UNIX Administratosphere

Wandering about, it would appear that UNIX aficionados (geeks!) are putting everything imaginable onto the EeePC.

For example, there are people running MacOS X Tiger, MacOS X Leopard, OpenSolaris 2008.05, Ubuntu, and NetBSD on the EeePC. There is a video review of the EeePC which is very informative and well done (even if the video itself is slightly off-color). There is another video describing the EeePC and how to install Ubuntu Linux onto it. There’s even a video demonstration of MacOS X Tiger running on the EeePC. Doesn’t seem to be anything it can’t do.

There’s a NetBSD on EeePC page as well.

This all makes me want to go get one for myself; I’ve been holding off. One of these with a dual-bootable Windows/Linux or Windows/UNIX installation would be perfect - and as it boots off of flash cards as well, perhaps Windows 2000 on flash would be just the thing for me (every corporate doodad requires Windows - VPN, WPA, intranet - ack!).

These machines apparently continue to be quite popular, as this romp through UNIX on the EeePC shows.

Sparse files are basically just like any other file except that blocks that only contain zeros (i.e., nothing) are not actually stored on disk. This means you can have an apparently 16G file - with 16G of “data” - only taking up 1G of space on disk.

This can be particularly useful in situations where the full disk may never be completely used. One such situation would be virtual machines. If a virtual machine never fills the disk entirely, then a certain amount of the disk will never have anything but zeros in it - permitting the saving of disk space by using a sparse file.

The operating system (which supports sparse files) knows that the block “exists” but is null, so it provides the zero-filled block out of thin air. As soon as the block contains data, the data is written to disk in the appropriate way and the file on disk grows.

There are problems with using sparse files. The most egregious would be that any utility that does not recognize or utilize sparse files can replicate the entire file on disk, so that a 500M sparse file could suddenly balloon to 6G. Even utilities that can work with sparse files must be told to do so, so this trap is easy to fall into.

Another problem is that everything about disk management is based on how many sectors or blocks are used - and the disk size reported for a sparse file is the full size of the file (not the actual number of blocks on disk). This also means that any utilities that work solely with blocks on disk (e.g., du) will report different amounts than other utilities.

Yet another problem is whether backup programs recognize or preserve sparse files. A backup program that does not recognize (and store) sparse files may well be quite oversized. A restore of this flawed backup - or indeed, a restore that does not recognize properly backed up sparse files - will balloon in size as mentioned before. In a worst case, there would not be enough room on disk to restore the data, if the sparse file expands enough to fill the disk.

To get the ls command to report actual on-disk sizes (instead of just the file size typically reported) use these options:

# ls -ls
total 96
8 -rw-r–r– 1 root root 2003 Aug 14 2006 anaconda-ks.cfg
68 -rw-r–r– 1 root root 59663 Aug 14 2006 install.log
8 -rw-r–r– 1 root root 3317 Aug 14 2006 install.log.syslog
12 -rw——- 1 root root 10164 Oct 25 2006 mbox

The blocks used are in the left side column; the bytes used are in their usual column just before the date. In this case, all of the files are using appropriate number of blocks - that is, none of these files are sparse.

Creating a sparse file basically amounts to a simple process: create a file, and seek to the desired end of the file. This can be done at the command line with a command like (to create a 1M sparse file):

dd if=/dev/zero of=sparse-file bs=1 count=1 seek=1024k

Here is an example, run on HP-UX:

# dd if=/dev/zero of=sparse bs=1 count=1 seek=1024k
1+0 records in
1+0 records out
# ls -ls sparse*
2 -rw-r–r– 1 root sys 1048577 May 22 12:58 sparse
#

Looking at HP-UX (and perhaps other environments), there does not appear to be a wide amount of support for sparse files in the typical utilities (such as tar, cp, cpio, etc.), even as the operating system itself will dutifully create sparse files.

However, GNU cp supports the –sparse option. By default, GNU cp attempts to detect sparse files and recreates them as warranted. A file can be copied into a sparse format using –sparse=always, or into a nonsparse format using –sparse=never. The default, alluded to earlier, is –sparse=auto.

