Re: [smartos-discuss] migrate debian to lx branded zone

2017-12-05 Thread Coy Hile

> On Dec 5, 2017, at 10:57 AM, Jussi Sallinen wrote:
> 
> On 05/12/2017 17.29, Jussi Sallinen wrote:
> 
>> You could also use delegated dataset for persisting data if the service 
>> doesn't need to be available 24/7/365 and isn't HA or not worth implementing 
>> such setup.
> 
> This is not to say delegated dataset should be solely used as solution for 
> "persisting the data".. it's as persistent as the Computenode, it doesn't 
> replace backups :-)


One thing I think I read about the migration tools that exist for Triton is 
that they didn’t (don’t?) support migrating instances with delegated datasets 
if that’s important to you.




---
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769125_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com


Re: [smartos-discuss] migrate debian to lx branded zone

2017-12-05 Thread Coy Hile

> On Dec 5, 2017, at 6:26 AM, Jussi Sallinen <ju...@jus.si> wrote:
> 
> On 05/12/2017 13.00, Artem Penner wrote:
> 
>> It’s better to implement migration through configuration management, 
>> describe your instance as a code. It’s the worst way to migrate your 
>> instances using rsync/dump/cp/dd/other instruments.
>> so if you have database, it’s better to implement software installation in 
>> ansible for example and then export/import database schemas.
> 
> Ansible, Puppet etc. is definitely the most sane way to accomplish this now 
> and in the future when upgrading to newer LX image etc.
> It takes some time to get it all written but the payback will be enormous 
> in the future in amount of time saved compared to manually installing and 
> configuring everything in place.
> 

I’ll echo what others have said. Salt/Chef/Ansible/Puppet are the way to go. If 
you have a ton of static data that you need to migrate (think $HOME or a static 
web root), you might need to rsync that bit of data. But even things like 
databases, or if you, for example, run an IMAP server, can let the application 
replication take care of bringing the new instance up and in sync.



--
Coy Hile
coy.h...@coyhile.com





Re: [smartos-discuss] sysinfo script modification question

2017-04-04 Thread Coy Hile
The behavior which Dale saw is what my SMCI hosts do. I’d be interested in code 
to update things like the server UUID.  I think my employer has used SMC’s SUM 
tool, but neither does it support any of my home hardware, nor do I have a 
license for it personally.

-Coy

> On Apr 4, 2017, at 11:15 AM, Richard Elling 
> <richard.ell...@richardelling.com> wrote:
> 
> 
>> On Apr 3, 2017, at 11:37 PM, Dale Ghent <da...@elemental.org> wrote:
>> 
>> 
>> I have SMCI servers that have mangled or all-zero UUIDs as well.
> 
> very common with supermicro gear. You'll also see an occasional bogus 
> 00010002-0003-0004-0005-000600070008. The sysinfo code in kernel recognizes 
> some of these as bogus and uses a random number for hostid that is then 
> stored in /etc. For smartos that method doesn't work, for obvious reasons. 
> 
> A few lives back we changed this, but that code isn't a general purpose 
> solution. It should be easy enough to make a more general solution for modern 
> SmartOS
> 
>  -- richard
> 
>> 
>> By "mangled", SMCI has made the extraordinarily poor choice on several of 
>> their X10 platforms to set the first 4 fields to 0 and the last 48 bits to 
>> the MAC address of one of the on-board ethernet PHYs, in an apparent "good 
>> enough" approach to UUID generation at the factory:
>> 
>> [daleg@xenon]~$ smbios | grep -i uuid
>> UUID: ----0cc47a09b5f2
>> [daleg@xenon]~$ dladm show-phys -m
>> LINK     SLOT     ADDRESS            INUSE CLIENT
>> igb1     primary  c:c4:7a:9:b5:f3    no    --
>> igb0     primary  c:c4:7a:9:b5:f2    yes   igb0
>> igb3     primary  c:c4:7a:9:b5:f5    no    --
>> igb2     primary  c:c4:7a:9:b5:f4    no    --
>> 
>> [daleg@devohat]~$ smbios | grep -i uuid
>> UUID: ----0cc47a7b58d8
>> [daleg@devohat]~$ dladm show-phys -m
>> LINK     SLOT     ADDRESS            INUSE CLIENT
>> igb0     primary  c:c4:7a:7b:58:d8   yes   igb0
>> igb1     primary  c:c4:7a:7b:58:d9   no    --
>> ixgbe0   primary  c:c4:7a:7b:5c:be   yes   ixgbe0
>> ixgbe1   primary  c:c4:7a:7b:5c:bf   yes   ixgbe1
>> 
>> How widespread this practice is throughout their product line? I'm not sure. 
>> It might work from a practical standpoint insofar as it's a UUID that can be 
>> used to identify a particular piece of iron, but it does seem 
>> extraordinarily sloppy to not bother with filling out the first 80 bits 
>> which comprise the first 4 fields, thus reducing a 128bit UUID to a 48bit 
>> one. It also means that these really aren't UUIDs in spirit, because one 
>> could predict the UUID of a given box based only on observed or even guessed 
>> MAC addresses.
>> 
>> /dale
>> 
>>> On Apr 4, 2017, at 2:01 AM, Jorge Schrauwen <jo...@blackdot.be> wrote:
>>> 
>>> It's usually a bit hit and miss to be honest. I only have one of the machines I 
>>> run smartos on report a UUID that is not all 0.
>>> Most of them are SuperMicro too, I guess it is more of an OEM BIOS vendor 
>>> specific thing, I think they were all AMI.
>>> 
>>> 
>>> 
>>> 
>>>> On 2017-04-03 23:42, Robert Mustacchi wrote:
>>>>> On 4/3/17 0:22 , 강경원 wrote:
>>>>> Hello.
>>>>> We are testing SDC with same SMBIOS uuid servers.
>>>> We recommend that you talk to your hardware vendor and have them provide
>>>> tooling to fix the server's UUID. If they have the same UUID, they've
>>>> not properly implemented the SMBIOS spec (though it's far from the first
>>>> time we've heard of this).
>>>>> So we tried to modify image's sysinfo script to test and after modifying
>>>>> the sysinfo, the fake uuid can be created successfully and can be setup.
>>>>> But when we try to reboot the node, below error message is shown and
>>>>> rebooting is not working.
>>>>> The only thing that we can do is ipmi power reset.
>>>>> How can we avoid the errors?
>>>>> svc.startd: Killing user processes.
>>>>> WARNING: Error writing ufs log state
>>>>> WARNING: ufs log for /usr changed state to Error
>>>>> WARNING: Please umount(1M) /usr and run fsck(1M)
>>>> Given what little information we have to work on, I'd suggest you review
>>>> your procedure for building and modifying the live image for how you
>>>> updated sysinfo to your custom version. Without knowing what you've done
>>>> or not done or how you've done it, it's hard to suggest actionable steps
>>>> to take.
>>>> Robert
>>> 
>>> 
>> 
>> 
> 
> 

--
Coy Hile
coy.h...@coyhile.com
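
The bad SMBIOS UUID patterns named in this thread (all-zero, the 00010002-... placeholder, and four zero fields followed by an on-board MAC) can be checked for before a host's UUID is relied on as a unique identity. The following is an added example, not code from the thread or from the SmartOS sysinfo script; the function names and category labels are assumptions, and the full zero-prefixed sample UUID is constructed from Dale's description.

```shell
#!/bin/sh
# Added example: sanity-check an SMBIOS system UUID against the bad patterns
# described in this thread. Function names and labels are assumptions.

# Placeholder value quoted in the thread as an occasional bogus UUID.
BOGUS_PLACEHOLDER="00010002-0003-0004-0005-000600070008"

# normalize_mac MAC
# dladm prints octets without zero padding (c:c4:7a:9:b5:f2); convert that to
# the 12 lowercase hex digits used in the UUID node field (0cc47a09b5f2).
normalize_mac() {
    _out=""
    _old_ifs=$IFS
    IFS=:
    for _octet in $1; do
        case $_octet in
            ?) _out="${_out}0${_octet}" ;;
            *) _out="${_out}${_octet}" ;;
        esac
    done
    IFS=$_old_ifs
    printf '%s\n' "$_out" | tr 'A-F' 'a-f'
}

# macs_from_dladm: read `dladm show-phys -m` output on stdin and print the
# ADDRESS column, skipping the header line.
macs_from_dladm() {
    awk 'NR > 1 { print $3 }'
}

# classify_uuid UUID [MAC ...]
# Prints one of: malformed, all-zero, placeholder, mac-derived, zero-prefix, ok
classify_uuid() {
    _uuid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    if ! printf '%s\n' "$_uuid" |
        grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
        echo malformed; return 0
    fi
    case $_uuid in
        00000000-0000-0000-0000-000000000000) echo all-zero; return 0 ;;
        "$BOGUS_PLACEHOLDER") echo placeholder; return 0 ;;
        00000000-0000-0000-0000-*) ;;   # zero prefix: compare node to MACs
        *) echo ok; return 0 ;;
    esac
    _node=${_uuid##*-}
    for _mac in "$@"; do
        if [ "$(normalize_mac "$_mac")" = "$_node" ]; then
            echo mac-derived; return 0
        fi
    done
    echo zero-prefix
}

# Constructed sample: dladm rows as shown in the thread (columns re-spaced)
# and a UUID rebuilt from Dale's description (four zero fields + MAC).
SAMPLE_DLADM='LINK SLOT ADDRESS INUSE CLIENT
igb1 primary c:c4:7a:9:b5:f3 no --
igb0 primary c:c4:7a:9:b5:f2 yes igb0'
SAMPLE_UUID="00000000-0000-0000-0000-0cc47a09b5f2"

demo() {
    # Word splitting of the MAC list is intended here.
    classify_uuid "$SAMPLE_UUID" $(printf '%s\n' "$SAMPLE_DLADM" | macs_from_dladm)
}
demo
```

On a live host the inputs would come from `smbios | grep -i uuid` and `dladm show-phys -m`, the two commands shown in the quoted message.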




Re: [smartos-discuss] Docker endpoint in SmartOS

2017-03-25 Thread Coy Hile
That depends. If you're testing in VMware, it is. My headnode and lab (that are 
also home production) is all installed on bare metal.

Sent from my iPhone

> On Mar 25, 2017, at 12:00, C. R. Oldham <c...@ncbt.org> wrote:
> 
> Sorry to be dense, and installing CoAL is the easiest way to do that?
> 
> --cro
> 
> 
>> On Mar 25, 2017, at 08:11, Coy Hile <coy.h...@coyhile.com> wrote:
>> 
>> I believe you need Triton stack for that. It is Triton that provides the API 
>> for docker. 
>> 
>> Sent from my iPhone
>> 
>>> On Mar 24, 2017, at 21:56, C. R. Oldham <c...@ncbt.org> wrote:
>>> 
>>> Greetings,
>>> 
>>> Is there a way to provide the Docker endpoint inside a SmartOS installation 
>>> without installing or running all of CoAL?  I'm having trouble figuring out 
>>> if there are a few packages I can install to get the bare minimum of sdc-* 
>>> commands, or if CoAL is really the minimum set of what I would need.
>>> 
>>> Thanks,
>>> 
>>> --cro
>>> 
>>> 
>>> 
>> 
>> 
> 
> 




Re: [smartos-discuss] Docker endpoint in SmartOS

2017-03-25 Thread Coy Hile
I believe you need Triton stack for that. It is Triton that provides the API 
for docker. 

Sent from my iPhone

> On Mar 24, 2017, at 21:56, C. R. Oldham wrote:
> 
> Greetings,
> 
> Is there a way to provide the Docker endpoint inside a SmartOS installation 
> without installing or running all of CoAL?  I'm having trouble figuring out 
> if there are a few packages I can install to get the bare minimum of sdc-* 
> commands, or if CoAL is really the minimum set of what I would need.
> 
> Thanks,
> 
> --cro
> 
> 
> 




Re: [smartos-discuss] About install pkgin in global zone

2016-11-16 Thread Coy Hile

> On Nov 16, 2016, at 8:37 AM, Paul Sture <smar...@techchat.ch> wrote:
> 
> 
> The problem here is that no certificates are installed in the Global Zone.[1]
> 
> Options available:
> 
> - use 'curl -k' to download without a certificate check. In this case,
> do check the downloaded file against the published md5 checksums.[2]
> 
> - perform the download inside a native SmartOS zone. As far as I can tell,
> all the base-64 and min-64 images come with certificates pre-installed.
> 
> [1] Does anyone know how to install certificates in the GZ (without installing
> pkgsrc first)?
> 

Joyent RFD # 0042 exists to provide pkgsrc in the global zone.  See

https://github.com/joyent/rfd/blob/8c1d320e7fc8218015bcf2b9a5957e4f48ef823c/rfd/0042/README.md


--
Coy Hile
coy.h...@coyhile.com





Re: [smartos-discuss] named in CentOS 7.2 LX zone - won't start normally

2016-09-02 Thread Coy Hile

> On Sep 2, 2016, at 4:00 PM, Chad M Stewart <c...@balius.com> wrote:
> 
> Thank you Jorge, that was exactly what I needed.  I learned more about 
> systemd as a result, though I still prefer SMF.  :)
> 

Who being considered compos mentis does not?

--
Coy Hile
coy.h...@coyhile.com





Re: [smartos-discuss] Network Problem

2014-09-07 Thread Coy Hile via smartos-discuss

On Sep 7, 2014, at 5:25 AM, mchile...@kannilox.com wrote:

> Well if that’s the issue how come my smartos setup in vmware player on my 
> laptop is working fine with:

Contrast your setup with the relevant subset of mine:

# admin_nic is the nic admin_ip will be connected to for headnode zones.
admin_nic=0:30:48:c8:fe:a4
#admin_ip=dhcp
#admin_netmask=
#admin_network=...
#admin_gateway=dhcp
admin_ip=172.18.2.250
admin_netmask=255.255.255.0
admin_network=...
admin_gateway=172.18.2.1

headnode_default_gateway=

That your laptop setup works may (and this is a guess) be a function of some 
indirection in vmware.  Or, perhaps, the difference is that you (like me) 
expect the admin network to be routable.  I don’t have any VMs using the admin 
network, but it is fully routable so that I can use it to access a node from 


--
Coy Hile
coy.h...@coyhile.com





Re: [smartos-discuss] granular control using RBAC/LDAP

2014-07-30 Thread Coy Hile via smartos-discuss

On Jul 30, 2014, at 3:15 AM, Lloyd Parkes ll...@must-have-coffee.gen.nz wrote:

> The solution I've used the past is really quite heavyweight, so apologies in 
> advance. I used Oracle Virtual Directory to create the LDAP entries on the 
> fly based on information in backend LDAP (or other) systems. Since the LDAP 
> entries are built on the fly, you should be able to arrange it so that the 
> production cluster sees different information for the web developer than what 
> the developer's personal dev machines see. I haven't played this particular 
> game with OVD, but this technology does seem to be available. 
 

That’s honestly not a solution that had crossed my mind.  Some convoluted 
overlays and such could do exactly what I want once I get around to figuring 
out the various rewriting bits.  I’ll have to look into the OpenLDAP rewrite 
support.  Now, because I may be able to swing something similar at $DAYJOB 
(where I’m saddled with both Oracle Solaris 11 (in addition to Linux and AIX) 
and AD as the LDAP backend (ugh!)), anybody have any ideas how to accomplish 
this when AD is the backend? :-)

-c




[smartos-discuss] granular control using RBAC/LDAP

2014-07-29 Thread Coy Hile via smartos-discuss

Hi all,

I'm currently migrating a lot of things that I would formerly have  
done with sudo to use RBAC on my SmartMachines and hypervisors.  In  
LDAP, I set a user's SolarisProfAttr attribute to, eg, make uid=hile  
(me) have the role Primary Administrator.  How are people handling the  
cases where these data are stored in LDAP, but users need different  
classes of access on different types of systems?  For example, one  
might give a web developer the Primary Administrator role on his two  
or three personal dev machines, but on the production cluster, he  
should likely only have access to manage web-specific processes.


Thanks
-c
--
Coy Hile
coy.h...@coyhile.com




[smartos-discuss] pkgsrc, sasl, and GSSAPI

2014-07-24 Thread Coy Hile via smartos-discuss


Hi all,

I'm looking for some guidance regarding the cyrus-sasl gssapi plugin  
that's currently in pkgsrc.  If I understand the Makefile in  
pkgsrc/security/cy2-gssapi correctly it appears to interrogate which  
kerb implementation is installed and then builds against either MIT or  
Heimdal. (Is that understanding correct?) The Joyent-provided packages  
introduced a dependency on MIT krb5 as part of that build.  All well  
and good, except when one wants the SASL GSSAPI plugin installed on a  
Heimdal KDC.  So it looks like I need to spin up a build machine with  
Heimdal, then build that package myself (and then teach pkgin to  
install from a local package tarball instead of the repo?)


What I would propose as a fix to this is to separate cy2-gssapi into  
two packages cy2-gssapi-mit and cy2-sasl-heimdal.  (The two packages  
would be identical except that they link against the appropriate  
library.)  For what it's worth, this is exactly what Debian does for  
the same functionality.  They have libsasl2-modules-gssapi-heimdal and  
libsasl2-modules-gssapi-mit.


Is this something that the community would support?  I presume it  
would eventually go into pkgsrc-joyent?  Question for Jon and others:  
how receptive would upstream be to accepting such a change?


Thanks,
-c
--
Coy Hile
coy.h...@coyhile.com




Re: [smartos-discuss] SMF Manifests for some pkgsrc packages

2014-06-21 Thread Coy Hile via smartos-discuss


Quoting Alain O'Dea via smartos-discuss smartos-discuss@lists.smartos.org:

> Commits from upstream with external bug IDs can coincidentally close
> your Pull Request due to weird Github-isms, so keep an eye on the email
> notifications and reopen the PR if it is closed by accident.
> 
> You can highlight/announce your PRs here if desired or @ mention myself
> or other SmartOS folks you'd like to review the changes on Github
> itself.



https://github.com/joyent/pkgsrc/pull/205

for OpenLDAP Server

https://github.com/joyent/pkgsrc/pull/206

for the various heimdal services.

-c
--
Coy Hile
coy.h...@coyhile.com




Re: [smartos-discuss] Samba3/AD in a zone - PKCS 11 problems

2014-06-06 Thread Coy Hile via smartos-discuss

On Jun 6, 2014, at 1:28 AM, Nicholas Lee via smartos-discuss 
smartos-discuss@lists.smartos.org wrote:

 
> Kerberos seems to be working:
> 
> [root@base2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@corp.kpac.co.nz
> 
> Valid starting     Expires            Service principal
> 06/06/14 16:13:08  06/07/14 02:13:10  krbtgt/corp.kpac.co...@corp.kpac.co.nz
>         renew until 06/13/14 16:13:08


I’ve had this much working; it was just a matter of dropping a working 
krb5.conf in place (and putting pam_krb5 as sufficient in auth in the relevant 
PAM stacks.)  I use Heimdal as my KDC; that works fine as well, and OpenLDAP 
for the LDAP bits. I can’t speak to Samba (or using AD as the KDC for that 
matter), but Kerberos certainly works.




Re: [smartos-discuss] joyent's convertvm and OVAs with multiple disks

2014-04-18 Thread Coy Hile

On Apr 17, 2014, at 10:52 PM, Ian Collins smartos-discuss@lists.smartos.org 
wrote:

> Coy Hile wrote:
>> I guess the other option I have is to run qemu-convert-disk (or whatever 
>> it’s called) individually for each disk in the OVF and then build the 
>> metadata for the dsmanifest myself.
> 
> qemu-img convert is probably the best option. What OS are they running?  I 
> have a documented process for migrating windoze vmdk images from VmWare I'm 
> happy to share.
 

They are probably running some variant of linux; in this case it’s a virtual 
Bluecoat.  The other one that I’ve used in the past is Juniper’s virtual Pulse 
Concentrator, but I believe I’ll be building out a standard OpenVPN 
concentrator instead of redeploying that device going forward.





[smartos-discuss] joyent's convertvm and OVAs with multiple disks

2014-04-17 Thread Coy Hile
Hi all,

I’ve come across a couple of vendor-provided Virtual Appliances that I would 
like to be able to deploy using SmartOS rather than having to keep a token ESXi 
box lying around.  Looking at the code on github, convertvm states that it only 
supports a single vmdk; however, it appears to wrap the bits that convert disks 
from vmdk -> zvol in, effectively, a for disk in ovf construct (just as it does 
parsing networks from the metadata.)

Can any of you who speaks Node better than I — or JavaScript in general, for 
that matter — see a reason why one couldn’t just comment out lines 54-57 in 

convertvm/lib/formats/ovf.js

I guess the other option I have is to run qemu-convert-disk (or whatever it’s 
called) individually for each disk in the OVF and then build the metadata for 
the dsmanifest myself.

Thanks,
-c



Re: [smartos-discuss] Modifying /etc/opt

2014-03-21 Thread Coy Hile

On Mar 21, 2014, at 2:24 PM, Elijah Wright eli...@joyent.com wrote:

 
> I think that if I were going to do this in the way you suggest - by editing 
> the miniroot of an image, and hacking the scripts - I'd probably choose to do 
> it here:
> 
> https://github.com/joyent/smartos-overlay/blob/master/lib/svc/method/fs-joyent
> 
> Which eventually ends up in /lib/svc/method/fs-joyent
> 
> --e
 
 


I was actually going to ask something similar, but I never got around to it.  
Would the community at large see benefit to updating fs-joyent to do the LOFS 
mount dance with /etc/krb5 like we do /etc/ssh so that those providers who wish 
to can use Kerberos easily?  (Yes, Ben, you and I agree on many things; SSO 
between systems of equivalent security policy is not one of them.)

-C
