Category Archives: solaris
Sun Glassfish Webstack 1.5
Sun Glassfish Web Stack 1.5 is out this week, for Solaris and Linux platforms.
This is the latest update to the webstack, and like previous versions is available both as a free download and commercially as a supported product in a choice of bundles, to meet the needs of everyone from enterprise clients, through small and medium size business and startups, to students and hobbyists. The most striking change for most users will probably be the shiny new Enterprise Manager dashboard.
Open sourcers will note the updates to the constituent open-source components of the webstack. In this context, and in view of my recent blog entry, I should perhaps mention that while the Apache HTTPD version bundled is 2.2.11, it does include local patches, most importantly the security fixes in this week’s 2.2.12 release from Apache. Other components are similarly upgraded.
mod_privileges for Apache 2.2
I committed mod_privileges to Apache HTTPD trunk late last year, so it’s available to users of trunk. Since we have yet to release an alpha 2.3 (let alone a beta or stable 2.4) version, that’s a limited audience.
I’ve now hacked up a simple patch to enable it to be run with Apache 2.2 (prefork MPM). You can safely apply the patch whether or not you use mod_privileges, and I’ve proposed it for backport so it may become standard in future 2.2 releases. The module itself will remain separate, but may be bundled in future releases of Sun’s webstack.
Links:
Separating Virtual Hosts: mod_privileges
A longstanding issue with web hosting on Apache is the problem of lack of separation of virtual hosts. Users of a system had better trust each other, because if they have privilege to deploy non-trivial applications, they’re likely also to have privilege to crack each other’s apps. Of course the level of vulnerability depends on local factors – mostly the competence of the sysop – but it’s always a worry for security-minded users.
A complete solution to this is full virtualisation, including an entire apache instance per user. But that’s expensive. A range of partial solutions exist: generally these involve separate processes such as suexec and fastcgi (both for CGI). The perchild MPM promised full privilege separation, but was abandoned.
I have today uploaded a new module mod_privileges to Apache svn, under modules/arch/unix. This is a module for Solaris 10 and OpenSolaris, that uses Solaris privileges to enhance webserver security. Specifically, it enables both privileges and Unix user&group to be specified per virtual host. Like the perchild MPM, each virtual host can run as a different system user, and it will also (by default) run in a more secure mode than “normal”, by removing privileges rarely used by a webserver. A BIG_SECURITY_HOLE compile-time option lets you shoot yourself in the foot by running with your choice of privileges.
mod_privileges is currently in /trunk/, and won’t be in any released version of Apache for a while. It will require further work – including of course security audit – before it can be recommended for operational use.
And it has a major limitation: it won’t run with a threaded MPM. But neither will mod_php (at least not in a sane setup), so PHP users have nothing to lose. It’s also useful for other in-process scripting environments such as mod_perl, mod_python or mod_ruby. And therein lies its major target market: hosting companies offering scripting should find this meets a long-standing need!
Yay for Zones!
Well, I’ve still no idea what killed my SFW build.
But after further attempts to fix or work around it, I’ve gone for an alternative approach. Instead of just running it as its own user (as I started out doing), I’ve created a new Solaris Zone dedicated to sfw. And of course an sfw user within that zone. I’m happy to say that it works within the zone, so I’m back on track and (hopefully) isolated from whatever caused the trouble. Evidently zones have more to offer than mere security 🙂
Next, I’m playing about with creating a virtual network amongst zones. Slightly confuzzled by the significant differences between my solaris version and the crossbow docs (such as Sunay’s blog) in, for example, the dladm command, but I think I can work around that.
Confuzzled
Still (evidently) not got to grips with the SFW consolidation.
Having successfully executed a full build with one additional module, I thought I was past the steep bit of the learning curve, and added in six more modules. Of course I didn’t expect them all to build successfully first time – bound to hit snags, typos, gotchas, miscellaneous bugs. But I did expect to get meaningful error messages from those modules that failed to build.
It didn’t build. httpd itself failed, so the modules didn’t even have the prerequisites to try to build. The error was an invalid –with-apr in the configure. Seems that it tries to build both prefork and worker MPMs, but with just one APR build (on worker). That relies on worker getting built before prefork, and the error suggests that didn’t happen.
Having failed to figure out what among my changes could possibly have caused this (unexpected) error, I fell back to recreating the entire hierarchy from the same clean tarball I’d started out with. Same error! So it wasn’t anything I’d done, and looks suspiciously like a heisenbug. Bugrthat 😦
OK, I wonder what happens if I just remove those –with-apr configure options from the apache-prefork build? Hopefully it’ll get though to building the modules, so I can get the results I want: successful build or relevant errors! It’s running now.
Mailer for solaris
The new solaris box came with Thunderbird installed as a default mailer. It works for mail once I’ve disabled crap like pseudo-HTML composition. At least, while online and its IMAP servers are responding. And so long as you post everything through one SMTP host.
OK, yes, that’s pretty limiting. But the real killer is how it falls about in a ghastly heap when trying to access an IMAP server that’s offline or responding slowly.
I’m used to Apple’s mailer – on the mac laptop – which makes a decent job of it. Once it’s synced with the IMAP server on the (linux) desktop, I can access its local cached copies of my mail, no fuss. And it’s pretty good at syncing up whenever a connection is available.
Thunderbird, by contrast, hangs and refuses to open the offline account when the IMAP server is unavailable. Worse, it pops up error messages about it, to interrupt whatever I’m doing. And worst of all, this morning when I first tried to sync it, the IMAPD was responding slowly because the linux box was running updatedb, and has the slowest of cheapo discs. Instead of syncing in background, thunderbird started grabbing all my desktop’s resources, and made X11 more sluggish than ever the linux box’s own desktop gets when running updatedb. It felt like a forkbomb!
So, I want a better mailer. And here’s the rub: I’ve never run a *X box in the same circumstances, with intermittent availability of an IMAP server. I do most of my mail on the Linux box, but obviously its own dovecot instance is always up when i use that. Going back before the days of the mac laptop, I wasn’t running an imapd, so I didn’t have the issue. Back in the days of dialup, I used fetchmail+local folders, as opposed to fetchmail feeding dovecot, and Pine worked just fine.
So, dear lazyweb, what’s a good mailer for *X with intermittent connectivity?
Solaris!
Yay! I’ve set up the new solaris box, and I can do things like blog from it. Things are progressing!
There’s still much to do, of course. I had to work around some strange security restrictions just to set up a user account (root has no privilege to create a /home/nick directory, nor even to chmod /home). It feels a little like when you first get bitten by selinux. And plenty of boring routine admin to do, like making sure sshd is the only network daemon to start at boot time!
I’ve also got some logistics to figure out, with two machines now sharing one desk. I think I may be able to plug both computers in to the same monitor, in which case I can just switch keyboard/mouse to move from one to t’other. The Sun monitor is indeed luxury!
niq's soapbox 
