Feb 272010
 

One of the great things about OpenSolaris is that the archaic packaging tools have been replaced with something that looks like it may be a little better; one of the disadvantages is that trying to install packages from something like OpenCSW is a little awkward when the first command fails.

Given that I’ve just to hunt around for the details a second time, it is worth working up the basics into something that can be added here. Firstly we need to install the commands necessary to support the old packages :-

pkg install SUNWpkgcmds
pkg install SUNWwget

Now that has been done, it should be possible to install the OpenCSW package command using pkgadd :-

pkgadd -d http://www.opencsw.org/pkg_get.pkg
Jan 072010
 

For various reasons I have decided that I need to install mod_security2 on my personal web server. This is a Solaris zone running on an OpenSolaris global zone with various bits of software provisioned by OpenCSW. Unfortunately (or fortunately at least from the point of view that I get to do something interesting), mod_security2 is not something provided by OpenCSW.

For even more various reasons, I decided to “formalise” my notes on building, installing, and configuring mod_security2.

Before attempting to build mod_security2, it is important to have a functional build environment. This includes :-

  • Installing the apache2_devel package from OpenCSW (pkg-get -i apache2_devel)
  • Installing the gcc3 package from OpenCSW
  • Installing the following OpenSolaris packages (pkg install XXX) :- SUNWhea, SUNWarc, SUNWbtool
  • Installing the SunStudio package from Sun. It may be possible that gcc3 is not necessary with this installed, but I ended up with both so advise you too as well. In addition to installing it in the standard location (/opt/SUNWspro) it is also necessary to create a symlink in the place where the OpenCSW developer placed his/her copy of SunStudio :- mkdir -p /opt/studio/SOS11; ln -s /opt/SUNWspro /opt/studio/SOS11/SUNWspro

The next step is to setup a shell environment appropriate to configuring and compiling mod_studio2 :-

export PATH=$PATH:/opt/SUNWspro/bin
export PATH=$PATH:/opt/csw/bin
export PATH=$PATH:/usr/ccs/bin
export PATH=$PATH:/opt/csw/gcc3/bin
export CC=gcc

(The above presumes the use of a shell that understands the above syntax)

The next step is to unpack the module source code, and configure it  :-

cd /var/tmp
gunzip -c modsecurity-apache_2.5.11.tar.gz | tar xvf -
cd modsecurity-apache_2.5.11
cd apache2
./configure --with-apxs=/opt/csw/apache2/sbin/apxs \
   --with-pcre=/opt/csw \
   --with-apr=/opt/csw/apache2 \
   --with-apu=/opt/csw/apache2//bin/apu-config

That should successfully general a Makefile. Edit this makefile and remove all references to “-Wall” (for APSX_EXTRA_CFLAGS, also remove the proceeding “-Wc,”). This is because modules will compile with SunStudio’s compiler no matter what we try to do to stop it, and SunStudio does not understand “-Wall”.

Now finally you can compile the software :-

make
sudo make install

Now we are at the point where we can start configuring mod_security2.

In the main httpd.conf file, add the following two directives somewhere appropriate (i.e. close to the other “LoadModule” directives) :-

LoadFile /opt/csw/lib/libxml2.so
#   Check that this library is installed!
LoadModule unique_id_module libexec/mod_unique_id.so
#   This will be already in the file but may be commented out
LoadModule security2_module libexec/mod_security2.so
#   And this is the one we're interested in.

At this point, try a graceful restart (/opt/csw/apache2/sbin/apachectl graceful) to be sure that the relevant code loads. Now onto enabling the module and configuring it with the “Core Rule Set” …

First copy the rules subdirectory to an appropriate place and fix the permissions :-

cp -rp rules /opt/csw/apache2/etc/modsecurity
chown -R root:root /opt/csw/apache2/etc/modsecurity
chmod -R o+r /opt/csw/apache2/etc/modsecurity
find /opt/csw/apache2/etc/modsecurity -type d -exec chmod o+x {} \;

In the file modsecurity/modsecurity_crs_10_global_config.conf, change SecDataDir to /var/tmp.

In the file modsecurity/modsecurity_crs_10_config.conf :-

  1. Change SecAudditLog to var/log/modsec_audit.log
  2. Change SecDebugLog to var/log/modsec_debug.log

Now add the following to httpd.conf :-

Include etc/modsecurity/modsecurity_crs_10_global_config.conf
Include etc/modsecurity/modsecurity_crs_10_config.conf
Include etc/modsecurity/base_rules/*conf

And gracefully restart Apache.

