Search This Blog

Sunday, September 24, 2017

The DECnet-Linux Experience: It Works!

Supratim Sanyal's Blog: DECnet Linux Communication Between two Linux nodes
Ubuntu 14.04 Linux Twins FEDACH (1.553) and FOMFOR (1.554) Talk over DECnet
I was aware of an implementation of the DECnet Phase IV network protocol on the Linux kernel for quite a while now, and recently decided to take the plunge and give it a shot, with additional motivation from this inspiring Retrocomp post.

It was not going well initially because of a bad call I made to try to install ancient releases of Linux distributions from Debian and Fedora from around the time DECnet-Linux was first announced. As a result, I spent many sleepless nights trying to find the packages and dependencies for Linux distros featuring DECnet from the first few years of the new millennium.

Eventually I did what I should have started off with: check if modern Linux distributions still include DECnet-Linux. A search of the kernel of the bleeding-edge Ubuntu 17 "Zesty Zapus" looked promising; DECnet-Linux was indeed compiled right intoUbuntu 17's mainline 4.10 kernel build and the required libdnet, dnet-common and dnprogs packages were available for Ubuntu 17.

Unfortunately, Ubuntu 17's support for DECnet-Linux turned out to be dysfunctional. I created two virtual machines with Ubuntu 17 and installed the DECnet tools, but could not get any farther than the dneigh command showing the other node. FAL, Phone, sethost, etc. would simply not work and would sometimes lock up the virtual machines.

Frustrated, I posted the question to the fabulous folks at the comp.os.vms newgroup. Within a day, I had a path forward; it was clear from John E. Malmberg and "hb" that I needed to try Ubuntu 14.04 or earlier; DECnet-Linux was definitely broken after Ubuntu 14.04.

Re-energized, I proceeded to install the 32-bit release of Ubuntu 14.04.5 LTS (Trusty Tahr) on two virtual machines using the lightweight lubuntu flavor from the Desktop ISO CD image. Then apt-get install dnprogs brought in everything I needed to get DECnet-linux mostly up (the official Ubuntu 14 repositories still work at the time of writing, no need to look for mysterious archives of no-longer supported releases yet.)

However, I still had to make a couple of little tweaks to have DECnet-Linux work all the way. Here are the things I did over and after the default install of DECnet-Linux from Ubuntu 14.04 repositories.

1. The official dnprogs and family of packages from Ubuntu 14.04 repos installed versions of /usr/sbin/dnetnml and /usr/sbin/ctermd that did not work well. The dnetnml program was not responding correctly by showing executor, line, or circuit etc. characteristics when requested by other nodes. Also, attempts to SET HOST from other nodes resulted in the official ctermd program to look for a non-existent local "pty" device and fail.

To get around these problems, I downloaded the source code tarball dnprogs_2.62.tar.gz which is available in practically all Ubuntu 14 mirrors including here. I then built the entire DECnet program suite locally, and then replaced the /usr/sbin/dnetnml and /usr/sbin/ctermd binaries with the ones built locally from source.

2. The official dnprogs installation was not filling in the correct DECnet address in the file /proc/sys/net/decnet/node_address; this file always had 0.0 despite the correct DECnet executor address being defined in the /etc/decnet.conf configuration file. This was resulting in some strange behavior indicatng Linux-DECnet was not using the adjacent router node to reach nodes outside the local network, but trying to access them directly and failing. I added a simple command in the /etc/rc.local file (and made it executable and exit with 0) to force the correct DECnet address:
# -- rc.local DECnet kludge - /proc/sys/net/decnet/node_address has 0.0; force it
echo 1.554 > /proc/sys/net/decnet/node_address
# --

My two Ubuntu 14.04 virtual machines are named FEDACH and FOMFOR after the twin sons of Macha, daughter of Aodh Ruad. FEDACH has a DECnet address of 1.553 and FOMFOR has 1.554. They are now both connected to HECnet - the global hobbyist DECnet. They are configured to use DECnet on the eth1 network adapter (eth0 is dedicated to IP); the eth1 adapter has the correct MAC address corresponding to the DECnet address as required by DECnet:

1.553 => aa:00:04:00:29:06
1.554 => aa:00:04:00:2a:06

Also, as DECnet uses all available NICs by default, I modified /etc/default/decnet to have DECnet on eth1 only, and increase verbosity of logging by the dnetd daemon. In addition, I modified the /etc/decnet.conf and /etc/decnet.proxy files as recommended by DECnet-linux documentation and man pages. Here is the output of "ip address show" for eth1 on the two nodes:

FEDACH

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:04:00:29:06 brd ff:ff:ff:ff:ff:ff
    dnet 1.553 peer 1.553/16 scope global eth1

FOMFOR

3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether aa:00:04:00:2a:06 brd ff:ff:ff:ff:ff:ff
    dnet 1.554 peer 1.554/16 scope global eth1


Lastly, I created a "decnet" user account for FAL etc. to use by default as configured in /etc/decnet.proxy. Interactive logins are disabled for this "decnet" account.

Usual DECnet network access commands all work from an external OpenVMS VAX 7.3 Node:

$ MC NCP TELL FEDACH SHOW EXECUTOR CHAR


Node Volatile Characteristics as of 25-SEP-2017 00:32:23

Executor node = 1.553 (FEDACH)

Circuit                  = eth1
State                    = on
Identification           = DECnet for Linux V3.13.0-129-generic on i686


$ DIR FEDACH::

Directory FEDACH::HOME:[DECNET]

DECNET-BUILD.TGZ;1  DECNET.TXT;1        INFO.TXT;1

Total of 3 files.
$ SET HOST FEDACH::
CTERM Version 1.0.6
DECnet for Linux

fedach login:




DOWNLOADS

The DECnet-Linux configuration files for my two nodes along with the Ubuntu 14 CD ISO and dnprogs_2.62.tar.gz source files and binaries built on my nodes are available from my google drive here.


CONFIGURATION FILES

/etc/dnetd.conf (Identical for FEDACH and FOMFOR)


/etc/decnet.proxy (Identical for FEDACH and FOMFOR)



/etc/default/decnet (Identical for FEDACH and FOMFOR)



/etc/decnet.conf (FEDACH)




/etc/decnet.conf (FOMFOR)




-x-

Tuesday, September 12, 2017

DECnet Phase IV: copy node database from remote host and share it with other nodes over network with Digital DEC servers

Figure: Phase IV Consists of Eight Layers That Map to the OSI Layers
Source - Cisco Wiki | Figure: Phase IV Consists of Eight Layers That Map to the OSI Layers

DECnet Phase IV on OpenVMS VAX 7.3

To copy the nodes database from a remote host and make it available to other nodes to copy from my node, I use the command file at the bottom. Here <REMOTE-NODE> is the DECnet node name / address of the host I copy my node database from.

After copying over the remote node database from another server (a PDP-11/24 running RSX-11M Plus that serves HECnet the world-wide hobbyist DECnet in this case), I basically copy SYS$SYSTEM:NETNODE_LOCAL.DAT and SYS$SYSTEM:NETNODE_REMOTE.DAT to SYS$COMMON:[SYSEXE] and grant them world-read permission.

Before doing this, other nodes that tried to copy the node database from my node (1.559) used to get this error, which does not happen any more:
$ MC NCP TELL 1.559 LIST KNOWN NODES
Known Node Permanent Summary as of 12-SEP-2017 18:29:00
%NCP-W-FILOPE, File open error , Permanent database
%NML-E-OPENIN, error opening SYS$COMMON:[SYSEXE]NETNODE_LOCAL.DAT; as input
-RMS-E-FNF, file not found

I also played around with enabling the NML proxy before running the commands in the DCL command file at bottom. I am not sure if I had enabled the NML proxy during installation of DECnet Phase IV and if these were required, but just doing these did not solve the problem. They may be required part of the solution, though.

$ MC NCP SET EXECUTOR INCOMING PROXY ENABLE
$ MC SET OBJECT NML INCOMING PROXY ENABLE

Here is the DCL script:

$ SET PROC/PRIV=ALL
$ MC NCP copy known nodes from <REMOTE-NODE> using volatile to BOTH
$ MC NCP LIST KNOWN NODES
$ COPY/LOG/NOCONF SYS$SYSTEM:NETNODE_LOCAL.DAT SYS$COMMON:[SYSEXE]NETNODE_LOCAL.DAT
$ SET FILE/LOG/PROT=(W:R) SYS$COMMON:[SYSEXE]NETNODE_LOCAL.DAT
$ COPY/LOG/NOCONF SYS$SYSTEM:NETNODE_REMOTE.DAT SYS$COMMON:[SYSEXE]NETNODE_REMOTE.DAT
$ SET FILE/LOG/PROT=(W:R) SYS$COMMON:[SYSEXE]NETNODE_REMOTE.DAT



Saturday, September 9, 2017

From Supernova to Intel Xeon L2 CPU Cache: My Own Machine Check Event (MCE) Glitch!

Supratim Sanyal's Blog: A Supernova Causes a MCE Machine Check Event on Intel Processor
Less than thirteen and a three-quarters of a billion years ago, a star the size of about fifteen times our own sun ran out of hydrogen fuel in its core to burn into helium.

Undeterred and left with prodigious amounts of helium, it non-nonchalantly started on the helium to burn to carbon for a few billion years. Then it lit up the carbon, and spent billions of years to continue up the periodic table - aluminum, silicon, nickel, copper, lead ... all the while pushing the lighter stuff outwards in layers and getting heavier in the middle where gravity kept getting happier. In another few billion years, gravity betrayed a little smile when the star crossed over the Chandrasekhar Limit. For gravity had won again, as it always does; all the energy of the burning core could no longer hold the star up. The collapse started.

The unrelenting crush of gravity then continued to make that star's core so dense and so hot that, more importantly than human equations trying to compute it starting to fail, something had to give.

After billions of years of cooking the elements, it took barely one and a half minutes for the core to explode, lighting up the universe with such brightness that it would be clearly visible to naked human eyes in daytime when that light would reach planet Earth.

The supernova explosion scattered the periodic table into space. Some of that ejected matter coagulated into a scary collection of mostly hydrogen and carbon-based molecules which would be labeled together as "Supratim Sanyal". 

The explosion also fired off, at light speed in all directions, billions of little monsters - atomic nuclei with no electrons, alpha particles, electrons and friends. One of these - a hydrogen nucleus, which is just a proton, traveled unchallenged a few billion light years only to finally get arrested by the L2 cache of the 8th Xeon CPU in my Dell PowerEdge 2950 in the basement.

Supratim Sanyal's Blog: Machine Check Event (MCE) Error - Intel Xeon L2 Cache Error
Machine Check Event (MCE)
I have never faced a Machine Check Event before.

I logged into my old faithful and rock-solid Dell PowerEdge 2950 blade server just now, and was informed:

ABRT has detected 1 problem(s). For more info run: abrt-cli list --since 1504666020

Okay, so I ran the recommended command, and got:

# abrt-cli list --since 1504666020
id ea6720f12a431197ca717b7bcd90f43f7a92d366
reason:         mce: [Hardware Error]: Machine check events logged
time:           Thu 07 Sep 2017 07:28:16 PM UTC
cmdline:        BOOT_IMAGE=/vmlinuz-3.10.0-514.26.2.el7.x86_64 root=/dev/mapper/centos_dellpoweredge2950-root ro rd.lvm.lv=centos_dellpoweredge2950/root rd.lvm.lv=centos_dellpoweredge2950/swap rhgb quiet LANG=en_US.UTF-8
package:        kernel
uid:            0 (root)
count:          1
Directory:      /var/spool/abrt/oops-2017-09-07-19:28:16-12996-0
Reported:       cannot be reported


The Autoreporting feature is disabled. Please consider enabling it by issuing
'abrt-auto-reporting enabled' as a user with root privileges

At this point, I googled "Machine Check Event" and learned that one of the reasons a MCE could happen is cosmic rays! Unless, of course, the processor or hardware or bus or some such thing is really going bad; the PowerEdge 2950 is a decade old anyway.

