Blog O' Matty


Verifying SSH host keys

This article was posted by Matty on 2006-07-15 09:01:00 -0400

If you use SSH to access remote servers, the ssh client will prompt you each time you connect to a new server and ask you to accept the server's host key:

$ ssh mail.me.net

The authenticity of host 'mail.me.net (1.2.3.4)' can't be established.
RSA key fingerprint is 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mail.me.net,1.2.3.4' (RSA) to the list of known hosts.
matty@mail.me.net's password:

How do you determine if the fingerprint presented is valid? The easiest way to validate the key is to log in to the server through the console and run the ssh-keygen utility with the "-l" (list fingerprint) and "-f" (file to check) options:

$ ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub
2048 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd ssh_host_rsa_key.pub

If you can’t access the console, you can ask someone who already has access to read off the ssh-keygen output. While it’s a bit of a pain, it is a small step in the name of secure access.
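The comparison the post describes is "fingerprint in the ssh prompt" against "fingerprint printed by ssh-keygen -l on the console". The following is an added example (not code from the original post) that does the same thing in Python: it computes the legacy colon-separated MD5 fingerprint shown above, and the SHA256 form that newer ssh-keygen versions print, from an OpenSSH public key line, and compares a fingerprint read off the console with the one the client presented. The key line is constructed inline with deliberately tiny RSA parameters so the example runs offline; it is not a real host key.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string': 4-byte big-endian length followed by the data."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (extra leading zero if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def build_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa <base64 blob> <comment>' line (constructed sample, not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_ssh_mpint(e)) + _ssh_string(_ssh_mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


# Constructed sample: far too small to be a usable key, but structurally valid.
SAMPLE_PUBKEY_LINE = build_rsa_pubkey_line(65537, 0xC0FFEEDEADBEEF123456789ABC, "root@mail.me.net")


def parse_pubkey_line(line: str):
    """Return (key type, decoded blob) and check the type inside the blob matches the declared one."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type = parts[0]
    blob = base64.b64decode(parts[1], validate=True)
    (inner_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + inner_len] != key_type.encode("ascii"):
        raise ValueError("declared key type does not match the key blob")
    return key_type, blob


def md5_fingerprint(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint, the format the 2006-era ssh prompt shows."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """Modern ssh-keygen -l format: 'SHA256:' followed by unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_from_keygen_output(output: str) -> str:
    """Pull the fingerprint field out of a line printed by 'ssh-keygen -l -f <file>'."""
    fields = output.split()
    if len(fields) < 2 or not fields[0].isdigit():
        raise ValueError("unexpected ssh-keygen -l output")
    return fields[1]


def _normalize(fp: str) -> str:
    fp = fp.strip()
    if fp[:4].upper() == "MD5:":
        fp = fp[4:]
    if fp[:7].upper() == "SHA256:":
        return "SHA256:" + fp[7:]          # base64 is case-sensitive
    return fp.lower()                      # hex fingerprints are not


def fingerprints_match(prompt_fp: str, console_fp: str) -> bool:
    """Compare the fingerprint shown by the client with the one read off the console."""
    return hmac.compare_digest(_normalize(prompt_fp).encode(), _normalize(console_fp).encode())


def verify_host_key(pubkey_line: str, expected_fp: str) -> bool:
    """True if expected_fp matches the MD5 or SHA256 fingerprint of the key in pubkey_line."""
    _, blob = parse_pubkey_line(pubkey_line)
    return any(fingerprints_match(expected_fp, fp)
               for fp in (md5_fingerprint(blob), sha256_fingerprint(blob)))


if __name__ == "__main__":
    console = fingerprint_from_keygen_output(
        "2048 72:c6:5f:e7:85:c8:23:5f:c6:c9:99:88:dd:aa:bb:dd ssh_host_rsa_key.pub")
    print("prompt and console agree:", fingerprints_match("72:C6:5F:E7:85:C8:23:5F:C6:C9:99:88:DD:AA:BB:DD", console))
    _, sample_blob = parse_pubkey_line(SAMPLE_PUBKEY_LINE)
    print("sample key MD5   :", md5_fingerprint(sample_blob))
    print("sample key SHA256:", sha256_fingerprint(sample_blob))
```

Both fingerprints are hashes of the decoded key blob, not of the base64 text, which is why the parser decodes before hashing. A fingerprint read over the phone only has value if whoever reads it is looking at the host's own /etc/ssh/ssh_host_*_key.pub file; the function above reproduces the comparison, it does not replace that out-of-band step.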

Adjusting iprb interface settings with Solaris

This article was posted by Matty on 2006-07-14 18:17:00 -0400

I am using an Intel PRO/100 Ethernet interface in one of the servers I manage, and it is supported by the x64 Solaris 10 Operating System. I recently had to hard code an Intel PRO/100 interface (the Intel PRO/100 is managed by the iprb device driver) to 100 Mb/s full duplex, but it wasn't visible when I ran the ndd utility:

$ ndd -get /dev/iprb \?
operation failed: Invalid argument

I read through the iprb manual page, which discusses hard coding the interface settings in the device driver configuration files. After googling to see which file they were referring to, I found a reference to /kernel/drv/iprb.conf. To set each iprb instance in the server to 100 Mb/s full duplex, the driver type, instance number, speed and duplex parameters can be added to /kernel/drv/iprb.conf:

$ cat /kernel/drv/iprb.conf
name="iprb" parent="pseudo" instance=0 speed=100 full-duplex=1;
name="iprb" parent="pseudo" instance=1 speed=100 full-duplex=1;

In order for the settings to take effect, the device driver needs to be reloaded, or the server rebooted. To verify that the settings took effect, the Solaris dladm utility can be used:

$ dladm show-dev

iprb0   link: unknown   speed: 100  Mbps   duplex: unknown
iprb1   link: unknown   speed: 100  Mbps   duplex: unknown
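Because the driver.conf change only takes effect after a driver reload or reboot, it is easy to end up with a file that says one thing and a link that does another. The following added example (my code, not the post's) parses the iprb.conf entries and the dladm show-dev output shown above and reports every instance whose reported speed or duplex disagrees with what was configured. The two inputs are constructed to match the post's listings; the parsers only understand the `key=value ... ;` and `devN link: X speed: N Mbps duplex: X` shapes seen there.

```python
import re
from typing import Dict, List

# Constructed sample inputs, copied in shape from the post (not captured from a live host).
IPRB_CONF = """
name="iprb" parent="pseudo" instance=0 speed=100 full-duplex=1;
name="iprb" parent="pseudo" instance=1 speed=100 full-duplex=1;
"""

DLADM_SHOW_DEV = """
iprb0   link: unknown   speed: 100  Mbps   duplex: unknown
iprb1   link: unknown   speed: 100  Mbps   duplex: unknown
"""

# key=value pairs; values may be double-quoted strings or bare tokens
_PROP = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

# one 'dladm show-dev' line as printed by Solaris 10
_DLADM = re.compile(r"^(\S+)\s+link:\s*(\S+)\s+speed:\s*(\d+)\s*Mbps\s+duplex:\s*(\S+)")


def parse_driver_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse driver.conf-style entries into {'iprb0': {...}, 'iprb1': {...}}.

    Each entry is a run of key=value properties terminated by ';'. Quotes are stripped.
    """
    entries: Dict[str, Dict[str, str]] = {}
    for statement in text.split(";"):
        props = {key: value.strip('"') for key, value in _PROP.findall(statement)}
        if not props:
            continue                       # blank tail after the last ';'
        if "name" not in props or "instance" not in props:
            raise ValueError(f"entry without name/instance: {statement.strip()!r}")
        entries[f"{props['name']}{int(props['instance'])}"] = props
    return entries


def parse_dladm_show_dev(text: str) -> Dict[str, Dict[str, object]]:
    """Parse 'dladm show-dev' output into {'iprb0': {'link': ..., 'speed': int, 'duplex': ...}}."""
    links: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        match = _DLADM.match(line.strip())
        if match:
            dev, link, speed, duplex = match.groups()
            links[dev] = {"link": link, "speed": int(speed), "duplex": duplex}
    return links


def check_settings(conf: Dict[str, Dict[str, str]],
                   links: Dict[str, Dict[str, object]]) -> List[str]:
    """Compare the speed/duplex requested in iprb.conf with what dladm reports.

    Returns a list of human-readable discrepancies; an empty list means every
    configured instance reports the requested speed and duplex.
    """
    problems: List[str] = []
    for dev, want in conf.items():
        got = links.get(dev)
        if got is None:
            problems.append(f"{dev}: configured but not listed by dladm (driver not reloaded?)")
            continue
        want_speed = int(want.get("speed", 0))
        if want_speed and got["speed"] != want_speed:
            problems.append(f"{dev}: speed {got['speed']} Mbps, expected {want_speed}")
        want_duplex = "full" if want.get("full-duplex") == "1" else "half"
        if got["duplex"] == "unknown":
            problems.append(f"{dev}: duplex reported as unknown; confirm {want_duplex} duplex on the switch port")
        elif got["duplex"] != want_duplex:
            problems.append(f"{dev}: duplex {got['duplex']}, expected {want_duplex}")
    return problems


if __name__ == "__main__":
    for problem in check_settings(parse_driver_conf(IPRB_CONF), parse_dladm_show_dev(DLADM_SHOW_DEV)):
        print(problem)
```

Run against the post's own output it flags both instances, because dladm reports the duplex as unknown: the speed line alone does not prove the full-duplex setting took, and a speed/duplex mismatch against the switch port shows up as late collisions and poor throughput rather than a link failure.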

I dig the dladm utility, and will have to blog about it in a future post.

My new domain

This article was posted by Matty on 2006-07-12 18:57:00 -0400

After reading UNIX file systems, I got to be a bit of a file system junkie. The book does a good job of covering file system design, the block I/O interfaces, caching, the VFS and VNODE abstractions, and the implementation of FFS, VxFS and EXT3. The book piqued my interest in file systems, so I started doing some research on intelligent I/O schedulers and prefetch algorithms. Performing this research has helped me on numerous occasions with understanding how to tailor workloads for a given file system and storage subsystem. Since intelligent prefetch is crucial for getting optimum read performance from a file system, and the name prefetch sounded kinda nifty, I decided to register a domain named prefetch.net. Viva la fetch o' pre!

More Solaris smpatch chaos

This article was posted by Matty on 2006-07-09 17:41:00 -0400

I have written several times about the deficiencies in Sun’s smpatch utility. While attempting to use the broken sconadm utility to register a new server this weekend, I got the following error:

$ sconadm register -a -r RegistrationProfile

sconadm is running
Authenticating user ...
Exception in thread "main" java.lang.reflect.UndeclaredThrowableException
at $Proxy5.getOfferingInstanceName(Unknown Source)
at com.sun.cns.basicreg.cacao.SWUPOMCacaoAdapter.getSWUPOfferingInstanceMBean(SWUPOMCacaoAdapter.java:145)
at com.sun.cns.basicreg.cacao.SWUPOMCacaoAdapter.setSWUPPortalEnabled(SWUPOMCacaoAdapter.java:301)
at com.sun.cns.basicreg.BasicRegCLI.run(BasicRegCLI.java:758)
at com.sun.cns.basicreg.BasicRegCLI.main(BasicRegCLI.java:562)
Caused by: javax.management.InstanceNotFoundException:com.sun.scn:name=SWUPOfferingFactory,assetSubProfile=TODO,host=10.10.2.4,assetProfile=OperatingSystem,scnType=OfferingFactory,Vendor=Sun Microsystems Inc
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getMBean(DefaultMBeanServerInterceptor.java:1010)
at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.getClassLoaderFor(DefaultMBeanServerInterceptor.java:1349)
at com.sun.jmx.mbeanserver.JmxMBeanServer.getClassLoaderFor(JmxMBeanServer.java:1300)
at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.getClassLoaderFor(DefaultMBeanServerInterceptor.java:285)
at com.sun.cacao.agent.DispatchInterceptor.getClassLoaderFor(DispatchInterceptor.java:474)
at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.getClassLoaderFor(AccessControlInterceptor.java:427)
at com.sun.jdmk.JdmkMBeanServerImpl.getClassLoaderFor(JdmkMBeanServerImpl.java:1130)
at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.getClassLoaderFor(InstrumDefaultForwarder.java:153)
at javax.management.remote.rmi.RMIConnectionImpl$4.run(RMIConnectionImpl.java:1306)
at java.security.AccessController.doPrivileged(Native Method)
at javax.management.remote.rmi.RMIConnectionImpl.getClassLoaderFor(RMIConnectionImpl.java:1303)
at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:766)
at sun.reflect.GeneratedMethodAccessor20.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
at sun.rmi.transport.Transport$1.run(Transport.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
at java.lang.Thread.run(Thread.java:595)
at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
at com.sun.jmx.remote.internal.PRef.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnectionImpl_Stub.invoke(Unknown Source)
at javax.management.remote.rmi.RMIConnector$RemoteMBeanServerConnection.invoke(RMIConnector.java:969)
at javax.management.MBeanServerInvocationHandler.invoke(MBeanServerInvocationHandler.java:201)
... 5 more

The Solaris patch management forums seem to indicate that a fair number of people are running into this problem, but unfortunately no solutions are available to address this. I can understand having bugs creep into software, but I am starting to wonder if anyone at Sun is actually doing QE on the patchpro utilities? Anyone care to wager a guess at what that java stack trace means? ;)

Viewing the environment of a Linux or Solaris process

This article was posted by Matty on 2006-07-04 10:49:00 -0400

Each process that is started on Linux and Solaris hosts contains a default environment. This environment contains several variables such as the PATH to search for executables, a HOME variable to indicate where a user's home directory is located, and variables such as LANG to describe the locale in use. The variables are unique to the shell in use (I recently learned that not all shells set HOSTNAME), and can be adjusted with the bash export command, or the csh setenv command. After a process starts, it is sometimes useful to be able to view the environment of a process. On Solaris hosts, you can see the environment of a process by invoking pargs with the "-e" (print the environment) option:

$ pargs -e 18167

18167: /usr/lib/ssh/sshd
envp[0]: LANG=C
envp[1]: PATH=/usr/sbin:/usr/bin
envp[2]: SMF_FMRI=svc:/network/ssh:default
envp[3]: SMF_METHOD=/lib/svc/method/sshd start
envp[4]: SMF_RESTARTER=svc:/system/svc/restarter:default
envp[5]: TZ=US/Eastern

On Linux hosts, you can cat /proc/$PID/environ, where $PID is the process id you are interested in:

$ cd /proc/self

$ cat environ

USER=mattyLOGNAME=mattyHOME=/home/mattyPATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/mail/mattySHELL=/bin/bashSSH_CLIENT=10.10.1.10 49550 22
SSH_CONNECTION=10.10.1.10 49550 10.10.1.11 22SSH_TTY=/dev/pts/0TERM=xterm-color

The Solaris output is a bit prettier, but they both contain the information you need to derive the environment of a process.
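The Linux output runs together because /proc/PID/environ separates the KEY=VALUE records with NUL bytes, which cat does not render. The following added example (my code, not the post's) parses that raw form into a dictionary, renders it in the pargs -e layout, and lists any variable names that look like credentials, since anything a process carries in its environment is readable by the same user or by root through exactly this file. The environ bytes are constructed to mirror the post's listing; read_proc_environ() reads the real file on a Linux host and returns None elsewhere.

```python
from typing import Dict, List, Optional

# Constructed sample mirroring the post's /proc/self/environ output: NUL-separated
# KEY=VALUE records, which is why `cat environ` prints them run together.
SAMPLE_ENVIRON = (
    b"USER=matty\x00LOGNAME=matty\x00HOME=/home/matty\x00"
    b"PATH=/usr/bin:/bin:/usr/sbin:/sbin\x00MAIL=/var/mail/matty\x00"
    b"SHELL=/bin/bash\x00SSH_CLIENT=10.10.1.10 49550 22\x00"
    b"SSH_CONNECTION=10.10.1.10 49550 10.10.1.11 22\x00SSH_TTY=/dev/pts/0\x00"
    b"TERM=xterm-color\x00"
)


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Split a /proc/<pid>/environ buffer into a dict.

    Records are NUL-terminated; the value may itself contain '=' so only the first
    '=' is significant, and a record with no '=' is kept with an empty value.
    Non-UTF-8 bytes are preserved via surrogateescape rather than raising.
    """
    env: Dict[str, str] = {}
    for record in raw.split(b"\x00"):
        if not record:
            continue                           # trailing NUL leaves an empty record
        key, _, value = record.partition(b"=")
        env[key.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
    return env


def read_proc_environ(pid) -> Optional[Dict[str, str]]:
    """Read /proc/<pid>/environ (Linux only). Returns None if the file is absent or not readable,
    which is what happens for another user's process when you are not root."""
    try:
        with open(f"/proc/{pid}/environ", "rb") as fh:
            return parse_environ(fh.read())
    except OSError:
        return None


def format_like_pargs(pid: int, command: str, env: Dict[str, str]) -> str:
    """Render an environment in the 'pargs -e' layout the post shows for Solaris."""
    lines = [f"{pid}: {command}"]
    lines += [f"envp[{i}]: {key}={value}" for i, (key, value) in enumerate(env.items())]
    return "\n".join(lines)


# Name fragments that usually indicate a credential was passed via the environment.
SENSITIVE_HINTS = ("PASS", "SECRET", "TOKEN", "KEY", "CREDENTIAL")


def flag_sensitive(env: Dict[str, str]) -> List[str]:
    """Return variable names whose spelling suggests a secret; values are deliberately not returned."""
    return sorted(key for key in env if any(hint in key.upper() for hint in SENSITIVE_HINTS))


if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print(format_like_pargs(18167, "/bin/bash", env))
    print("credential-looking variables:", flag_sensitive(env) or "none")
    live = read_proc_environ("self")
    if live is not None:
        print("live variables in this process:", len(live))
```

Two caveats a practitioner should know: /proc/PID/environ shows the environment block the process was given at exec time, so variables set later with setenv() or export inside the process do not appear there, and access to the file of another user's process is subject to the same ptrace access check as /proc/PID/mem, which is why it reads as empty or fails for processes you do not own.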