Re: [smartos-discuss] migrate debian to lx branded zone
> On Dec 5, 2017, at 10:57 AM, Jussi Sallinen wrote:
>
> On 05/12/2017 17.29, Jussi Sallinen wrote:
>
>> You could also use delegated dataset for persisting data if the service
>> doesn't need to be available 24/7/365 and isn't HA or not worth implementing
>> such setup.
>
> This is not to say delegated dataset should be solely used as solution for
> "persisting the data".. it's as persistent as the Computenode, it doesn't
> replace backups :-)

One thing I think I read about the migration tools that exist for Triton is that they didn’t (don’t?) support migrating instances with delegated datasets if that’s important to you.

---
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription: https://www.listbox.com/member/?member_id=25769125_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com
Re: [smartos-discuss] migrate debian to lx branded zone
> On Dec 5, 2017, at 6:26 AM, Jussi Sallinen <ju...@jus.si> wrote:
>
> On 05/12/2017 13.00, Artem Penner wrote:
>
>> It’s better to implement migration through configuration management,
>> describe your instance as a code. It’s the worst way to migrate your
>> instances using rsync/dump/cp/dd/other instruments.
>> So if you have database, it’s better to implement software installation in
>> ansible for example and then export/import database schemas.
>
> Ansible, Puppet etc. is definitely the most sane way to accomplish this now
> and in the future when upgrading to newer LX image etc.
> It takes some time to get it all written but the payback will be enormous
> in the future in amount of time saved compared to manually installing and
> configuring everything in place.
>

I’ll echo what others have said. Salt/Chef/Ansible/Puppet are the way to go. If you have a ton of static data that you need to migrate (think $HOME or a static web root), you might need to rsync that bit of data. But even things like databases, or if you, for example, run an IMAP server, can let the application replication take care of bringing the new instance up and in sync.

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] sysinfo script modification question
The behavior which Dale saw is what my SMCI hosts do. I’d be interested in code to update things like the server UUID. I think my employer has used SMC’s SUM tool, but neither does it support any of my home hardware, nor do I have a license for it personally.

-Coy

> On Apr 4, 2017, at 11:15 AM, Richard Elling
> <richard.ell...@richardelling.com> wrote:
>
>
>> On Apr 3, 2017, at 11:37 PM, Dale Ghent <da...@elemental.org> wrote:
>>
>>
>> I have SMCI servers that have mangled or all-zero UUIDs as well.
>
> very common with supermicro gear. You'll also see an occasional bogus
> 00010002-0003-0004-0005-000600070008. The sysinfo code in kernel recognizes
> some of these as bogus and uses a random number for hostid that is then
> stored in /etc. For smartos that method doesn't work, for obvious reasons.
>
> A few lives back we changed this, but that code isn't a general purpose
> solution. It should be easy enough to make a more general solution for modern
> SmartOS
>
> -- richard
>
>>
>> By "mangled", SMCI has made the extraordinarily poor choice on several of
>> their X10 platforms to set the first 4 fields to 0 and the last 48 bits to
>> the MAC address of one of the on-board ethernet PHYs, in an apparent "good
>> enough" approach to UUID generation at the factory:
>>
>> [daleg@xenon]~$ smbios | grep -i uuid
>> UUID: ----0cc47a09b5f2
>> [daleg@xenon]~$ dladm show-phys -m
>> LINK    SLOT     ADDRESS           INUSE  CLIENT
>> igb1    primary  c:c4:7a:9:b5:f3   no     --
>> igb0    primary  c:c4:7a:9:b5:f2   yes    igb0
>> igb3    primary  c:c4:7a:9:b5:f5   no     --
>> igb2    primary  c:c4:7a:9:b5:f4   no     --
>>
>> [daleg@devohat]~$ smbios | grep -i uuid
>> UUID: ----0cc47a7b58d8
>> [daleg@devohat]~$ dladm show-phys -m
>> LINK    SLOT     ADDRESS           INUSE  CLIENT
>> igb0    primary  c:c4:7a:7b:58:d8  yes    igb0
>> igb1    primary  c:c4:7a:7b:58:d9  no     --
>> ixgbe0  primary  c:c4:7a:7b:5c:be  yes    ixgbe0
>> ixgbe1  primary  c:c4:7a:7b:5c:bf  yes    ixgbe1
>>
>> How widespread this practice is throughout their product line? I'm not sure.
>> It might work from a practical standpoint insofar as it's a UUID that can be
>> used to identify a particular piece of iron, but it does seem
>> extraordinarily sloppy to not bother with filling out the first 80 bits
>> which comprise the first 4 fields, thus reducing a 128bit UUID to a 48bit
>> one. It also means that these really aren't UUIDs in spirit, because one
>> could predict the UUID of a given box based only on observed or even guessed
>> MAC addresses.
>>
>> /dale
>>
>>> On Apr 4, 2017, at 2:01 AM, Jorge Schrauwen <jo...@blackdot.be> wrote:
>>>
>>> It's usually a hit and miss to be honest. I only have one of the machines I
>>> run smartos on report a UUID that is not all 0.
>>> Most of them are SuperMicro too, I guess it is more of a OEM BIOS vendor
>>> specific thing, I think they were all AMI.
>>>
>>>> On 2017-04-03 23:42, Robert Mustacchi wrote:
>>>>> On 4/3/17 0:22 , 강경원 wrote:
>>>>> Hello.
>>>>> We are testing SDC with same SMBIOS uuid servers.
>>>> We recommend that you talk to your hardware vendor and have them provide
>>>> tooling to fix the server's UUID. If they have the same UUID, they've
>>>> not properly implemented the SMBIOS spec (though it's far from the first
>>>> time we've heard of this).
>>>>> So we tried to modify image's sysinfo script to test and after modifying
>>>>> the sysinfo, the fake uuid can be created successfully and can be setup.
>>>>> But when we try to reboot the node, below error message is shown and
>>>>> rebooting is not working.
>>>>> The only thing that we can do is ipmi power reset.
>>>>> How can we avoid the errors?
>>>>> svc.startd: Killing user processes.
>>>>> WARNING: Error writing ufs log state
>>>>> WARNING: ufs log for /usr changed state to Error
>>>>> WARNING: Please umount(1M) /usr and run fsck(1M)
>>>> Given what little information we have to work on, I'd suggest you
>>>> review your procedure for building and modifying the live image for how
>>>> you updated sysinfo to your custom version. Without knowing what you've
>>>> done or not done or how you've done it, it's hard to suggest actionable
>>>> steps to take.
>>>> Robert

--
Coy Hile
coy.h...@coyhile.com
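
[Added example, not part of the thread and not the illumos or SmartOS sysinfo code.] The message above describes three kinds of unusable SMBIOS UUID: all-zero, the 00010002-0003-0004-0005-000600070008 placeholder, and an 80-bit zero prefix followed by an on-board MAC, plus the original problem of two servers sharing a UUID. This sketch checks an inventory for all four; the function names, the verdict labels and the sample inventory are assumptions made for illustration.

```python
import re
import uuid
from collections import defaultdict

# Placeholder quoted in the thread as an "occasional bogus" value.
KNOWN_PLACEHOLDERS = {uuid.UUID("00010002-0003-0004-0005-000600070008")}


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits.

    dladm prints octets without leading zeros (c:c4:7a:9:b5:f2), so every
    octet is zero-padded before joining.
    """
    values = [int(o, 16) for o in re.split(r"[:-]", mac.strip())]
    if len(values) != 6 or any(v > 0xFF for v in values):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "".join(f"{v:02x}" for v in values)


def classify_uuid(raw, local_macs=()):
    """Return "invalid", "all-zero", "placeholder", "mac-derived",
    "zero-prefixed" or "ok" for one SMBIOS system UUID string."""
    try:
        u = uuid.UUID(raw.strip())
    except ValueError:
        return "invalid"
    if u.int == 0:
        return "all-zero"
    if u in KNOWN_PLACEHOLDERS:
        return "placeholder"
    if u.int >> 48 == 0:  # first four fields (80 bits) are zero
        macs = {normalize_mac(m) for m in local_macs}
        return "mac-derived" if f"{u.node:012x}" in macs else "zero-prefixed"
    return "ok"


def audit_fleet(hosts):
    """hosts maps name -> (uuid string, [MACs]); returns name -> findings."""
    findings = defaultdict(list)
    by_uuid = defaultdict(list)
    for name in sorted(hosts):
        raw, macs = hosts[name]
        verdict = classify_uuid(raw, macs)
        if verdict != "ok":
            findings[name].append(verdict)
        if verdict != "invalid":
            by_uuid[uuid.UUID(raw.strip())].append(name)
    for names in by_uuid.values():
        if len(names) > 1:  # same UUID reported by more than one host
            for name in names:
                others = ",".join(n for n in names if n != name)
                findings[name].append("duplicate-of:" + others)
    return dict(findings)


# Constructed sample inventory: hostnames, UUIDs and MACs are made up.
SAMPLE_FLEET = {
    "cn01": ("00000000-0000-0000-0000-02005e1009f2",
             ["2:0:5e:10:9:f3", "2:0:5e:10:9:f2"]),
    "cn02": ("00000000-0000-0000-0000-000000000000", ["2:0:5e:10:a:10"]),
    "cn03": ("00000000-0000-0000-0000-000000000000", ["2:0:5e:10:a:20"]),
    "cn04": ("00010002-0003-0004-0005-000600070008", []),
    "cn05": ("8f2b6c1e-3d4a-4e7b-9a55-1c0de5a7b9e1", ["2:0:5e:10:a:30"]),
}

if __name__ == "__main__":
    for host, problems in sorted(audit_fleet(SAMPLE_FLEET).items()):
        print(host, ", ".join(problems))
```

A host flagged "mac-derived" has an identifier that anyone who can see its MAC address on the wire can reconstruct, so it should not be treated as an unguessable value.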
Re: [smartos-discuss] Docker endpoint in SmartOS
That depends. If you're testing in VMware, it is. My headnode and lab (that are also home production) is all installed on bare metal.

Sent from my iPhone

> On Mar 25, 2017, at 12:00, C. R. Oldham <c...@ncbt.org> wrote:
>
> Sorry to be dense, and installing CoAL is the easiest way to do that?
>
> --cro
>
>
>> On Mar 25, 2017, at 08:11, Coy Hile <coy.h...@coyhile.com> wrote:
>>
>> I believe you need Triton stack for that. It is Triton that provides the API
>> for docker.
>>
>> Sent from my iPhone
>>
>>> On Mar 24, 2017, at 21:56, C. R. Oldham <c...@ncbt.org> wrote:
>>>
>>> Greetings,
>>>
>>> Is there a way to provide the Docker endpoint inside a SmartOS installation
>>> without installing or running all of CoAL? I'm having trouble figuring out
>>> if there are a few packages I can install to get the bare minimum of sdc-*
>>> commands, or if CoAL is really the minimum set of what I would need.
>>>
>>> Thanks,
>>>
>>> --cro
Re: [smartos-discuss] Docker endpoint in SmartOS
I believe you need Triton stack for that. It is Triton that provides the API for docker.

Sent from my iPhone

> On Mar 24, 2017, at 21:56, C. R. Oldham wrote:
>
> Greetings,
>
> Is there a way to provide the Docker endpoint inside a SmartOS installation
> without installing or running all of CoAL? I'm having trouble figuring out
> if there are a few packages I can install to get the bare minimum of sdc-*
> commands, or if CoAL is really the minimum set of what I would need.
>
> Thanks,
>
> --cro
Re: [smartos-discuss] About install pkgin in global zone
> On Nov 16, 2016, at 8:37 AM, Paul Sture <smar...@techchat.ch> wrote:
>
>
> The problem here is that no certificates are installed in the Global Zone.[1]
>
> Options available:
>
> - use 'curl -k' to download without a certificate check. In this case,
>   do check the downloaded file against the published md5 checksums.[2]
>
> - perform the download inside a native SmartOS zone. As far as I can tell,
>   all the base-64 and min-64 images come with certificates pre-installed.
>
> [1] Does anyone know how to install certificates in the GZ (without installing
> pkgsrc first)?
>

Joyent RFD # 0042 exists to provide pkgsrc in the global zone. See
https://github.com/joyent/rfd/blob/8c1d320e7fc8218015bcf2b9a5957e4f48ef823c/rfd/0042/README.md

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] named in CentOS 7.2 LX zone - won't start normally
> On Sep 2, 2016, at 4:00 PM, Chad M Stewart <c...@balius.com> wrote:
>
> Thank you Jorge, that was exactly what I needed. I learned more about
> systemd as a result, though I still prefer SMF. :)
>

Who being considered compos mentis does not?

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] Network Problem
On Sep 7, 2014, at 5:25 AM, mchile...@kannilox.com wrote:

> Well if that’s the issue how come my smartos setup in vmware player on my laptop is working fine with:

Contrast your setup with the relevant subset of mine:

# admin_nic is the nic admin_ip will be connected to for headnode zones.
admin_nic=0:30:48:c8:fe:a4
#admin_ip=dhcp
#admin_netmask=
#admin_network=...
#admin_gateway=dhcp
admin_ip=172.18.2.250
admin_netmask=255.255.255.0
admin_network=...
admin_gateway=172.18.2.1
headnode_default_gateway=

That your laptop setup works may (and this is a guess) be a function of some indirection in vmware. Or, perhaps, the difference is that you (like me) expect the admin network to be routable. I don’t have any VMs using the admin network, but it is fully routable so that I can use it to access a node from

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] granular control using RBAC/LDAP
On Jul 30, 2014, at 3:15 AM, Lloyd Parkes ll...@must-have-coffee.gen.nz wrote:

> The solution I've used in the past is really quite heavyweight, so apologies in advance. I used Oracle Virtual Directory to create the LDAP entries on the fly based on information in backend LDAP (or other) systems. Since the LDAP entries are built on the fly, you should be able to arrange it so that the production cluster sees different information for the web developer than what the developer's personal dev machines see. I haven't played this particular game with OVD, but this technology does seem to be available.

That’s honestly not a solution that had crossed my mind. Some convoluted overlays and such could do exactly what I want once I get around to figuring out the various rewriting bits. I’ll have to look into the OpenLDAP rewrite support.

Now, because I may be able to swing something similar at $DAYJOB (where I’m saddled with both Oracle Solaris 11 (in addition to Linux and AIX) and AD as the LDAP backend (ugh!)), anybody have any ideas how to accomplish this when AD is the backend? :-)

-c
[smartos-discuss] granular control using RBAC/LDAP
Hi all,

I'm currently migrating a lot of things that I would formerly have done with sudo to use RBAC on my SmartMachines and hypervisors. In LDAP, I set a user's SolarisProfAttr attribute to, eg, make uid=hile (me) have the role Primary Administrator.

How are people handling the cases where these data are stored in LDAP, but users need different classes of access on different types of systems? For example, one might give a web developer the Primary Administrator role on his two or three personal dev machines, but on the production cluster, he should likely only have access to manage web-specific processes.

Thanks
-c

--
Coy Hile
coy.h...@coyhile.com
[smartos-discuss] pkgsrc, sasl, and GSSAPI
Hi all,

I'm looking for some guidance regarding the cyrus-sasl gssapi plugin that's currently in pkgsrc. If I understand the Makefile in pkgsrc/security/cy2-gssapi correctly, it appears to interrogate which kerb implementation is installed and then builds against either MIT or Heimdal. (Is that understanding correct?) The Joyent-provided packages introduced a dependency on MIT krb5 as part of that build. All well and good, except when one wants the SASL GSSAPI plugin installed on a Heimdal KDC. So it looks like I need to spin up a build machine with Heimdal, then build that package myself (and then teach pkgin to install from a local package tarball instead of the repo?)

What I would propose as a fix to this is to separate cy2-gssapi into two packages: cy2-gssapi-mit and cy2-sasl-heimdal. (The two packages would be identical except that they link against the appropriate library.) For what it's worth, this is exactly what Debian does for the same functionality. They have libsasl2-modules-gssapi-heimdal and libsasl2-modules-gssapi-mit.

Is this something that the community would support? I presume it would eventually go into pkgsrc-joyent? Question for Jon and others: how receptive would upstream be to accepting such a change?

Thanks,
-c

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] SMF Manifests for some pkgsrc packages
Quoting Alain O'Dea via smartos-discuss smartos-discuss@lists.smartos.org:

> Commits from upstream with external bug IDs can coincidentally close your Pull Request due to weird Github-isms, so keep an eye on the email notifications and reopen the PR if it is closed by accident. You can highlight/announce your PRs here if desired or @ mention myself or other SmartOS folks you'd like to review the changes on Github itself.

https://github.com/joyent/pkgsrc/pull/205 for OpenLDAP Server
https://github.com/joyent/pkgsrc/pull/206 for the various heimdal services.

-c

--
Coy Hile
coy.h...@coyhile.com
Re: [smartos-discuss] Samba3/AD in a zone - PKCS 11 problems
On Jun 6, 2014, at 1:28 AM, Nicholas Lee via smartos-discuss smartos-discuss@lists.smartos.org wrote:

> Kerberos seems to be working:
>
> [root@base2 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administra...@corp.kpac.co.nz
>
> Valid starting     Expires            Service principal
> 06/06/14 16:13:08  06/07/14 02:13:10  krbtgt/corp.kpac.co...@corp.kpac.co.nz
>         renew until 06/13/14 16:13:08

I’ve had this much working; it was just a matter of dropping a working krb5.conf in place (and putting pam_krb5 as sufficient in auth in the relevant PAM stacks.) I use Heimdal as my KDC; that works fine as well, and OpenLDAP for the LDAP bits. I can’t speak to Samba (or using AD as the KDC for that matter), but Kerberos certainly works.
Re: [smartos-discuss] joyent's convertvm and OVAs with multiple disks
On Apr 17, 2014, at 10:52 PM, Ian Collins smartos-discuss@lists.smartos.org wrote:

> Coy Hile wrote:
>> I guess the other option I have is to run qemu-convert-disk (or whatever it’s called) individually for each disk in the OVF and then build the metadata for the dsmanifest myself.
>
> qemu-img convert is probably the best option. What OS are they running? I have a documented process for migrating windoze vmdk images from VmWare I'm happy to share.

They are probably running some variant of linux; in this case it’s a virtual Bluecoat. The other one that I’ve used in the past is Juniper’s virtual Pulse Concentrator, but I believe I’ll be building out a standard OpenVPN concentrator instead of redeploying that device going forward.
[smartos-discuss] joyent's convertvm and OVAs with multiple disks
Hi all,

I’ve come across a couple of vendor-provided Virtual Appliances that I would like to be able to deploy using SmartOS rather than having to keep a token ESXi box lying around. Looking at the code on github, convertvm states that it only supports a single vmdk; however, it appears to wrap the bits that convert disks from vmdk -> zvol in, effectively, a for disk in ovf construct (just as it does parsing networks from the metadata.) Can any of you who speaks Node better than I — or JavaScript in general, for that matter — see a reason why one couldn’t just comment out lines 54-57 in convertvm/lib/formats/ovf.js?

I guess the other option I have is to run qemu-convert-disk (or whatever it’s called) individually for each disk in the OVF and then build the metadata for the dsmanifest myself.

Thanks,
-c
Re: [smartos-discuss] Modifying /etc/opt
On Mar 21, 2014, at 2:24 PM, Elijah Wright eli...@joyent.com wrote:

> I think that if I were going to do this in the way you suggest - by editing the miniroot of an image, and hacking the scripts - I'd probably choose to do it here:
>
> https://github.com/joyent/smartos-overlay/blob/master/lib/svc/method/fs-joyent
>
> Which eventually ends up in /lib/svc/method/fs-joyent
>
> --e

I was actually going to ask something similar, but I never got around to it. Would the community at large see benefit to updating fs-joyent to do the LOFS mount dance with /etc/krb5 like we do /etc/ssh so that those providers who wish to can use Kerberos easily?

(Yes, Ben, you and I agree on many things; SSO between systems of equivalent security policy is not one of them.)

-C