GNU tar uses the –sparse option (or the equivalent -S option) to make tar store sparse files appropriately.

GNU cpio supports the –sparse option, which operates similarly: any suitable length of zeros is recorded as a “empty” and the file is stored or created as a sparse file.

The command rsync, while not a GNU project, does support sparse files. The option –sparse (or -S) will attempt to handle sparse files efficiently, that is, not creating file blocks full of only zeros.

It appears that utilities pax, scp, sftp, and ftp do not in general support sparse files. Using such a utility, then, would make a sparse file balloon in size.

Given this utility support for sparse files, the best native environment is proably Linux or MacOS X, or other open platform. More specifically, any platform where the GNU utilities are available, along rsync.

Recognizing a sparse file can be done at the command line with the previously mentioned ls -ls command. To see a sparse file (right down to the block level), one way would be to write a C program (or other language) to start at the end of the file, and truncate the file one block shorter - if the file on disk becomes shorter, then that block was on disk; if not, then it was a sparse block. Of course, any block that contains data is on disk; it is only blocks with zeros with which there is any question as to whether it is on disk or not. Jonathan Corbet had an article in December of 2007 in the Linux Weekly News that described a method that the Solaris ZFS developers had proposed, and posed the question as to whether Linux should support similar system calls that will seek to the next hole or the next set of data in a file.

How much memory is in this machine?

It would seem that answering this question ought to be easy; it is - but every system has the answer in a different place. Most put an answer of some sort into kernel messages reported by dmesg (AIX apparently does not).

Most systems have a program for system inventory which reports a variety of things, including memory.

Rather than go into great detail about each one, we’ll just put these out there for all of you to reference. Each environment has multiple commands that give available memory; each command is listed below.

Without further ado, here are a few answers to this burning question:

Solaris

1. dmesg | grep mem
2. prtdiag | grep Memory
3. prtconf -v | grep Memory

AIX

1. bootinfo -r
2. lsattr -E1 sys0 -a realmem
3. getconf REAL_MEMORY

HPUX

1. dmesg | grep Physical
2. /opt/ignite/bin/print_manifest | grep Memory
3. machinfo | grep Memory

Linux

1. dmesg | grep Memory
2. grep -i memtotal /proc/meminfo
3. free

OpenVMS

1. show mem /page

Update:

FreeBSD

1. dmesg | grep memory
2. grep memory /var/run/dmesg.boot
3. sysctl -a | grep mem

In Solaris 9, two new utilities were added: pkill and pgrep. These tools are perhaps old news to Solaris admins. However, these utilities were then quietly added to Linux in short order, and now show up in HP-UX 11i v3 and perhaps others. What do these tools do?

First of all, pkill is just a wrapper for pgrep. Well, what does pgrep do? It searches the current processes for a match based on arguments that you give to it.

The most common use would be to search for a command. The pgrep utility will then return each process ID, one per line. The pkill utility will send the default kill signal to each pid. The pgrep utility can search based on a large array of factors, including userid, groupid, virtual size, effective user ids, command name, full command string, and more.

Here’s an example:

# pgrep cache
13
12
14
15
33
49
22006
21950
21973
21976
#

When combined with scripting, these commands can be quite useful. Consider this ksh snippet:

for i in $(pgrep cache) ; do
  // do some commands here
done

I saw this post about finding the version of a Solaris DVD - very interesting. It relies on the fact that the DVD contains all of the packages in a unpacked format, and then goes looking for /etc/release contained within the SUNWsolnm package. His example looked like this:

# cd /Solaris_10/Product/SUNWsolnm/reloc/etc
# cat release
Solaris 10 3/05 HW2 s10s_hw2wos_05 SPARC
Copyright 2005 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 26 September 2005
#

This also translates into doing the same thing on an installed system:

# cat /etc/release
Solaris 10 6/06 s10s_u2wos_09a SPARC
Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 09 June 2006
#

If you wish to examine a runaway program outside of its element, you may choose to use the utility gcore. This utility is found in Solaris, Linux, and HP-UX, and perhaps others. The program syntax is:

gcore [ -o corename ] pid

The pid is the process id of the process to dump core, and the corename is the base of the filename to use for the core dump - the full name is the base name plus period (”.”) and the process id number. The default is to use “core“.