At this point, mod_security2 is running and blocking stuff, but has not been finely “tweaked” to the local applications – at the very least it partially breaks WordPress, and may well break other applications.

Oct 272009
 

Whether you are using ufs filesystems or zfs storage pools, Solaris has a rather nifty way of migrating storage from one SAN to another wih no (or little) downtime. Or various other reasons involving moving from one disk to another. The key advantage to the following method is to reducing or eliminating downtime. Even if your users can take the hit, not having to slowly watch a multiterabyte filesystem copying from one disk to another is reason enough to use this technique.

Basically it is by using mirroring. Using mirroring to copy a disk might seem a little odd to begin with, but once you’ve seen it work you’ll be a fan.

For UFS (and SVM) Filesystems

This section assumes that the source disk device (cXXXXX) is set in the variable ${sourcedisk} and the destination is in ${destdisk}.

For UFS filesystems, the first step (which does require an outage) is to :-

  1. Stop the application that uses the filesystem being migrated.
  2. Unmount the filesystem.
  3. Encapsulate the existing filesystem device into a SVM metadevice: metainit d1001 1 1 ${sourcedisk}
  4. Create a mirror device with the new metadevice as a submirror: metainit d1000 -m d1001
  5. Change the references in /etc/vfstab to the old device name (${sourcedisk}) to the new mirror (not sub-mirror!) device – d1000
  6. Remount the filesystem and restart the application.

This should take no more than 10 minutes and is the only outage involved. There are two remaining sets of steps :-

  1. Create a new metadevice using the new disk: metainit d1002 1 1 ${destdisk}
  2. Attach the new metadevice to the mirror as an additional sub-mirror: metattach d1000 d1002

At this point, the mirror will start resilvering. It may take some time to complete, but the time it takes to do so does not really matter. In particular the resilvering process should not cause a performance problem to your application – the application I/O takes priority.

When the resilvering is complete :-

  1. Remove the metadevice containing the old SAN disk: metadetach d1000 d1001
  2. Remove the metadevice that is no longer required: metaclear d1001
  3. Attach “nothing” to the mirror metadevice (this is to ensure that the mirror grows to the size of the new submirror): metattach d1000
  4. Finally, ignore the warning on the manual page (which is outdated) and grow the filesystem: growfs -M /mount/point /dev/md/rdsk/d1000

You will see that I have used the metadevice names d1000 (for the mirror), d1001 (for the old sub-mirror), and d1002 (for the new submirror). Whatever device names you use, it is worth trying to be consistent – it helps a lot when you have dozens of filesystems to process.

ZFS Storage Pools

This is even simpler. If you have a storage pool called ${pool} which contains a single device called ${sourcedisk}, you simply :-

  1. Attach the new device: zpool attach ${pool} ${sourcedisk} ${destdisk}
  2. Wait for the resilvering to finish.
  3. Dettach the old device: zpool detach ${pool} ${sourcedisk}

Of course be aware of anything you read on the Internet! I have not actually tested the above; I’m merely regurgitating memory that has recently been exercised – I’m doing a SAN migration at work right now.

Oct 032009
 

Yesterday I went through the process of creating a ZFS storage pool with a single device :-

zpool create zt1 cXXXXX

Next adding an additional device to mirror the first :-

zpool attach zt1 cXXXXX cYYYYY

Watched it resilver, and then detached the first replica reducing the number of replicas to one :-

zpool detach zt1 cXXXXX

This is one of the nicest ways possible to migrate a large dataset from one set of devices to another (say replacing a SAN). However the documentation on Sun’s manual page for zpool is just a little vague in the relevant area and does not explicitly say that a single replica is a perfectly valid configuration.

This might all seem a little obvious, but removing a replica to reduce a storage pool to an pool without a mirror (no redundancy) is something that some volume managers don’t allow.

Jul 272009
 

I am a big fan of ‘self-documenting’ systems where the system has enough ‘comments’ to describe how it is configured and what things are doing. Unfortunately Solaris zones (or containers if you are so inclined to use the marketing name) lack one feature that would assist this :-

# zoneadm list -d
global
black                  Stealth Secondary DNS
grey                   Webserver for project X
white                  Mailbox server for project Y
blue                   Oracle DBMS for project X
puce                   MySQL DBMS for project X

It would seem that project Y hasn’t gotten beyond the talking stage 🙂

Yes, you’ve guessed it. Solaris zones could do with a “description” attribute to assist in documentation.

WP Facebook Auto Publish Powered By : XYZScripts.com

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close