The forums also recommended running "mcelog", which I did not have, but was readily available in the repos.

# yum install mcelog

Now I could run mcelog.

# mcelog
Hardware event. This is not a software error.
MCE 0
CPU 7 BANK 3
ADDR 43f883580
TIME 1504812495 Thu Sep  7 19:28:15 2017
MCG status:
MCi status:
Corrected error
Error enabled
MCi_ADDR register valid
Threshold based error status: green
MCA: Generic CACHE Level-2 Generic Error
STATUS 942000570001010a MCGSTATUS 0
MCGCAP 806 APICID 7 SOCKETID 1
CPUID Vendor Intel Family 6 Model 23

OK, so it clearly says this MCE is not software-related, and whatever it was, it was corrected. It is also probably trying to say the L2 cache on the 8th CPU misfired that time.

A few quick checks with htop, top, iotop, etc. do not indicate any issues. Therefore, I will blame it on cosmic rays this time and let it go. If hardware is indeed failing, I will know soon enough.

It may be worth keeping an eye on eBay for a replacement blade server.

Thursday, September 7, 2017

OpenVMS-Linux-Windows File-Sharing over DECnet using FAL on DEC Pathworks for Windows NT 4.0

Supratim Sanyal's Blog: DEC Pathworks DECnet on Windows NT 4.0 Hobbyist System at SANYALnet Labs
DEC Pathworks: Windows NT as a DECnet node


Thanks to DECnet-Linux on my Ubuntu 14 boxes, DECnet on OpenVMS on a couple of SIMH VAX servers and DECnet on RSX-11M PLUS on a SIMH PDP-11/24 server, it is eminently possible to kick the Internet Protocol (IP) completely off a local LAN and use DECnet for logging in and sharing files across these machines. Windows was the missing piece, and I decided to throw an Windows NT 4.0 server into the mix. I could have chosen Windows 2000, XP, or later - but there is a certain charm in NT4 service-pack 6a + post 6a security rollup - a charm only felt by folks dated to the 8-bit era like me.

The saga of sharing files over DECnet from Windows NT 4.0 starts after I had DEC Pathworks 32 v7.4 up and running on my NT 4.0 workstation. At this point, ENTEE4 (DECnet address 1.557) is happily talking DECnet with two other nodes around my lab, as validated using tshark sniffing on the DECnet-dedicated network from Ubuntu 14 boxes equipped with DECnet-Linux (DECnet addresses 1.553 and 1.554). Everybody is saying hello to everyone else and it is a happy little island world.

$ tshark -i eth1
...
...
Capturing on 'eth1'
1930  39.386556        1.554 -> 1.553        DEC DNA 59 msg nr. 2 single segment, bytes this segment: 10, total so far:10
1931  39.386874        1.553 -> 1.554        DEC DNA 60 NSP data ACK message(2)
1932  39.386937        1.554 -> 1.553        DEC DNA 62 msg nr. 3 single segment, bytes this segment: 13, total so far:13
1933  39.387199        1.553 -> 1.554        DEC DNA 60 NSP data ACK message(3)
1934  39.388100        1.554 -> 1.553        DEC DNA 160 msg nr. 4 single segment, bytes this segment: 111, total so far:111
1935  39.388388        1.553 -> 1.554        DEC DNA 60 NSP data ACK message(4)
1936  39.388661        1.553 -> 1.554        DEC DNA 60 NSP disconnect initiate/confirm message
1937  39.388667        1.554 -> 1.553        DEC DNA 45 NSP disconnect initiate/confirm message
1938  39.389347        1.554 -> 1.553        DEC DNA 45 NSP disconnect initiate/confirm message
1939  39.403927        1.553 -> 1.557        DEC DNA 85 NSP connect confirm/initiate message
1940  39.404130        1.557 -> 1.553        DEC DNA 60 NSP connect acknowledgement
1941  39.460844        1.557 -> 1.553        DEC DNA 60 NSP connect confirm/initiate message
1942  39.460988        1.553 -> 1.557        DEC DNA 60 NSP link control message(no change)
1943  39.461152        1.557 -> 1.553        DEC DNA 60 NSP link control message(no change)
1944  39.461156        1.557 -> 1.553        DEC DNA 60 NSP other data ACK message
1945  39.461305        1.553 -> 1.557        DEC DNA 60 NSP other data ACK message
1946  39.461562        1.553 -> 1.557        DEC DNA 66 msg nr. 1 single segment, bytes this segment: 17, total so far:17
1947  39.461566        1.557 -> 1.553        DEC DNA 60 NSP data ACK message(1)
1948  39.462705        1.557 -> 1.553        DEC DNA 64 msg nr. 1 single segment, bytes this segment: 20, total so far:20
1949  39.462725        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(1)
1950  39.462727        1.553 -> 1.557        DEC DNA 64 msg nr. 2 single segment, bytes this segment: 15, total so far:15
1951  39.462728        1.557 -> 1.553        DEC DNA 60 NSP data ACK message(2)
1952  39.492906        1.557 -> 1.553        DEC DNA 1494 msg nr. 2: start of segment, bytes this segment: 1450, total so far:1450
1953  39.492919        1.557 -> 1.553        DEC DNA 1494 msg nr. 3: continuation segment , bytes this segment: 1450, total so far:2900
1954  39.492922        1.557 -> 1.553        DEC DNA 1494 msg nr. 4: continuation segment , bytes this segment: 1450, total so far:4350
1955  39.492941        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(2)
1956  39.492943        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(3)
1957  39.492944        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(4)
1958  39.493239        1.557 -> 1.553        DEC DNA 1494 msg nr. 5: continuation segment , bytes this segment: 1450, total so far:5800
1959  39.493242        1.557 -> 1.553        DEC DNA 1494 msg nr. 6: continuation segment , bytes this segment: 1450, total so far:7250
1960  39.493251        1.557 -> 1.553        DEC DNA 933 msg nr. 7: end of segment, bytes this segment: 889, total so far:8139
1961  39.493254        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(5)
1962  39.493261        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(6)
1963  39.493271        1.553 -> 1.557        DEC DNA 60 NSP data ACK message(7)
1964  39.494324        1.553 -> 1.557        DEC DNA 60 NSP disconnect initiate/confirm message
1965  39.494363        1.557 -> 1.553        DEC DNA 60 NSP disconnect initiate/confirm message
1966  39.999976        1.554 -> DECNET-Phase-IV-end-node-Hello-packets DEC DNA 50 Routing control, Endnode Hello message
...
...


Before starting FAL configuration, the two sources of information that I found extremely useful, and where all the information in this post is gleaned from, are

  • Pathworks Installation Guide (still available from Compaq here)
  • Pathworks Information Shelf installed along with Pathworks application files

Now, to get Pathworks FAL operational. First, using the Windows NT User Rights Policy manager, I added the "Log on as a batch job" right to the "Users" group. This is fairly well documented in the Pathworks installation guide. The steps are:

Supratim Sanyal's Blog: DEC Pathworks DECnet FAL configuration - Add "Log on as a batch job" right to "Users" group on Microsoft Windows NT 4.0
Add "Log on as a batch job" right to "Users" group on Microsoft Windows NT 4.0

  • Start -> Programs -> Administrative Tools -> User Manager
  • From the menu bar at top of User Manager, choose Policies -> User Rights. This will pop up a "User Rights Policy" window.
  • Click on the little checkbox at the bottom saying "Show Advanced User Rights"
  • From the "Right" drop-down list in the upper area, choose "Log on as a batch job"
  • Click "Add..." in the bottom right area. This will pop up another window titled "Add users and groups".
  • Choose "Users" in the "Names" area at the top (scroll down to see "Users").
  • Click on "Add" button in the middle. This will add "<computer-name>\Users" in the white text area in the bottom half.
  • Click "OK" at the bottom.
  • You will back at the "User rights policy" window. Click OK.
  • You will be back at the "User Manager" window. From the top menu, click User -> Exit to exit out.


Second step - I created a user called DECNET with home directory C:\DECNET and added this user to the "Users" group that we manipulated previously. The DECNET user thus has the all-important "Log on as a batch job" right.

Supratim Sanyal's Blog: DECnet Windows NT 4.0 Pathworks Setup - Add a DECNET user for Windows NT 4.0 for testing with DEC Pathworks DECnet services
Add a DECNET user for Windows NT 4.0 for testing with DEC Pathworks DECnet services

  • Start -> Programs -> Administrative Tools -> User Manager
  • From the menu bar at top of User Manager, choose "New User...". This will pop up a "New User" window. Fill in the username (DECNET), provide a password that you can remember, and clear all four check-boxes.
  • Click on "Groups" at the bottom. In the "Group Memberships" window that pops up, the user should already be a member of the "Users" group; therefore no more action here. Click on OK to return to the "New User" window.
  • Click on "Profile" at the bottom to open up the "User Environment Profile" pop-up. In the "Home Directory" section in the lower panel, change "Local Path" to "C:\DECNET". Click on OK to return to the "New User" window, and OK again.
  • You will be back at the "User Manager" window. From the top menu, click User -> Exit to exit out.
Third step - grant Administrator access to the user directory. In the prior step, the User Manager created the home directory with access permissions only for the specific user. However, for the FAL object to access the contents of the directory, we need the directory permissions set to allow full Administrator access. This is performed from an Administrator account as follows:

Supratim Sanyal's Blog: DEC Pathworks Windows NT 4.0 FAL server configuration - Give Administrators Full Control on the new home directory for the DECNET user account
Give Administrators Full Control on the new home directory for the DECNET user account


  • From Start -> Windows NT Explorer, Right-Click on the DECNET folder under C: drive.
  • Choose Properties
  • Click on the Security tab
  • Click on Permissions
  • Click on "Add" at the bottom
  • In the "Add Users and Groups" window,  choose "Administrators" in the "Names" area at the top half, and click "Add" in the middle. This will add "<computer name>\Administrators" to the "Add Names" area in the bottom half.
  • In the "Type of Access" drop-down list at the bottom, choose "Full Control"
  • Click on OK, OK and OK to exit out of the three open screens.
  • That's it; now the C:\DECNET folder has full access permissions for both the owner DECNET as well as Administrator group accounts.

Fourth step - configure FAL and NML services on Windows NT 4.0 Pathworks using Network Control Program (NCP). To do this, open a MS-DOS command prompt and issue the command "NCP" to enter the NCP prompt. Then issue NCP commands to define the File Access Listener (FAL) and the Network Management Listener (NML) objects. Keep in mind the object numbers 17 and 19 cannot be changed; they are specifically allocated to FAL and NML objects.

Supratim Sanyal's Blog: DEC Pathworks Windows NT - Configure FAL and NML server objects from NCP - DECnet
DEC Pathworks Windows NT - Configure FAL and NML server objects from NCP


C:\>NCP

Network Control Program (NCP)   V7.2.019
Copyright 1985, 2000 by Compaq Computer Corporation
NCP>DEFINE OBJECT FAL NUMBER 17 FILE C:\PW32\FAL32.EXE
NCP>DEFINE OBJECT NML NUMBER 19 FILE C:\PW32\NML32.EXE
NCP>LIST KNOWN OBJECTS

 Network Objects  Thu Sep 07 15:52:48 2017


Taskname          #    File               "Arguments"

FAL               17   C:\PW32\FAL32.EXE
NML               19   C:\PW32\NML32.EXE
NCP>EXIT


Log out of the Windows Administrator account, and log in as DECNET. Create a file called INFO.TXT in C:\DECNET to play (i.e. test) with.

