[OmniOS-discuss] SSH versions on global and non-global zones

2015-12-11 Thread Philip Yuengling
It seems that when installing LTS 151014 from the kayak image the global
gets OpenSSH_7.1p1, but non-global zones get Sun_SSH_1.5.

Obviously some work can be done to get them to match, but it may be good to
have them match from the start?  Or am I missing something.
___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss


Re: [OmniOS-discuss] SSH versions on global and non-global zones

2015-12-11 Thread Dan McDonald

> On Dec 11, 2015, at 3:25 PM, Philip Yuengling wrote:
> 
> It seems that when installing LTS 151014 from the kayak image the global gets 
> OpenSSH_7.1p1, but non-global zones get Sun_SSH_1.5.
> 
> Obviously some work can be done to get them to match, but it may be good to 
> have them match from the start?  Or am I missing something.

Huh... I had NO idea it would do that.  I assumed (probably incorrectly) that 
the NGZs would get "entire" just like the global one would.


Ahhh, I see the problem:


https://github.com/omniti-labs/pkg5/blob/omnios/src/brand/pkgcreatezone#L545

"entire" populates the global zone.  Whatever is in pkgcreatezone works for 
ipkg & lipkg zones.

"entire" can support both, and due to IPS's rules (higher version number wins), 
OpenSSH7.1 beats SunSSH0.151xxx.

Not sure if patching pkgcreatezone is the best option OR if we should 
inherit-from-global more intelligently in the pkgcreatezone script.

Thanks for finding this!
Dan



Re: [OmniOS-discuss] SSH versions on global and non-global zones

2015-12-11 Thread Eric Sproul
On Fri, Dec 11, 2015 at 3:38 PM, Dan McDonald wrote:
> Huh... I had NO idea it would do that.  I assumed (probably incorrectly) that 
> the NGZs would get "entire" just like the global one would.
>
>
> Ahhh, I see the problem:
>
> 
> https://github.com/omniti-labs/pkg5/blob/omnios/src/brand/pkgcreatezone#L545
>
> "entire" populates the global zone.  Whatever is in pkgcreatezone works for 
> ipkg & lipkg zones.
>
> "entire" can support both, and due to IPS's rules (higher version number 
> wins), OpenSSH7.1 beats SunSSH0.151xxx.
>
> Not sure if patching pkgcreatezone is the best option OR if we should 
> inherit-from-global more intelligently in the pkgcreatezone script.

This is fallout from our abuse of entire.  The ipkg brand scripts
assume entire is just an incorporation, so they explicitly install a
bunch of basic packages (including ssh).  I'd like to see us try to
undo that early mistake (for which I'm partly to blame!) and get back
to having "slim_install" fill the role that we forced "entire" into
back at the beginning, when we didn't fully understand what
distro_const was actually doing.

We (Circonus) can work around this for now, and make it part of our
'014 zone bootstrap process to switch out ssh daemons.

Eric
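
A check for the mismatch reported in this thread, added here as an example and not written by any of the thread's participants: it compares the `ssh -V` banner of each running non-global zone against the global zone's and flags zones on a different SSH implementation. The zone names and banner lines in `SAMPLE` are constructed, and `--live` assumes the script runs as root in the global zone with `zoneadm` and `zlogin` available.

```shell
#!/bin/sh
# Added example, not from the thread. Run as root in the global zone.
TAB=$(printf '\t')

# Map an `ssh -V` banner to its implementation family.
ssh_family() {
    case "$1" in
        OpenSSH_*) echo openssh ;;
        Sun_SSH_*) echo sunssh ;;
        *)         echo unknown ;;
    esac
}

# Emit "zone<TAB>banner" for every running zone (ssh -V writes to stderr).
collect_banners() {
    for z in $(zoneadm list); do
        if [ "$z" = global ]; then b=$(ssh -V 2>&1 | head -1)
        else b=$(zlogin "$z" ssh -V 2>&1 | head -1); fi
        printf '%s\t%s\n' "$z" "$b"
    done
}

# Read "zone<TAB>banner" lines; print zones whose family differs from global.
# Returns 0 if all match, 1 on any mismatch, 2 if the global line is missing.
audit_zones() {
    input=$(cat)
    gb=$(printf '%s\n' "$input" | awk -F'\t' '$1 == "global" { print $2; exit }')
    [ -n "$gb" ] || { echo "no banner for global zone" >&2; return 2; }
    want=$(ssh_family "$gb"); rc=0
    while IFS=$TAB read -r zone banner; do
        [ -n "$zone" ] || continue
        got=$(ssh_family "$banner")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $zone: $got (global: $want)"; rc=1
        fi
    done <<EOF
$input
EOF
    return $rc
}

# Constructed sample mirroring the versions reported in the thread;
# web01 and db01 are hypothetical zone names.
SAMPLE="global${TAB}OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015
web01${TAB}Sun_SSH_1.5, SSH protocols 1.5/2.0, OpenSSL 0x1000204f
db01${TAB}OpenSSH_7.1p1, OpenSSL 1.0.2d 9 Jul 2015"

if [ "${1:-}" = "--live" ]; then collect_banners | audit_zones
else printf '%s\n' "$SAMPLE" | audit_zones || true; fi
```

Run without arguments it audits the constructed sample; with `--live` its exit status (0, 1 or 2) can gate a zone bootstrap or monitoring job.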