Superpatterns

OpenSolaris 2009.06 as a domU guest on Xen 3.4/openSUSE 11.2

Pat Patterson — Sat, 27 Feb 2010 18:15:39 +0000

I recently trawled the web figuring out how to install a paravirtualized OpenSolaris 2009.06 on Xen. No one place had all the story, so I’m blogging this. I found a lot of the information spread across many other blog entries; some I figured out on my own. Thanks to all the giants on whose shoulders I am now standing:

The procedure:

Download OpenSolaris 2009.06 ISO

Mount the ISO somewhere

pat-m6400:~ # mount -o loop,ro /vm/opensolaris/osol-0906-x86.iso /mnt

Copy the kernel and rootfs somewhere convenient

pat-m6400:~ # cp /mnt/platform/i86xpv/kernel/amd64/unix /vm/opensolaris
pat-m6400:~ # cp /mnt/boot/amd64/x86.microroot /vm/opensolaris

Create a disk image for your root filesystem

pat-m6400:~ # dd if=/dev/zero of=/vm/opensolaris/root.img bs=1G count=1010+0 records out
10+0 records in
10+0 records out
10737418240 bytes (11 GB) copied, 127.888 s, 84.0 MB/s

Create a Xen config file (let’s call it /vm/opensolaris/opensolaris-install.cfg) with the following content:

name = "opensolaris"
vcpus = 1
memory = 1024
kernel = "/vm/opensolaris/opensolaris/unix"
ramdisk = "/vm/opensolaris/x86.microroot"
extra = "/platform/i86xpv/kernel/amd64/unix -B console=ttya"
disk = ['file:/vm/opensolaris/osol-0906-x86.iso,6:cdrom,r', 'file:/vm/opensolaris/root.img,0,w']
vif = ['bridge=br0']
on_shutdown = "destroy"
on_reboot = "destroy"
on_crash = "destroy"

Now start your VM:

pat-m6400:~ # xm create -c /vm/opensolaris/opensolaris-install.cfg

You should see something like:

Using config file "./opensolaris-install.cfg".
Started domain opensolaris (id=21)

v3.4.1_19718_04-2.1 chgset '19718'
SunOS Release 5.11 Version snv_111b 64-bit
Copyright 1983-2009 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: opensolaris
Remounting root read/write
Probing for device nodes ...
Preparing live image for use
Done mounting Live image
USB keyboard
1. Albanian                      23. Lithuanian
2. Belarusian                    24. Latvian
3. Belgian                       25. Macedonian
4. Brazilian                     26. Malta_UK
5. Bulgarian                     27. Malta_US
6. Canadian-Bilingual            28. Norwegian
7. Croatian                      29. Polish
8. Czech                         30. Portuguese
9. Danish                        31. Russian
10. Dutch                         32. Serbia-And-Montenegro
11. Finnish                       33. Slovenian
12. French                        34. Slovakian
13. French-Canadian               35. Spanish
14. Hungarian                     36. Swedish
15. German                        37. Swiss-French
16. Greek                         38. Swiss-German
17. Icelandic                     39. Traditional-Chinese
18. Italian                       40. TurkishQ
19. Japanese-type6                41. TurkishF
20. Japanese                      42. UK-English
21. Korean                        43. US-English
22. Latin-American
To select the keyboard layout, enter a number [default 43]:

Press enter to select the default…

1. Arabic
2. Chinese - Simplified
3. Chinese - Traditional
4. Czech
5. Dutch
6. English
7. French
8. German
9. Greek
10. Hebrew
11. Hungarian
12. Indonesian
13. Italian
14. Japanese
15. Korean
16. Polish
17. Portuguese - Brazil
18. Russian
19. Slovak
20. Spanish
21. Swedish
To select desktop language, enter a number [default is 6]:

Press enter again…

User selected: English
Configuring devices.
Mounting cdroms
Reading ZFS config: done.

opensolaris console login:

Now login with jack/jack

opensolaris console login: jack
Password:
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
jack@opensolaris:~$

And su with the password opensolaris

jack@opensolaris:~$ su
Password:
Feb  5 20:29:29 opensolaris su: 'su root' succeeded for jack on /dev/console

Now do ifconfig -a to discover your IP address. You might have to try a few times since it seems to take a minute or two to get an IP:

jack@opensolaris:~# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
xnf0: flags=1004843 mtu 1500 index 2
inet 192.168.69.124 netmask ffffff00 broadcast 192.168.69.255
ether 0:16:3e:79:d:ba
lo0: flags=2002000849 mtu 8252 index 1
inet6 ::1/128
xnf0: flags=2000841 mtu 1500 index 2
inet6 fe80::216:3eff:fe79:dba/10
ether 0:16:3e:79:d:ba