All done, now we can talk to Windows NT 4.0 running Pathworks from other DECnet hosts. It all works from DECnet on OpenVMS and PDP-11/24 hosts in my hobbyist lab, and also playing around with my Ubuntu boxes running DECnet-Linux, I can use DECnet-Linux commands to access Windows NT files:

$ dndir 'entee4"DECNET password"::'

Directory of C:[DECNET]

INFO.txt

$ dntype -mblock 'entee4"decnet password"::info.txt'
 _______   ________   _________  _______   _______   ___   ___
|\  ___ \ |\   ___  \|\___   ___\\  ___ \ |\  ___ \ |\  \ |\  \
\ \   __/|\ \  \\ \  \|___ \  \_\ \   __/|\ \   __/|\ \  \\_\  \
 \ \  \_|/_\ \  \\ \  \   \ \  \ \ \  \_|/_\ \  \_|/_\ \______  \
  \ \  \_|\ \ \  \\ \  \   \ \  \ \ \  \_|\ \ \  \_|\ \|_____|\  \
   \ \_______\ \__\\ \__\   \ \__\ \ \_______\ \_______\     \ \__\
    \|_______|\|__| \|__|    \|__|  \|_______|\|_______|      \|__|

                   A SANYALnet LABS HOBBYIST SERVER

+++
| Welcome to entee4.sanyalnet.lan.
|
| This is a Microsoft Windows NT 4.0 Workstation with
| Digital DEC (Compaq) Pathworks. It speaks IP and DECnet.
+++


That concludes my experiment with a DECNET account shared using FAL server object over DECnet on a Windows NT 4.0 server running DEC Pathworks 32. Please share your experiments and results in the comments below!


Tuesday, August 15, 2017

iptables adventures

Supratim Sanyal's Blog: Linux iptables security reference example


I use iptables to secure my Linux-based internet-facing hobbyist servers. The current iptables, residing at one of these servers (sanyalnet-cloud-vps2.freeddns.org) at /etc/sysconfig/iptables, is as below.

This particular server runs on CentOS 7. The iptables rules provide basic network exploit protection from syn flood, nul, christmas and fragmented packets and adds rate-limited DDOS flood protection for ssh, telnet, smtp, dns, http, pop3, ntp, IMAP, https, smtps, starttls, imap-ssl/tls, pop-ssl/tls, dovecot, sieve, managesieve, DECnet bridge (HECnet), stunnel, syslog etc. ports that are usual for any internet-facing server providing public services. It has the following open ports for the services it provides:
  • ssh
  • telnet, forwarded to CLOUDY VAX - the hosted DECVAX-11/780 SIMH simulated Digital VAX server running OpenVMS 7.3
  • SMTP (authenticated, not public)
  • DNS - this DNS server blocks advertising and tracking websites as well as malware
  • http - a basic static web-site is hosted on this server; also reachable over the TOR network at fz2koi5kviaph4bl.onion)
  • POP (authenticated, not public)
  • NTP - this server is an official stratum-2 public NTP server listed ntp.org and is a member of the NTP Pool Project
  • IMAP (authenticated, not public)
  • https (currently unused)
  • STARTTLS / SMTPS (authenticated, not public)
  • IMAP SSL/TLS (authenticated, not public)
  • POP SSL/TLS (authenticated, not public)
  • Dovecot Sieve / ManageSieve
  • DECnet bridge connecting QCOCAL (SIMH MicroVAX 3900/OpenVMS 7.3 at home), JUICHI (SIMH DEC PDP-11/24 RSX-11M PLUS at home) and CLOUDY VAX (SIMH VAX-11/780 OpenVMS 7.3) to HECnet the global hobbyist DECnet network
  • TOR Proxy service (authenticated, not public)
  • stunnel (secure tunnel) service to syslog daemon for encrypted remote logging
  • syslog
  • TOR relay node (this server is a TOR relay-only node, not a TOR exit node; no TOR traffic is logged at all on this server)





Sunday, August 13, 2017

How to find Solaris device name of NTFS partition on external USB hard drive HDD storage

Instead of running GParted as described in my post on Oracle Solaris 11.3 64-bit installation steps, here is a quicker command-line way to identify the device name corresponding to a NTFS partition on an external USB hard drive connected to a Oracle Solaris 11.3 system.

Unlike my previous post that applies to OpenIndiana, this post applies to true Oracle Solaris 11.3 64 bit.

STEP 1 - Use rmformat and fdisk to identify the device name for the NTFS partition


$ rmformat -l
Looking for devices...
     1. Logical Node: /dev/rdsk/c1t1d0p0
        Physical Node: /pci@0,0/pci-ide@1,1/ide@0/sd@1,0
        Connected Device: VBOX     CD-ROM           1.0
        Device Type: <Unknown>
        Bus: IDE
        Size: <Unknown>
        Label: <Unknown>
        Access permissions: <Unknown>
     2. Logical Node: /dev/rdsk/c2t0d0p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,0
        Connected Device: WD       My Book 1110     1030
        Device Type: Removable
        Bus: USB
        Size: 1430.1 GB
        Label: <Unknown>
        Access permissions: <Unknown>
     3. Logical Node: /dev/rdsk/c2t0d1p0
        Physical Node: /pci@0,0/pci106b,3f@6/storage@1/disk@0,1
        Connected Device: WD       Virtual CD 1110  1030
        Device Type: CD Reader
        Bus: USB
        Size: 668.0 MB
        Label: <None>
        Access permissions: <Unknown>
$ sudo fdisk /dev/rdsk/c2t0d0p0
Password:
             Total disk size is 60771 cylinders
             Cylinder size is 48195 (512 byte) blocks

                                               Cylinders
      Partition   Status    Type          Start   End   Length    %
      =========   ======    ============  =====   ===   ======   ===
          1                 IFS: NTFS         0  60771    60772    100

SELECT ONE OF THE FOLLOWING:
   1. Create a partition
   2. Specify the active partition
   3. Delete a partition
   4. Change between Solaris and Solaris2 Partition IDs
   5. Edit/View extended partitions
   6. Exit (update disk configuration and exit)
   7. Cancel (exit without updating disk configuration)
Enter Selection: 7


This tells us the NTFS partition is the first partition on raw device /dev/rdsk/c2t0d0p0. Therefore, the device name for our NTFS partition will be disk partition /dev/dsk/c2t0d0p1 (without the "r" for raw device under /dev).

STEP 2 - Mount it!

$ mkdir /media/USB-Storage
$ sudo /usr/bin/lowntfs-3g -o uid=21,gid=21 /dev/dsk/c2t0d0p1 /media/USB-Storage/

And presto, we can now see the NTFS partition files at /media/USB-Storage.

Installing ntfs-3g on Solaris without introducing instability and kernel panics is tricky. I ended up building ntfs-3g from sources to get a rock-solid stable Oracle Solaris 11.3 server with NTFS-3g; I have documented my approach in a separate post in the section Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11.



Thursday, August 10, 2017

My tshark cheat-sheet

Supratim Sanyal's Blog: Wireshark


Ever-evolving list of tshark command lines I use for various purposes, with a goal of avoiding trolling through wireshark and tcpdump man pages every time to find the filters. Generally adding a -V, -VV or -VVV switch increases verbosity levels. I also usually prepend the tshark command with nice -n 19 ionice -c3 to try to minimize processor (CPU) and disk I/O usage when running tshark.


  • Monitor DECnet-UDP bridged traffic to HECnet. The following is for the VPS hosting CLOUDY:: and JUICHI:: which bridges DECnet over UDP to HECnet update host and QCOCAL:: hosted on sanyalnet-openvms-vax.freeddns.org (described in my post here):
    # tshark -i ens33 -f "host psilo.update.uu.se" -f "host sanyalnet-openvms-vax.freeddns.org" -f "udp port 4711" -f "udp port 4712"
  • Capture all NTP traffic:
    # tshark -i ens33 -f "udp port 123"
  • Capture all NTP server traffic. This mostly logs NTP time served by this server to other hosts.
    # tshark -i ens33 -f "udp port 123" | grep "server"
  • To capture all NTP traffic for this host serving time to other hosts, grep like follows:
    # tshark -i ens33 -f "udp port 123" | egrep "64.137.162.139 ->" | grep server
  • Capture all NTP client traffic. This mostly logs NTP traffic that synchronizes this host from remote clock source hosts.
    # tshark -i ens33 -f "udp port 123" | grep "client"
  • Capture all traffic to SanyalCraft Minecraft server (on port 25565) and our experimental Minecraft server on port 25566:
    # tshark -i ens33 -f "tcp port 25565" -f "tcp port 25566" 

Friday, June 9, 2017

Fun with Oracle Solaris 11.3 SunOS 5.11 on 64-bit Intel x86 - SNMP, NTP, FTP, Web, SMB Servers and more with NTFS support

Supratim Sanyal's Blog: Oracle Solaris 11.3 Intel x86 64-bit gnome desktop environment
Oracle Solaris 11.3 gnome desktop

The allure of a hobbyist server running the "official" version of the legendary Solaris operating system has been growing stronger while I have been playing with openindiana open-source community-driven illumos distribution for a couple of years now primarily as a central storage server for devices across our home networks to share files, and secondarily for having fun with a true Solaris derived environment.

Oracle, the current owners of Solaris, seem to be allowing hobbyist installations of authentic Solaris perfectly legally for non-commercial non-production deployment ("evaluation") via free Oracle Technology Network (OTN) memberships. Best of all, Oracle provide downloads of pre-built and configured Oracle Solaris 11.3 VirtualBox VMs based on the Solaris 11.3 live installation media ready to install and configure, including a complete gnome-derived graphical desktop environment.

Supratim Sanyal's Blog: Free Download Oracle Solaris 11.3 Live Media Installation with Desktop EnvironmentVirtualBox VM Virtual Machine (SunOS 5.11)
Download Oracle Solaris 11.3 Live Media Installation with Desktop EnvironmentVirtualBox VM

I finally gave in to temptation and went ahead to download Oracle Solaris 11.3 VM Template for Oracle VM VirtualBox to give  official Solaris 11.3 a spin. The download extracts to a 1.83 GB sol-11_3-vbox.ova file that is readily imported by Oracle VirtualBox and boots neatly to an awesome Solaris 11 desktop.

Supratim Sanyal's Blog: Oracle OTN Solaris 11.3 Certificate and Key for Authenticating Access to Solaris Repositories
Oracle OTN Solaris 11.3 Certificate and Key for Authenticating Access to Solaris Repositories

There is no need to sign up with OTN to download the Solaris 11 VM. However, I did sign up with OTN to access pkg-register.oracle.com to obtain for free a key file "pkg.oracle.com.key.pem"and certificate "pkg.oracle.com.certificate.pem" that enabled access to the repositories "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4".

Supratim Sanyal's Blog: Official Solaris 11.3 OTN Repository Accesses Granted via OTN membership
Official Solaris 11.3 OTN Repository Accesses Granted via OTN membership

Instructions on doing this are clearly documented and accessed by clicking on the "Show Details" button next to repositories that access has been granted to via OTN; basically just save the two .pem files to disk and use these commands as root (or use sudo from a user account) to add the repositories to the Solaris 11 package manager:

# pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/solarisstudio/release solarisstudio

# pkg set-publisher -k pkg.oracle.com.key.pem -c pkg.oracle.com.certificate.pem -G "*" -g https://pkg.oracle.com/ha-cluster/release ha-cluster

The package manager will now list additional repositories solarisstudio and ha-cluster. Subequent pkg update commands include these additional repositories.

