Looking forward to looking back.

September 29, 2006

I’m off to the Customer Engineering Conference tomorrow, which
means a day on a plane, which is never something I look forward to, but
after that I’m hopeful that there will be some interesting meetings
and presentations.


However, my mother has managed to get me looking forward to getting
back and I have not even left. Her father was a keen photographer and
home movie maker. He made numerous home movies, spending hours cutting
them and putting titles on them, all very professional, from a time
when home video did not exist and even home movies were a rarity. I
remember as a child the excitement of seeing them, mostly as he would
play them backwards when rewinding them, which we thought was
hilarious.


Today my mother rang to tell me that she had received the DVD onto
which my sister had arranged for all of the films to be written.
The earlier films won’t have been played for many, many years as the
film is so rare, so we did not want to touch them for fear of damaging
them.


7 hours of film which I am told even includes bits of the Tour of
Italy from sometime in the early 1950s and even bits of film from my
mother’s childhood which was before the Second World War.


I can’t wait to see the glimpse into the past.


Tags: topic:[family] topic:[history]


I’m an Xpert (sic)

September 28, 2006

BigAdmin are running an Ask the Xpert(sic) session on ZFS and that Xpert is me.


Very un-British to claim to be an Xpert but someone had to do it. Sorry about the photo, taken with a self timer and never really got it right.


tags: topic:[ZFS] topic:[bigadmin]


Has ZFS just saved my data?

September 25, 2006

My new home server has had its first
ZFS checksum error. The problem here is that ZFS has not told me
what that error was so it is impossible for me to say how bad it is,
or heaven forbid, that it could be a false positive.





It leaves lots of questions in my mind
about what ZFS does, if anything, to verify the kind of problem to
attempt to narrow down where the fault is. Need to do some reading of
the zfs source.





    # zpool status
      pool: tank
     state: ONLINE
    status: One or more devices has experienced an unrecoverable error.  An
            attempt was made to correct the error.  Applications are unaffected.
    action: Determine if the device needs to be replaced, and clear the errors
            using 'zpool clear' or replace the device with 'zpool replace'.
       see: http://www.sun.com/msg/ZFS-8000-9P
     scrub: scrub in progress, 0.01% done, 20h7m to go
    config:

            NAME        STATE     READ WRITE CKSUM
            tank        ONLINE       0     0     0
              mirror    ONLINE       0     0     0
                c1d0s7  ONLINE       0     0     1
                c5d0s7  ONLINE       0     0     0

    errors: No known data errors
    #


One thing I did straight away was to scrub the pool. However the
scrub never completed, just exercised the disks all weekend. Checking
the OpenSolaris ZFS discussion forum I was hitting this bug:


    6343667
    need itinerary so interrupted scrub/resilver doesn’t have to start over


Where the scrub gets restarted whenever a snapshot is taken. Not so
good if you snapshot every 10 minutes.





Tags: topic:[home server] topic:[opensolaris] topic:[zfs]


Rain delayed.

September 24, 2006

We were off to Petworth for the same reason as last year. Just as
we left Molesey it started to rain; by the time we
got to Seven Hills road, three miles at most, it was tipping it down.
We hid under a tree, a beech tree I think; it made a poor umbrella.
After just over half an hour the rain eased. One turned back and the
rest continued, through flooded roads and wet corners making for an
interesting ride.


Alas due to needing to be back by 1pm I did not make it to
Petworth. I got as far as the A281 at Tisman Common, so made it into
Sussex, then turned back to Cranleigh then Ewhurst and to Shere via
Peaslake.


Returned the usual way and made it home at 12:55 with 70 miles on
the clock.


Tags: topic:[molesey bbt] topic:[cycling]


Web Server moved to new server

September 23, 2006

The new server now serves http://planetcycling.org.
Using the bundled apache2 httpd running in a zone. Nice and easy to
get working as there is already an smf manifest.


The reasons for the zone are:



  1. Paranoia. If there is a security bug in the web server, the
    zone should buy some time.


  2. It allows me to bring a replacement service up on another
    zone and verify that all is well before making it live. The planet
    software needs to be upgraded but this will take some time so to get
    the Qube shutdown.


  3. Because I can.



Tags: topic:[home server] topic:[solaris]


ZFS @ The Cambridge Solaris User Group

September 21, 2006

Last night I went and demonstrated ZFS at the Cambridge Solaris
User Group. This was fun for 3 reasons:



  1. I got to see a presentation on Xen
    by Steven Hand.


  2. I got to see a presentation from Sun on Sun Ray and the
    global secure desktop.


  3. I got asked some interesting questions.



Most of the interesting questions I could give good answers to but
the two that sort of stumped me were:



  1. ZFS quotas and snapshots. The question boiled down to a
    requirement to have snapshots not included in the users quota.
    Otherwise you get into the situation where the user can’t delete
    anything as it is all backed by snapshots so there is no way to
    recover the space.


    Searching the ZFS mailing list on opensolaris.org
    this has come up before in this thread.
    There is even a change request already filed:


    6431277
    want filesystem-only quotas


  2. Permissions on the .zfs/snapshot mountpoints.


    The problem was this. Suppose a user has a file in their home
    directory and they make it mode 644. Then a snapshot is taken. Then
    the user realises that perhaps the permissions are inappropriate and
    changes them to 600. However the old version is still in the
    .zfs/snapshot directory with mode 644, hence readable.


    It is true that this really exposes a process issue in that the
    data was public and since we don’t have mandatory access control we
    really have to trust the users to do the right thing. If someone
    came across the file in the window between being created and the
    permissions being fixed the data is out. However, in the real world,
    the snapshot increases the risk.


    I’m left wondering if you should be able to set an ACL on the
    .zfs and/or .zfs/snapshot directory so that only the “owner”
    or owners of the file system could access the directory.


    6338043
    need a method to access snapshots in alternate locations


    Seems to be a starting point, in that you could mount the
    snapshots under a directory of your choice with an ACL, but that
    would be a hack. Need to start this discussion over on the ZFS
    discussion forum.
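
The exposure in point 2 can be audited for. The following is an added example, not part of the original post: it walks .zfs/snapshot under a file system and lists files whose snapshot copy still grants group or other access that the live file no longer does. The function names and the tree it builds are constructed for illustration, not taken from a real pool.

```python
import os
import stat

SHARED = stat.S_IRWXG | stat.S_IRWXO  # group and other permission bits

def snapshot_exposures(fs_root):
    """List regular files whose snapshot copy grants group/other bits that
    the live copy no longer has (or that no longer exist live at all)."""
    snap_dir = os.path.join(fs_root, ".zfs", "snapshot")
    findings = []
    for snap in sorted(os.listdir(snap_dir)):
        base = os.path.join(snap_dir, snap)
        for dirpath, _dirs, files in os.walk(base):
            for name in sorted(files):
                old = os.lstat(os.path.join(dirpath, name))
                if not stat.S_ISREG(old.st_mode):
                    continue  # symlinks and devices are out of scope here
                rel = os.path.relpath(os.path.join(dirpath, name), base)
                try:
                    live = stat.S_IMODE(os.lstat(os.path.join(fs_root, rel)).st_mode)
                except (FileNotFoundError, NotADirectoryError):
                    live = None  # deleted live, still readable in the snapshot
                old_mode = stat.S_IMODE(old.st_mode)
                if old_mode & SHARED & ~(live or 0):
                    findings.append((snap, rel, oct(old_mode),
                                     None if live is None else oct(live)))
    return findings

def build_constructed_tree(root):
    """Constructed stand-in for a home file system with one snapshot."""
    snap = os.path.join(root, ".zfs", "snapshot", "hourly-1")
    os.makedirs(snap)
    layout = ((snap, {"notes.txt": 0o644, "todo.txt": 0o600, "gone.txt": 0o644}),
              (root, {"notes.txt": 0o600, "todo.txt": 0o600}))
    for base, modes in layout:
        for name, mode in modes.items():
            path = os.path.join(base, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for row in snapshot_exposures(tmp):
            print(row)
```

Files deleted from the live file system are reported with a live mode of None, since the snapshot copy is then the only one left and keeps its old permissions.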



All in all a pleasant evening even if I did not get home until
after midnight. As I was leaving the event one of the locals was
carrying his pannier to his bike to ride home and I actually thought
it would have been cool to have brought the bike up by train and then
ride home through the night. Only 100 miles. Luckily I did not think
of this earlier!


Tags: topic:[ZFS] topic:[solaris]


Good Morning Build 48

September 18, 2006

Build 48 is running on the Sun Ray server. Seems to have bug 6436088 fixed.



: estale.eu IA 3 $; uname -a
SunOS estale 5.11 snv_48 sun4u sparc SUNW,Sun-Fire
: estale.eu IA 4 $;


Tags: topic:[good morning build] topic:[nevada] topic:[OpenSolaris]


Perfect Cycling morning

September 17, 2006

Just four riders this morning, which was a shame as it was a
perfect morning for cycling.


It was with great pleasure that someone else suggested we go to
the Devil’s Punch Bowl. One of my favourite rides as it is a real out
and back ride rather than a loop. I’ve always preferred to go
somewhere on my bike rather than just potter or race around a
circular route with no real purpose. Also that the ride is a decent
distance makes it feel more worthwhile.


70 miles @ what I was amazed to discover on returning home was
17.2 mph average. I thought we were taking it easier!


Now if I had remembered that my new phone has a camera I could
have snapped some photos.


Tags: topic:[molesey bbt] topic:[cycling]


Good bye talker, jabber and thank you

September 16, 2006

This week my part of the business actually made concrete progress
to simplify our business.


For a few years, like over 10, we have been using instant
messaging to communicate between all the teams. We have a Jabber
network, a home grown chat system called Talker plus IRC and more
recently IT provided an instance of the Sun Instant messaging server
for all of Sun.


Last Monday we began to move over to the IT service with the
jabber network being decommissioned this Monday and the Talker rooms
next Monday. No more will it be like having four phone systems none
of which would really talk to the other. It is true that the SunIM
service and the jabber service could have been federated but that
would not have given us the ease of use and ease of finding contacts
we needed to support our customers.


I would however like to thank all those who implemented and have
been looking after those networks, mostly in their “spare”
time. Talker and jabber were invaluable.


So Peter and Paul my thanks to you and everyone who helped you
out.


Tags: topic:[instant messaging]


exim and pam authentication meets privileges

September 13, 2006

For reasons that I will go into later the new home server is using
exim for its mail transport rather than the standard sendmail. I
wanted to be able to authenticate users sending email using their
login and password from the local password and shadow files. This is
a snip with exim with the following in the exim.conf file:


    plain:
      driver = plaintext
      public_name = PLAIN
      server_condition = "${if pam{$2:$3}{1}{0}}"
      server_set_id = $2

    login:
      driver = plaintext
      public_name = LOGIN
      server_prompts = "Username:: : Password::"
      server_condition = "${if pam{$1:$2}{1}{0}}"
      server_set_id = $1


or so I thought. Since exim is security conscious it runs as its
own user and not as root so it is unable to read the /etc/shadow file,
so no matter what you enter as you login you can’t. My quick solution
to this was to give the exim daemon permission to read all files
using privileges. So the start script now does:


ppriv -s PI+file_dac_read -e $DAEMON $EXIM_PARAMS


Which allows it to read any file on the system which is a risk but
not as great a risk as having it run as root. I look forward to
someone telling me a better way.





Tags: topic:[solaris] topic:[home server]