I recently needed to grow a Solaris UFS file system, and accomplished this with the growfs(1m) utility. The growfs(1m) utility takes two arguments. The first argument to growfs (the value passed to “-M”) is the mount point of the file system to grow. The second argument is the raw device that backs this mount point. The following example will grow “/test” to the maximum size available on the meta device d100:

$ growfs -M /test /dev/md/rdsk/d100

To see how many sectors will be available on d100 after the grow operation completes, you can run newfs with the “-N” option, and compare that with the current value reported by df(1m):

$ newfs -N /dev/md/dsk/d100
/dev/md/rdsk/d0: 232331520 sectors in 56944 cylinders of 16 tracks, 255 sectors
113443.1MB in 2191 cyl groups (26 c/g, 51.80MB/g, 6400 i/g)

This will report the number of sectors, cylinders and MBs that would be allocated if a new file system were created on meta device d100. As always, test everything on a non-critical system prior to making changes to critical boxen.

Posted by matty, filed under Solaris Storage. Date: January 29, 2005, 12:14 am | 1 Comment »

I constantly find myself generating checksums, and for some reason each operating system likes to implement its own message digest command (if it provides one at all). If your system is missing a digest command, you can use the openssl utility to generate one-time hashes. OpenSSL supports the SHA1, MD5 and RIPEMD160 algorithms, and accepts one or more files as arguments:

$ openssl md5 passwd
MD5(passwd)= eb1e5c787c3d85b9cf214c70c1095934

$ openssl sha1 passwd
SHA1(passwd)= 1163c343091756010a77f95068aca4c4e360b932

$ openssl rmd160 passwd
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ openssl rmd160 passwd passwd /etc/services
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(passwd)= c5c52bd8506740387691c4b0eb606ad0ffe778d6
RIPEMD160(/etc/services)= c5c52bd8506740387691c4b0eb606ad0ffe778d6

$ cat passwd | openssl md5
eb1e5c787c3d85b9cf214c70c1095934

The OpenSSL source code can be downloaded from the main OpenSSL website:

http://www.openssl.org/source/
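
A digest is most useful when it is compared against a known-good value. The following is an added example, not part of the original post: a shell helper that extracts the hex digest from the “ALG(file)= hash” output shown above and compares it with an expected value. It uses “openssl dgst -sha1”, the long form of “openssl sha1”; the function names and the scratch file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper names): verify a file against a
# known-good digest using the openssl command line.

digest_of() {
    # $1 = algorithm (sha1, md5, ...), $2 = file
    # openssl prints "ALG(FILE)= <hex>"; keep only the hex after the last
    # "= " so file names containing ")" or "=" cannot confuse the parse.
    openssl dgst "-$1" "$2" 2>/dev/null |
        sed -n 's/^.*= *\([0-9a-fA-F][0-9a-fA-F]*\)$/\1/p' |
        tr 'A-F' 'a-f'
}

verify_digest() {
    # $1 = algorithm, $2 = file, $3 = expected hex digest
    # Returns 0 on match, 1 on mismatch, 2 if no digest could be computed.
    actual=$(digest_of "$1" "$2")
    [ -n "$actual" ] || return 2       # unreadable file or unknown algorithm
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Constructed sample: a scratch file holding the three bytes "abc",
# whose SHA1 digest is a published test vector.
sample=$(mktemp)
printf 'abc' > "$sample"
if verify_digest sha1 "$sample" a9993e364706816aba3e25717850c26c9cd0d89d; then
    echo "OK: digest matches"
else
    echo "FAILED: digest mismatch or openssl error"
fi
rm -f "$sample"
```
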

Posted by matty, filed under OpenSSL. Date: January 28, 2005, 12:13 am | No Comments »

I was reading through Planet Sun, and came across Pete Shanahan’s fuser trick. This trick can be used to get the process name of each PID accessing a file system:

$ ps -o pid,ppid,rss,args -p "$(fuser / 2>/dev/null)"

  PID  PPID  RSS COMMAND
    0     0    0 sched
    1     0  776 /etc/init -
    2     0    0 pageout
    3     0    0 fsflush
   49     1 1376 /usr/lib/sysevent/syseventd
   56     1 1904 /usr/lib/picl/picld
  127     1 1136 /usr/sbin/inetd -s
  229     1  816 /bin/sh /usr/local/mysql/bin/safe_mysqld --user=mysql --bind-address=127.0.0.1
  165     1  696 /usr/lib/utmpd
  250     1 1280 /usr/lib/ssh/sshd
18312   250 3224 /usr/lib/ssh/sshd
  255     1 1160 /usr/lib/saf/ttymon -g -h -p winnie console login:  -T sun -d /dev/console -l c
  204     1 1824 /usr/sbin/mdmonitord
  251     1 4064 /usr/local/openldap/libexec/slapd -f /usr/local/openldap-common/etc/slapd.conf
 2001     1 1736 /usr/sbin/syslogd -t

Thanks for the awesome trick Pete!

Posted by matty, filed under Solaris Utilities. Date: January 26, 2005, 12:11 am | No Comments »

I just noticed that my article titled Monitoring and Managing Linux Software RAID was posted to the SysAdmin website. This article provides an introduction to RAID (MD) support under Linux. I hope to blog about mdadm in a future post.

Posted by matty, filed under Articles, Presentations and Certifications. Date: January 23, 2005, 12:16 am | No Comments »

fink is an open source package manager for OS X. The fink command allows packages to be installed, removed, and updated relatively easily. As of this writing, there were 2048 open source packages available:

$ fink list | wc -l
2048

To get started with fink, you need to download the latest version from the SourceForge website:

http://fink.sourceforge.net/

Once you download the disk image, you need to run the fink installer. This will create the software directory hierarchy, and set a few variables in your profile. After fink is installed, you can run fink’s “selfupdate” option to grab the latest package list and binary fixes:

$ fink selfupdate

To list all of the available packages, fink can be run with the “list” option:

$ fink list | grep gnupg
gnupg 1.2.4-1 Gnu privacy guard - A Free PGP replacement
gnupg-idea 1.11-4 Gnu privacy guard (v 1.2.4) with IDEA cipher support

To install a specific package, the “install” option can be used:

$ fink install gnupg

This will download, compile and install gnupg under “/sw”. If you wish to remove an installed package, you can use the “purge” or “remove” options:

$ fink remove gnupg

Further information can be obtained by running fink with the “--help” option, or by reading through the documentation on the fink website.

Posted by matty, filed under Apple. Date: January 22, 2005, 12:10 am | No Comments »

As a UNIX and network guy, I try to optimize systems and networks to deliver the most bang for the buck. I recently came across the following post on the Mozilla Zine web forums:

http://forums.mozillazine.org/viewtopic.php?t=53650

This link covers several tunables for Firefox, several of which can significantly speed up page load times (especially when you have a tabbed list of news sites):

network.http.max-connections: This value controls the maximum number of outbound TCP connections. network.http.max-connections accepts an integer value and defaults to 24.

network.http.max-connections-per-server: This value controls the number of concurrent requests to a single site. For sites that contain hundreds of URIs in a single page, this should speed up page load times (provided the remote site isn’t rate limiting inbound connections). network.http.max-connections-per-server accepts an integer value and defaults to 8.

network.http.max-persistent-connections-per-server && network.http.max-persistent-connections-per-proxy: These values control the number of persistent HTTP connections that can be maintained to a website. Both parameters accept integer values and default to 2 and 4, respectively.

network.http.pipelining && network.http.proxy.pipelining: These values control the HTTP 1.1 pipelining feature, which allows multiple HTTP requests to be sent at connection setup. Both parameters accept boolean “true”/“false” values and default to “false”.

network.http.pipelining.maxrequests: This value controls the number of requests that will be issued at connection setup. network.http.pipelining.maxrequests accepts an integer value and defaults to 4.

You can tweak these settings by typing “about:config” into the Firefox navigation toolbar, or by directly editing the user.js preferences file. I picked my current values by adjusting the current values, clearing the cache, and calculating the time it took Firefox to load 50 tabs. I was able to cut 14 seconds off my news site load time by doubling, and sometimes tripling the default values :)

Posted by matty, filed under Firefox. Date: January 20, 2005, 12:09 am | No Comments »

I set up several Solaris systems to authenticate via LDAP last year, and periodically get the following error message in /var/adm/messages:

Dec 21 08:44:17 sparky nscd[1174]: [ID 293258 user.error] libsldap: Status: 4 Mesg: Service search
descriptor for service ‘passwd’ contains filter, which can not be used for service ‘user_attr’.

We use SSDs (service search descriptors) to tailor the search string that is sent to the directory server. This allows us to tailor who can and cannot log in to our Solaris systems. After doing some digging, it looks like the following search descriptors are required to make libsldap.so happy:

NS_LDAP_SERVICE_SEARCH_DESC= user_attr:ou=people,dc=daemons,dc=net?one?&(acctActive=yes)
NS_LDAP_SERVICE_SEARCH_DESC= audit_user:ou=people,dc=daemons,dc=net?one?&(acctACtive=yes)

Since we use sudo instead of RBAC, I am still researching why the secure LDAP client queries the directory server for the user_attr information. Hopefully I can find an answer in RFC 2307 (An approach to using LDAP as a network information service), or the documentation on docs.sun.com.

Posted by matty, filed under Solaris Misc. Date: January 18, 2005, 12:07 am | No Comments »

Numerous people have posted to the Apple discussion board regarding “site not found” errors, and web browsers requiring two attempts to load a page. This was REALLY annoying me, so I started doing some digging to see what was wrong. When I broke out tcpdump, I noticed that OS X was sending AAAA record (these are the IPv6 equivalent to an IPv4 A record) requests to my DNS server:

$ sudo tcpdump -i en1 -vvvv -n -e port 53

[ ... ]

08:51:49.710240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 73: IP (tos 0x0, ttl 64, id 29629, offset 0, flags [none], length: 59) 192.168.1.8.49428 > 192.168.1.1.53: [udp sum ok] 20324+ AAAA? www.apple.com. (31)

08:51:49.712412 00:03:ba:05:9d:9f > 00:0d:93:83:1d:73, ethertype IPv4 (0x0800), length 171: IP (tos 0x0, ttl 64, id 20532, offset 0, flags [none], length: 157) 192.168.1.1.53 > 192.168.1.8.49428: 20324 q: AAAA? www.apple.com. 1/1/0 www.apple.com. CNAME[|domain]

Now, why Safari is causing the name resolution libraries to query “www.apple.com” when I visit www.cnn.com is beyond me (I will have to do some more digging). Since I am on a pure IPv4 network, I tried disabling IPv6 in the network preferences tab to see if it would stop sending AAAA record requests. This was not the case, and I still had trouble loading pages. While reviewing the latest errata on the OpenBSD errata page, I came across the following:

“BIND contains a bug which results in BIND trying to contact nameservers via IPv6, even in cases where IPv6 connectivity is non-existent. This results in unnecessary timeouts and thus slow DNS queries.”

Well hot dog, this seems to align with what I was seeing and experiencing!!!! I applied the patch to my OpenBSD name server, restarted named, and the problem seems to be fixed. Several of the folks on the discussion board also mentioned hard coding the DNS servers, which may or may not fix the issue (if this is a BIND-specific issue, then your ISP will need to patch their servers). Once I get some additional time, I will check to see if this is BIND or OpenBSD specific. Stay tuned!
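
To check how often a client asks for AAAA records, the capture can be summarised. The following is an added example, not part of the original post: it reads tcpdump text in the format shown above and counts questions of one record type per client and name. The function names are assumptions; the first two sample lines are taken from the capture above and the last two are constructed.

```sh
#!/bin/sh
# Added example (hypothetical helper names): tally DNS questions of one
# record type per client and name from "tcpdump -n -e -vvvv port 53" text.

count_queries() {
    # $1 = record type to count (AAAA, A, ...); tcpdump text on stdin.
    # Prints "<count> <client> <name>" lines, sorted.
    awk -v want="$1?" '
    {
        for (i = 3; i <= NF; i++) {
            # "<src>.<port> > <dst>.53:" marks a packet sent to a DNS server;
            # replies (source port 53) never match and are skipped.
            if ($(i-1) == ">" && $i ~ /\.53:$/) {
                src = $(i-2)
                sub(/\.[0-9]+$/, "", src)      # strip the source port
                for (j = i + 1; j < NF; j++)
                    if ($j == want) { seen[src " " $(j+1)]++; break }
                break
            }
        }
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Sample capture: lines 1-2 are from the post, lines 3-4 are constructed.
sample_capture() {
cat <<'EOF'
08:51:49.710240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 73: IP (tos 0x0, ttl 64, id 29629, offset 0, flags [none], length: 59) 192.168.1.8.49428 > 192.168.1.1.53: [udp sum ok] 20324+ AAAA? www.apple.com. (31)
08:51:49.712412 00:03:ba:05:9d:9f > 00:0d:93:83:1d:73, ethertype IPv4 (0x0800), length 171: IP (tos 0x0, ttl 64, id 20532, offset 0, flags [none], length: 157) 192.168.1.1.53 > 192.168.1.8.49428: 20324 q: AAAA? www.apple.com. 1/1/0 www.apple.com. CNAME[|domain]
08:51:50.810240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 73: IP (tos 0x0, ttl 64, id 29630, offset 0, flags [none], length: 59) 192.168.1.8.49429 > 192.168.1.1.53: [udp sum ok] 20325+ AAAA? www.apple.com. (31)
08:51:51.010240 00:0d:93:83:1d:73 > 00:03:ba:05:9d:9f, ethertype IPv4 (0x0800), length 71: IP (tos 0x0, ttl 64, id 29631, offset 0, flags [none], length: 57) 192.168.1.8.49430 > 192.168.1.1.53: [udp sum ok] 20326+ A? www.cnn.com. (29)
EOF
}

sample_capture | count_queries AAAA
```
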

Posted by matty, filed under Apple. Date: January 16, 2005, 12:04 am | No Comments »