Supratim Sanyal's Blog: Solaris 11 Additional Package Repositories in Package Manager
Solaris 11 Additional Package Repositories in Package Manager  

However, at the end of the day, I did not install any of the packages made available to me now via the "Oracle Developer Studio Tools and Oracle Solaris Studio Release" and "Oracle Solaris Cluster 4" repositories because a complete suite of GNU C, C++ and FORTRAN development tools is included with the release in the default "solaris" repository and I am far more familiar with gcc than Solaris compilers.

In fact, it appears Oracle has included a great set of "FOSS" (Free and Open Source Software) for evaluation with this Solaris 11.3 release, with a goal of formalizing the FOSS collection into the upcoming release of Solaris 12. Here is more information on selected FOSS evaluation packages for Oracle Solaris.

Basic Solaris 11 Hardening for Increased Security

I always harden my operating systems before deployment, and found some tips on basic hardening of the already-very-secure Solaris 11 operating system at Oracle's Official Guide as well as documented experiences of others. The following are the Solaris hardening steps I performed.

Edit /etc/system and add the following two lines at the bottom of the file:
set noexec_user_stack=1
set noexec_user_stack_log=1

The default installation comes with package signature policy set to "verify", which is good:

root@solaris11-3:~# pkg property signature-policy
PROPERTY         VALUE
signature-policy verify

However, we would like to enforce the stricter signature policy of "require-signatures" for packages from the official repositories, which in our case are:

root@solaris11-3:~# pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F http://pkg.oracle.com/solaris/release/
solarisstudio               origin   online F https://pkg.oracle.com/solarisstudio/release/
ha-cluster                  origin   online F https://pkg.oracle.com/ha-cluster/release/

To set "require-signatures" policy and verify for each of our repositories one by one:

root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solaris
root@solaris11-3:~# pkg publisher solaris

            Publisher: solaris
           ...
           Properties:
                       signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures solarisstudio
root@solaris11-3:~# pkg publisher solarisstudio

            Publisher: solarisstudio
           ...
           Properties:
                       signature-policy = require-signatures
root@solaris11-3:~# pkg set-publisher --set-property signature-policy=require-signatures ha-cluster
root@solaris11-3:~# pkg publisher ha-cluster

            Publisher: ha-cluster
           ...
           Properties:
                       signature-policy = require-signatures

The default Solaris 11.3 installation seems to enable a huge list of network services:

root@solaris11-3:~# svcs | grep network
online         20:27:57 svc:/network/connectx/unified-driver-post-upgrade:default
online         20:27:58 svc:/network/socket-config:default
online         20:28:37 svc:/network/netcfg:default
online         20:28:39 svc:/network/tcp/congestion-control:cubic
online         20:28:45 svc:/network/tcp/congestion-control:highspeed
online         20:28:45 svc:/network/sctp/congestion-control:vegas
online         20:28:46 svc:/network/sctp/congestion-control:newreno
online         20:28:46 svc:/network/sctp/congestion-control:highspeed
online         20:28:46 svc:/network/tcp/congestion-control:newreno
online         20:28:46 svc:/network/sctp/congestion-control:cubic
online         20:28:46 svc:/network/tcp/congestion-control:vegas
online         20:28:49 svc:/network/ib/ib-management:default
online         20:29:02 svc:/network/tcp/tcpkey:default
online         20:29:06 svc:/network/smb:default
online         20:29:11 svc:/network/datalink-management:default
online         20:29:19 svc:/network/ipsec/ipsecalgs:default
online         20:29:24 svc:/network/ip-interface-management:default
online         20:29:34 svc:/network/eoib/eoib-post-upgrade:default
online         20:29:41 svc:/network/loopback:default
online         20:29:46 svc:/network/ipmp:default
online         20:30:44 svc:/network/ilomconfig-interconnect:default
online         20:30:44 svc:/network/uucp-lock-cleanup:default
online         20:30:54 svc:/network/npiv_config:default
online         20:31:08 svc:/network/physical:upgrade
online         20:31:11 svc:/network/install:default
online         20:31:11 svc:/network/location:upgrade
online         20:31:25 svc:/network/physical:default
online         20:31:32 svc:/network/location:default
online         20:31:38 svc:/network/ipsec/policy:default
online         20:31:39 svc:/milestone/network:default
online         20:31:45 svc:/network/initial:default
online         20:31:46 svc:/network/iptun:default
online         20:31:49 svc:/network/netmask:default
online         20:31:49 svc:/network/nfs/fedfs-client:default
online         20:31:50 svc:/network/dns/client:default
online         20:31:53 svc:/network/service:default
online         20:31:59 svc:/network/iscsi/initiator:default
online         20:32:00 svc:/network/ntp:default
online         20:32:40 svc:/network/shares:default
online         20:33:11 svc:/network/routing-setup:default
online         20:33:41 svc:/network/rpc/bind:default
online         20:33:43 svc:/network/inetd:default
online         20:33:51 svc:/network/rpc/gss:default
online         20:33:52 svc:/network/rpc/smserver:default
online         20:33:57 svc:/network/routing/ndp:default
online         20:33:58 svc:/network/ssh:default
online         20:34:08 svc:/network/sendmail-client:default
online         20:34:10 svc:/network/smtp:sendmail

At the least, I disabled the sendmail-related services because I will configure postfix later as my email transport service, and also disabled services related to rpc and nfs; there are surely many other services in the list above that we can disable for a hobbyist installation later.

root@solaris11-3:~# svcadm disable /network/smtp:sendmail
root@solaris11-3:~# svcadm disable /network/sendmail-client
root@solaris11-3:~# svcadm disable /network/nfs/fedfs-client
root@solaris11-3:~# svcadm disable /network/rpc/bind
root@solaris11-3:~# svcadm disable /network/rpc/gss
root@solaris11-3:~# svcadm disable /network/rpc/smserver
root@solaris11-3:~# svcadm disable svc:/network/nis/client

Tighten up the login process by editing /etc/default/login and changing the following parameters as described:

# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# -- Change to abandon idle sessions after 15 minutes - Supratim
TIMEOUT=900
...
...
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided.  The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# Max this out to discourage continues dictionary attacks - Supratim
SLEEPTIME=5

# DISABLETIME  If present, and greater than zero, the number of seconds
# login will wait after RETRIES failed attempts or the PAM framework returns
# PAM_ABORT. Default is 20. Minimum is 0. No maximum is imposed.
#
#DISABLETIME=20
# Bump up to ten minutes, i.e. if you got the password wrong three times in a
row, wait ten minutes for login prompt to reappear - Supratim
DISABLETIME=600

# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
#RETRIES=5
# If you know the password, you should not need more than three tries - Supratim
RETRIES=3
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
#SYSLOG_FAILED_LOGINS=5
# Yes we want to log ALL failed attempts - Supratim
SYSLOG_FAILED_LOGINS=0

We then harden the ssh daemon that is perhaps the most frequently used service for logging into the Solaris server from other internet or intranet hosts. Here is the /etc/ssh/sshd_config file I use for ssh server configuration. It incorporates many tips about securing ssh, as you can see in the comments. You can probably use this file straightaway as-is.

You should also put some sort of notice in /etc/issue file that is presented as a Banner to ssh login users during the login process. In addition, you should also put something appropriate in the /etc/motd file that is presented to the user by the system scripts that run automatically after login. Oracle provides some nice examples and more details about these files here.

To have the modified ssh server configuration file take effect and make sure it starts up:

root@solaris11-3:/etc/ssh# svcadm refresh ssh
root@solaris11-3:/etc/ssh# svcadm restart ssh
root@solaris11-3:/etc/ssh# svcs -xv ssh
svc:/network/ssh:default (SSH server)
 State: online since May 28, 2017 11:58:55 PM UTC
   See: man -M /usr/share/man -s 1M sshd
   See: /var/svc/log/network-ssh:default.log
Impact: None.

Enable additional audit logging of privileged actions. Replace <admin-user> with the non-root username you created while installing Solaris (as you know, root is a role in Solaris, not a username).

root@solaris11-3:~# usermod -K audit_flags=cusa:no <admin-user>
UX: usermod: <admin-user> is currently logged in, some changes may not take effect until next login.
root@solaris11-3:~# rolemod -K audit_flags=cusa:no root
root@solaris11-3:~# auditconfig -setpolicy +argv
root@solaris11-3:~# auditconfig -setpolicy +arge

Enable TCP Wrappers in general for inetd based network services:

root@solaris11-3:~# inetadm -M tcp_wrappers=TRUE

You should have a reasonably secure Solaris 11.3 server at this point, good enough to handle an internet-facing network.

Relax Default Solaris 11 Password Rules

As a purely personal preference, I do not like operating system enforcement of secure password rules. Problems with weak passwords are always due to human stupidity, and we should not call on machines to compensate. Solaris 11.3 default password rules require at least one numeric digit.

I relaxed this rule by editing the file /etc/default/passwd to explicitly specify MINNONALPHA=0 instead of the commented-out default of #MINNONALPHA=1 and tested this change by using the passwd command to temporarily set both the user and root passwords to not contain any digits before setting them back to strong secure passwords.

Enable Solaris 11 SNMP Agent

I run a Pandora FMS server to monitor the various networks in my home and on the internet. The Pandora FMS server is configured with Recon tasks that auto-discover hosts on the networks, and SNMP is then used extensively to poll the hosts. In general, an SNMP agent running on any host is often useful in quick monitoring or troubleshooting tasks.

Supratim Sanyal's Blog: Solaris 11.3 SNMP daemon agent net-snmp
Solaris 11.3 SNMP agent Net-SNMP

The Solaris 11.3 gnome desktop environment conveniently comes with a shortcut "Add More Software" which launches the Package Manager. Not knowing what, if any, SNMP package was already installed, I launched the Package Manager and typed in "SNMP" in the search box. To my pleasant surprise, Net-SNMP agent files and libraries which I am quite familiar with from the Linux world along with Fault Management SNMP agent plugins and MIB and SNMP Notification daemon for system events were already installed. I just had to configure and start the Net-SNMP service up.

The Net-SNMP configuration files on Solaris 11 reside in the directory /etc/net-snmp/snmp. I backed up and changed the main configuration file /etc/net-snmp/snmp/snmpd.conf to have the following very simple configuration, where mycommunitystring stands for the actual community string needed to access this agent securely.

# snmpd.conf
# - All private IPs allowed with community mycommunitystring

com2sec local   10.0.0.0/8      mycommunitystring
com2sec local   172.16.0.0/12   mycommunitystring
com2sec local   192.168.0.0/16  mycommunitystring
com2sec local   127.0.0.1       mycommunitystring

group MyROGroup v1         local
group MyROGroup v2c        local
group MyROGroup usm        local
view all    included  .1                               80
access MyROGroup "" any     noauth    exact  all    none   none

syslocation tatooine
syscontact Admin {supratim at riseup dot net}

# Send traps to Pandora FMS Server
trapsink 10.100.0.10
trapcommunity mycommunitystring

Configuration being done, it was time to start the SNMP service up. A quick check showed the service was not enabled by the default installation:

root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
 State: disabled since May 27, 2017 04:44:29 PM UTC
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: man -M /usr/share/man/ -s 8 snmpd
   See: /var/svc/log/application-management-net-snmp:default.log
Impact: This service is not running.

To enable and start the service up:

root@solaris11-3:~# svcadm refresh net-snmp
root@solaris11-3:~# svcadm enable net-snmp

Check to make sure service is now running:

root@solaris11-3:~# svcs -xv net-snmp
svc:/application/management/net-snmp:default (net-snmp SNMP daemon)
 State: online since May 27, 2017 07:34:31 PM UTC
   See: man -M /usr/share/man/ -s 8 snmpd
   See: /var/svc/log/application-management-net-snmp:default.log
Impact: None.

