept connections only from hosts on
[host-list], a comma-separated list of host
names and IP addresses. --accept=any allows
any host to connect. Default: --accept=any.
--useif=[ip-address] Use this IP address as the source/destination
interface address for SNMP and ICMP packets.
-- Stop scanning for options.
For more information:

One of the most powerful options from the "sm_ems" command is "summarize", to quickly review notifications from a manager.

SparcSolaris/user777$ sm_ems --server=SAM-27 summarize ALL_NOTIFICATIONS

ClassDisplayName = Router
InstanceDisplayName = ABC_CUAUHTEMOC99
EventDisplayName = Down
Active = TRUE
Acknowledged = FALSE
Category = Availability
TroubleTicketID =
Owner =

ClassDisplayName = Interface
InstanceDisplayName = IF-ABC_CUAUHTEMOC99/106 [VoiceEncapPeer20018]
EventDisplayName = Down
Active = TRUE
Acknowledged = FALSE
Category = Availability
TroubleTicketID =
Owner =

Note, in the output above, there are two identified types of records:
  • Interface Record
    The Interface Record can be identified through the "IF-" prefix on the display name, assigned to the Interface class, and suffixed with a "/#".
    (The "#" represents an ifIndex for the interface through SNMP and can change on the device during a reboot or other type of reconfiguration - Ionix will only recognize this after a re-discovery.)
  • Device Record
    The Device Record can be identified by the absence of a "-" delimited prefix on the display name; note that it is also assigned to the Router class.
For simplicity, the devices are always prefixed with "ABC_" when loaded into SMARTS in the above example.

The output of the "sm_ems" command can easily be parsed in POSIX awk for extracts, integrity checks with external systems, and feed external management systems.

An example follows to parse Device up/down types of events using the "sm_ems" command where the host name prefix is "ABC_":
sm_ems --server=SAM-27 summarize ALL_NOTIFICATIONS | nawk '
BEGIN { Pattern="%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n" }
# clear vars on new record
/^Class/ { Class="" ; Inst=""; Event=""; Active="";
           Ack=""; Cat=""; TT=""; Owner="" ; Tag="" }
# read record
/^Class/ { Class=$3 }
/^Insta/ { Inst=$0 ; gsub("InstanceDisplayName = ","",Inst) }
/^Event/ { Event=$3 }
/^Activ/ { Active=$3 }
/^Ackno/ { Ack=$3 }
/^Categ/ { Cat=$3 }
/^Troub/ { TT=$3 ; gsub("TroubleTicketID = ","",TT) }
/^Owner/ { Owner=$3 }
# tag interesting records: instance display name starts with the host name prefix
/^Insta/ && $3~/^ABC_/ { Tag="Yes" }
# print interesting record in columns once the last field of the record is read
/^Owner/ && Tag=="Yes" { printf Pattern,Class,Inst,Event,Active,Ack,Cat,TT,Owner }'

Node ABC_ANEA03_ID Down FALSE TRUE Availability AR000000003967636 SYSTEM
Node ABC_ANVW04_ID Down FALSE TRUE Availability AR000000003968578 SYSTEM
Node ABC_ANSM12_BR Down FALSE TRUE Availability AR000000003968469 SYSTEM

The beauty of "nawk", in conjunction with "sm_ems" is the simple capacity to move from reporting to interfacing to foreign Ionix systems.

To replicate the notifications from a source SAM to a destination SAM, a couple more nawk statements are all that is required, print out the command, and pipe it to a shell.
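
The replication step described above, as an added example that is not code from the original post: instance names such as "IF-ABC_CUAUHTEMOC99/106 [VoiceEncapPeer20018]" contain spaces and brackets and originate from managed devices, so every field is single-quoted before the generated line is handed to a shell. The destination name SAM-28 and the source tag sam-replicator are hypothetical, the display names are assumed to be usable as the notify arguments, and plain "awk" stands in for "nawk".

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: DEST and SRC are hypothetical names; the display names printed by
# "summarize" are taken to be usable as the [class] [name] [event] notify arguments.
DEST="SAM-28"          # hypothetical destination manager
SRC="sam-replicator"   # hypothetical [src] value

# Constructed sample in the summarize layout shown above. The third record has a
# quote and a command substitution in its name; the fourth record is inactive.
sample_summary() {
cat <<'EOF'
ClassDisplayName = Router
InstanceDisplayName = ABC_CUAUHTEMOC99
EventDisplayName = Down
Active = TRUE
Acknowledged = FALSE
Category = Availability
TroubleTicketID =
Owner =

ClassDisplayName = Interface
InstanceDisplayName = IF-ABC_CUAUHTEMOC99/106 [VoiceEncapPeer20018]
EventDisplayName = Down
Active = TRUE
Acknowledged = FALSE
Category = Availability
TroubleTicketID =
Owner =

ClassDisplayName = Host
InstanceDisplayName = ABC_O'HARE $(hostname)
EventDisplayName = Down
Active = TRUE
Acknowledged = FALSE
Category = Availability
TroubleTicketID =
Owner =

ClassDisplayName = Router
InstanceDisplayName = ABC_OLDEVENT01
EventDisplayName = Down
Active = FALSE
Acknowledged = TRUE
Category = Availability
TroubleTicketID =
Owner = SYSTEM
EOF
}

# stdin: summarize records; stdout: one shell-safe "sm_ems notify" line per active record
build_notify_cmds() {
    awk -v dest="$DEST" -v src="$SRC" '
    # Wrap a value in single quotes for sh. An embedded single quote (\047)
    # is emitted as: close quote, backslash-quote, reopen quote.
    function shq(s,    n, p, i, out) {
        n = split(s, p, "\047")
        out = p[1]
        for (i = 2; i <= n; i++) out = out "\047\\\047\047" p[i]
        return "\047" out "\047"
    }
    # Everything after "Name = ", keeping embedded spaces.
    function val(line) {
        sub(/^[^=]*=[ \t]*/, "", line)
        sub(/[ \t\r]+$/, "", line)
        return line
    }
    /^ClassDisplayName/    { Class = val($0); Inst = ""; Event = ""; Active = "" }
    /^InstanceDisplayName/ { Inst = val($0) }
    /^EventDisplayName/    { Event = val($0) }
    /^Active/              { Active = val($0) }
    # Owner is the last field of a record: emit the command for active records only
    /^Owner/ && Active == "TRUE" && Class != "" && Inst != "" && Event != "" {
        printf "sm_ems --server=%s notify %s %s %s %s durable source\n",
               shq(dest), shq(Class), shq(Inst), shq(Event), shq(src)
    }'
}

# Print the generated commands for review; nothing is executed here.
sample_summary | build_notify_cmds
```

Piping the output to "sh" only after reviewing it keeps a device-supplied name from ever being interpreted as shell syntax.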

The use of the "sm_ems" allows for a simple integration point into Ionix for reporting and can also facilitate the movement of notifications to foreign systems with standard POSIX commands like "awk".

Wednesday, February 16, 2011

EMC Ionix: Architecture and Integration Basics

Network Management platforms perform monitoring, auditing, and management work of computing infrastructure. Most network management platforms target a particular aspect of management: Fault, Performance, or Configuration. SMARTS produced a fault management product suite called InCharge, which was later purchased by EMC and branded as Ionix - based upon the phrase "keep your eye on it". Integration into EMC Ionix is straightforward, leveraging a couple of basic commands.


The Ionix infrastructure is based upon a publish-subscribe system. Individual Managers (i.e. Availability Manager [AM], MPLS Manager, etc.) perform polling of devices and publish the results, Adapters (SNMP Trap, Syslog, etc.) perform simple gathering of information from foreign systems, Open Integration [OI] consolidates information from multiple adapters and publishes the information, and a Manager of Managers called Service Assurance Manager [SAM] subscribes to information from them all. A broker tracks all components.

Integration Points:

The Managers, Open Integration, and Service Assurance Manager can be integrated to via the following commands:
  • dmctl
    Performs individual queries and updates to a manager or manager-of-managers
  • sm_adapter
    Subscribes or publishes to a manager or manager-of-managers
The dmctl can be leveraged to perform basic interfacing through external languages and even perform some subscription or publishing work.

The sm_adapter is a native mechanism to perform advanced interfacing through the proprietary internal language called "asl" scripting.

The "asl" scripting is out of scope of this article.


The DMCTL interface offers the following options:
SparcSolaris/User$ dmctl
Domain Manager Control Program (V7.2.0.1) -- Type 'help' for a list of commands.
dmctl> help

attach [domain]
clear [class::instance::event]
create [class]::[instance]
delete [class]::[instance]
execute [program] [[arg1] ...]
findInstances [class-regexp]::[instance-regexp]
get [class]::[instance][::[property]]
getEvents [class]
getEventDescription [class]::[event]
getInstances [[class]]
getOperations [class]
getProperties [class]
insert [class]::[instance]::[property] [value]
invoke [class]::[instance] [op] [[arg1] ...]
loadModel [model]
loadProgram [program]
notify [class::instance::event]
put [class]::[instance]::[property] [value1] [[value2] ...]
remove [class]::[instance]::[property] [value]
restore [file]
save [file] [[class]]

To attach to a manager, like a SAM:
SparcSolaris/User$ dmctl
Domain Manager Control Program (V7.2.0.1) -- Type 'help' for a list of commands.
dmctl> attach SAM-03
Server SAM-03 User: admin
admin's Password: XXXXXXXXXX
Attached to 'SAM-03'

To retrieve basic notification instances from a SAM:
dmctl> getInstances ICS_Notification
Note, in the above example, the underscore "_" is the field separator. The underscore is escaped using double underscores. The retrieved instance is formatted with the following characteristics:
This was a simple event notification. The device could be extended with an additional set of flags to uniquely define a managed resource, but this is beyond the scope of this article.

To subscribe to a live stream of events from a SAM using dmctl:
SparcSolaris/User$ dmctl -s SAM-03 subscribe .*::.*::.*
Server SAM-03 User: admin
admin's Password: XXXXXXXXXX
1297883020 Wed Feb 16 14:03:40 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ACDB05__ID_Down::RootNotification 1.00
1297880934 Wed Feb 16 13:28:54 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANVR02__BR_Down::RootNotification 1.00
1297880633 Wed Feb 16 13:23:53 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANND02__ID_Down::RootNotification 1.00
1297880934 Wed Feb 16 13:28:54 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANHS04__ID_Down::RootNotification 1.00
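
A decoder for the notification names in the stream above, added here as an example and not part of the original post: it splits each name on the single underscore field separator, restores the doubled underscores, and drops lines that do not fit the layout. It assumes every name has exactly three fields (class, instance, event), as in the samples above, and uses plain "awk" in place of "nawk".

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: a notification name is NOTIFICATION-Class_Instance_Event, where a
# literal underscore inside a field is written as a double underscore.

# Constructed sample: three lines copied from the subscribe output above and one
# malformed line whose instance field holds an unescaped underscore.
sample_stream() {
cat <<'EOF'
1297883020 Wed Feb 16 14:03:40 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ACDB05__ID_Down::RootNotification 1.00
1297880934 Wed Feb 16 13:28:54 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANVR02__BR_Down::RootNotification 1.00
1297880633 Wed Feb 16 13:23:53 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANND02__ID_Down::RootNotification 1.00
1297880700 Wed Feb 16 13:25:00 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC_LAB_Down::RootNotification 1.00
EOF
}

# stdin: subscribe lines; stdout: epoch, class, instance, event (tab separated)
decode_notifications() {
    awk '
    BEGIN { OFS = "\t"; esc = "\001" }      # esc: placeholder for an escaped underscore
    NF == 9 && $7 == "NOTIFY" {
        # field 8 is class::instance::event of the notification object
        if (split($8, part, "::") != 3) next
        if (index(part[2], "NOTIFICATION-") != 1) next
        name = substr(part[2], 14)          # drop the 13-character prefix
        gsub(/__/, esc, name)               # protect escaped underscores
        if (split(name, f, "_") != 3) next  # malformed: wrong number of fields
        for (i = 1; i <= 3; i++) gsub(esc, "_", f[i])
        print $1, f[1], f[2], f[3]
    }'
}

# Show the decoded sample.
sample_stream | decode_notifications
```

A run of three or more underscores is ambiguous under this escaping rule, so names containing one deserve a manual look.
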

All the properties of an event can be retrieved via dmctl:
SparcSolaris/User$ dmctl -s SAM-03 get ICS_Notification::NOTIFICATION-Host_ABC__ACDB05__ID_Down
Server SAM-03 User: admin
admin's Password: XXXXXXXXXX

Properties of ICS_Notification::NOTIFICATION-Host_ABC__ACDB05__ID_Down:
Acknowledged = FALSE
AcknowledgmentTime = 0
Active = TRUE
AggregatedBy = { }
Aggregates = { }
AuditTrail = {
Action completed successfully...

Subscribing to an Open Integration manager is also possible:
SparcSolaris/User$ echo "" | dmctl -s OI-30 subscribe .*::.*::.*
1297891133 Wed Feb 16 16:18:53 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ACSH02__BR_Down::RootNotification 1.00
1297891133 Wed Feb 16 16:18:53 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ACBI06__BR_Down::RootNotification 1.00
1297891133 Wed Feb 16 16:18:53 2011 NOTIFY ICS_Notification::NOTIFICATION-Host_ABC__ANMZ03__BR_Down::RootNotification 1.00

Subscribing to an Open Integration manager for complete details is also possible with some nawk glue:
SparcSolaris/User$ echo "" | dmctl -s OI-30 subscribe .*::.*::.* |
nawk 'NF==8 || NF==9 { gsub("::"," ") ; print "get " $8 "::" $9 }' |
dmctl -s OI-30
Domain Manager Control Program (V7.2.0.1) -- Type 'help' for a list of commands.
Attached to 'OI-30'
Properties of ICS_Notification::NOTIFICATION-Host_HDB__ACSH02__BR1_Down:
Acknowledged = FALSE
AcknowledgmentTime = 0
Active = TRUE
AggregatedBy = { }
Aggregates = { }
AuditTrail = {

The sm_adapter command has a variety of options:
SparcSolaris/User$ sm_adapter --help 
Usage: sm_adapter [options...] [[rule-set]]
* [rule-set] ASL rules file.

--broker=[location] Alternate Broker location as host:port.
Also -b [location].
--model=[model] Name of model library to load. Also -M [model].
--dynamic Load dynamic model files.
--name=[name] Start a server registered under [name].
Also -n [name].
--port=[port] Alternate registration port. Use with --name.
--timeout=[secs] Set the timeout for server interaction. The
timeout applies to the back-end connection
except when using the subscriber front end, in
which case it applies to the front end. The
argument is in seconds, and can be a decimal
value. If the --timeout option appears with no
value, 600 seconds is used. By default, there
is no timeout.
--wait Wait for initial driver to complete.

Rule-Set Options:
-D[var]=[value] Override value for a rule set variable.
--verify Validate rules only.

Front-End Options:
--file=[path] Read input from a file. Also -f [path].
--tail=[path] Read input by tailing a file from the current
position. Also -t [path].
--tailFromStart=[path] Read input by tailing a file from the beginning.
--program=[cmd] Read input from a command pipeline. Also -p [cmd].
--field-separator=[c] Translate 'C' to the field separator (FS) marker.
Valid only in conjunction with --file, --tail or
--program. Also -F [c].
--subscribe=[sub] Use the subscriber front-end. Subscriptions
are sent to the server specified with the
--server option. The [sub] parameter is the
subscription request.

If [sub] is 'topology' a subscription for
topology changes is requested.

If [sub] is of the form '[name]/n' then
a subscription to NL [name] is requested.
Note that only one NL subscription may be

If [sub] is of the form
C::I::E[/paev], 'C', 'I', 'E' are regexp
patterns representing the classes, instances,
and events to which to subscribe. The letters
following a slash (/) are subscription qualifiers:
'p' means subscribe to problems; 'a' means
subscribe to aggregates (impacts); and 'e' means
subscribe to events. If none of these are
present, 'p' is assumed. 'v' means run in
verbose mode, which turns on subscription
control messages.

Otherwise, [sub] is a profile name; that profile
specifies what subscriptions are to be requested.
A profile name may optionally be followed by the
/v qualifier.

Multiple --subscribe options can be specified.

--subscribeProp=[sub] Subscribe to property changes.
[sub] is of the form C::I::P[/v], 'C', 'I', 'P'
are regexp patterns representing the classes,
instances,and properties to which to subscribe.
The patterns are optionally followed by the /v
qualifier which, turns on the subscription
of the control messages too.

Multiple --subscribeProp options can be specified.

--smoothing=[num] Event smoothing interval. This parameter is
used by the subscriber front-end to smooth
event notifications (and clears) received
from the server. Only events (or clears) that
stay active (or cleared) for [num] seconds
are fed into the input stream. [num] must be a
non-negative integer. The default value is 0
which disables smoothing.
--ignoreOld Ignore old notifications. This parameter is
used by the subscriber front-end. Notifications
for events that were active at the before this
adapter connected are not fed to the input

Back-End (Server) Options:
[--server=self] Connect driver to local repository; the
--server=null Do not connect to any server. Useful for
debugging offline in combination with
--server=[name] Connect driver to remote server.
Also -s [name].
--rserver=[name] Auto-reconnect driver to remote server.
Also -S [name].
--description=[desc] Description of this adapter;
sent to remote server.
--mcast=[name] Connect driver to a local subscription server.

Trace Options:
--traceRules Trace rule compilation.
--traceServer Trace interactions with the back-end server.
--traceParse Trace rule matching.
--trace Enable all tracing. Also -d.

Standard Options:
--help Print help and exit.
--version Print program version and exit.
--daemon Run process as a daemon.
--logname=[name] Use [name] to identify sender in the system log.
Default: The program's name.
--loglevel=[level] Minimum system logging level. Default: Error.
--errlevel=[level] Minimum error printing level. Default: Warning.
--tracelevel=[level] Minimum stack trace level. Default: Fatal.
[level]: One of None, Emergency, Alert,
Critical, Error, Warning, Notice, Informational,
or Debug. Fatal is a synonym for Critical.
--facility=[facility] Non-Windows only. A case-insensitive string which
identifies the facility to use for syslog messages.
[facility]: One of Cron, Daemon, Kern, Local0-Local7,
Lpr, Mail, News, Uucp, User. Default: Daemon.
--output[=[file]] Redirect server output (stdout and stderr). The
file name is [file], or the --logname value if
[file] is omitted. Log files are always placed
--accept=[host-list] Accept connections only from hosts on
[host-list], a comma-separated list of host
names and IP addresses. --accept=any allows
any host to connect. Default: --accept=any.
--useif=[ip-address] Use this IP address as the source/destination
interface address for SNMP and ICMP packets.
-- Stop scanning for options.
For more information:

A notification list can be defined in an OI or a SAM for individual gui's to subscribe to. Notification lists can also be subscribed to via the sm_adapter:
SparcSolaris/User$ echo "" | sm_adapter -s OI-30 --subscribe='ALL_NOTIFICATIONS/n' 

Note, with the sm_adapter output, the information can be parsed using the vertical pipe "|".

The sm_adapter can run an individual "asl" script to perform the parsing in real time, but that is beyond the scope of this article.


Integrating into Managed Service Provider frameworks for Network Management such as EMC Ionix is fairly straightforward and can be done by competent staff with POSIX scripting capabilities.

Friday, February 11, 2011

Enabling SaMBa Under Solaris 10

IBM created a proprietary file sharing protocol under DOS referred to as SMB. This was adopted by Microsoft, and it later became referred to as CIFS. Open Source developers took a portion of the file sharing suite and implemented it under a product called SaMBa. Solaris 10 ships with an installation of SaMBa to allow for rudimentary SMB and CIFS file sharing.

SaMBa is already installed with Solaris 10 Update 4 until Update 9. Creating a configuration file with a service start is all that is required. The Samba book from O'Reilly is an excellent resource in trying to understand all of the obtuse options available.

Check to see if you are working with a fairly recent release of Solaris 10, with the SaMBa support.
sunv890/user$ svcs -a | grep samba
disabled Jan_28 svc:/network/samba:default

If you try to enable SaMBa without the configuration file, the service will not function, but will reside in maintenance mode until repaired and restarted:
sunv890/root$ svcadm enable samba

sunv890/user$ svcs -a | grep samba
maintenance 10:23:47 svc:/network/samba:default

The Service Management Facility (SMF) will identify the failed service and log the problem.
SaMBa/user$ tail /var/adm/messages
Feb 11 14:08:46 sunv890 svc.startd[7]: [ID 652011 daemon.warning] svc:/network/samba:default: Method "/usr/sfw/sbin/smbd -D" failed with exit status 255.
Feb 11 14:08:46 SaMBa svc.startd[7]: [ID 748625 daemon.error] network/samba:default failed: transitioned to maintenance (see 'svcs -xv' for details)

Debugging is fairly simple - just look for the configuration file. In this example, there is none.
sunv890/user$ ls -al /etc/sfw/smb.conf
/etc/sfw/smb.conf: No such file or directory

Create a sample configuration file to share the temporary directory as writable, ensure the name SaMBa resolves as a host name, and install the configuration file. (Note, you can always substitute an IP address for SaMBa.)
sunv890/user$ cat /etc/sfw/smb.conf
# Global parameters
[global]
workgroup =
netbios name = SaMBa
security = SHARE
local master = No
guest account = nobody
delete veto files = Yes
encrypt passwords = Yes
winbind uid = 10000-65000

[Temp]
comment = Temporary Share
path = /tmp
writeable = Yes
guest ok = Yes
preserve case = No

sunv890/root$ svcadm disable samba

sunv890/root$ svcadm enable samba

sunnv890/user$ svcs samba
online 14:17:01 svc:/network/samba:default

To test your installation, from a Windows platform, try to browse the temporary directory, or read a sample file which you know is in the directory.
Start -> Run -> \\sunv890\Temp
Start -> Run -> wordpad \\sunv890\Temp\smb.conf
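
A quick audit of the sample configuration above, added here as an example and not part of the original post: the filter reads an smb.conf on standard input and reports share-level security, guest-accessible shares and a missing "hosts allow" list. The embedded sample is constructed from the file shown above; plain "awk" is used in place of "nawk".

```shell
#!/bin/sh
# Added example, not from the original post.

# Constructed sample: the smb.conf shown above; the share name Temp matches the
# \\sunv890\Temp path used in the Windows test.
sample_conf() {
cat <<'EOF'
# Global parameters
[global]
workgroup =
netbios name = SaMBa
security = SHARE
local master = No
guest account = nobody
delete veto files = Yes
encrypt passwords = Yes
winbind uid = 10000-65000

[Temp]
comment = Temporary Share
path = /tmp
writeable = Yes
guest ok = Yes
preserve case = No
EOF
}

# stdin: an smb.conf; stdout: one finding per line as "section: message"
audit_smb_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function yes(v)  { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    # Report on the share section that just ended.
    function report_share() {
        if (sec == "" || tolower(sec) == "global") return
        if (guest && writable) print sec ": guest-writable share, path " path
        else if (guest)        print sec ": guest access allowed, path " path
    }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }        # comments and blank lines
    /^[ \t]*\[/ {                               # section header
        report_share()
        sec = trim($0); sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
        guest = 0; writable = 0; path = ""      # "read only" defaults to yes
        next
    }
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = trim(substr($0, eq + 1))
        if (tolower(sec) == "global") {
            if (key == "security" && tolower(val) == "share")
                print "global: security = share, no per-user authentication"
            if (key == "hosts allow" || key == "allow hosts") hosts = 1
        }
        # parameter synonyms accepted by Samba are folded together
        if (key == "guest ok" || key == "public")                         guest = yes(val)
        if (key == "writeable" || key == "writable" || key == "write ok") writable = yes(val)
        if (key == "read only")                                           writable = !yes(val)
        if (key == "path")                                                path = val
    }
    END {
        report_share()
        if (!hosts) print "global: no hosts allow list, any client may connect"
    }'
}

# Audit the sample; on a live system: audit_smb_conf < /etc/sfw/smb.conf
sample_conf | audit_smb_conf
```

A file with "security = user", "guest ok = No" on the share and a "hosts allow" list produces no findings.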

The SaMBa configuration under Solaris 10 is simple and managed well by the Service Management Facility infrastructure of Solaris 10.

Wednesday, February 9, 2011

What do CoolThreads Cores & Crypto Engines Buy You?

(UltraSPARC T3 Micrograph)

"SPARC T1...That CPU had a cryptographic accelerator in it. Later, the SPARC T2 improved things by implementing a Crypto engine in each of the 8 cores."

The move from 1 to 8 was not with the Crypto units, but with the Floating Point Unit, when moving from the T1 to the T2 processor.

Page 5
"The eight MAUs, one for each core, are driven by the Niagara Crypto Provider (NCP) device driver in the Solaris 10 OS for both UltraSPARC T1 and T2 processors.
On systems with UltraSPARC T1 processors, NCP supports hardware assisted acceleration of RSA and DSA cryptographic operations. On systems with UltraSPARC T2 processors, NCP supports RSA, DSA, DH, and ECC cryptographic operations"

Understanding the different members of the CoolThreads processing family could be
  • UltraSPARC T1
    8 Integer, 1 Floating, 8 Crypto engines.
  • UltraSPARC T2
    8 Integer, 8 Floating, 8 "enhanced" Crypto engines (with additional algorithms supported.)
  • SPARC T3
    16 Integer, 16 Floating, 16 "steroid enhanced" Crypto engines (with even more Crypto algorithms supported.)
The Crypto instructions in the new Intel chip were to assist in Crypto work, but the CPU cores have to work to process the data.

Contrast the Intel architecture to the T Series: the CoolThreads Crypto units are completely parallel... simply speaking, the CPU dumps a pointer to the Crypto core to work on a set of bytes to encrypt/decrypt, and the Crypto core sends a message back to the CPU when it is done. The CPU can do real work during the time the parallel Crypto unit is operating.

This is pretty close to how it all works, considering that this layman did not design the CPU's.

In total, for workloads that are heavily encrypted (databases, file systems, web servers, middleware, etc.) - the T processors are the processor of choice. It makes NO SENSE to buy CPU's without Crypto engines (i.e. Intel) where the central processing power that you are paying licensing points for has to burn those license points doing Crypto work instead of off-loading the work to 8 or 16 different crypto engines (for free) and then only pay your licensing for the work that the CPU is really doing for your applications.

Tuesday, February 8, 2011

Comparing Packages Between Platforms

When working in a clustered environment, it is often a requirement to see if the appropriate packages have been installed on all platforms in the cluster. The number of packages on a platform are many, but a simple script can be helpful.

Packaging Technology:
The industry standard packaging for UNIX systems is UNIX SVR4 packaging. Standard tools for packaging include: pkgadd, pkginfo, pkgtrans, pkgrm, pkgmk, pkgchk, pkgparam, pkgproto, pkgadm.

A long output from the pkginfo command follows:

sun9/user$ pkginfo -l HPNP                                             

NAME: JetAdmin for Unix
CATEGORY: application
ARCH: sparc
VERSION: D.06.15
DESC: HP Network Printer support package
PSTAMP: odybld3981208144215
INSTDATE: Aug 12 2005 08:50
STATUS: completely installed
FILES: 348 installed pathnames
6 shared pathnames
32 directories
238 executables
13353 blocks used (approx)

For a cursory view of a system, the pkginfo command provides basic information required for cursory consistency checks.

Simple Check:
If the identical install media is used, a simple post-install check may be desired across multiple platforms in a cluster. A sample script follows where sun1, sun2, sun3, sun4 are located on a network where temporary directories are shared via NFS and automounting is enabled.

sun1/user$ pkginfo >/net/sun4/tmp/sun1.packages
sun2/user$ pkginfo >/net/sun4/tmp/sun2.packages
sun3/user$ pkginfo >/net/sun4/tmp/sun3.packages
sun4/user$ cd /tmp

sun4/user$ nawk ' BEGIN { Pattern="%35s%35s%35s%35s\n" }
# remember which host lists each package (column 2 of the pkginfo output)
FILENAME=="sun1.packages" { sun1[$2]=$2 ; Name[$2]=$2 }
FILENAME=="sun2.packages" { sun2[$2]=$2 ; Name[$2]=$2 }
FILENAME=="sun3.packages" { sun3[$2]=$2 ; Name[$2]=$2 }
# one row per package; an empty column means the package is missing on that host
END {
printf Pattern,"Common","sun1","sun2","sun3"
for ( i in Name ) printf Pattern,i,sun1[i],sun2[i],sun3[i]
}' *.packages | sort | nawk 'NF<4'

A simple output of 4 columns is produced, with differences.

   SMCdb       SMCdb     SMCdb                      
SFWatk SFWatk SFWatk
SMCgcc SMCgcc SMCgcc
SMCtcl SMCtcl SMCtcl
SMCxpm SMCxpm SMCxpm
TSIpgx TSIpgx
SFWdbus SFWdbus SFWdbus
SFWgtk2 SFWgtk2 SFWgtk2
SMCgdbm SMCgdbm SMCgdbm
SMCntop SMCntop SMCntop
SMCossl SMCossl SMCossl
SMCpcre SMCpcre SMCpcre
SMCrrdt SMCrrdt SMCrrdt
SMEvplr SMEvplr
SMEvplu SMEvplu

Versioning and Integrity Checks:

In order to test for proper versions and package integrity, there are other commands which can be leveraged:
  • pkgchk
    Check detailed integrity of files associated with packages, including existence, permissions, etc.
  • pkginfo -l
    Check versioning, architecture, dates, install integrity, etc.
The package checking script can be enhanced with such scripts for more robust checking.

Tuesday, February 1, 2011

Primer: Solaris 10 Update 9

During the installation of Solaris 10 Update 9, there may be several odd symptoms that might catch an installer by surprise.

Sluggish or Long Login Time
Takes 20 seconds to run quota during a login

If logging into a server with "rlogin", "telnet" or "ssh" takes a long time, try running "prstat" during the login process. You may get about 20 seconds to figure out what is going wrong. The "root" user may not experience the delay.

If "quota" is showing up for an extended period of time, it may be due to a search over NFS mounted file systems without NFS being configured correctly. This can be alleviated by unmounting the mounted NFS file system. The "mount | grep nfs" command will help to identify the NFS file systems (you can normally ignore "vold".)
sunv890/user$ nawk '/nfs/ && !/vold/' /etc/mnttab
sunt2000:/u000/prodsupt /mnt nfs rw,xattr,dev=5ec0004 1296682012
sunv890/dh127087$ time quota
real 0m20.03s ...
umount /mnt
nawk '/nfs/ && !/vold/' /etc/mnttab
time quota
real 0m0.02s
Ensure quota and nfs partitions are properly configured on a newly installed system.

Occasional Network Failures
node name or service name not known

Some common operations may occasionally fail, for no apparent reason, such as: ping, telnet, ftp, etc. This is usually a name resolution issue. DNS is more commonly run by non-robust operating systems, so these types of errors may become more frequent.

If you have a variety of servers in a cluster, or network management servers, where the IP addresses do not change, you may wish to guarantee name resolution for those connection attempts. Add the IP address and server entries to the "/etc/hosts" file, and adjust the "hosts:" option in "/etc/nsswitch.conf" to perform a host table lookup before going to DNS via: "hosts: files dns".

v890/user$ grep host /etc/nsswitch.conf
# "hosts:" and "services:" in this file are used only if the
#hosts: dns files
hosts: files dns
Don't let consumer appliances or immature, consumer-grade operating systems place your mission-critical operation at risk.

Service Management Facility
How to tell what services are available

Solaris 10 offers a large variety of services to the user and application community. If functionality you are expecting is not working "out of the box", there is a good chance there is a security reason for it. The best place to start is by getting a description of what services are available.

Ultra60/root# svcs -o FMRI,DESC | sort
lrc:/etc/rc2_d/S10lu -
lrc:/etc/rc2_d/S20sysetup -
lrc:/etc/rc2_d/S40llc2 -
lrc:/etc/rc2_d/S42ncakmod -
lrc:/etc/rc2_d/S47pppd -
lrc:/etc/rc2_d/S70uucp -
lrc:/etc/rc2_d/S72autoinstall -
lrc:/etc/rc2_d/S73cachefs_daemon -
lrc:/etc/rc2_d/S81dodatadm_udaplt -
lrc:/etc/rc2_d/S89bdconfig -
lrc:/etc/rc2_d/S89PRESERVE -
lrc:/etc/rc2_d/S90loc_ja_cssd -
lrc:/etc/rc2_d/S91ifbinit -
lrc:/etc/rc2_d/S91jfbinit -
lrc:/etc/rc2_d/S94ncalogd -
lrc:/etc/rc2_d/S98deallocate -
lrc:/etc/rc3_d/S16boot_server -
lrc:/etc/rc3_d/S50apache -
lrc:/etc/rc3_d/S52imq -
lrc:/etc/rc3_d/S80mipagent -
lrc:/etc/rc3_d/S84appserv -
lrc:/etc/rc3_d/S84patchserver -
svc:/application/cde-printinfo:default CDE Print Viewer
svc:/application/font/fc-cache:default FontConfig Cache Builder
svc:/application/font/stfsloader:default Standard Type Services Framework (STSF) Font Server loader
svc:/application/graphical-login/cde-login:default CDE login
svc:/application/management/dmi:default Sun Solstice Enterprise DMI
svc:/application/management/seaport:default net-snmp SNMP daemon
svc:/application/management/sma:default net-snmp SNMP daemon
svc:/application/management/snmpdx:default Sun Solstice Enterprise Master Agent
svc:/application/management/wbem:default SMC and WBEM Server
svc:/application/print/ipp-listener:default Internet Print Protocol Listening Service
svc:/application/print/ppd-cache-update:default ppd cache update
svc:/application/print/rfc1179:default BSD print protocol adapter
svc:/application/stosreg:default Service Tag OS Registry Inserter
svc:/application/x11/xfs:default X Window System font server
svc:/application/x11/xvnc-inetd:default X server that displays to VNC viewers
svc:/milestone/devices:default device configuration milestone
svc:/milestone/multi-user:default multi-user milestone
svc:/milestone/multi-user-server:default multi-user plus exports milestone
svc:/milestone/name-services:default name services milestone
svc:/milestone/network:default Network milestone
svc:/milestone/single-user:default single-user milestone
svc:/milestone/sysconfig:default Basic system configuration milestone
svc:/network/cde-spc:default CDE subprocess control
svc:/network/dns/client:default DNS resolver
svc:/network/finger:default finger
svc:/network/ftp:default FTP server
svc:/network/inetd:default inetd
svc:/network/initial:default initial network services
svc:/network/ipsec/ipsecalgs:default IPsec algorithm initialization
svc:/network/ipsec/policy:default IPsec policy initialization
svc:/network/iscsi/initiator:default -
svc:/network/login:rlogin remote login
svc:/network/loopback:default loopback network interface
svc:/network/nfs/cbd:default NFS callback service
svc:/network/nfs/client:default NFS client
svc:/network/nfs/mapid:default NFS ID mapper
svc:/network/nfs/nlockmgr:default NFS lock manager
svc:/network/nfs/rquota:default remote quota server
svc:/network/nfs/server:default NFS server
svc:/network/nfs/status:default NFS status monitor
svc:/network/pfil:default packet filter
svc:/network/physical:default physical network interfaces
svc:/network/routing-setup:default Initial routing-related configuration.
svc:/network/rpc-100235_1/rpc_ticotsord:default 100235
svc:/network/rpc/bind:default RPC bindings
svc:/network/rpc/cde-calendar-manager:default CDE calendar manager server
svc:/network/rpc/cde-ttdbserver:tcp ToolTalk database server
svc:/network/rpc/gss:default Generic Security Service
svc:/network/rpc/mdcomm:default SVM multi-node communications
svc:/network/rpc/meta:default SVM remote metaset services
svc:/network/rpc/metamed:default SVM remote mediator services
svc:/network/rpc/metamh:default SVM remote multihost disk services
svc:/network/rpc/rstat:default kernel statistics server
svc:/network/rpc/rusers:default network user name service
svc:/network/rpc/smserver:default removable media management
svc:/network/security/ktkt_warn:default Kerberos V5 warning messages daemon
svc:/network/service:default layered network services
svc:/network/shares/group:default Share Group
svc:/network/shares/group:zfs Share Group
svc:/network/shell:default rsh
svc:/network/smtp:sendmail sendmail SMTP mail transfer agent
svc:/network/ssh:default SSH server
svc:/network/stdiscover:default Service Tag discovery probe
svc:/network/stlisten:default Service Tag Discovery Listener
svc:/network/talk:default talk
svc:/network/telnet:default Telnet server
svc:/network/tnctl:default trusted networking templates
svc:/system/basicreg:default -
svc:/system/boot-archive:default check boot archive content
svc:/system/boot-archive-update:default update boot archive if necessary
svc:/system/console-login:default Console login
svc:/system/coreadm:default system-wide core file configuration
svc:/system/cron:default clock daemon (cron)
svc:/system/cryptosvc:default cryptographic services
svc:/system/device/fc-fabric:default Solaris FC fabric device configuration.
svc:/system/device/local:default Standard Solaris device configuration.
svc:/system/dumpadm:default system crash dump configuration
svc:/system/filesystem/autofs:default automounter
svc:/system/filesystem/local:default local file system mounts
svc:/system/filesystem/minimal:default minimal file system mounts
svc:/system/filesystem/root:default root file system mount
svc:/system/filesystem/usr:default read/write root file systems mounts
svc:/system/fmd:default Solaris Fault Manager
svc:/system/fpsd:default FP Scrubber - Online Floating Point Unit Test
svc:/system/identity:domain system identity (domainname)
svc:/system/identity:node system identity (nodename)
svc:/system/installupdates:default system update installer
svc:/system/keymap:default keyboard defaults
svc:/system/manifest-import:default service manifest import
svc:/system/name-service-cache:default name service cache
svc:/system/patchchk:default Launcher for Automatic Patching services
svc:/system/picl:default platform information and control
svc:/system/pkgserv:default Flush package command database to disk (see pkgadm(1m)).
svc:/system/postrun:default Postponed package postinstall command execution
svc:/system/power:default power management
svc:/system/resource-mgmt:default Global zone resource management settings
svc:/system/rmtmpfiles:default remove temporary files
svc:/system/sac:default SAF service access controller
svc:/system/scheduler:default default scheduling class configuration
svc:/system/svc/restarter:default master restarter
svc:/system/sysevent:default system event notification
svc:/system/sysidtool:net sysidtool
svc:/system/sysidtool:system sysidtool
svc:/system/system-log:default system log
svc:/system/utmp:default utmpx monitoring
svc:/system/webconsole:console java web console
svc:/system/zones:default Zones autoboot and graceful shutdown
Finding Failed Services
The Service Management Facility in Solaris 10 offers the ability to understand a service's relationship to other services.

v890/root# svcs -xv
svc:/application/print/server:default (LP print server)
State: disabled since Tue Feb 01 05:06:28 2011
Reason: Disabled by an administrator.
See: man -M /usr/share/man -s 1M lpsched
Impact: 2 dependent services are not running:
Fault Management Running via SMF
The Fault Management system is enabled through the Service Management Facility.

v890/root# svcs svc:/system/fmd:default
online Feb_01 svc:/system/fmd:default
Fault Management System
Listing Fault Engines
The Fault Management infrastructure built into Solaris 10 monitors many of the core system features across architectures (both SPARC and Intel.) A listing of the current engines can be displayed via the "fmadm" command.

v890/root# fmadm config | sort
cpumem-diagnosis 1.7 active CPU/Memory Diagnosis
cpumem-retire 1.1 active CPU/Memory Retire Agent
disk-transport 1.0 active Disk Transport Agent
eft 1.16 active eft diagnosis engine
ext-event-transport 0.1 active External FM event transport
fabric-xlate 1.0 active Fabric Ereport Translater
fmd-self-diagnosis 1.0 active Fault Manager Self-Diagnosis
fps-transport 1.0 active Solaris FP-Scrubber
io-retire 1.0 active I/O Retire Agent
snmp-trapgen 1.0 active SNMP Trap Generation Agent
sysevent-transport 1.0 active SysEvent Transport Agent
syslog-msgs 1.0 active Syslog Messaging Agent
zfs-diagnosis 1.0 active ZFS Diagnosis Engine
zfs-retire 1.0 active ZFS Retire Agent
Listing Faults on Platforms
The faults on a system can be listed.

v890/root# fmadm faulty
Solaris Diagnostics

Not all diagnostics are managed through the Fault Management system via the Service Management Facility. There are still some hardware features which can only be seen via the Print Diagnostics command (such as fan speed.) The "prtdiag" command gives visibility to these components.

v890/user$ prtdiag -v
System Configuration: Sun Microsystems sun4u Sun Fire V890
System clock frequency: 150 MHz
Memory size: 32768 Megabytes

========================= CPUs ===============================================

Brd CPU MHz MB Impl. Mask
--- ----- ---- ---- ------- ----
A 0, 16 1500 32.0 US-IV+ 2.2
B 1, 17 1500 32.0 US-IV+ 2.1
A 2, 18 1500 32.0 US-IV+ 2.2
B 3, 19 1500 32.0 US-IV+ 2.1

========================= Memory Configuration ===============================

Logical Logical Logical
MC Bank Bank Bank DIMM Interleave Interleaved
Brd ID num size Status Size Factor with
---- --- ---- ------ ----------- ------ ---------- -----------
A 0 0 2048MB no_status 1024MB 8-way 0
A 0 1 2048MB no_status 1024MB 8-way 0
A 0 2 2048MB no_status 1024MB 8-way 0
A 0 3 2048MB no_status 1024MB 8-way 0
B 1 0 2048MB no_status 1024MB 8-way 1
B 1 1 2048MB no_status 1024MB 8-way 1
B 1 2 2048MB no_status 1024MB 8-way 1
B 1 3 2048MB no_status 1024MB 8-way 1
A 2 0 2048MB no_status 1024MB 8-way 0
A 2 1 2048MB no_status 1024MB 8-way 0
A 2 2 2048MB no_status 1024MB 8-way 0
A 2 3 2048MB no_status 1024MB 8-way 0
B 3 0 2048MB no_status 1024MB 8-way 1
B 3 1 2048MB no_status 1024MB 8-way 1
B 3 2 2048MB no_status 1024MB 8-way 1
B 3 3 2048MB no_status 1024MB 8-way 1

========================= IO Cards =========================

Bus Max
IO Port Bus Freq Bus Dev,
Brd Type ID Side Slot MHz Freq Func State Name Model
---- ---- ---- ---- ---- ---- ---- ---- ----- -------------------------------- ----------------------
I/O PCI 8 B 3 33 33 2,0 ok lpfc-pci10df,f900/sd (block) LP9002L
I/O PCI 9 B 5 33 33 3,0 ok fibre-channel-pci10df,f900.10df.+ LP9002L
I/O PCI 9 B 4 33 33 4,0 ok pci-pci8086,b154.0/network (netw+ PCI-BRIDGE
I/O PCI 9 B 4 33 33 0,0 ok network-pci108e,abba.11 SUNW,pci-ce/pci-bridge

No failures found in System

========================= Environmental Status =========================

System Temperatures (Celsius):
Device Temperature Status
CPU0 60 OK
CPU1 54 OK
CPU2 55 OK
CPU3 53 OK
MB 24 OK
DBP0 19 OK


Front Status Panel:
Keyswitch position: NORMAL

System LED Status:





Disk Status:
Presence Fault LED Remove LED


Fan Bank :

Bank Speed Status Fan State
( RPMS )
---- -------- --------- ---------


Power Supplies:
Current Drain:
Supply Status Fan Fail Temp Fail CS Fail 3.3V 5V 12V 48V
------ ------------ -------- --------- ------- ---- -- --- ---
PS0 GOOD 6 3 2 4
PS1 GOOD 6 3 2 4
PS2 GOOD 6 3 2 4

========================= HW Revisions =======================================

System PROM revisions:
OBP 4.30.4 2009/08/19 07:21

IO ASIC revisions:
Model ID Status Version
-------- ---- ------ -------
Schizo 8 ok 7
Schizo 9 ok 7

Sun/Oracle - Leading in Tape Storage

Oracle just released the best tape drive unit on the market today, for Government, Managed Services, and Enterprises.

Tape Systems

The old portable cassette players, with tapes, were very reliable when driving, jogging, or even playing at home. Older hard-disk-based iPods would experience skips when one went out jogging, but they quickly started to put portable cassettes out of business. Of course, flash media is now replacing spinning fixed disk systems, but the capacity is not quite there to replace rotating fixed media for larger capacity systems.

Tape was the media of choice over the years for many reasons:
  • extremely high capacity
  • extreme long term media durability
  • extreme shock resistance
  • wide environmental operating factors
  • excellent portability
  • low cost
There is a reason why tape has been so widely used in the Space Program - the reliability of long term use on satellites and craft like the Space Shuttle.

Transferring data from a hard disk during a jog will cause a skip. Transfer data from a spinning disk under the massive G-force of a spacecraft launch, and you are likely to get a crash.

Disks were getting more portable with the ability to auto-park heads to better absorb shock, disks could spin down to avoid shock issues, and their storage was surpassing tapes. Tape storage solutions seemed to show little benefit in the modern era.

StorageTek T10000C

With native storage on hard disks topping out at 2 Terabytes, there seemed to be little hope for tape.

The StorageTek T10000C was released from Oracle, who purchased Sun, who purchased StorageTek - the premier vendor of Tape Archive systems in data centers. This latest product turned back the clock on data center history:
  • 5 Terabyte performance
    (over doubling the maximum capacity of spinning rust on a fixed disk)
  • Built in Encryption
    (for securing of data on the cartridges)
  • Sustained 240 Megabytes / Second transfer rate
    (2x faster than competing tape systems, 360MB/sec compressed transfer rate, out-performs inexpensive fixed-disk solutions)
  • Exabyte Storage Capacity in a Library
    (world's largest tape library storage capacity)
  • WORM Capability
    (to provide auditing of systems in government compliance)
  • Extremely Energy Efficient
    (200x more energy efficient than low end disk arrays since tapes do not have to draw power to store data or remain spinning.)
  • Inexpensive Large Capacity Backups
    (up to 15x less expensive than low-end disk arrays)
  • Long Life Expectancy
    (30+ years media archive life)
Network Management Connection

In an era where Network Management Centers are centralized and managing customers world-wide, governments require the interactions of system analysts to be archived and stored for long periods of time. Often, these interactions require video streaming from a desktop screen in a Windowing environment.

Writing this archive data to disk does not pass an audit, since someone can come along and delete a file. Encrypting the data becomes important, for long term storage. Massive media requirements are driven by screen video capture.

The StorageTek T10000C will meet the requirements of the strictest audit, the streaming throughput of the largest managed services center, the capacity for the highest definition monitors, and the lowest cost requirements of those large centers.

Don't miss your opportunity to simplify life in your managed services data center.