HP-UX systems will accept multiple process ids instead of just one. Solaris has several additional flags (as well as multiple pids). The additional Solaris flags won’t be covered here.

Once core has been dumped, the program continues operation; it does not stop. Thus, gcore is especially useful for taking a snapshot of a running process.

For example, consider a program with the process id 6674:

gcore 6674

This command generates a core file in the current directory with the name “core.6674“. This file then can be read by the GNU debugger gdb. Solaris also provides the dbx(1), mdb(1), and pstack(1) utilities. HP-UX provides gdb as well as the HP adb(1) utility. Both Solaris and HP-UX provide a core management utility coreadm(1m) - which is a topic for another day.

This article has an excellent description of working with core files in Solaris.

When root is locked out of a system, it can be a real problem. It’s even worse when you are root, yes?

There are many legitimate reasons this can happen:

• You purchased a used system with operating system installed, and the root login is unknown.
• The root password expired. (This has happened!)
• You have taken on a new system as a system administrator, and no one knows what the root password is (or what the box is, or what it does…)
• You have taken on a job as a new system administrator, and the previous administrator didn’t leave all of the passwords.
• You just plain forgot the system password (uhoh…).

We are going to assume that single user mode is locked out or not available. We are also going to skip talking about taking the system down (which is going to be necessary in any case).  We are also going to assume that you have legitimate physical access to the system.

In most situations, the system admin’s adage holds true: if you have physical access to the box, then there’s no stopping you from breaking in.  That’s why many operating systems make it fairly easy to access the system with physical access - and this is the reason you must physically secure your servers.  Putting them behind locked doors is the easiest and best way to go.  With physical access, it generally becomes easy to get into the system.

If you can access single user mode (such as booting HP-UX with “hpux -is” or booting Linux with “linux single“) then you can do all of the password recovery steps quite easily.

No matter what the operating system, if you have physical access to the system itself, then it is generally possible to crack it. There is a method that will work with any system:

1. Convert the disk into a “secondary” data disk in some fashion.
2. Boot into another operating system that can read and write the now secondary data disk.

There are several ways to do this. One way is to use a bootable floppy, CDROM, or DVDROM to enter into a maintenance mode, then access the original boot disk in the system. Sun Solaris has this capability using the install disk, as does Red Hat Enterprise and OpenSUSE. There are also bootable floppies and CDROMs that run on Linux all over everywhere.

Another way is to physically extract the hard disk from the system, and to use it as a data disk on another (identical) system. Macintosh laptops have this capability “builtin”: it’s called Target Mode, and turns the laptop into a large disk on a Firewire connection to a desktop or other system.

Remember, however, that the Macintosh uses NetInfo to manage its data; you’ll probably have to manipulate the NetInfo database on the other system in some fashion, or at least, turn it off.  That’s currently beyond our knowledge (but who knows…).

Under HP-UX, the boot disk is probably a single volume group, vg00: this volume group would have to be vgexported and vgimported in some fashion. The LVM structures would have to be accounted for.

Once the once bootable system is correctly mounted (read and write) as a data disk on another system, the easiest thing to do (with UNIX and Linux) is to change root’s password to null, by making the password entry empty in the /etc/password file. With NT, you may be able to extract the SAM file and use a cracker like L0pht to reveal the password.

With OpenVMS, the steps are more complicated, but the concept is the same: use a different security environment (an alternate UAF) and change the password in the original environment (the original UAF). First, alter the booting process to make OpenVMS boot into a sysboot> prompt. At this prompt, enter the command to use an alternate UAF:

sysboot> set uafalternate 1
sysboot> continue

The username and password to login will be null, so login by pressing enter until the prompt appears. Then we need to go about changing the password entry for SYSTEM:

$ define/system/executive sysuaf sys$system:sysuaf.dat
$ set def sys$system
$ run authorize
Authorize> modify system/password=newpass/nopwdexp
Authorize> exit

Then restore the alternate UAF setting back to zero so that the system UAF will be used on reboot:

$ run sys$system:sysman
sysman> param use current
sysman> param set uafalternate 0
sysman> param write current
sysman> exit

Then reboot the system and the SYSTEM password should be newpass.