Walk the MIB from another host querying the Solaris 11 host (10.200.0.50):

$ snmpwalk -c mycommunitystring -v2c 10.200.0.50 ISO | grep -i solaris
SNMPv2-MIB::sysDescr.0 = STRING: SunOS solaris11-3.sanyalnet.lan 5.11 11.3 i86pc
SNMPv2-MIB::sysName.0 = STRING: solaris11-3.sanyalnet.lan
HOST-RESOURCES-MIB::hrSWRunParameters.679 = STRING: "-g -d /dev/console -l console -m ldterm,ttcompat -h -p solaris"
HOST-RESOURCES-MIB::hrSWRunParameters.739 = STRING: "-g -d /dev/vt/6 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.741 = STRING: "-g -d /dev/vt/2 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.751 = STRING: "-g -d /dev/vt/3 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.752 = STRING: "-g -d /dev/vt/5 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.753 = STRING: "-g -d /dev/vt/4 -l console -m ldterm,ttcompat -h -p solaris11-"
HOST-RESOURCES-MIB::hrSWRunParameters.1205 = STRING: "-Djava.security.policy=/usr/share/vpanels/java.policy com.oracle.solaris.v"
HOST-RESOURCES-MIB::hrSWInstalledName.169 = STRING: "SUNWopensolaris-backgrounds"
HOST-RESOURCES-MIB::hrSWInstalledName.501 = STRING: "SUNWopensolaris-backgrounds-xtra"


Forward SYSLOG to Remote SYSLOG SERVER over Secure Tunnel


I run a central syslog server on a VPS in the cloud where I send the system logs from all of my servers. I use the stunnel secure-tunnel utility to forward log entries securely over the internet as described in this post.

The configuration file for syslog daemon on Solaris 11.3 is /etc/syslog.conf. I edited the file to enable forwarding of system log entries to the local LAN endpoint server for the stunnel (10.42.2.1) which forwards them in turn securely to the remote VPS central syslog server. I also adjusted entries for the auth facility to log authorization failures suitably for use with the fail2ban tool that I have discussed in detail in this post.

Here is my complete syslog.conf file. Important: The delimiters in the middle of the lines have to be TAB characters, SPACEs do not work!

#
# Copyright (c) 1991, 2014, Oracle and/or its affiliates. All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#

# -- Supratim's Remote syslog hosts
# - Forward to CentOS which in turn forwards to VPS and Papertrailapp
# - White space delimiter has to be TABs for this to work; SPACEs do not work!
*.debug         @10.42.2.1
# --

*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
# Required for fail2ban
auth.notice                     ifdef(`LOGHOST', /var/log/authlog, @loghost)
auth.info                       /var/adm/auth.log

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)


After editing the syslog.conf configuration file, create an empty /var/adm/auth.log file (it is not created by syslog even if configured in the config file), and refresh and restart the syslog daemon:

root@solaris11-3:/etc# touch /var/adm/auth.log
root@solaris11-3:/etc# svcadm refresh system-log
root@solaris11-3:/etc# svcadm restart system-log
root@solaris11-3:/etc# svcs -xv system-log
svc:/system/system-log:default (system log)
 State: online since May 27, 2017 08:39:29 PM UTC
   See: man -M /usr/share/man -s 1M syslogd
   See: /var/svc/log/system-system-log:default.log
Impact: None.


Enable Solaris 11 NTP Time Synchronization Service

A quick check against the Solaris 11 package manager again reveals good news - a NTP v4 daemon is already installed. I just have to configure it to be able to keep the Solaris clock synchronized.

Supratim Sanyal's Blog: Solaris 11 NTP v4 Network Time Synchronization server and client daemon
Solaris 11 NTP v4 daemon

The Solaris 11 NTP configuration file is /etc/inet/ntp.conf. The initial installation includes two templates in that directory: /etc/inet/ntp.client  and /etc/inet/ntp.server,the intent being one of them can be used as the starting point of the final ntp.conf file. But, I already have a fully functional Solaris 11 NTP configuration file as described in this post, and simply dropped my working ntp.conf into /etc/inet/ directory.

I then checked to make sure the NTP service has not already been started automatically yet:

root@solaris11-3:/etc/inet# svcs -xv ntp
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
 State: disabled since Sat May 27 16:44:31 2017
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: man -M /usr/share/man -s 1M ntpd
   See: man -M /usr/share/man -s 4 ntp.conf
   See: man -M /usr/share/man -s 1M ntpq
   See: /var/svc/log/network-ntp:default.log
Impact: This service is not running.

I then refresh and enable the NTP service, and confirm it is now running.

root@solaris11-3:/etc/inet# ls -l /etc/inet/ntp.conf
-rw-r--r--   1 root     root        3267 May 27 23:08 /etc/inet/ntp.conf
root@solaris11-3:/etc/inet# svcadm refresh ntp
root@solaris11-3:/etc/inet# svcadm enable ntp
root@solaris11-3:/etc/inet# svcs -xv ntp 
svc:/network/ntp:default (Network Time Protocol (NTP) Version 4)
 State: online since Sat May 27 23:12:26 2017
   See: man -M /usr/share/man -s 1M ntpd
   See: man -M /usr/share/man -s 4 ntp.conf
   See: man -M /usr/share/man -s 1M ntpq
   See: /var/svc/log/network-ntp:default.log
Impact: None.

ntpd errors "frequency error -512 PPM exceeds tolerance 500 PPM" in system log

I have observed entries like "frequency error -512 PPM exceeds tolerance 500 PPM" in my openindiana system logs at /var/adm/messages regularly, and this was also happening on my new Solaris 11.3 system log. Here are typical examples of this:

May 28 10:37:46 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:48 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -511 PPM exceeds tolerance 500 PPM
May 28 10:45:52 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:03:31 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:18:18 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:28:19 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 11:54:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:04:27 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:18:04 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM
May 28 12:30:23 solaris11-3.sanyalnet.lan ntpd[556]: [ID 702911 daemon.notice] frequency error -512 PPM exceeds tolerance 500 PPM

My guess is the Solaris family of kernels do not like to be stuck inside virtual machines, and NTP's 500 PPM tolerance is regularly exceeded in Solaris virtual machines.

Adding the following tinker panic 0 line at the top of /etc/inet/ntp.conf file may help, according to some online posts that I found. However, it does not solve the issue, and I am still looking for a resolution. I am not overly concerned because the logs seem to indicate these are notices (daemon.notice), not errors.

# -----
# Workaround for unstable clock in virtual machine
# -----
tinker panic 0

Warning: Trying the advice on this Oracle blog post to modify /etc/system to attempt to increase "the system clock tick rate from the default of 100 per second to 1,000 per second, effectively changing the clock resolution from 10ms to 1ms" by adding set hires_tick=1 by itself, as well as followed by set hires_hz=10000 hang the Solaris boot-up process. Do not try these. I had fortunately taken a boot image backup using the beadm create command before trying these and failing, and was able to recover and will not attempt these changes in /etc/system ever again.

Install gnu C, C++, Objective C and FORTRAN Development Environment

Supratim Sanyal's Blog: Free GNU C C++ Compilers and Development Environment Installation on Solaris 11
GNU Development Environment for Solaris 11 Group Package Installation


Launch the Package Manager and select "All Publishers" in the Publisher drop-down list. Then navigate to Meta Packages -> Group Packages on the left pane. Find the group package "developer-gnu" in the list of group packages on the right pane. Check the selection box at the left of that package, and click the Install/Update button at the top. That's it, when installation finishes, the familiar GNU C and C++ compilers and build tools will be available, along with Fortran and Objective C.

I did a quick check of the C++ compiler, and it all looked good with gcc 4.8.2 compiler working:

user@solaris11-3:~$ gcc --version
gcc (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

user@solaris11-3:~$ g++ --version
g++ (GCC) 4.8.2
Copyright (C) 2013 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

user@solaris11-3:~$ gmake --version
GNU Make 3.82
Built for i386-pc-solaris2.11
Copyright (C) 2010  Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

user@solaris11-3:~$ cat hello.cpp
#include <iostream>
using namespace std;

int main()
{
        std::cout << "hello world!\n";
        return 0;
}

user@solaris11-3:~$ g++ -o hello hello.cpp

user@solaris11-3:~$ ./hello
hello world!

Install and Configure FTP Server on Solaris 11 with Anonymous FTP Access


The default Solaris 11.3 VirtualBox image did not come pre-installed with a FTP server. I found FTP Server and Utilities" in the Package Manager and installed it.

Supratim Sanyal's Blog: Solaris 11 FTP Server Package Installation (ProFTP)
Solaris 11 FTP Server Package Installation

The FTP server installed is proftpd, which uses the main configuration file /etc/proftpd.conf.

My goal was to deploy a simple anonymous FTP server with read-only access to clients. The basic onfiguration file made available here for establishing "a single server and a single anonymous login" fit the bill perfectly, more so as the Solaris package installer for FTP did create the required "ftp" account and the "nobody" account was already present. as seen in /etc/passwd.

I took a backup of the file and dropped in the basic proftpd.conf in, and restarted the service. However, the service did not start up at this first attempt:

root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: maintenance since May 30, 2017 12:31:02 PM UTC
Reason: Start method failed repeatedly, last exited with status 1.
   See: http://support.oracle.com/msg/SMF-8000-KS
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# cat /var/svc/log/network-ftp:default.log
[ May 30 04:30:17 Disabled. ]
[ May 30 04:30:37 Rereading configuration. ]
[ May 30 12:30:47 Rereading configuration. ]
[ May 30 12:30:54 Enabled. ]
[ May 30 12:30:55 Executing start method ("/usr/lib/inet/proftpd"). ]
2017-05-30 12:30:55,679 solaris11-3.sanyalnet.lan proftpd[3482]: fatal: unknown configuration directive 'DisplayFirstChdir' on line 58 of '/etc/proftpd.conf'
[ May 30 12:30:59 Method "start" exited with status 1. ]

The problematic "DisplayFirstChdir" directive seems to enable display of a ".message" file in each newly chdired directory. I did not really care about this feature, and commented out the "DisplayFirstChdir" directive in the configuration file, and retried. Note: On Solaris 11, a service in maintenance needs to be taken out of maintenance by disabling and enabling it again after fixing the issues that put it into maintenance.

root@solaris11-3:/etc# svcadm disable ftp
root@solaris11-3:/etc# svcadm refresh ftp
root@solaris11-3:/etc# svcadm enable ftp
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: offline* transitioning to online since May 30, 2017 12:39:31 PM UTC
Reason: Start method is running.
   See: http://support.oracle.com/msg/SMF-8000-C4
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: This service is not running.
root@solaris11-3:/etc# svcs -xv ftp
svc:/network/ftp:default (FTP server)
 State: online since May 30, 2017 12:39:46 PM UTC
   See: man -M /usr/share/man -s 1M proftpd
   See: file://usr/share/doc/proftpd/
   See: /var/svc/log/network-ftp:default.log
Impact: None.

