
Change root password in a zone.


Dave

Oct 29, 2009, 5:53:15 PM
I've set up a zone for Apache. After booting the zone, I was expecting to get a
set of prompts like you get with sys-unconfig, but that was not so. (That is
what http://www.sun.com/bigadmin/features/articles/solaris_zones.jsp gave me the
impression I would get).

Anyway, after booting the zone, I could log into the console for the zone using
no password. But my attempts to add a root password for the zone keep failing
with 'permission denied'. Is this what is to be expected? Clearly a zone without
a root password is insecure.


apache console login: root
Last login: Thu Oct 29 14:38:53 on console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005

This Sun Netra T1 is running the FIRST RELEASE OF SOLARIS 10 (03/2005)

<SNIP>

# passwd
passwd: Changing password for root
New Password:
Re-enter new Password:
Permission denied

Zfs..

Oct 29, 2009, 8:33:56 PM
On Oct 29, 9:53 pm, Dave <f...@coo.com> wrote:
> I've set up a zone for Apache. After booting the zone, I was expecting to get a
> set of prompts like you get with sys-unconfig, but that was not so. (That is
> what http://www.sun.com/bigadmin/features/articles/solaris_zones.jsp gave me the
> impression I would get).
>
> Anyway, after booting the zone, I could log into the console for the zone using
> no password. But my attempts to add a root password for the zone keep failing
> with 'permission denied'. Is this what is to be expected? Clearly a zone without
> a root password is insecure.
>
> apache console login: root
> Last login: Thu Oct 29 14:38:53 on console
> Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
>
> This Sun Netra T1 is running the FIRST RELEASE OF SOLARIS 10 (03/2005)
>
> <SNIP>
>
> # passwd
> passwd: Changing password for root
> New Password:
> Re-enter new Password:
> Permission denied

zlogin -C yourzone

and you will get the questions you expect to see...

Zfs..

Oct 29, 2009, 8:45:45 PM

>
> zlogin -C yourzone
>
> and you will get the questions you expect to see...

Clearly that's wrong..

Have you tried halting the zone and rebooting ?

Ian Collins

Oct 30, 2009, 12:00:21 AM

Is it? It looks correct to me!

You have to configure the zone from its console.

--
Ian Collins

Zfs..

Oct 30, 2009, 7:16:34 AM

He said he connected to the console already as per the link !

David Kirkby

Oct 30, 2009, 7:31:43 AM

I had indeed used

zlogin -C apache

to connect to my zone 'apache'. But I just got a console, where I
logged in as root with no password.

I assume from what you are all saying, that is wrong.

I would add, this is the first release of Solaris 10. Perhaps there
were bugs there, which have since been sorted out. I've applied ALL
security patches, but NONE of the recommended patches. I wanted to
keep this machine as close as possible to one running the first
release of Solaris 10, so that binaries built on it had the best
chance of running on any Solaris 10 machine. Also any problems
discovered when building binaries could be documented. (For example,
/usr/sfw/bin/gcc is pretty broken on Solaris 10 03/2005. I only
discovered this when trying to build code on it.)

I'm trying to document properly how to build the maths software Sage

http://www.sagemath.org/

on Solaris. By using a mainly unpatched system, I can document more
problems, and find the workarounds.

However, the machine is going to have multiple uses, so if a
particular patch needs applying, I will apply it, but would rather not
apply any more than necessary.

Dave

Zfs..

Oct 30, 2009, 8:12:31 AM

Yes that is wrong. When the zone is built and booted for the first
time zlogin -C is used to finalise the install.

It runs through some of the usual questions, timezone etc.. before
giving you the login console.

Without the install asking you these questions I would be seriously
worried about the condition of your zone.

Have you tried zlogin -C apache

init 6

Does it throw anything unusual to the console when it is rebooting ?

David Kirkby

Oct 30, 2009, 10:55:05 AM

I've not tried init 6, and am not in a position to try it now, as I
do not have access at the minute. I'll check in 8 hours or so.

Dave

John D Groenveld

Oct 30, 2009, 4:33:40 PM
In article <d7b1d8f5-9d4c-4c07...@m26g2000yqb.googlegroups.com>,

David Kirkby <drki...@gmail.com> wrote:
>I would add, this is the first release of Solaris 10. Perhaps there
>were bugs there, which have since been sorted out. I've applied ALL
>security patches, but NONE of the recommended patches. I wanted to

What does Martin Paul's PCA report as missing recommended patches?
<URL:http://www.par.univie.ac.at/solaris/pca/>
$ ./pca -X . -l missingrs

Some of the security patches will have dependencies on recommended
patches.
Those should be available to your customers for free as in free
Sun Online Account.

But if your policy is to support Solaris FCS then you should not
install any patches on your build systems and live with the bugs
by putting them in a walled sandbox.

John
groe...@acm.org

Dave

Oct 30, 2009, 5:14:43 PM
John D Groenveld wrote:
> In article <d7b1d8f5-9d4c-4c07...@m26g2000yqb.googlegroups.com>,
> David Kirkby <drki...@gmail.com> wrote:
>> I would add, this is the first release of Solaris 10. Perhaps there
>> were bugs there, which have since been sorted out. I've applied ALL
>> security patches, but NONE of the recommended patches. I wanted to
>
> What does Martin Paul's PCA report as missing recommended patches?
> <URL:http://www.par.univie.ac.at/solaris/pca/>
> $ ./pca -X . -l missingrs


Patch IR CR RSB Age Synopsis
------ -- - -- --- --- -------------------------------------------------------
119081 -- < 25 R-- 999 SunOS 5.10: CD-ROM Install Boot Image Patch
119130 -- < 33 R-- 989 SunOS 5.10: Sun Fibre Channel Device Drivers
119313 -- < 28 R-- 56 SunOS 5.10: WBEM Patch
119317 -- < 01 R-- 999 SunOS 5.10: SVr4 Packaging Commands (usr) Patch
119764 -- < 06 R-- 843 SunOS 5.10 : ipmitool patch
119986 -- < 03 R-- 999 SunOS 5.10: clri patch
120061 -- < 02 R-- 999 SunOS 5.10: glm patch
120201 -- < 05 R-- 623 X11 6.8.0: Xorg client libraries patch
121975 -- < 01 R-- 999 CDE 1.6: Xsession patch
120410 -- < 32 R-- 64 SunOS 5.10: Internet/Intranet Input Method Framework patch
121296 -- < 01 R-- 999 SunOS 5.10: fgrep Patch
124393 -- < 09 R-- 403 CDE 1.6: Dtlogin smf patch
124444 -- < 01 R-- 999 SunOS 5.10: mountd patch
127884 -- < 01 R-- 560 SunOS 5.10: awk patch
137321 -- < 01 R-- 602 SunOS 5.10: p7zip patch
138181 -- < 01 R-- 353 SunOS 5.10: ike.preshared patch
139943 -- < 01 R-- 169 SunOS 5.10: todm5819p_rmc patch
141518 -- < 04 R-- 11 SunOS 5.10: zoneinfo patch
141558 -- < 01 R-- 10 SunOS 5.10: acctcom patch
141874 -- < 04 R-- 17 SunOS 5.10: fp patch
142084 -- < 02 R-- 16 SunOS 5.10: qlc patch
142244 -- < 02 R-- 8 SunOS 5.10: hme driver patch
142346 -- < 02 R-- 8 SunOS 5.10: mem_cach patch

> Some of the security patches will have dependencies on recommended
> patches.

I used 'pca' to install the security patches, so I believe that would have
installed any recommended patches needed.

Looking at that list of recommended patches, there is nothing too relevant, though

> Those should be available to your customers for free as in free
> Sun Online Account.

This is my own personal machine. I basically want to use it for three things.

* Run a small home web server
* Use it to build Sage on an early Solaris 10 release, so it hopefully works
on any Solaris 10 machine.
* Let the occasional person have access who might want to borrow some time on
it. (For example, I let the developer of ECL, the lisp interpreter have access
to it, so he could sort out why ECL would not build on the first release of
Solaris 10. It now does build ok).

Putting these things in their own zones seems sensible.

> But if your policy is to support Solaris FCS then you should not
> install any patches on your build systems and live with the bugs
> by putting them in a walled sandbox.

Well, I wish to install the security patches. Also there is a gcc patch which is
needed, as without that, gcc is pretty broken in the early release of Solaris 10.

> John
> groe...@acm.org

John D Groenveld

Oct 30, 2009, 6:22:59 PM
In article <4aeb...@212.67.96.135>, Dave <f...@coo.com> wrote:
>Looking at that list of recommended patches, there is nothing too
>relevant, though

Hard to say without reading each patch's README and the BugIDs.

I suspect many bugs in Sun's utilities were found when they were
used by other Sun tools.

I wouldn't be surprised if a broken awk, grep, pkginfo, etc caused
bugs in zoneadm and friends.

>This is my own personal machine. I basically want to use it for three things.
>
> * Run a small home web server
> * Use it to build Sage on an early Solaris 10 release, so it hopefully works
>on any Solaris 10 machine.
> * Let the occasional person have access who might want to borrow some time on

I forget whether you're shipping binaries.

If just source or source patches, you can put Solaris 10 FCS in a
VirtualBox walled sandbox on your Ultra 27 workstation.

John
groe...@acm.org

Dave

Oct 30, 2009, 6:28:14 PM

I should have added, I configured the zone, and saved the configuration. The file is:

# cat /apache-zone.cfg
create -b
set zonepath=/secure/zones/apache
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/usr/sfw
end
add net
set address=192.168.1.7/24
set physical=eri0
end

I deleted the zone, then tried again, but still have the same issue. I did get
some errors during the installation of the zone though - see below.

# zonecfg -z apache -f /apache-zone.cfg
# zoneadm -z apache install
A ZFS file system has been created for this zone.
Preparing to install zone <apache>.
Creating list of files to copy from the global zone.
Copying <116387> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <950> packages on the zone.
Initialized <950> packages on zone.
Zone <apache> is initialized.
Installation of these packages generated errors: <SUNWjhrt SUNWsmbau SUNWgscr
SUNWgnome-im-client-share SUNWacroread SUNWapch2r SUNWapch2u SUNWapch2d SUNWjhdev>
The file </secure/zones/apache/root/var/sadm/system/logs/install_log> contains a
log of the zone installation.

# zoneadm -z apache boot
# zlogin -C apache
[Connected to zone 'apache' console]

apache console login: root


Sun Microsystems Inc. SunOS 5.10 Generic January 2005

This Sun Netra T1 is running the FIRST RELEASE OF SOLARIS 10 (03/2005)

Very few patches have been applied to this system, to keep it as close to
the 03/2005 release as possible, though the following have been applied.

* All security patches

<SNIP>

As you can see, for some reason it just lets me in as root, with no
configuration to be done.

Dave

Dave

Oct 30, 2009, 6:38:06 PM
John D Groenveld wrote:
> In article <4aeb...@212.67.96.135>, Dave <f...@coo.com> wrote:
>> Looking at that list of recommended patches, there is nothing too
>> relevant, though
>
> Hard to say without reading each patch's README and the BugIDs.
>
> I suspect many bugs in Sun's utilities were found when they were
> used by other Sun tools.
>
> I wouldn't be surprised if a broken awk, grep, pkginfo, etc caused
> bugs in zoneadm and friends.

I guess you are right. I was keen to not patch it more than necessary, so I
could document any patches that need to be applied.

>> This is my own personal machine. I basically want to use it for three things.
>>
>> * Run a small home web server
>> * Use it to build Sage on an early Solaris 10 release, so it hopefully works
>> on any Solaris 10 machine.
>> * Let the occasional person have access who might want to borrow some time on
> I forget whether you're shipping binaries.

I want to make a SPARC binary available.

> If just source or source patches, you can put Solaris 10 FCS in a
> VirtualBox walled sandbox on your Ultra 27 workstation.

But that is the x86 version, not the SPARC version. I know for a fact Sage will
*not* build on OpenSolaris - I do not know about Solaris 10 on x86. An
OpenSolaris port is next on my list, once I'm more happy with the SPARC port.

Dave.

Ian Collins

Oct 30, 2009, 7:32:32 PM
Dave wrote:
>
> This Sun Netra T1 is running the FIRST RELEASE OF SOLARIS 10 (03/2005)
> Very few patches have been applied to this system, to keep it as close to
> the 03/2005 release as possible, though the following have been applied.

Why do you want to use such an early release? Unless the stuff you are
building uses private interfaces specific to that release, you shouldn't
have to.

--
Ian Collins

John D Groenveld

Oct 30, 2009, 7:38:37 PM
In article <4aeb...@212.67.96.135>, Dave <f...@coo.com> wrote:
>I want to make a SPARC binary available.

Create a Solaris 9 branded zone in a well-updated Solaris 10
or OpenSolaris installation on your SPARC-based Netra.

Binaries created there should just work on any Solaris 10
SPARC installation.

John
groe...@acm.org

Zfs..

Oct 30, 2009, 7:45:45 PM

Exactly this.

The latest release is always "better" is what I have found..

Zfs..

Oct 30, 2009, 7:53:38 PM

>
> As you can see, for some reason it just lets me in as root, with no
> configuration to be done.
>
> Dave

Did you reboot using init 6 from the console ? Any weirdness ?

What does svcs -xv say ?

Richard B. Gilbert

Oct 30, 2009, 8:09:39 PM

Perhaps he is distributing the binaries to customers and wants to
support ALL versions of Solaris 10. A binary built on any later version
will usually not run on an earlier version. You will probably find
people building on Solaris 8 or 9 for the same reason; they want to be
able to run the binary on *any* "reasonably recent" version. I keep a
workstation at S8 in case I want to build and distribute something.

Richard B. Gilbert

Oct 30, 2009, 8:32:31 PM

That's generally the reason for new releases; they offer some
combination of fixes and new features.

OTOH, if you want to distribute a software product, you generally want
it to run on as many existing systems as possible. So you keep a
Solaris 8 system around to build binaries that will run on 8, 9 and 10
and maybe 11 if that ever hits the streets.

Ian Collins

Oct 30, 2009, 9:19:00 PM

Yes, but this is within a release.

--
Ian Collins

Dave

Oct 30, 2009, 9:52:51 PM

When I asked on here some weeks back, the general opinion was that if you create
something on a late release of Solaris 10, it might not work on an earlier
release of Solaris 10. Hence it is safer to build it on the first release.

Since all the code is user land stuff, no device drivers or anything at a very
low level, I doubt it would in fact make much difference. But attempting to
build on an early release did uncover the fact the lisp interpreter would not
build, so if someone tried to build from source, there would have been an issue.
That has now been resolved, but it can't do any harm to check on the first and
last releases.

Dave

Chris Ridd

Oct 31, 2009, 4:01:53 AM
On 2009-10-31 01:52:51 +0000, Dave <f...@coo.com> said:

> When I asked on here some weeks back, the general opinion was that if
> you create something on a late release of Solaris 10, it might not work
> on an earlier release of Solaris 10. Hence it is safer to build it on
> the first release.
>
> Since all the code is user land stuff, no device drivers or anything at
> a very low level, I doubt it would in fact make much difference. But

Actually it definitely will make a difference. If you build against
libresolv.so.1 in 10u4, the binary will not run in earlier updates.
It'll run in later updates of course.

Been there, got the scars to prove it...
--
Chris

Dave

Oct 31, 2009, 5:20:09 AM

Thank you. You have confirmed what I thought.

I know a Solaris 8 container might offer a solution, but I've no idea if this
software will build under Solaris 8. I know some hacks were added to build it
under 9, but I'm not convinced the person doing them had much idea what he was
doing, so I would not be surprised if there were issues if I tried to build in a
Solaris 8 container. But that is an option to look at. This machine is too
old/slow to really do what I want. I have access to faster machines, so could
add a container to one of them.

Dave

Ian Collins

Oct 31, 2009, 5:43:22 AM

Ah, OK. I've only ever been bitten when I used a private library
(libzfs) and I've only used a mix of updates 5,6 and 7.

--
Ian Collins

Dave

Oct 31, 2009, 8:13:32 AM
Dave wrote:
> I've set up a zone for Apache. After booting the zone, I was expecting
> to get a set of prompts like you get with sys-unconfig, but that was not
> so. (That is what
> http://www.sun.com/bigadmin/features/articles/solaris_zones.jsp gave me
> the impression I would get).
>
> Anyway, after booting the zone, I could log into the console for the
> zone using no password. But my attempts to add a root password for the
> zone keep failing with 'permission denied'. Is this what is to be
> expected? Clearly a zone without a root password is insecure.

I've tried this many times now, and always get the same result. I noticed there
were errors in installing some packages


# zonecfg -z apache -f /apache-zone.cfg
# zoneadm -z apache install
A ZFS file system has been created for this zone.
Preparing to install zone <apache>.
Creating list of files to copy from the global zone.
Copying <116387> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <950> packages on the zone.
Initialized <950> packages on zone.
Zone <apache> is initialized.
Installation of these packages generated errors: <SUNWjhrt SUNWsmbau SUNWgscr
SUNWgnome-im-client-share SUNWacroread SUNWapch2r SUNWapch2u SUNWapch2d SUNWjhdev>
The file </secure/zones/apache/root/var/sadm/system/logs/install_log> contains a
log of the zone installation.

# zoneadm -z apache boot
# zlogin -C apache
[Connected to zone 'apache' console]

apache console login: root


Sun Microsystems Inc. SunOS 5.10 Generic January 2005


I've tried:

1) Installed ALL the recommended patches using 'pca'

That did not clear the issue. It still boots to a root shell, with no options
like you get if one runs sys-unconfig.

2) Set 'zoned=on' on the zfs file system used to house the zone, as I was on
occasion getting the error reported at

http://unixwear.blogspot.com/2008/05/zfs-dataset-inside-non-global-zone.html

The suggestion there did not work.

3) Changed the file system where the zone was stored from a ZFS file system to
a UFS file system.

4) Removed the packages SUNWjhrt SUNWsmbau SUNWgscr SUNWgnome-im-client-share
SUNWacroread SUNWapch2r SUNWapch2u SUNWapch2d SUNWjhdev from the global zone, as
the 'zoneadm install' reported problems with those. I did not take care to
include all their dependencies. I do not think any looked too useful for a server
- acrobat, samba, Gnome etc.

Still the thing will not work.

5) Renamed the zone from 'apache' to 'myzone' just in case a screwed up zone name
'apache' was stopping a new 'apache' zone being made.

One issue I do note is that I do not have console access to the server. I have
to ssh to it from another machine. Hence the suggested method of leaving the
console (~.) actually breaks the ssh connection to the server.

I can actually hook up console access, but it means a bit of messing around, as
the server is in my garage.

Any ideas what else I might try to get a zone configured on this first release
of Solaris 10?

I've saved the configuration to a file, the contents of which are below. Perhaps
someone can see something wrong with that.

# cat /apache.cfg
create -b
set zonepath=/zones/myzone
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.168.1.7/24
set physical=eri0
end


Dave
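The two zonecfg command files Dave posted (the /apache-zone.cfg earlier in the thread and the /apache.cfg just above) are the input format this added checker parses; it is example code written for this page, not anything from the thread or from Sun. It assumes POSIX sh plus awk, and that a sparse-root zone normally inherits /lib, /platform, /sbin and /usr; the embedded sample config is constructed, modelled on the first posted file, and is meant to show the kind of warning a review of such a file should surface before it is handed to zonecfg.

```shell
#!/bin/sh
# Added example for this page (not from the thread or from Sun): sanity-check a
# zonecfg command file before handing it to "zonecfg -z NAME -f FILE". Assumes
# POSIX sh + awk and the usual sparse-root inherit set /lib /platform /sbin /usr.
# Constructed sample, modelled on the first posted /apache-zone.cfg.
write_sample_cfg() {                     # $1 = file to write
    cat > "$1" <<'EOF'
create -b
set zonepath=/secure/zones/apache
set autoboot=true
set ip-type=shared
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/usr/sfw
end
add net
set address=192.168.1.7
set physical=eri0
end
EOF
}
# check_zonecfg FILE: prints ERROR/WARN lines and a summary; exit status = error count.
check_zonecfg() {
    awk '
    function close_block() {
        if (block == "inherit-pkg-dir") {
            if (dir == "") { print "ERROR: inherit-pkg-dir without dir"; errs++ } else inh[dir] = 1
        } else if (block == "net") {
            if (addr == "") { print "ERROR: net resource without address"; errs++ }
            else if (addr !~ /\//) { print "WARN: net address " addr " has no prefix length"; warns++ }
            if (phys == "") { print "ERROR: net resource without physical"; errs++ }
        }
        block = ""; dir = ""; addr = ""; phys = ""
    }
    $1 == "create" { created = 1; next }
    $1 == "add"    { if (block != "") { print "ERROR: add " $2 " nested inside " block; errs++ }
                     block = $2; next }
    $1 == "end"    { if (block == "") { print "ERROR: end without add"; errs++ }
                     close_block(); next }
    $1 == "set"    { split($2, kv, "=")                 # property=value
                     if (block == "") top[kv[1]] = kv[2]
                     else if (kv[1] == "dir") dir = kv[2]
                     else if (kv[1] == "address") addr = kv[2]
                     else if (kv[1] == "physical") phys = kv[2]
                     next }
    END {
        if (block != "") { print "ERROR: add " block " never closed with end"; errs++ }
        if (!created) { print "ERROR: no create line"; errs++ }
        if (top["zonepath"] == "") { print "ERROR: zonepath not set"; errs++ }
        else if (top["zonepath"] !~ /^\//) { print "ERROR: zonepath must be absolute"; errs++ }
        n = split("/lib /platform /sbin /usr", std, " ")
        have = 0; for (i = 1; i <= n; i++) if (std[i] in inh) have++
        if (have > 0 && have < n) { print "WARN: inherit-pkg-dir lists " have " of the " n " default sparse-root dirs (/lib /platform /sbin /usr)"; warns++ }
        printf "%d error(s), %d warning(s)\n", errs, warns
        exit errs
    }' "$1"
}

cfg=$(mktemp)
write_sample_cfg "$cfg"
check_zonecfg "$cfg"                     # sample: 0 errors, 2 warnings
rm -f "$cfg"
```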

Chris Ridd

Oct 31, 2009, 10:46:07 AM
On 2009-10-31 09:20:09 +0000, Dave <f...@coo.com> said:
> I know a Solaris 8 container might offer a solution, but I've no idea
> if this software will build under Solaris 8. I know some hacks were
> added to build it under 9, but I'm not convinced the person doing them
> had much idea what he was doing, so I would not be surprised if there
> were issues if I tried to build in a Solaris 8 container. But that is
> an option to look at. This machine is too old/slow to really do what I
> want. I have access to faster machines, so could add a container to one
> of them.

You might find the cost of running a Solaris 8 container is too high.
You are required to buy premium software support for the machine, and
then a subscription for each branded container. This worked out to be
about £2000 per annum for us.

It isn't really meant for small developers trying to retain the ability
to build for Solaris 8 on hardware made this century, but if you're a
shop trying to keep a Solaris 8 system in production it is much more of
a no-brainer.

--
Chris

Dave

Oct 31, 2009, 1:00:23 PM


Oh, I assumed it was free!

Sun are actually sponsoring the Sage project (they donated a T5240), and have
taken quite a bit of interest in it. See for example the Sun web site.

http://www.sun.com/customers/servers/univ_washington.xml

So it's possible software cost would not be an issue. It does not need to be run
on my own personal machine in the UK (as this is doing), but could be put on a
more powerful machine at the University of Washington in the USA.

Dave