This sequence hints at one reason a root password might “go bad” - if your root password expires, then you are undone. These steps still work, but instead of changing the password, one will have to reset the expired account so you can login again.

The NSA is, of course, the United States National Security Agency. It’s their job to a) keep the nations computers secure; b) find out how to break everyone else’s (ah, the dichotomy of national intelligence!). Thus, some of the best computer security minds are at the NSA - it was the NSA that brought us SELinux (and still does!).

They also have a vast array of security guides available for download. These include guides on securing Solaris 8 and 9, MacOS X 10.3 and 10.4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and more.

Use a security guide next time you secure a box - and not necessarily just one. Do some research. Implement all of the security you can on all of your boxes - even if it is not on the Internet. One day, someone might just crack through - then all of your internal systems will be at risk. Each system should be able to withstand an assault without falling.

SystemTap is one amazing piece of work - it is a programmer-friendy and admin-friendly interface to KProbes (which are included in the Linux 2.6 kernel).  When you compare its capabilities to what has gone before, it is truly amazing.  Here are some of the things you can do:

• Quantify disk accesses per disk per process (or per user)
• Quantify the number of context switches that are a result of time outs
• List all accesses to a particular file and the process that accessed it

This is only the tip of the iceberg. There is a wiki with more details, including “war stories.”  There is a language reference there as well.

There was an excellent article in Red Hat Magazine, “Instrumenting the Linux Kernel with SystemTap” by William Cohen.

One controversy that came up was that the initial impetus for creating SystemTap was to implement something like Sun’s DTrace for Solaris but under the GNU Public License.  Solaris and DTrace are licensed with Sun’s Common Development and Distribution License (CDDL), which many feel makes DTrace incompatible with the GPL-licensed Linux kernel.

Apparently, the CDDL is also incompatible with the BSD-licensed FreeBSD, as FreeBSD 7.0 will not have DTrace either.  There appears to be some licensing issues.

According to the Wikipedia entry on the CDDL, it was designed to be both GPL-incompatible and BSD-incompatible.  With regard to the GPL, the entry suggests that Sun never clarified why; as to the BSD, Sun did not want Solaris to wind up in proprietary products - which the BSD license allows.

On a brighter note, Eugene Teo was able to get the SystemTap tool to work on the Nokia N800.  The article seems to be behind a wall at LiveJournal; the article is still in Google’s cache.  However, it does requires some amazing convolutions:

• A kprobes-enabled kernel must be installed on the N800
• The SystemTap programs (like stap) must be installed on the N800
• Any traces must be cross-compiled on another host
• The kernel module thus created must be moved to the N800
• Once the kernel module is in place, then the trace can be done.

So every desired trace requires precross-compilation on a desktop (sigh)…  Oh, well.

There is even a GUI for SystemTap in the works.

In the past, the z/Series has been known for its virtualization of Linux servers (over 10,000 possible!). Now, someone is showing OpenSolaris running on z/Series at the Gartner Data Center Conference in Las Vegas. There is an excellent write-up from the Mainframe blog, and another post from Marc Hamilton.

There is also an excellent open source IBM zSeries emulator called Hercules which can run Linux, MVS, DOS/VSE and others - and now, soon, OpenSolaris.

There is a very interesting speech given at Linuxworld by Guru Vasudeva from Nationwide about how his company implemented virtual Linux machines on IBM zSeries with z/VM.

When I first saw this (from IBM’s web site) I thought it was laugh out loud funny - and it still is. It also gives a hint at the power of the IBM z/Series, and shows one of the reasons I’m excited about the power one of these has.

I just love the deadpan Joe Friday responses from the cops, and some of the quotes:

• “Could it be an inside job? We’re inside, right?”
• “I need my pills!”
• “What’s a server?”