The FTP server now came up. However, a quick test to login to the FTP server with anonymous account still failed, showing the following error in /var/adm/authlog:

USER ftp (Login failed): User in /etc/ftpusers

It turns out the error message is perfect; default installation includes the user "ftp" in the list of users to deny FTP service to in the file /etc/ftpusers. The "anonymous" FTP user is an alias of this "ftp" user in /etc/proftpd.conf. So I edited the /etc/ftpusers file and deleted the "ftp" user from it, and retried to log in to the FTP server as anonymous:

Compaq-Presario-CQ61] ➤ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:user): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
lrwxrwxrwx   1 root     root            9 Oct  7  2015 bin -> ./usr/bin
drwxr-xr-x   5 root     sys             9 Oct  7  2015 boot
drwxr-xr-x   2 root     root            3 Oct  7  2015 cdrom
drwxr-xr-x 200 root     sys           200 May 30 01:33 dev
drwxr-xr-x   4 root     sys            12 May 30 01:33 devices
drwxr-xr-x  97 root     sys           195 May 30 12:56 etc
drwxr-xr-x   3 root     sys             3 May 27 15:18 export
dr-xr-xr-x   2 root     root            2 Oct  6  2015 home
drwxr-xr-x  19 root     sys            19 Oct  7  2015 kernel
drwxr-xr-x  12 root     bin           335 May 27 21:06 lib
drwxr-xr-x   2 root     root            3 May 30 01:42 media
drwxr-xr-x   2 root     sys             2 Oct  7  2015 mnt
dr-xr-xr-x   2 root     root            2 Oct  7  2015 net
dr-xr-xr-x   2 root     root            2 Oct  7  2015 nfs4
drwxr-xr-x   5 root     sys             5 Oct  7  2015 opt
drwxr-xr-x   5 root     sys             5 Oct  6  2015 platform
dr-xr-xr-x 124 root     root       480032 May 30 12:57 proc
drwx------   8 root     root           14 May 29 13:18 root
drwxr-xr-x   3 root     root            3 Oct  7  2015 rpool
lrwxrwxrwx   1 root     root           10 Oct  7  2015 sbin -> ./usr/sbin
drwxr-xr-x   7 root     root            7 Oct  7  2015 system
drwxrwxrwt  16 root     sys          1542 May 30 12:30 tmp
drwxr-xr-x  33 root     sys            45 May 28 05:10 usr
drwxr-xr-x  41 root     sys            48 May 27 21:05 var
-r--r--r--   1 root     root       277648 Oct  6  2015 zvboot
226 Transfer complete
ftp> pwd
257 "/" is the current directory
ftp> bye
221 Goodbye.

Anonymous login to the proftpd FTP server now worked, but exposing all these directories to anonymous users is obviously not a good thing. The /etc/passwd file did specify / as the login directory for the "ftp" user.

ftp:x:21:21:FTPD Reserved UID:/:

I changed the home directory of the "ftp" user to /media for now since I am not at the point of mounting devices at /media yet.

ftp:x:21:21:FTPD Reserved UID:/media:

Finally, I dropped a MP3 file from the internet archive into /media/ and retried anonymous FTP, and verified it works as expected.

$ ftp 10.200.0.50
Connected to 10.200.0.50.
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [::ffff:10.200.0.50]
Name (10.200.0.50:rumtuk): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: @
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
Torley_Wong-1981_A.D..mp3
226 Transfer complete
27 bytes received in 0.0026 seconds (10.08 Kbytes/s)
ftp> bin
200 Type set to I
ftp> hash
Hash mark printing on (8192 bytes/hash mark).
ftp> get Torley_Wong-1981_A.D..mp3
200 PORT command successful
150 Opening BINARY mode data connection for Torley_Wong-1981_A.D..mp3 (4487168 bytes)
####################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################################
226 Transfer complete
local: Torley_Wong-1981_A.D..mp3 remote: Torley_Wong-1981_A.D..mp3
4487168 bytes received in 1.4 seconds (3088.44 Kbytes/s)
ftp> bye
221 Goodbye.

If you wish, you can additionally follow the instructions here to protect the FTP network service using TCP Wrappers module of ProFTPD (Solaris 11 hardening step).

Configure a Public Passwordless Workgroup-Mode Samba SMB CIFS Server for Sharing Files in Private Networks


A primary purpose of my Solaris 11 installation is to be a shared network drive and file server for all the computers and devices in our home. Specifically, an external USB Hard Disk will be made available as a SMB/CIFS share across the network. No credentials will be required to access this share from any computer on the home subnets as long as the SMB client IP address is in the private address space.

I used the network/samba package because it is independent of ZFS-level sharing features of the
The network/samba package is not the same as service/filesystem/smb package. If you have the service/filesystem/smb package installed, you need to at least disable it using the svcadm disable command first before installing network/samba.
root@solaris11-3:~# svcs -xv smb
svc:/network/smb:default (SMB properties)
 State: online since May 31, 2017 02:52:35 AM UTC
   See: man -M /usr/share/man -s 4 smb
   See: /system/volatile/network-smb:default.log
   See: /var/svc/log/network-smb:default.log
Impact: None.
root@solaris11-3:~# svcadm disable smb

Supratim Sanyal's Blog: Solaris 11 Samba SMB/CIFS File Server Package
Solaris 11 Samba SMB/CIFS File Server Package

With these goals, I fired up the package manager and searched for "samba". I then installed the "network/samba" package from the search results. Alternatively the GUI can be avoided and the same can be done from the command line using the pkg install command like so:
root@solaris11-3:~# pkg install network/samba
           Packages to install:  2
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                2/2     3038/3038  104.6/104.6  433k/s

PHASE                                          ITEMS
Installing new actions                     2600/3302
Installing new actions                     3302/3302
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           3/3


Please keep in mind the network/samba package ("samba - A Windows SMB/CIFS fileserver for UNIX") is not the same as service/filesystem/smb package ("SMB/CIFS server libraries and commands"). If you have the service/filesystem/smb package installed, you need to at least disable it using the svcadm disable command before installing network/samba:
root@solaris11-3:~# svcs -xv smb
svc:/network/smb:default (SMB properties)
 State: online since May 31, 2017 02:52:35 AM UTC
   See: man -M /usr/share/man -s 4 smb
   See: /system/volatile/network-smb:default.log
   See: /var/svc/log/network-smb:default.log
Impact: None.
root@solaris11-3:~# svcadm disable smb

The Samba server configuration file is /etc/samba/smb.conf. I created a /etc/samba/smb.conf with the following simple contents to enable a public share:

# -----
# /etc/samba/smb.conf
# Simple Samba/CIFS server configuration for unauthenticated shared network drive
# accessible from intranet private IP address space
# For network/samba package on Solaris 11.3 (SunOS 5.11)
# Supratim Sanyal, May 31, 2017
# -----

[global]
   workgroup = ENTERPRISE
   server string = SANYALnet Solaris 11.3 LAN Samba/CIFS Shared Drive
   hosts allow = 10.0.0.0/255.0.0.0,172.16.0.0/255.240.0.0,192.168.0.0/255.255.0.0
   log file = /var/log/samba/log.%m
   max log size = 50
   map to guest = bad user

   # Disable printer support
   disable spoolss = yes
   load printers = no
   printing = bsd
   printcap name = /dev/null

[sanyalnet-shared]
   path = /media/USB-Storage/sanyalnet-shared
   public = yes
   only guest = yes
   writable = yes
   printable = no
   guest ok = yes
   read only = no


I then created the log directory and set global read-write permissions on the shared directory:

root@solaris11-3:/etc/samba# mkdir /var/log/samba
root@solaris11-3:/etc/samba# chmod 777 /media

Then I refreshed, started and verified the samba service.

root@solaris11-3:/etc/samba# svcadm refresh samba
root@solaris11-3:/etc/samba# svcadm enable samba
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
 State: offline* transitioning to online since May 31, 2017 04:31:55 PM UTC
Reason: Start method is running.
   See: http://support.oracle.com/msg/SMF-8000-C4
   See: man -M /usr/share/man -s 1m smbsmbd
   See: man -M /usr/share/man -s 4 smb.conf
   See: /var/svc/log/network-samba:default.log
Impact: This service is not running.
root@solaris11-3:/etc/samba# svcs -xv samba
svc:/network/samba:default (SMB file server)
 State: online since May 31, 2017 04:32:06 PM UTC
   See: man -M /usr/share/man -s 1m smbsmbd
   See: man -M /usr/share/man -s 4 smb.conf
   See: /var/svc/log/network-samba:default.log
Impact: None.


Finally, I successfully verified the shared drive is visible and I could transfer files from and to the shared drive from a Windows 10 workstation on the same network.

Supratim Sanyal's Blog: Samba SMB CIFS Server Share hosted on Solaris 11 Accessed from Windows 10
Samba Server hosted on Solaris 11 Accessed from Windows 10


Configure Solaris 11.3 as a http web server using Apache httpd daemon


Supratim Sanyal's Blog: Web page served by Apache httpd web-server on Solaris 11
Web page served by Apache httpd web-server on Solaris 11

The Oracle Solaris 11.3 VirtualBox Virtual Machine came with Apache web server installed at the directory /usr/apache2/2.2 with the configuration files in /etc/apache2/2.2 and the DocumentRoot (web-root) directory for the default website configured to be at /var/apache2/2.2/htdocs. The primary configuration file is at /etc/apache2/2.2/httpd.conf. The version of Apache httpd daemon installed is 2.2.31:

root@solaris11-3:~# /usr/apache2/2.2/bin/httpd -v
Server version: Apache/2.2.31 (Unix)
Server built:   Sep 24 2015 08:41:55

I enhanced the Apache configuration file /etc/apache2/2.2/httpd.conf for a bit of added security mostly following this article. Here is my complete /etc/apache2/2.2/httpd.conf:


Then I commented out the following lines from both the 32-bit and 64-bit Apache module configuration files /etc/apache2/2.2/conf.d/modules-32.load and /etc/apache2/2.2/conf.d/modules-64.load to disable the DAV and Info modules:

#LoadModule dav_module libexec/mod_dav.so
#LoadModule info_module libexec/mod_info.so
#LoadModule dav_fs_module libexec/mod_dav_fs.so

For added security, I changed the owner of the Apache installation directory tree from root:sys to the non-privileged Apache daemon user and took out all world permissions from the Apache binary and configuration directories:

root@solaris11-3:~# chown -R webservd:webservd /usr/apache2

root@solaris11-3:~# chmod -R 750 /usr/apache2/2.2/bin /etc/apache2/2.2

I then simply put in my custom index.html and all associated files into /var/apache2/2.2/htdocs. Then I refreshed and enabled the http service and have a functional web server on Solaris 11.

root@solaris11-3:~# svcadm disable http
root@solaris11-3:~# svcadm refresh http
root@solaris11-3:~# svcadm enable http
root@solaris11-3:~# svcs -xv http
svc:/network/http:apache22 (Apache 2.2 HTTP server)
 State: online since May 31, 2017 08:52:28 PM UTC
   See: man -M /usr/apache2/2.2/man -s 8 httpd
   See: http://httpd.apache.org
   See: /var/svc/log/network-http:apache22.log
Impact: None.

The access and error logs are written to /var/apache2/2.2/logs as configured in /etc/apache2/2.2/httpd.conf.

TAKE A BACKUP!

At this point taking a backup is extremely important, since the next steps are dangerous because we will be playing with external USB hard disks. You can take a backup of the entire Virtual Machine as well as use the beadm create and beadm activate commands twice to create a boot environment to fall back to if the 2nd (more recent) environment is hosed, i.e. something like
root@solaris11-3:~# beadm create -d "baseline before USB HDD support" BeforeExtHDD
root@solaris11-3:~# beadm create -d "USB HDD experiment" ExtHDDExperimental
root@solaris11-3:~# beadm activate ExtHDDExperimental
root@solaris11-3:~# reboot

This way, if the External Hard Disk mounting attempts result in a kernel that keeps panicking, you can choose a prior boot environment from the grub menu.


