Cover V13, i03

Questions and Answers

Amy Rich

Thanks to Robert Banniza for a correction to the February 2003 (http://www.samag.com/documents/s=9023/sam0402h/0402h.htm) Q&A about booting a Sun V240 from Solaris 8. Although Sun specifies on their Web site that the V240 should boot from Solaris 8 02/02, Solaris 8 05/03 is actually required because the machine will issue a kernel panic due to missing drivers.

Q Our group just inherited a Sun AXi that someone had been using as a desktop machine. We were going to turn this box into a small server, but it has a very annoying problem. Every time the machine resets, it won't auto-boot. Instead, it gives the error trap 3e. If you type in boot from the console after the error, the machine comes up just fine.

I've tried everything I can think of to diagnose/fix this problem. I increased the diagnostic level, and there doesn't appear to be anything really wrong. I tried enabling diag-switch? and setting the diag-device to disk, but it just gives the error twice. I tried reinstalling the OS, reinstalling the boot blocks, and fsck'ing the disk. Nothing ever shows up as actually being a problem, but the machine just fails to auto-boot. Do you have any suggestions?

A It sounds like your boot drive is an IBM. There's a known issue with some IBM drives not being ready after a reset. The workaround is to force a disk probe upon power on so that the disks are recognized and ready to boot from by the time the machine tries to boot. To accomplish this, drop the machine to the ok prompt and use nvedit to add some lines to the nvramrc. The following is a quick key-binding list for nvedit:

  • Control-B: Move backward one character.
  • Control-C: Exit the editor and return to the OpenBoot command interpreter. The temporary buffer is preserved but is not written back to NVRAMRC. (Use nvstore afterwards to write back the temporary buffer.)
  • Control-F: Move forward one character.
  • Control-K: If at the end of a line, join the next line to the current line (that is, delete the newline).
  • Control-L: List all lines.
  • Control-N: Move to the next line of the NVRAMRC editing buffer.
  • Control-O: Insert a new line at the cursor position and stay on the current line.
  • Control-P: Move to the previous line of the NVRAMRC editing buffer.
  • Delete: Delete the previous character.
  • Return: Insert a new line at the cursor position and advance to the next line.

For the entire command-line editor key map, see:

http://docs.sun.com/db/doc/805-4434/6j46vcb5g?a=view

To begin, record the information stored in the OBP -- just in case you make a mistake and need to restore it later. Then, add the lines listed below to any existing configuration information in the nvramrc temporary buffer. The instance of /pci@1f,0/pci@1/scsi@1 below should be replaced with the actual location of your SCSI card. This information can be determined by performing a probe-scsi, but the default on an AXi is /pci@1f,0/pci@1/scsi@1.

nvramrc=probe-all install-console banner
" Probing all to work around IBM boot disk trap 3e error" type cr
" /pci@1f,0/pci@1/scsi@1" " show-children" execute-device-method drop

On the next blank line, type Control-c to exit nvedit and then type the following to make sure that your changes are stored and used during boot time:

ok nvstore
ok setenv use-nvramrc? true

If you munge the nvramrc and your machine fails to give you a display after you reset it, hit Stop-n to reset the OBP to its factory defaults.

Q I'm trying to do some performance tuning on a FreeBSD 4.9-STABLE machine, so I've whipped up a Bourne shell script to time some functions. I'm then parsing and correlating the output from the time command to generate some statistics. Because I needed some extra functionality, I switched to bash. Unfortunately, the time command doesn't seem to be outputting what I expect. Here's the simplest case of the two scripts, with the bash script first:

#!/usr/local/bin/bash
time ls -a

The output from the above script is:

.       ..

real    0m0.004s
user    0m0.000s
sys     0m0.003s

And the Bourne shell script:

#!/bin/sh
time ls -a

with an output of:

.       ..
        0.00 real         0.00 user         0.00 sys

How do I make the output match?

A You're getting different output because bash reserves the time keyword and prints its report in its own format, whereas /bin/sh has no time builtin and runs /usr/bin/time. You can reformat the bash output to look like the /usr/bin/time output you see from the Bourne shell by setting the TIMEFORMAT variable in your script. Here's an excerpt from the BASH FAQ:

    The value of TIMEFORMAT is a string with '%' escapes expanded in a fashion similar in spirit to printf(3). The manual page explains the meanings of the escape sequences in the format string.

    If TIMEFORMAT is not set, bash acts as if the following assignment had been performed:

    TIMEFORMAT=$'\nreal\t%3lR\nuser\t%3lU\nsys\t%3lS'

    The POSIX.2 default time format (used by 'time -p command') is

    TIMEFORMAT=$'real %2R\nuser %2U\nsys %2S'

    The BSD /usr/bin/time format can be emulated with:

    TIMEFORMAT=$'\t%1R real\t%1U user\t%1S sys'

    The System V /usr/bin/time format can be emulated with:

    TIMEFORMAT=$'\nreal\t%1R\nuser\t%1U\nsys\t%1S'

    The ksh format can be emulated with:

    TIMEFORMAT=$'\nreal\t%2lR\nuser\t%2lU\nsys\t%2lS'

You want the BSD format, so your script would be written as:

#!/usr/local/bin/bash
TIMEFORMAT=$'\t%1R real\t%1U user\t%1S sys'
time ls -a

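Since the point of the exercise is to parse the timing output for statistics, here is an added example (not from the original column) that wraps the BSD-style TIMEFORMAT in a reusable function and pulls the real-time field out of the one-line result. It is written for /bin/sh and writes the bash part to a temporary file, so it runs the same way whether your login shell is sh or bash; the function names bsd_time, real_seconds and is_bsd_format are my own.

```shell
#!/bin/sh
# Added example: time a command under bash using the BSD /usr/bin/time
# layout from the FAQ excerpt, then parse the "real" field for statistics.

# Run "$@" under bash with the BSD-style TIMEFORMAT and return the single
# timing line on stdout. bash's reserved word `time` honours TIMEFORMAT,
# which is why the script must be executed by bash and not /bin/sh.
bsd_time() {
    script=$(mktemp) || return 1
    cat > "$script" <<'EOF'
#!/usr/bin/env bash
# BSD /usr/bin/time layout, exactly as given in the bash FAQ
TIMEFORMAT=$'\t%1R real\t%1U user\t%1S sys'
# `time` reports on stderr; discard the command's own output and merge
# the report into stdout so the caller gets just the timing line
{ time "$@" >/dev/null 2>&1 ; } 2>&1
EOF
    bash "$script" "$@"
    status=$?
    rm -f "$script"
    return $status
}

# Extract the wall-clock seconds from a BSD-format line, e.g.
# "<tab>0.0 real<tab>0.0 user<tab>0.0 sys" -> "0.0"
real_seconds() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*\([0-9][0-9]*\.[0-9][0-9]*\) real.*/\1/p'
}

# Succeed only if the line has the three "<n.n> <name>" fields in BSD order;
# useful as a sanity check before feeding numbers into a statistics script.
is_bsd_format() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*[0-9]+\.[0-9]+ real[[:space:]]+[0-9]+\.[0-9]+ user[[:space:]]+[0-9]+\.[0-9]+ sys$'
}

# Usage: time `ls -a` and print just the elapsed seconds
line=$(bsd_time ls -a)
if is_bsd_format "$line"; then
    echo "real seconds: $(real_seconds "$line")"
else
    echo "unexpected time output: $line" >&2
fi
```

The `>/dev/null 2>&1` inside the brace group applies to the timed command only; the timing report itself is written by bash after the command finishes, to the group's stderr, which the outer `2>&1` sends to stdout.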
Q I'm trying to get a grasp on the way sendmail 8.12.10 handles things in the accessdb and in what order entries are processed. I want to add some DNSBL entries to the accessdb, but I need to whitelist some people who may use DNSBL addresses. Does accessdb process OK entries before DNSBL entries so I can whitelist these people? Do I just put the accessdb lines in the order I want them processed?

A Sendmail uses rulesets from the sendmail.cf file to process entries from the access.db file; the map is just a lookup table consulted by the rulesets. Because the rulesets run in a fixed order, specific parts of a message are checked before others. The ordering of lines in the access file is inconsequential and does not correspond to the order in which the entries are consulted by the rulesets.

The sendmail rulesets are organized such that, by default, checks on the sender address occur after the check on the connecting machine name/IP. If your LHS specifies a hostname or IP address, then your OK will be processed. If your LHS specifies an entire email address (username and machine name), then the mail may be rejected because the DNSBL lookup happens first. Here's an example access file to make that a bit clearer:

that.domain           OK
user@other.domain     OK

If both that.domain and other.domain are listed in the DNSBL you specify in your mc file, then all users from that.domain can send email to your mail server, but no users at other.domain can email you because other.domain is rejected during the connection phase and never gets to the ruleset that checks the sender address.

To work around this behavior, you can specify delay_checks in your sendmail.mc file and rebuild your sendmail.cf file:

FEATURE(`delay_checks')dnl

When delay_checks is specified, the rulesets check_mail and check_relay are no longer called when a client connects or issues a MAIL command, but are instead called by the check_rcpt ruleset. The delay_checks feature can also take an optional argument of friend or hater:

FEATURE(`delay_checks', `friend')dnl
FEATURE(`delay_checks', `hater')dnl

A segment from the cf/README file best explains the friend and hater options:

If such an argument is given, the recipient will be looked up in the access map (using the tag Spam:). If the argument is 'friend', then the default behavior is to apply the other rulesets and make a SPAM friend the exception. The rulesets check_mail and check_relay will be skipped only if the recipient address is found and has RHS FRIEND. If the argument is 'hater', then the default behavior is to skip the rulesets check_mail and check_relay and make a SPAM hater the exception. The other two rulesets will be applied only if the recipient address is found and has RHS HATER.

This allows for simple exceptions from the tests, e.g., by activating the friend option and having Spam:abuse@ FRIEND in the access map, mail to abuse@localdomain will get through (where "localdomain" is any domain in class {w}).

A second parameter, n, can be specified with the delay_checks feature to turn off backward compatibility for versions of sendmail prior to 8.12, which used a different syntax:

FEATURE(`delay_checks', `friend', `n')dnl

or

FEATURE(`delay_checks', `hater', `n')dnl

Q I'm running an Apache Web server on a machine that needs to have all of its Web traffic encrypted. I want to send everything over port 443 and use SSL, but I also need the server to answer on the standard http port (80). What's the best way to get everyone to send encrypted data but still have the server answer to http://www.my.domain requests?

A There are a few ways you could go about this, but the easiest way is probably to change the virtual host directive and redirect all traffic for port 80 over to the https instance on port 443. The virtual host directive for port 80 in your httpd.conf would look something like the following:

<VirtualHost *:80>
  ServerName www.my.domain
  Redirect / https://www.my.domain/
</VirtualHost>

Q We run Solaris 8 on a variety of SPARC hardware. Right now, we're using a homegrown script to modify passwords via cfengine. We want to migrate to using LDAP. One of the big blocks has been that we require password aging for various accounts, and support for that only seems to be in Solaris 9. We can't yet upgrade to Solaris 9 because we have applications that require porting. Has anyone backported password aging with LDAP, or is there a good alternative that provides the same functionality?

A There's an LDAP patch for Solaris 8, 108993, that includes password aging with pam_ldap. Be sure not to apply version 29 of this patch because it had issues. The latest good revision of this patch is 26, and this is the documenting text from sunsolve.sun.com:

    Patch-ID# 108993-26
    Keywords: security ldap ldapclient libldap automountd libthread libc sigbus
    Synopsis: SunOS 5.8: LDAP2 client, libc, libthread and libnsl libraries patch
    Date: Sep/24/2003

    ******************************************************

    Patch 108993-26 was re-instated on Nov 4, 2003

    Reason:
    Patch 108993-29 has been withdrawn:
    After applying patch 108993-29, the init(1M) command will hang
    when changing the system run level to 0, 5 or 6
    (halt, power off, reboot). In addition, it is not possible to log
    in to the system in single user mode.

    Please reference bug 4947516 for further information.

    Recommendation:
    Backout patch 108993-29 or replace /etc/lib/nss_files.so.1 with an
    older version of /etc/lib/nss_files.so.1 for Solaris 8. This must be
    from patch revision -26 (or earlier).

    ******************************************************

Later in the patch description:

4357827 pam_ldap should fully support password aging

Q I want to replace some text in a bunch of html files using Perl. I issue the following command from the shell prompt:

perl -pi.bak -e "s/foo\s(1234.+?)\sbar/baz $1 bop/m;" *.html

This should replace the first instance of any stuff prefixed with 1234 in between foo and bar with baz. If a file has the line:

foo 1234abcd bar foo 1234wxyz bar

I expect to get:

baz 1234abc bop foo 1234wxyz bar

Instead, the stuff (that should be stored) in $1 is being omitted, and I get the following:

baz  bop foo 1234wxyz bar

Am I specifying the regex incorrectly? I know I've done something very similar to this before and it's worked fine, but I can't find my previous example.

A Your regular expression is fine, but your shell is getting in the way. Because you're using double quotes, the $1 is expanded by the shell before perl ever sees the expression. Your shell has nothing stored in $1, so the replacement text perl receives is "baz  bop", and the captured text never appears in the output file. Use single quotes around your Perl command, so the shell passes the expression through untouched, or put the code in a Perl script instead of calling perl from the command line.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (http://www.oceanwave.com), has been a UNIX systems administrator for more than 10 years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: qna@oceanwave.com.