Now go to a dom0 shell and find the domain id:

pat-m6400:~ # domid=`xm domid opensolaris`
pat-m6400:~ # echo $domid
21

Use xenstore-read to find the vnc port and password:

pat-m6400:~ # xenstore-read /local/domain/$domid/guest/vnc/port
5900
pat-m6400:~ # xenstore-read /local/domain/$domid/guest/vnc/passwd
5PaJpX6n

Supposedly you can also discover the IP address this way, but I’ve never seen
it:

pat-m6400:~ # xenstore-read /local/domain/$domid/ipaddr/0
xenstore-read: couldn't read path /local/domain/21/ipaddr/0

Now you can VNC to the OpenSolaris installer – use the port and password you just discovered. Note the double colon (::) to use port number rather than
display number

pat-m6400:~ # vncviewer 192.168.69.124::5900
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Password:
Authentication successful
[...]

You should see the OpenSolaris installer – hurrah! Go through the install process, click ‘restart’ and the domain should shutdown.

Once it is down (you can check with xm list), create another config file – opensolaris.cfg

name = "opensolaris"
vcpus = 1
memory = 1024
bootloader = "/usr/bin/pygrub"
disk = ['file:/vm/opensolaris/root.img,0,w']
vif = ['bridge=br0']
on_shutdown = "destroy"
on_reboot = "destroy"
on_crash = "destroy"

Now you can create the VM again using the new config
```
xm create -c /vm/opensolaris/opensolaris.cfg
```
If all is well, you should now be the proud owner of an OpenSolaris domU

Now, log in as the user you specified in the install, su – to root and find the IP address.

pat@opensolaris:~$ su -
Password:
root@opensolaris:~# ifconfig xnf0
xnf0: flags=1004843 mtu 1500 index 2
inet 192.168.69.128 netmask ffffff00 broadcast 192.168.69.255
ether 0:16:3e:5d:6:60

That’s the basic install done. You have a couple of options at this point depending on whether you want to be able to VNC in for the full OpenSolaris desktop experience, and whether you want a static IP address.

For the OpenSolaris desktop:

Set X11-server to listen to the tcp port

root@opensolaris:~# svccfg -s x11-server
svc:/application/x11/x11-server> setprop options/tcp_listen = boolean: true
svc:/application/x11/x11-server> quit

I disabled idletimeout on the VNC server, so that I don’t lose the desktop over my lunch break!

root@opensolaris:~# svccfg -s xvnc-inetd
svc:/application/x11/xvnc-inetd> setprop inetd_start/exec = astring: "/usr/X11/bin/Xvnc -inetd -query localhost -once securitytypes=none -IdleTimeout 0"
svc:/application/x11/xvnc-inetd> quit

Enable XDMCP for GDM

root@opensolaris:~# printf '[xdmcp]\nEnable=true\n' >>/etc/X11/gdm/custom.conf
root@opensolaris:~# svcadm restart gdm

Make sure GDM runs on startup

root@opensolaris:~# svcadm enable -s gdm

Turn on xvnc-inetd services

root@opensolaris:~# svcadm enable xvnc-inetd

Now just connect from dom0:
```
pat-m6400:~ # vncviewer 192.168.69.128
```
And you should be in GNOME desktop wonderland

If you want to continue to use DHCP, on subsequent boots, just run nmap on dom0 to find your IP address:

pat-m6400:~ # nmap -sP 192.168.69.0/24

Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-05 23:15 PST
Host 192.168.69.1 is up (0.00056s latency).
[...]
Host 192.168.69.128 is up (0.0017s latency).
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.48 seconds

As an alternative to getting a VNC session, you can do

ssh -X 182.168.69.128

(or whatever) and then (at the OpenSolaris prompt) you can do

pat@opensolaris:~$ some-gui-program &

to have the program run on the dom0 desktop. Cool

To configure OpenSolaris to use a static IP address:

root@opensolaris:~# svcadm disable network/physical:nwam
root@opensolaris:~# svcadm enable  network/physical:default
root@opensolaris:~# ifconfig xnf0 down
root@opensolaris:~# ifconfig xnf0 192.168.69.25 netmask 255.255.255.0
root@opensolaris:~# ifconfig xnf0 up
root@opensolaris:~# route add default 192.168.69.1
root@opensolaris:~# echo 192.168.69.25 netmask 255.255.255.0 > /etc/hostname.xnf0
root@opensolaris:~# echo 192.168.69.1 > /etc/defaultrouter

So there you have it – OpenSolaris 2009.06 happily running as a Xen domU. If you have any comments/corrections, please post them and I’ll update this entry as appropriate.