MOUNTING EXTERNAL USB HDD WITH WINDOWS 95 / FAT 32 FILE SYSTEM FOR READING AND WRITING ON SOLARIS 11.3

Install VirtualBox Guest Additions

In a nutshell, for an external USB drive to work seamlessly at USB 2.0 speeds with VirtualBox Solaris 11.3 virtual machine, we need to install the companion version of VirtualBox Guest Additions corresponding to the installed version of Oracle VirtualBox host software itself, on both the VirtualBox host software installation and the Solaris 11.3 virtual machine that runs under the VirtualBox virtualization  environment.

To get USB 2.0 transfer speeds from an external USB hard disk, I needed to upgrade the VirtualBox Guest Additions included in the Oracle Solaris 11.3 Oracle VirtualBox VM to the same version as my installed VirtualBox release on the host computer. I had already installed the extension pack on the VirtualBox host software right after installing VirtualBox itself by downloading and double-clicking "Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.vbox-extpack" corresponding to the installed version of VirtualBox.

However, the Solaris 11.3 virtual appliance had an older version of VirtualBox Guest Additions. I first uninstalled the obsolete VirtualBox Guest Additions package from the Solaris 11.3 VM:

root@solaris11-3:~# pkginfo | grep -i guest
application SUNWvboxguest                    Oracle VM VirtualBox Guest Additions
root@solaris11-3:~# pkgrm SUNWvboxguest

The following package is currently installed:
   SUNWvboxguest  Oracle VM VirtualBox Guest Additions
                  (i386) 5.0.4,REV=r102546.2015.09.08.10.07

Do you want to remove this package? [y,n,?,q] y

## Removing installed package instance <SUNWvboxguest>

This package contains scripts which will be executed with super-user
permission during the process of removing this package.

Do you want to continue with the removal of this package [y,n,?,q] y
## Verifying package <SUNWvboxguest> dependencies in global zone
## Processing package information.
## Executing preremove script.
Removing VirtualBox service...
Removing VirtualBox kernel modules...
Device busy
Cannot unload module: vboxms
Will be unloaded upon reboot.
VirtualBox pointer integration module unloaded.
Device busy
Cannot unload module: vboxguest
Will be unloaded upon reboot.
VirtualBox guest kernel module unloaded.
Restoring X.Org...
Done.
## Removing pathnames in class <manifest>
## Removing pathnames in class <none>
/var/svc/manifest/application/virtualbox
/usr/share/gnome/autostart/vboxclient.desktop
/usr/sbin/vboxmslnk
/usr/lib/xorg/modules/drivers/vboxvideo_drv.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGL.so
/usr/kernel/fs/vboxfs
/usr/kernel/fs/amd64/vboxfs
/usr/kernel/drv/vboxms.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/amd64/vboxguest
/usr/bin/VBoxService
/usr/bin/VBoxControl
/usr/bin/VBoxClient-all
/usr/bin/VBoxClient
/opt/VirtualBoxAdditions/x11restore.pl
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/VBoxService
/opt/VirtualBoxAdditions/i386/VBoxControl
/opt/VirtualBoxAdditions/i386/VBoxClient
/opt/VirtualBoxAdditions/i386
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/VBoxService
/opt/VirtualBoxAdditions/amd64/VBoxControl
/opt/VirtualBoxAdditions/amd64/VBoxClient
/opt/VirtualBoxAdditions/amd64
/opt/VirtualBoxAdditions/VBoxService
/opt/VirtualBoxAdditions/VBoxISAExec
/opt/VirtualBoxAdditions/VBoxControl
/opt/VirtualBoxAdditions/VBoxClient
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions
/etc/fs/vboxfs/mount
/etc/fs/vboxfs
/dev/vboxguest
## Updating system information.

Removal of <SUNWvboxguest> was successful.

A couple of kernel modules were busy and could not be unloaded as highlighted above. However, according to the messages, they "will be unloaded upon reboot". I wanted a complete uninstallation of the shipped VirtualBox Guest Additions before installing the new version to avoid conflicts with active kernel modules from the old version while installing the new version, and rebooted:

root@solaris11-3:~# reboot

Once Solaris 11.3 returned after reboot, I used VirtualBox's "Devices" menu to select "Insert Guest Additions CD Image". As soon as I did this, the virtual Guest Additions CD was auto-mounted at /media/VBOXADDITIONS_5.1.22_115126 and new icon was added to the Desktop. I then installed the package VBoxSolarisAdditions.pkg from /media/VBOXADDITIONS_5.1.22_115126.

root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# ls -l
total 102841
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 32Bit
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 64Bit
-r-xr-xr-x   1 root     root         647 Aug 16  2016 AUTORUN.INF
-r-xr-xr-x   1 root     root        6381 Apr 28 16:27 autorun.sh
dr-xr-xr-x   2 root     root        2048 Apr 28 15:35 cert
dr-xr-xr-x   2 root     root        4096 Apr 28 15:35 OS2
-r-xr-xr-x   1 root     root        4824 Apr 28 16:27 runasroot.sh
-r-xr-xr-x   1 root     root     8140237 Apr 28 16:27 VBoxLinuxAdditions.run
-r-xr-xr-x   1 root     root     17782784 Apr 28 17:28 VBoxSolarisAdditions.pkg
-r-xr-xr-x   1 root     root     16400296 Apr 28 16:35 VBoxWindowsAdditions-amd64.exe
-r-xr-xr-x   1 root     root     10039072 Apr 28 16:29 VBoxWindowsAdditions-x86.exe
-r-xr-xr-x   1 root     root      268496 Apr 28 16:27 VBoxWindowsAdditions.exe
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# pkgadd -d VBoxSolarisAdditions.pkg

The following packages are available:
  1  SUNWvboxguest     Oracle VM VirtualBox Guest Additions
                       (i386) 5.1.22,REV=r115126.2017.04.28.18.28

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:

Processing package instance <SUNWvboxguest> from </media/VBOXADDITIONS_5.1.22_115126/VBoxSolarisAdditions.pkg>

Oracle VM VirtualBox Guest Additions(i386) 5.1.22,REV=r115126.2017.04.28.18.28
Oracle Corporation
Using </> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

This package contains scripts which will be executed with super-user
permission during the process of installing this package.

Do you want to continue with the installation of <SUNWvboxguest> [y,n,?] y

Installing Oracle VM VirtualBox Guest Additions as <SUNWvboxguest>

## Installing part 1 of 1.
/etc/fs/vboxfs/mount <symbolic link>
/opt/VirtualBoxAdditions/1099.vboxclient
/opt/VirtualBoxAdditions/LICENSE
/opt/VirtualBoxAdditions/VBox.sh
/opt/VirtualBoxAdditions/amd64/VBoxClient.Z
/opt/VirtualBoxAdditions/amd64/VBoxControl.Z
/opt/VirtualBoxAdditions/amd64/VBoxService.Z
/opt/VirtualBoxAdditions/amd64/pam_vbox.so
/opt/VirtualBoxAdditions/amd64/vboxfs
/opt/VirtualBoxAdditions/amd64/vboxfs_s10
/opt/VirtualBoxAdditions/amd64/vboxfsmount
/opt/VirtualBoxAdditions/amd64/vboxmslnk
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/amd64/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/i386/VBoxClient.Z
/opt/VirtualBoxAdditions/i386/VBoxControl.Z
/opt/VirtualBoxAdditions/i386/VBoxService.Z
/opt/VirtualBoxAdditions/i386/pam_vbox.so
/opt/VirtualBoxAdditions/i386/vboxfs
/opt/VirtualBoxAdditions/i386/vboxfs_s10
/opt/VirtualBoxAdditions/i386/vboxfsmount
/opt/VirtualBoxAdditions/i386/vboxmslnk
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_110.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_111.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_112.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_113.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_114.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_117.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_118.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_13.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_14.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_15.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_16.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_17.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_18.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_19.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_70.so.Z
/opt/VirtualBoxAdditions/i386/vboxvideo_drv_71.so.Z
/opt/VirtualBoxAdditions/solaris_xorg.conf
/opt/VirtualBoxAdditions/solaris_xorg_modeless.conf
/opt/VirtualBoxAdditions/vbox_vendor_select
/opt/VirtualBoxAdditions/vboxclient.desktop
/opt/VirtualBoxAdditions/vboxguest.sh
/opt/VirtualBoxAdditions/vboxmslnk
/opt/VirtualBoxAdditions/x11config15sol.pl
/opt/VirtualBoxAdditions/x11restore.pl
/usr/bin/VBoxClient <symbolic link>
/usr/bin/VBoxClient-all <symbolic link>
/usr/bin/VBoxControl <symbolic link>
/usr/bin/VBoxService <symbolic link>
/usr/kernel/drv/amd64/vboxguest
/usr/kernel/drv/amd64/vboxms
/usr/kernel/drv/vboxguest
/usr/kernel/drv/vboxguest.conf
/usr/kernel/drv/vboxms
/usr/kernel/drv/vboxms.conf
/usr/lib/VBoxOGL.so
/usr/lib/VBoxOGLarrayspu.so
/usr/lib/VBoxOGLcrutil.so
/usr/lib/VBoxOGLerrorspu.so
/usr/lib/VBoxOGLfeedbackspu.so
/usr/lib/VBoxOGLpackspu.so
/usr/lib/VBoxOGLpassthroughspu.so
/usr/lib/amd64/VBoxOGL.so
/usr/lib/amd64/VBoxOGLarrayspu.so
/usr/lib/amd64/VBoxOGLcrutil.so
/usr/lib/amd64/VBoxOGLerrorspu.so
/usr/lib/amd64/VBoxOGLfeedbackspu.so
/usr/lib/amd64/VBoxOGLpackspu.so
/usr/lib/amd64/VBoxOGLpassthroughspu.so
/usr/sbin/vboxmslnk <symbolic link>
[ verifying class <none> ]
/opt/VirtualBoxAdditions/VBoxClient <linked pathname>
/opt/VirtualBoxAdditions/VBoxControl <linked pathname>
/opt/VirtualBoxAdditions/VBoxISAExec <linked pathname>
/opt/VirtualBoxAdditions/VBoxService <linked pathname>
[ verifying class <manifest> ]
## Executing postinstall script.
Uncompressing files...
Configuring VirtualBox guest kernel module...
VirtualBox guest kernel module loaded.
VirtualBox pointer integration module loaded.
Creating links...
Installing video driver for X.Org 1.14.5...
Configuring client...
Installing 64-bit shared folders module...
Installing 32-bit shared folders module...
Configuring services (this might take a while)...
Enabling services...
Updating boot archive...
Done.
Please re-login to activate the X11 guest additions.
If you have just un-installed the previous guest additions a REBOOT is required.

Installation of <SUNWvboxguest> was successful.
root@solaris11-3:/media/VBOXADDITIONS_5.1.22_115126# cd
root@solaris11-3:~#

Connect External Hard Disk with NTFS Formatted Volume to Solaris 11.3 and find device name


I shut Solaris 11.3 down from the desktop GUI and connected an NTFS-formatted Western Digital USB disk drive to a USB port on the VM host, reconfiguring the VM to connect the USB drive to Solaris 11 over USB 2.0.

Supratim Sanyal's Blog: Oracle VirtualBox USB 2.0 EHCI Controller Configuration for Solaris 11.3 Virtual Machine - 1.5TB Western Digital MyBook
Oracle VirtualBox USB 2.0 EHCI Controller Configuration for Solaris 11.3 Virtual Machine
I then launched the Solaris 11.3 virtual machine, logged in and ran the Applications -> System Tools -> GParted Partition Editor tool. GParted took some time to scan the attached drives for partitions, after which I could select the external USB drive from a drop-down list at the top right corner. From the information presented, the device name for the USB drive is /dev/dsk/c3t0d0p1.

