OpenSolaris


Examples

Help out by posting your favorite OpenSolaris annotated example to docs-discuss!

This document is a summary of the features in OpenSolaris, with a focus on providing examples and demonstrations for each. This has been written by the following OpenSolaris Community members:

  • Brendan Gregg (before Sun got smart and hired him!)
  • Your name here

These features may be specific to OpenSolaris, Solaris 10, or even older Solaris versions; the aim is to cover what makes OpenSolaris a great OS. The origin of each feature is documented, to identify the OpenSolaris build number or Solaris release.



BART

The Basic Audit Reporting Tool catalogs a set of files into a manifest, recording a message digest and inode details (size, mode, owner, timestamps) for each; two manifests taken at different times can then be compared. This is helpful for many reasons, such as intrusion detection and forensics.

An example of BART detecting a change is,

   # find /etc | bart create -I > etc1.bart
   # ed /etc/passwd
   580
   1s/-/-Duper-/
   w
   586
   q
   # find /etc | bart create -I > etc2.bart
   # bart compare etc1.bart etc2.bart
   /etc/passwd:
     size  control:580  test:586
     mtime  control:423c07a9  test:426a5d10
     contents  control:e90fc4977a824822f360b0c0fb79f567  test:a8f272b513f109f233408067b7eb0e62

BART was added in Solaris Express 11/03.
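As an added example (not BART itself), the following Python reproduces the idea of a BART manifest and comparison: record size, mode, uid, gid, mtime and a digest per file, then diff two manifests. It uses SHA-256 rather than BART's MD5, and the passwd edit it detects is constructed in a temporary directory rather than taken from a real /etc.

```python
"""BART-style file manifest create/compare (added example, not BART itself).

Per file it records the kind of facts bart(1M) catalogs: size, mode, uid,
gid, mtime and a content digest. Comparing a control manifest with a later
test manifest reports which attributes changed, plus files added or deleted.
SHA-256 is used instead of BART's MD5 (see the digest caveat later on this
page). Symlinks and non-regular files are skipped for brevity.
"""
import hashlib
import os
import tempfile
from typing import Dict

FIELDS = ("size", "mode", "uid", "gid", "mtime", "contents")


def file_entry(path: str) -> Dict[str, object]:
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": oct(st.st_mode & 0o7777),
            "uid": st.st_uid, "gid": st.st_gid,
            "mtime": int(st.st_mtime), "contents": h.hexdigest()}


def create_manifest(root: str) -> Dict[str, Dict[str, object]]:
    """Walk root (think `find /etc | bart create -I`) and catalog regular files."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                manifest[os.path.relpath(path, root)] = file_entry(path)
    return manifest


def compare(control: Dict, test: Dict) -> Dict[str, object]:
    """Like `bart compare`: per-file attribute diffs, plus added/deleted files."""
    report = {"changed": {},
              "added": sorted(set(test) - set(control)),
              "deleted": sorted(set(control) - set(test))}
    for path in sorted(set(control) & set(test)):
        diffs = {f: (control[path][f], test[path][f])
                 for f in FIELDS if control[path][f] != test[path][f]}
        if diffs:
            report["changed"][path] = diffs
    return report


def demo() -> Dict[str, object]:
    """Constructed scenario mirroring the page: passwd is edited between runs."""
    with tempfile.TemporaryDirectory() as root:
        passwd = os.path.join(root, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:Super-User:/:/sbin/sh\n")
        os.chmod(passwd, 0o644)
        os.utime(passwd, (1000000, 1000000))      # fixed mtime for a stable diff
        with open(os.path.join(root, "motd"), "w") as f:
            f.write("Sun Microsystems Inc.\n")
        control = create_manifest(root)

        with open(passwd, "a") as f:              # the change BART should catch:
            f.write("eve:x:0:0:Duper-User:/:/sbin/sh\n")   # a second UID 0 account
        os.chmod(passwd, 0o666)                   # ... and it was left world-writable
        os.utime(passwd, (2000000, 2000000))
        open(os.path.join(root, "rogue"), "w").close()  # a file that was not there before
        test = create_manifest(root)
        return compare(control, test)


if __name__ == "__main__":
    for path, diffs in demo()["changed"].items():
        print(f"{path}:")
        for field, (before, after) in diffs.items():
            print(f"  {field}  control:{before}  test:{after}")
```

The control manifest is only as trustworthy as the host that produced it; as with BART, store it off the machine being watched, otherwise an intruder who can edit /etc/passwd can just as easily regenerate the manifest.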

BART Blueprint BART Blueprint.




Commands

pfiles has been enhanced to display pathnames for file descriptors,

   pfiles `pgrep syslog`
   342:    /usr/sbin/syslogd
   [...]
      6: S_IFREG mode:0644 dev:102,0 ino:30080 uid:0 gid:0 size:142041
         O_WRONLY|O_APPEND|O_NOCTTY|O_LARGEFILE
         /var/adm/messages
      7: S_IFREG mode:0644 dev:102,0 ino:30079 uid:0 gid:3 size:0
         O_WRONLY|O_APPEND|O_NOCTTY|O_LARGEFILE
         /var/log/syslog
   [...]

ls has new options for time, -e and -E,

   ls -E /etc/motd
   -rw-r--r--   1 root     sys           54 2005-01-22 10:46:06.000000000 +1100 /etc/motd




DTrace

DTrace is a dynamic tracing tool that combines features of truss, apptrace, mdb, C and awk, and adds many unique features of its own. It helps sysadmins and developers troubleshoot faults and performance problems in great detail, and has solved many problems that were previously too difficult to identify.

DTrace also underpins commands such as lockstat, plockstat and intrstat. For example,

   # intrstat 1
         device |      cpu0 %tim
   -------------+---------------
          hme#0 |       219 14.3
         uata#0 |         0  0.0
   ^C

The CPU spends 14% of its time servicing hme0 interrupts, something that was previously too difficult to measure!

DTrace also provides a command line tool. Here we find which process is generating the most interprocessor crosscalls,

   # dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'
   dtrace: description 'sysinfo:::xcalls ' matched 4 probes
   ^C
     dtrace                                                          105
     sched                                                           135
     tar                                                            4120

Very cool, but that's the tip of the iceberg. DTrace provides a new language, D, and tens of thousands of probes to measure (30,000 or more, depending on which kernel modules are loaded). It's possible to write standalone DTrace scripts to analyse just about anything. Here we snoop disk I/O with iosnoop, one of the scripts from the DTrace Tools collection linked below,

   # iosnoop
     UID   PID D    BLOCK   SIZE       COMM PATHNAME
     100 15795 R     3808   8192        tar /usr/bin/eject
     100 15795 R    35904   6144        tar /usr/bin/eject
     100 15795 R    39828   6144        tar /usr/bin/env
     100 15795 R     3872   8192        tar /usr/bin/expr
     100 15795 R    21120   7168        tar /usr/bin/expr
   [...]

In the above output we can see the tar command is using the disks, as well as the block number, size and pathname accessed!

DTrace was added in Solaris Express 11/03.

DTrace Community is the DTrace community on OpenSolaris.
DTrace BigAdmin is the BigAdmin DTrace website.
DTrace Docs is the DTrace Guide.
DTrace Tools is a repository of DTrace scripts and examples.




gcc

gcc is available here,

   /usr/sfw/bin/gcc -v
   Reading specs from /usr/sfw/lib/gcc/i386-pc-solaris2.10/3.4.3/specs
   Configured with: /builds/sfw10-gate/usr/src/cmd/gcc/gcc-3.4.3/configure --prefix=/usr/sfw ...
   Thread model: posix
   gcc version 3.4.3 (csl-sol210-3_4-branch+sol_rpath)
   #
   # /usr/sfw/bin/gmake
   gmake: *** No targets specified and no makefile found.  Stop.

gcc was shipped with the first Solaris 10 release.

gcc gcc Home Page.




Kernel

General Kernel features,

  • Multi-tasking
  • Virtual Memory
  • Fully Preemptive
  • 64-bit capable
add stuff here




Kstat

Kstat is the Kernel Statistics Facility, a single programming interface to provide module statistics to non-privileged processes. Commands like vmstat, iostat, mpstat and sar are Kstat based. There is a ton of info in Kstat, and it is very useful for developers to find all the system statistics in one place.

Developers writing device drivers should include support for Kstat. Developers writing tools can use Kstat in C, Perl or shell (but preferably C :).

   #  man -l kstat.3kstat Sun::Solaris::Kstat kstat.1m    # list C, Perl and CLI man pages
   kstat.3kstat (3kstat)   -M /usr/man
   Sun::Solaris::Kstat (3) -M /usr/perl5/man
   kstat.1m (1m)   -M /usr/man
   #
   # kstat cpu_info:0:cpu_info0:clock_MHz                    # fetch a value using the CLI
   module: cpu_info                        instance: 0
   name:   cpu_info0                       class:    misc
           clock_MHz                       333

Kstat Developers 1 Kstat for C Developers
Kstat Developers 2 Kstat for shell and Perl Developers
K9Toolkit Kstat tools written using Perl




IP Filter

IP Filter is a free, open-source stateful packet filter written by Darren Reed of Australia. It has a simple command line interface and a lightweight feel, but it is considerably more powerful than it looks.

The following is a summary of IP Filter usage,

   # ipf -Fa -f /etc/ipf/ipf.conf          # load rules
   # ipfstat -ionh                         # list rules
   # ipnat -CF -f /etc/ipf/ipnat.conf      # load NAT
   # ipnat -l                              # list NAT
   # vi /etc/ipf/pfil.ap                   # activate interface
   # ls /usr/share/ipfilter/examples       # examples,
   BASIC.NAT   example.10  example.2   example.6   example.sr  ip_rules    pool.conf
   BASIC_1.FW  example.11  example.3   example.7   firewall    mkfilters   server
   BASIC_2.FW  example.12  example.4   example.8   ftp-proxy   nat-setup   tcpstate
   example.1   example.13  example.5   example.9   ftppxy      nat.eg

This is a simple ruleset that blocks all inbound TCP connections on hme0 except SSH, and allows all outbound TCP from hme0. Note what it does not cover: UDP, ICMP and other interfaces match no rule, and IP Filter passes a packet that matches nothing. Also note the "quick" on the ssh rule: IP Filter normally lets the last matching rule decide, so without "quick" the later block rule would also match port 22 and win,

   # cat /etc/ipf/ipf.conf
   pass in quick on hme0 proto tcp from any to any port = 22 keep state
   block return-rst in log on hme0 proto tcp from any to any
   pass out on hme0 proto tcp from any to any keep state
   #
   # ipfstat -ionh
   0 @1 pass out on hme0 proto tcp from any to any keep state
   2 @1 pass in quick on hme0 proto tcp from any to any port = ssh keep state
   9 @2 block return-rst in log on hme0 proto tcp from any to any

IP Filter was added in Solaris Express 2/04.
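As an added example (not IP Filter code), the following Python models the two evaluation rules that make the ruleset above behave as intended: the last matching rule wins unless a matching rule says quick, and a packet matching no rule at all is passed. It parses only the subset of ipf.conf syntax used on this page, does not track state, and the packets it evaluates are constructed.

```python
"""Minimal model of IP Filter rule evaluation (added example, not ipf code).

Parses only the subset of ipf.conf syntax used on this page:
    pass|block [return-rst] in|out [log] [quick] on IFACE proto PROTO
        from any to any [port = N] [keep state]
Two ipf semantics matter: the LAST matching rule decides, unless a
matching rule says `quick`, which stops the search; and a packet that
matches no rule at all is passed. `keep state` is not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool
    iface: str
    proto: str
    dport: Optional[int]   # None = any destination port
    text: str


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dport: int


def parse_rule(line: str) -> Rule:
    toks = line.split()
    dport = None
    if "port" in toks:
        dport = int(toks[toks.index("port") + 2])   # tokens are "port = 22"
    return Rule(action=toks[0],
                direction="in" if "in" in toks else "out",
                quick="quick" in toks,
                iface=toks[toks.index("on") + 1],
                proto=toks[toks.index("proto") + 1],
                dport=dport, text=line)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """Return "pass" or "block" for pkt under ipf's last-match/quick rules."""
    result = "pass"                 # ipf's default when nothing matches
    for rule in rules:
        if matches(rule, pkt):
            result = rule.action    # a later match overrides an earlier one
            if rule.quick:
                break               # ... unless the match says quick
    return result


# The ruleset from /etc/ipf/ipf.conf above.
PAGE_RULES = [parse_rule(line) for line in """
pass in quick on hme0 proto tcp from any to any port = 22 keep state
block return-rst in log on hme0 proto tcp from any to any
pass out on hme0 proto tcp from any to any keep state
""".strip().splitlines()]

# The same ruleset with `quick` dropped from the ssh rule (a common mistake).
NO_QUICK_RULES = [parse_rule(r.text.replace(" quick", "")) for r in PAGE_RULES]


def demo() -> dict:
    ssh = Packet("in", "hme0", "tcp", 22)
    http = Packet("in", "hme0", "tcp", 80)
    dns = Packet("in", "hme0", "udp", 53)
    return {
        "ssh": evaluate(PAGE_RULES, ssh),                    # pass
        "http": evaluate(PAGE_RULES, http),                  # block
        "udp_dns": evaluate(PAGE_RULES, dns),                # pass: no rule covers UDP
        "ssh_without_quick": evaluate(NO_QUICK_RULES, ssh),  # block: last match wins
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {verdict}")
```

The udp_dns case is the one to take away: a ruleset that only mentions "proto tcp" leaves everything else open. A default-deny policy needs a final "block in all" (or per-protocol rules) so that unmatched traffic does not fall through to IP Filter's implicit pass.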

IP Filter Home IP Filter Homepage.
IP Filter Examples IP Filter Examples.
IP Filter Docs Chapters 24 and 25 of the answerbook.




IPQoS

IPQoS allows us to classify packets based on various rules, and then mark the packets with different priorities (the DSCP field, via the dscpmk module). Some rules match on port numbers, IP addresses, or UIDs (outbound); other rules, called meters, check the rate of traffic. It is based on numerous RFCs, in particular RFC 2475 (the Differentiated Services architecture), and works best when the other network devices on the path honour the same markings.

   # ls /etc/inet/ipqosconf.*                      # example configs
   /etc/inet/ipqosconf.1.sample  /etc/inet/ipqosconf.3.sample
   /etc/inet/ipqosconf.2.sample
   #
   # ipqosconf -v -a /etc/inet/ipqosinit.conf      # load configs
   #
   # man -l ipqos ipqosconf ipgpc tokenmt tswtclmt dscpmk flowacct
   ipqos (7ipp)    -M /usr/share/man
   ipqosconf (1m)  -M /usr/share/man
   ipgpc (7ipp)    -M /usr/share/man
   tokenmt (7ipp)  -M /usr/share/man
   tswtclmt (7ipp) -M /usr/share/man
   dscpmk (7ipp)   -M /usr/share/man
   flowacct (7ipp) -M /usr/share/man

IPQoS was added to Solaris 9 9/02.

IPQoS Docs in Chapters 31 to 36.




MTB UFS

Multiterabyte UFS is a new flavor of Sun's enhanced UFS (which is based on the BSD Fast File System, FFS, plus many enhancements by Sun over the years). newfs uses MTB_UFS automatically for file systems larger than a terabyte, which it has been optimised for. Other commands, such as fsck and ufsdump, support this new file system type.

Here we use MTB_UFS on a tiny slice that normally wouldn't, so the -T is necessary to force it,

   # newfs -T /dev/dsk/c0t1d0s0
   newfs: construct a new file system /dev/rdsk/c0t1d0s0: (y/n)? y
   /dev/rdsk/c0t1d0s0:     16839648 sectors in 16706 cylinders of 16 tracks, 63 sectors
           8222.5MB in 59 cyl groups (286 c/g, 140.77MB/g, 192 i/g)
   super-block backups (for fsck -F ufs -o b=#) at:
    32, 288384, 576736, 865088, 1153440, 1441792, 1730144, 2018496, 2306848,
    2595200,
    14126208, 14414560, 14702912, 14991264, 15279616, 15567968, 15856320,
    16144672, 16433024, 16721376,

Notice the cylinder groups are much larger than usual, and there are fewer inodes than normal.

MTB_UFS was added in Solaris 9 8/03.

findbill find UFS/MTB_UFS backups - at the time of writing, the only Google hit for MTB_UFS!




OpenSSL

The OpenSSL cryptography toolkit provides commands and libraries that are needed by other software.

There is a /usr/sfw/include/openssl directory for developers, as well as the following command,

   $ /usr/sfw/bin/openssl md5 /usr/bin/ls
   MD5(/usr/bin/ls)= b46d86445cb33dff0c3029730aab3a1f
   $
   $ /usr/sfw/bin/openssl enc -aes128 -in /etc/passwd -out /tmp/passwd.aes128
   enter aes-128-cbc encryption password:
   Verifying - enter aes-128-cbc encryption password:

Note that enc derives the key from the password with OpenSSL's own legacy single-pass key derivation, and adds no integrity check (CBC without a MAC), so treat it as a convenience for ad hoc files rather than a file encryption system.

OpenSSL was added in Solaris Express 8/04.

OpenSSL OpenSSL Homepage




PAM

Pluggable Authentication Modules (PAM) give applications a single authentication interface, and give sysadmins the ability to change or enhance how authentication is performed without touching the applications. Extra modules can be written in C, placed in /usr/lib/security, and activated by editing /etc/pam.conf.

For example, the following are the lines that allow rlogin and rsh to authenticate by host trust (~/.rhosts and /etc/hosts.equiv). Because the control flag is "sufficient", a client that passes the trust check is never asked for a password; remove these lines (or disable the services) if host-based trust is not wanted,

   # grep rhosts /etc/pam.conf
   rlogin  auth sufficient         pam_rhosts_auth.so.1
   rsh     auth sufficient         pam_rhosts_auth.so.1

PAM was added in Solaris 2.6.
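As an added example (not libpam or Solaris code), the following Python models how pam.conf control flags are evaluated, using a constructed rlogin stack in the style of the grep output above. The module outcomes are supplied by hand to stand in for the real checks. It shows that with pam_rhosts_auth marked sufficient a trusted host never reaches the password module, and that deleting that line forces password authentication.

```python
"""Model of PAM auth-stack evaluation (added example, not libpam code).

Control flags handled, as described in pam.conf(4):
  required   a failure is remembered, but later modules still run
  requisite  a failure ends the stack immediately with failure
  sufficient a success ends the stack with success unless an earlier
             required module already failed; a failure is ignored
  optional   ignored unless nothing else in the stack decided
Module outcomes are supplied as a dict standing in for the real checks
(is the client host in .rhosts? did the password verify?).
"""
from typing import Dict, List, Tuple

Stack = List[Tuple[str, str]]          # [(control flag, module), ...]

# Constructed pam.conf fragment in the style of the grep output above; the
# module names are real Solaris ones, but the stack is simplified.
PAM_CONF = """
rlogin  auth sufficient  pam_rhosts_auth.so.1
rlogin  auth requisite   pam_authtok_get.so.1
rlogin  auth required    pam_unix_auth.so.1
other   auth requisite   pam_authtok_get.so.1
other   auth required    pam_unix_auth.so.1
"""


def parse_pam_conf(text: str, service: str, facility: str = "auth") -> Stack:
    """Return the stack for one service/facility, ignoring comments and blanks."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        svc, fac, control, module = line.split()[:4]
        if svc == service and fac == facility:
            stack.append((control, module))
    return stack


def run_stack(stack: Stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate a stack. Returns (authenticated?, modules actually consulted)."""
    consulted, required_failed, any_success = [], False, False
    for control, module in stack:
        ok = outcomes.get(module, False)      # unknown module: treat as failing
        consulted.append(module)
        any_success = any_success or ok
        if control == "requisite" and not ok:
            return False, consulted
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True, consulted            # short-circuit: nothing after runs
    return (any_success and not required_failed), consulted


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    rlogin = parse_pam_conf(PAM_CONF, "rlogin")
    # The same stack after the pam_rhosts_auth line is deleted from pam.conf.
    hardened = [(c, m) for c, m in rlogin if m != "pam_rhosts_auth.so.1"]
    trusted_host = {"pam_rhosts_auth.so.1": True,
                    "pam_authtok_get.so.1": True, "pam_unix_auth.so.1": False}
    good_password = {"pam_rhosts_auth.so.1": False,
                     "pam_authtok_get.so.1": True, "pam_unix_auth.so.1": True}
    bad_password = {"pam_rhosts_auth.so.1": False,
                    "pam_authtok_get.so.1": True, "pam_unix_auth.so.1": False}
    return {
        "trusted_host": run_stack(rlogin, trusted_host),           # in, password never asked
        "good_password": run_stack(rlogin, good_password),         # in, via pam_unix_auth
        "bad_password": run_stack(rlogin, bad_password),           # out
        "trusted_host_hardened": run_stack(hardened, trusted_host),  # out: must use password
    }


if __name__ == "__main__":
    for case, (ok, consulted) in demo().items():
        print(f"{case:>22}: {'OK' if ok else 'FAIL'} via {' -> '.join(consulted)}")
```

The consulted list is the point: under the page's configuration, a host listed in .rhosts is authenticated by pam_rhosts_auth alone, and whatever password modules follow are never run, so they cannot compensate for a weak trust file.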

PAM Docs PAM Docs on www.sun.com




Patch Manager

Patch Manager provides many ways to automatically manage patches on a server, depending on what strategy suits the environment. The methods range from separate analyze, download and install steps to full automation with an "update".

The following shows the configurables, then a portion of an analysis run,

   # smpatch get
   patchpro.backout.directory      -               ""
   patchpro.download.directory     -               /var/sadm/spool
   patchpro.install.types          -               rebootafter:reconfigafter:standard
   patchpro.patch.source           https://updateserver.sun.com/solaris/  https://updateserver.sun.com/solaris/
   patchpro.patchset               -               patchdb
   patchpro.proxy.host             mars            ""
   patchpro.proxy.passwd           ****            ****
   patchpro.proxy.port             8080            8080
   patchpro.proxy.user             -               ""
   patchpro.sun.passwd             ****            ****
   patchpro.sun.user               yourlogin       ""
   #
   # smpatch analyze
   119146-01 SunOS 5.10_x86: usr/snadm/lib Patch
   119253-01 SunOS 5.10_x86: System Administration Applications Patch
   119316-01 SunOS 5.10_x86: Solaris Management Applications Patch
   119314-01 SunOS 5.10_x86: WBEM Patch
   [...]

Patch Manager was added in Solaris Express 6/04.

Patch Manager Docs in Chapters 18 and 19.




SMF

The Service Management Facility replaces the usual boot scripts found under /etc/rcS.d/S*... It provides many advantages: faster booting, as independent services can be started in parallel across CPUs; dependency checking; excellent logs during boot; a central configuration repository; and a simple interface.

In the following example, we disable ssh using "svcadm" and check the status using "svcs". The change persists across reboots.

   # ssh 0
   The authenticity of host '0 (0.0.0.0)' can't be established.
   RSA key fingerprint is 3e:97:ab:fe:18:2e:1a:1f:6a:39:6e:f7:19:bd:43:85.
   Are you sure you want to continue connecting (yes/no)? ^C
   # svcadm disable ssh
   # ssh 0
   ssh: connect to host 0 port 22: Connection refused
   # svcs ssh
   STATE          STIME    FMRI
   disabled       11:04:22 svc:/network/ssh:default

In the following example, there is a fault with the network card during boot. Many services are now offline, and "svcs -xv" is used to determine the root cause of the problem,

   # svcs -xv
   svc:/network/physical:default (physical network interfaces)
    State: maintenance since Sun Apr 24 11:13:36 2005
   Reason: Start method exited with $SMF_EXIT_ERR_CONFIG.
      See: http://sun.com/msg/SMF-8000-KS
      See: man -M /usr/share/man -s 1M ifconfig
      See: /etc/svc/volatile/network-physical:default.log
   Impact: 8 dependent services are not running:
           svc:/milestone/network:default
           svc:/network/nfs/nlockmgr:default
           svc:/network/nfs/client:default
           svc:/network/nfs/status:default
           svc:/network/nfs/cbd:default
           svc:/network/nfs/mapid:default
           svc:/network/ipfilter:default
           svc:/network/ssh:default

The logfile makes it clear what is wrong. When the fault is fixed and network/physical is re-enabled, all the offline services start immediately. SMF is really smart and saves a lot of typing.

SMF was introduced in Solaris Express 10/04.

SMF Quickstart SMF Quickstart Guide on BigAdmin
SMF Developer Service Developer Introduction on BigAdmin
SMF Docs Chapter 9




Solaris Cryptographic Framework

The Solaris Cryptographic Framework is based on PKCS #11, the Cryptographic Token Interface Standard from RSA Laboratories. It allows sysadmins to administer cryptography provided by software libraries or hardware cards, and provides developers with a standard API for using and adding to the framework.

The cryptoadm command can be used list all providers, install or uninstall software providers, and enable or disable hardware providers.

One immediate benefit of the Solaris Cryptographic Framework is the addition of the commands digest and encrypt,

   $  digest
   digest: usage: digest -l | [-v] -a <algorithm> [file...]
   $ digest -v -a md5 /usr/bin/ls
   md5 (/usr/bin/ls) = b46d86445cb33dff0c3029730aab3a1f
   $
   $ encrypt
   encrypt: usage: encrypt -l | -a <algorithm> [-k <keyfile>] [-i <infile>]
                           [-o <outfile>]
   $
   $ encrypt -l
   Algorithm       Keysize:  Min   Max (bits)
   ------------------------------------------
   aes                       128   128
   arcfour                     8   128
   des                        64    64
   3des                      192   192

PS. MD5 and SHA-1 are no longer collision resistant: practical MD5 collisions were published in 2004 and a collision attack on SHA-1 was announced in early 2005. Don't rely on either where an attacker could supply the data being hashed (signatures, integrity manifests), and prefer SHA-256 or stronger where the framework offers it. Good thing we have the Solaris Cryptographic Framework, as it is easy to upgrade these algorithms. :)

The Solaris Cryptographic Framework was added in stages, from Solaris Express 9/03 to Solaris Express 6/04.

BigAdmin Xperts Xpert transcript on BigAdmin
BigAdmin Article Article on BigAdmin




StarOffice 7

StarOffice 7 is a fast and very capable office suite. It can import and export all of the popular file formats, and its own formats produce nicely small files.

The first time StarOffice is executed it configures itself, then it behaves as normal,

   $ /usr/bin/soffice -h
   StarOffice 7  645m52(Build:8824)
  
   Usage: soffice [options] [documents...]

StarOffice was added to the Solaris 10 release.

StarOffice 7 StarOffice 7 at www.sun.com
StarOffice.Com StarOffice User Portal




TCP MDT

TCP Multidata Transmit allows TCP/IP to hand several packets to the network device driver in one call, reducing the overhead of switching between these modules. This increases network performance.

Testing using TTCP (Test TCP) on a busy UltraSPARC 10 with TCP MDT turned on and then off,

   # java ttcp -n 32768 -t 192.168.1.1
   Transmit: buflen= 8192  nbuf= 32768 port= 5001
   Transmit connection:
     Socket[addr=alfa/192.168.1.1,port=5001,localport=33398].
   Transmit: 268435456 bytes in 29776 milli-seconds = 9015.162 KB/sec (72121.3 Kbps).
   #
   # ndd -set /dev/ip ip_multidata_outbound 0
   #
   # java ttcp -n 32768 -t 192.168.1.1
   Transmit: buflen= 8192  nbuf= 32768 port= 5001
   Transmit connection:
     Socket[addr=alfa/192.168.1.1,port=5001,localport=33391].
   Transmit: 268435456 bytes in 34520 milli-seconds = 7776.23 KB/sec (62209.84 Kbps).

With TCP MDT on we get 9.0 MB/s (72 Mbps), and with it off 7.7 MB/s (62 Mbps). The more loaded the server is, the greater the difference.

TCP MDT was added in the Solaris 9 8/03 release.




Webmin

Webmin is a free web-based GUI that allows easy administration of common tasks. To activate webmin,

   # /usr/sfw/bin/webminsetup
   Login name (default root):
  
   Web server port (default 10000):
  
   Use SSL?  [y,n,?,q] y
   ***********************************************************************
   *            Welcome to the Webmin setup script, version 1.170        *
   ***********************************************************************
   Webmin is a web-based interface that allows Unix-like operating
   systems and common Unix services to be easily administered.
   [...]

Then connect to https://localhost:10000 in your browser to start webmin. New modules exist for SMF and IP Filter. Webmin runs as root, so keep SSL enabled and restrict which hosts can reach port 10000, for example with an IP Filter rule.

webmin was added in Solaris Express 11/04.

Webmin The Webmin homepage.




ZFS

ZFS is both a volume manager and a file system, and is the world's most advanced file system technology. Its numerous features include checksums on all data and metadata, 128-bit capacity, dynamic striping, incredible ease of use, and excellent performance.

There are two main commands for administering ZFS: zpool and zfs. Here, a single zpool command takes four 75 Gbyte disks and creates a mirrored, checksummed, dynamically-striped pool of storage called "fast". The next two zpool commands observe the state of the pool.

   # zpool create fast mirror c1t0d0 c1t1d0 mirror c1t2d0 c1t3d0
   #
   # zpool list
   NAME              SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
   fast            149.1G   2.92M  149.1G     0%  ONLINE     -
   #
   # zpool status
     pool: fast
    state: ONLINE
    scrub: none requested
   config:
   
           NAME        STATE     READ WRITE CKSUM
           fast        ONLINE       0     0     0
             mirror    ONLINE       0     0     0
               c1t0d0  ONLINE       0     0     0
               c1t1d0  ONLINE       0     0     0
             mirror    ONLINE       0     0     0
               c1t2d0  ONLINE       0     0     0
               c1t3d0  ONLINE       0     0     0
   
   errors: No known data errors

After creating a storage pool, file systems can be created that use that pool. Here the zfs command is used to create a file system called "fast/home", which has a 20 Gbyte quota, compresses data (for both greater capacity and improved I/O throughput), and is mounted on /export/home.

   # zfs create fast/home
   # zfs set mountpoint=/export/home fast/home
   # zfs set compression=on fast/home
   # zfs set quota=20G fast/home
   # zfs list
   NAME                   USED  AVAIL  REFER  MOUNTPOINT
   fast                  91.0K 149.1G   9.5K  /fast
   fast/home                8K  20.0G     8K  /export/home
   #
   # df -F zfs -h
   Filesystem             size   used  avail capacity  Mounted on
   fast/home               20G     9K    20G     1%    /export/home
   fast                   149G    91K   149G     1%    /fast

ZFS is already in OpenSolaris, and will be part of the Solaris 10 6/06 release.

ZFS Community OpenSolaris ZFS Community.
ZFS Learning Center introduces ZFS.
ZFS Release Announcement for the Solaris 10 6/06 release.
ZFS Article Sun's ZFS article.
ZFS For Home discusses using ZFS for home use.
ZFS vs LVM compares differences between ZFS and Linux LVM.
Also see the manpages for zpool and zfs, which are an excellent reference and include many examples.




Zones

A zone is a virtual instance of Solaris. Zones are great for isolating network services, sharing resources on a large server, or creating development environments. Each zone has its own root password, its own /etc and /var files, and its own OS files if installed that way.

In the following, a zone is created that by default shares most of the OS (read-only lofs mounts of /usr, /lib, /platform and /sbin) with the global zone (the root install),

   # zonecfg -z small-zone
   small-zone: No such zone configured
   Use 'create' to begin configuring a new zone.
   zonecfg:small-zone> create
   zonecfg:small-zone> set autoboot=true
   zonecfg:small-zone> set zonepath=/export/small-zone  
   zonecfg:small-zone> add net
   zonecfg:small-zone:net> set address=192.168.2.101
   zonecfg:small-zone:net> set physical=hme0
   zonecfg:small-zone:net> end
   zonecfg:small-zone> verify
   zonecfg:small-zone> exit
   # mkdir /export/small-zone
   # chmod 700 /export/small-zone
   # zoneadm -z small-zone install
   Preparing to install zone <small-zone>.
   Creating list of files to copy from the global zone.
   Copying <2574> files to the zone.
   [...]

A single server may run many zones, and each can be rebooted independently of the global zone. Here we list all the zones and log in to one of them,

   # zoneadm list -cv
     ID NAME             STATUS         PATH            
      0 global           running        /                
      1 workzone4        running        /export/workzone4 
      2 workzone3        running        /export/workzone3  
      3 workzone2        running        /export/workzone2   
      4 workzone1        running        /export/workzone1   
   #
   # zlogin workzone1
   [Connected to zone 'workzone1' pts/2]
   Last login: Tue Apr 19 09:39:57 on pts/2
   Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
   Welcome to Sol10_Generic on sfe2900
   #

Resource control is possible for CPU and memory in a variety of ways. The Fair Share Scheduler divides CPU time between busy zones according to their share ratios (shares only come into play when zones compete for CPU). The following demonstrates the result of giving workzone1 60%, workzone2 30% and workzone3 10% of the CPUs,

   # prstat -Z
      PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP       
     2008 root     4000K 1168K cpu513  28    0   0:02:11 3.7% cpuhog.pl/1
     2018 root     4000K 1168K cpu1    32    0   0:02:11 3.7% cpuhog.pl/1
   [...]
   ZONEID    NPROC  SIZE   RSS MEMORY      TIME  CPU ZONE        
        2       51  182M   93M   0.5%   0:37:27  59% workzone1   
        4       51  182M   92M   0.5%   0:16:25  30% workzone2   
        3       51  183M   93M   0.5%   0:16:30  10% workzone3   
        0       61  359M  194M   1.1%   0:00:11 0.1% global      
        1       34  116M   72M   0.4%   0:00:12 0.0% workzone4   
   Total: 248 processes, 659 lwps, load averages: 51.19, 40.28, 20.52

Zones were released with Solaris Express 2/04.

Zones Community OpenSolaris Zones Community.
Zones BigAdmin Zones BigAdmin
Zones Docs Zones Answerbook on docs.sun.com
Zones Examples Zones Examples, including resource control


Guidelines


Each section is a summary so try to be brief - get to the point and provide a small example if possible. Make sure the subject fits on one screen (ok, DTrace, Zones and ZFS may be exceptions to that!). Add the release that this feature was added, and a short list of related websites.

More detailed examples can be created as extra wiki entries, and linked to in the list of links.


History


23-Apr-05 This site was created - Brendan.
23-Apr-05 Added DTrace, TCP MDT, Webmin, IP Filter, gcc, commands, MTB UFS, SCF sections - Brendan.
24-Apr-05 Added Zones, StarOffice 7, Patch Manager, BART, IPQoS, SMF, Kstat, PAM sections - Brendan.
11-Nov-05 Moved contents section to end for readability and changed title - Michelle.
21-May-06 Some updates, including ZFS - Brendan.
27-Apr-07 Moved content, removed Features heading, added instructions - Michelle