Create a Xen config file (let’s call it
/vm/opensolaris/opensolaris-install.cfg) with the following content:

The ForgeRock OpenSSO Roadshow comes to North America!

Pat Patterson — Tue, 23 Feb 2010 04:59:15 +0000

My friends at ForgeRock are bringing their series of OpenSSO user group meetings to the USA and Canada in late March/early April 2010. If you’re interested in where they’re taking open source identity, you should definitely take this opportunity to participate in one of the meetings – choose from New York (3/29), Toronto (3/30), Chicago (3/31) or San Francisco (4/1). I’ll likely take the drive up 280 to the SF event on April 1st – see you there!

OpenSSO User Group Meetings in Northern Europe – Nov/Dec 2009

Pat Patterson — Thu, 19 Nov 2009 05:39:03 +0000

Although I’m no longer as active in the OpenSSO community as I once was, some things still catch my eye – for example, news of a series of user group meetings across Northern Europe in late November and early December. OpenSSO experts Allan Foster, Jonathan Scudder, Steve Ferris and Victor Ake (not a blogger amongst them!?!?) will be presenting on OpenSSO-related topics ranging from monitoring to the Fedlet, via entitlements and OAuth, in Helsinki, Stockholm, Copenhagen, Oslo, London and Brussels. Seems like SupportRock might be a name to watch in the world of OpenSSO…

Bookmarks for November 15th 2009

Pat Patterson — Mon, 16 Nov 2009 13:00:00 +0000

These are my links for November 15th 2009:

Skype Emoticons & Flags Cheatsheet – Nice – text for all the Skype emoticons, including the secret ones [ (mooning) - who knew? ] and flags

SAML Single Sign-on with Desktop Apps – Enabled by OAuth

Pat Patterson — Thu, 12 Nov 2009 23:55:52 +0000

One question that repeatedly comes up in any discussion of web single-sign on is “How do I get my desktop apps to play?”. Often, Enterprise Single Sign-on (ESSO) is the answer – deploying an agent to the client desktop to automatically populate the username/password popup for Outlook, or whatever desktop app you’re working with. This has always felt a bit clunky to me, particularly since you need a credential store somewhere in the system, but it works well enough for the username/password case.

The ESSO approach breaks, however, if you’ve moved to a federated identity model, perhaps outsourcing your email to Google Apps and using SAML for single sign-on so that, instead of end users logging in to the email system directly, they authenticate to an identity provider (IdP) within your enterprise, which sends a SAML assertion (a signed XML document containing the user’s identifier and possibly other information) to Google as part of the web single sign-on process. Now the problem becomes: how do you use a fat email client such as Outlook, when (by design) Google knows nothing about the end users’ passwords?

Last week at Internet Identity Workshop 9 at the Computer History Museum in Mountain View, CA, Google presented an approach to this problem, leveraging OAuth as the glue between the web SSO world of SAML and the desktop view of Outlook. Well, they would have presented it, if the wifi had been more reliable; as it was, the Google engineers explained their solution to me

It works like this:

A Google plugin in Outlook intercepts the authentication process, obtains an (unauthorized) OAuth request token from Google’s OAuth service provider (SP) endpoint and invokes the browser with a SAML SP Google Auth URL, including the request token as a query parameter.
Google Auth invokes Google’s SAML SP, which redirects to the user’s enterprise IdP.
The user authenticates to the enterprise IdP (in the browser via whatever mechanism has been configured – typically username/password).
The enterprise IdP redirects to Google with a signed SAML assertion containing the user’s Google identifier.
Google returns a page for the user to give permission for Outlook to access their email; the user gives consent, submitting a form back to Google. This is the OAuth protocol step that authorizes the request token and permits an OAuth access token to be issued later.
Browser shows “Success” page.
Outlook plugin detects success (I guess it watches the window title), requests an OAuth access token from the Google OAuth SP (sending the, now authorized, request token), and uses the access token as the password in subsequent IMAP/SMTP/POP3 authentications with the Google mail server.

The OAuth consent page (step 5 above) seems a little clumsy, but, without it, if the user were already logged in to the enterprise identity provider, there would be no user interaction in the process, allowing a desktop app to obtain the OAuth tokens, and, thus, access to the user’s email account, without the user’s consent. Probably not a good thing

All of this is documented in the following articles at Google – many thanks to Eric Sachs for pointing me to the links:

OAuth for Installed Applications – how to use OAuth to access Google Apps from a desktop app. The article doesn’t explicitly call out SAML, but, if you have enabled SAML on your Google Apps deployment, it gets used between steps 4 and 5 in the flow documented there.
UX research on Desktop Apps using federated login and/or OAuth – an older article describing the approach taken by Google.

Note – I updated the flow above in light of more input from Eric at Google.