Supratim Sanyal's Blog: GParted on Solaris 11.3 Showing NTFS volume on external USB Hard Drive
GParted on Solaris 11.3 Showing NTFS volume on external USB Hard Drive

Install the Tools to Mount NTFS Volume: FUSE and NTFS-3G for Solaris 11

Now that I know the name of the device corresponding to the Windows NTFS volume on the external USB hard disk, I proceeded to install the software tools needed to mount it on Solaris 11.3.

Adding SFE Solaris 11 Repo

The software needed to mount NTFS volumes on Solaris 11 are available for free from SFE - Software Packages for Solaris, OpenIndiana and OmniOS, To get access to the software, I launched the Package Manager from the desktop icon and first added the Solaris 11 IPS Packages Repository as a publisher using File -> Add Publisher... with the URI http://sfe.opencsw.org/localhosts11.

Supratim Sanyal's Blog: Adding Solaris 11 SFE Repository to Package Manager using Publisher URI
Adding Solaris 11 SFE Repository to Package Manager using Publisher URI
On clicking "Add", the Package Manager downloads, refreshes and caches the new catalog, and reports success in a pop-up window when all done.

Install fusefs on Oracle Solaris 11.3 to read/write NTFS volumes

To install FUSE (File System in User Space), I searched for "fuse" in the Package Manager searchbox at the top right, checked the fusefs from publisher localhosts11 and library/libfuse from publisher solaris check-boxes, and clicked on "Install/Update". I then clicked Proceed on the Install Confirmation pop-up.

Supratim Sanyal's Blog: Install FUSE file system and FuseFS libraries on Solaris 11
Install FUSE file system and FuseFS libraries on Solaris 11
After installing fusefs, I rebooted the system just to start clean since fusefs is a kernel module.

Install ntfs-3g on Oracle Solaris 11.3 to read/write NTFS volumes

Installing ntfs-3g turned out to be a bit tricky, and I had to build and install it from the source package. The problem with the ntfs-3g binary package is it includes the tools in the ntfsprogs package which was already installed in the Oracle Solaris 11.3 VirtualBox Virtual Machine distribution. Trying to uninstall ntfsprogs threw up dependencies on GParted and partition manager tools that I did not want to uninstall in turn because they are so useful. Building and installing ntfs-3g from source actually overwrites the ntfsprogs tools without requiring complex resolution of dependencies by uninstalling useful programs.

I installed the ntfs-3g/src source package from the SFE localhosts11 repository using the package manager.

Supratim Sanyal's Blog: NTFS-3G Source Package Installation on Solaris 11.3 for Read-Write NTFS Volume Support
NTFS-3G Source Package Installation on Solaris 11.3

Installing the ntfs-3g source package ntfs-3g/src using the Package Manager basically dropped the compressed source tarball at /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz. I uncompressed, built and installed ntfs-3g from this source tarball:

root@solaris11-3:~# cd /usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# tar xvzf ntfs-3g_ntfsprogs-2016.2.22AR.2.tgz
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES# cd ntfs-3g_ntfsprogs-2016.2.22AR.2
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# ./configure
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make
root@solaris11-3:/usr/src/SFEntfs-3g-2016.2.22AR.2/SOURCES/ntfs-3g_ntfsprogs-2016.2.22AR.2# make install

Here is a log of the complete terminal session of building ntfs-3g on Solaris from source and installing it.


Mounting the NTFS Volume

The device name for the NTFS partition of the external USB drive is /dev/dsk/c3t0d0p1  as I had found by running GParted previously. With fusefs and ntfs-3g now installed, we can now finally mount the NTFS volume from the USB disk on a directory:

root@solaris11-3:~# mkdir /media/USB-Storage
root@solaris11-3:~# lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/
The disk contains an unclean file system (0, 0).
The file system wasn't safely closed on Windows. Fixing.

The "The disk contains an unclean file system (0, 0). The file system wasn't safely closed on Windows. Fixing." message typically happens during mounting a NTFS volume on Solaris 11.3 using lowntfs-3g or ntfs-3g if the volume was previously mounted on Windows and Windows was shut down in the "hybrid" fast-startup (fastboot) mode.

A quick test to make sure we can write to and read from the NTFS volume, and we are all set on a read-write NTFS volume mounted on Solaris 11.3 using fuse and ntfs-3g.

root@solaris11-3:~# mount
...
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun  9 03:30:14 2017
root@solaris11-3:~# cp /etc/release /media/USB-Storage/
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx   1 root     root           0 Jun  2 23:54 $RECYCLE.BIN
-rwxrwxrwx   1 root     root         187 Jun  9 03:37 release
drwxrwxrwx   1 root     root      151552 Jun  7 19:16 sanyalnet-shared
drwxrwxrwx   1 root     root        4096 Jun  2 23:55 System Volume Information

Once the NTFS volume is mounted and available, Solaris 11.3 even places an icon for the new NTFS volume on the desktop automatically. Double-clicking on this new icon opens up File Browser showing the files contained in the NTFS volume:

Desktop Icon for External USB Hard Disk NTFS Volume on Solaris 11.3

Auto-mount NTFS volume on Solaris 11.3 using ntfs-3g and fuse

To mount the USB HDD automatically on reboot of Solaris 11.3, I created a file /etc/rc.local with the following contents

# ---
# /etc/rc.local
#
# Commands to execute at end of boot
# This is a linked from /etc/rc3.d/S99local
# Solaris 11 still supports this
# ---
/usr/bin/lowntfs-3g /dev/dsk/c3t0d0p1 /media/USB-Storage/

and then placed a symbolic link from /etc/rc3.d/S99local to /etc/rc.local 

# chmod +x /etc/rc.local
# ln -s /etc/rc.local /etc/rc3.d/S99local
# ls -l /etc/rc.local /etc/rc3.d/S99local
-rwxr-xr-x   1 root     root         357 Jan 23 19:30 /etc/rc.local
lrwxrwxrwx   1 root     root          13 Jan 20 19:12 /etc/rc3.d/S99local -> /etc/rc.local

Then I rebooted and verified if the auto-mount on boot worked.

root@solaris11-3:~# uptime
  1:48pm  up 13 min(s),  2 users,  load average: 2.64, 1.84, 1.01
root@solaris11-3:~# dmesg | grep lowntfs
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Version 2016.2.22AR.2 integrated FUSE 27
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Requested device /dev/dsk/c3t0d0p1 canonicalized as /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mounted /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r (Read-Write, label "WD My Book 1110 External HDD USB", NTFS 3.1)
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Cmdline options:
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Mount options: allow_other,nonempty,relatime,fsname=/devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r
Jun  9 13:44:18 solaris11-3.sanyalnet.lan lowntfs-3g[970]: [ID 702911 daemon.notice] Ownership and permissions disabled, configuration type 6
root@solaris11-3:~# mount | grep -i USB-Storage
/media/USB-Storage on /devices/pci@0,0/pci8086,265c@b/storage@1/disk@0,0:r read/write/nosetuid/nodevices/rstchown/dev=5080000 on Fri Jun  9 13:44:18 2017
root@solaris11-3:~# ls -l /media/USB-Storage/
total 305
drwxrwxrwx   1 root     root           0 Jun  2 23:54 $RECYCLE.BIN
-rwxrwxrwx   1 root     root         187 Jun  9 03:37 release
drwxrwxrwx   1 root     root      151552 Jun  7 19:16 sanyalnet-shared
drwxrwxrwx   1 root     root        4096 Jun  2 23:55 System Volume Information

Looks like everything worked and we are all set!


Configure final IP v4 address and Default Routing Gateway

I reconfigured Solaris 11 networking to the final production IP v4 address and gateway, based on excellent online documentation provided by Oracle including Creating Persistent (Static) Routes and Configuring IP Interfaces. I have no use for IPv6 which I did not configure.


Configure Solaris 11.3 IP Address

root@solaris11-3:~# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         1000   full      e1000g0
root@solaris11-3:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
root@solaris11-3:~# ipadm show-if
IFNAME     CLASS    STATE    ACTIVE OVER
lo0        loopback ok       yes    --
net0       ip       ok       yes    --
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.200.0.50/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::a00:27ff:fe11:52f/10
root@solaris11-3:~# ipadm delete-ip net0
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
lo0/v6            static   ok           ::1/128
root@solaris11-3:~# ipadm create-ip net0
root@solaris11-3:~# ipadm create-addr -T static -a 10.42.2.3/24 net0/v4
root@solaris11-3:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.42.2.3/24
lo0/v6            static   ok           ::1/128



Configure Solaris 11.3 Routing Default Gateway

root@solaris11-3:~# route -p show
persistent: route add default 10.200.0.1
root@solaris11-3:~# route -p flush
delete persistent net default: gateway 10.200.0.1
default              10.200.0.1           done
root@solaris11-3:~# route -p show
No persistent routes are defined
root@solaris11-3:~# route -p add default 10.42.2.1
add net default: gateway 10.42.2.1
add persistent net default: gateway 10.42.2.1
root@solaris11-3:~# route -p show
persistent: route add default 10.42.2.1


The completed reconfigured network configuration looks like this.

root@solaris11-3:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
net0: flags=100001000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,PHYSRUNNING> mtu 1500 index 2
        inet 10.42.2.3 netmask ffffff00 broadcast 10.42.2.255
        ether 8:0:27:11:5:2f
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128
net0: flags=120002000840<RUNNING,MULTICAST,IPv6,PHYSRUNNING> mtu 1500 index 2
        inet6 ::/0
        ether 8:0:27:11:5:2f

root@solaris11-3:~# netstat -rn

Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              10.42.2.1            UG        6       3228
10.42.2.0            10.42.2.3            U         5       1550 net0
127.0.0.1            127.0.0.1            UH        2          4 lo0

Routing Table: IPv6
  Destination/Mask            Gateway                   Flags Ref   Use    If
--------------------------- --------------------------- ----- --- ------- -----
::1                         ::1                         UH      2      32 lo0


Wrapping Up


Install fail2ban with intrusion reporting to blocklist.de


I installed and configured fail2ban with reporting to my existing server account at blocklist.de by first executing:

root@solaris11-3:~# pkg install network/fail2ban
           Packages to install:  1
            Services to change:  1
       Create boot environment: No
Create backup boot environment: No

DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                                1/1         99/99      0.1/0.1 47.8k/s

PHASE                                          ITEMS
Installing new actions                       134/134
Updating package state database                 Done
Updating package cache                           0/0
Updating image state                            Done
Creating fast lookup database                   Done
Updating package cache                           4/4
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
 State: disabled since June 10, 2017 06:52:11 PM UTC
Reason: Disabled by an administrator.
   See: http://support.oracle.com/msg/SMF-8000-05
   See: /var/svc/log/network-fail2ban:default.log
Impact: This service is not running.
root@solaris11-3:~# svcadm refresh fail2ban
root@solaris11-3:~# svcadm enable fail2ban
root@solaris11-3:~# svcs -xv fail2ban
svc:/network/fail2ban:default (?)
 State: online since June 10, 2017 06:53:35 PM UTC
   See: /var/svc/log/network-fail2ban:default.log
Impact: None.

and then grabbed action.d/blocklist_de.local from here. I then took help from my prior post about Fail2Ban on openindiana "Fail2Ban Intrusion Prevention on Solaris 11 OPENINDIANA SunOS 5.11 Illumos with Reporting to Blocklist.de" to configure it with full reporting capability to blocklist.de.


Other final reconfiguration


I then reconfigured the ProFTP FTP server to use a folder on the external USB drive as ftproot. Finally I zeroed out the empty space on the ZFS file system and compacted the virtual machine hard drive, took a backup and put it into production at http://sanyal.duckdns.org:81.







Recommended Products from Amazon