Bookmarks for November 6th 2009

Pat Patterson — Sat, 07 Nov 2009 13:00:00 +0000

These are my links for November 6th 2009:

Remus – Transparent High Availability for Xen – Remus provides transparent, comprehensive high availability to ordinary virtual machines running on the Xen virtual machine monitor. It does this by maintaining a completely up-to-date copy of a running VM on a backup server, which automatically activates if the primary server fails
OpenSSL is written by monkeys – Marco Peereboom's rant on OpenSSL. To be honest, looking at the examples of OpenSSL code, it's difficult to disagree – sorry, Ben!

Bookmarks for October 22nd 2009

Pat Patterson — Fri, 23 Oct 2009 13:00:00 +0000

These are my links for October 22nd 2009:

19 Ways to Build Physical Security into a Data Center – Quite old now (2005), but still very relevant. It doesn't matter how many layers of security you have in the cloud infrastructure software if you allow unauthorized access to the hardware!
Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration – From the Jericho Forum – a model for organizing cloud computing into four dimensions – so it really should be a hypercube
Cloud Standards Wiki – Not sure who actually runs this, but it's a useful collection of links relating to cloud standards
Daoli Project – Interesting – a project to leverage Trusted Computing in the Cloud – the hypervisor becomes part of the Trusted Computing Base (TCB).

Bookmarks for October 13th 2009

Pat Patterson — Wed, 14 Oct 2009 13:00:00 +0000

These are my links for October 13th 2009:

OpenCrowd – Cloud Computing > Cloud Taxonomy, Landscape, Evolution – Useful cloud taxonomy diagram
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds – Mapping Amazon EC2's internals and instantiating co-resident machine instances with a view to mounting cross-VM side channel attacks.
Cloud Security Alliance – Security Guidance for Critical Areas of Focus in Cloud Computing – Comprehensive overview of the cloud security landscape
Keyboard Shortcuts for Gmail – Note – you'll have to enable keyboard shortcuts in Gmail Settings
Keyboard Shortcuts for Google Reader – Great time-savers for Google's feed reader
Cloud Computing Ecosystem Map v1.0: Standing on the Shoulders of Giants – Mega-map (by Troy Angrignon) of everything cloud related
OpenCrowd – Cloud Computing > Cloud Taxonomy, Landscape, Evolution – Useful cloud taxonomy diagram
Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds – Mapping Amazon EC2's internals and instantiating co-resident machine instances with a view to mounting cross-VM side channel attacks.
Cloud Security Alliance – Security Guidance for Critical Areas of Focus in Cloud Computing – Comprehensive overview of the cloud security landscape
Keyboard Shortcuts for Gmail – Note – you'll have to enable keyboard shortcuts in Gmail Settings
Keyboard Shortcuts for Google Reader – Great time-savers for Google's feed reader
Cloud Computing Ecosystem Map v1.0: Standing on the Shoulders of Giants – Mega-map (by Troy Angrignon) of everything cloud related
Brewer’s CAP Theorem – Nice article on Brewer's CAP (Consistency, Availability, Partition Tolerance – pick any two) theorem and its implications for distributed systems. Interesting to see the parallels with eventual consistency in directory services. Bonus reference to the Sex Pistols' seminal 4th June 1976 Manchester Lesser Free Trade Hall gig in the intro!

Bookmarks for October 8th 2009

Pat Patterson — Fri, 09 Oct 2009 13:00:00 +0000

These are my links for October 8th 2009:

The OpenSSO REST Interfaces in Black / White – DocTeger gives a comprehensive explanation of OpenSSO's REST-like identity services, with the usual cool music video at the end
Directory "Engineering" – Ludo’s sketches – Nice – an OpenDS engineer has built a hardware dashboard for Sun's open source directory server

Huawei – Two Weeks In

Pat Patterson — Fri, 02 Oct 2009 15:41:18 +0000

I'm currently reading 'Programming Amazon Web Services'

It’s the end of my second week at Huawei, and things are looking good. I’ve done a LOT of reading, getting up to speed on the non-identity parts of cloud computing, and we’ve spent some quality time around the whiteboard. I’ve also booked my first trip to Huawei’s headquarters in Shenzhen, which will be my first visit to mainland China (I went to a Liberty Alliance plenary meeting in Hong Kong a few years back).

One news item that caught my eye – Matt Bross (formerly BT’s CTO) has joined Huawei. BT has some very smart people, and it looks like Matt is no exception – I’m looking forward to meeting him when he visits the Huawei site in Santa Clara!

Talking of hiring, we’re still recruiting for the ‘virtual data center’ team – see Geoff’s blog entry – so, if you’re into large scale identity/security, storage, or systems and network management, drop me an email at with your resume, the sooner the better!