OpenSSL and Solaris 10

So if you are still running Solaris 10 and haven’t looked at the patches recently, Oracle bundled in OpenSSL 1.0.1 as a patch. While this was awesome to see an updated version, now that everyone should only be running TLSv1.2 on their websites, there are some issues. The main issue is that the GCC version that is supplied with Solaris 10 for what ever reason has /usr/sfw/include and /usr/sfw/lib hardcoded in to the gcc binary as the first Include and Library path. While I can understand why it was probably done to begin with, it makes compiling any software that needs an updated version of OpenSSL completely impossible.

For example say you wanted to compile a new *AMP stack, and wanted the latest version of Apache with SSL enabled. Well, it won’t work. It will by default use the old 0.9.7 OpenSSL libraries and include files. I spent days on this, even compiled my own version of OpenSSL and tried to link against it, still wouldn’t work and kept linking against the 0.9.7 ones..

So how to fix this? Well you could build your own version of GCC, which in and of itself is not an easy task. You also can’t remove the OpenSSL 0.9.7 libraries as there is a lot that depends on it. So if you read the patch notes for the new OpenSSL they give some “recipes” on ways to maybe possibly fix it during compile time. Which for me did not work. So what I ended up doing was this:

 

  1. In /usr/sfw/include I moved the openssl directory to .openssl. The new 1.0.1 includes are in /usr/include/openssl.
  2. In /usr/sfw/lib I removed the symlink from libssl.so and libcrypto.so. Also did this in /usr/sfw/lib/amd64. This allows those apps that are using the actual libssl.so.0.9.7 to still run, but compile time stuff can’t find them.

Once I did that, I went back to the apache directory and did the compile and yippie, it was against the /usr/lib/libcrypto.so.1.0.1 and /usr/lib/libssl.so.1.0.1, which also meant that I could limit Apache to only use TLSv1.2.

 

So If this helps just one person, great.. This was something that took me a few  weeks to figure out. I also should have noted that if I had fully read the readme in the patch that introduced OpenSSL it would have probably went a little faster… If you are worried about breaking stuff, once you get your compile done, you can put the symlinks back and move the openssl directory back to it’s original place.

N.B. I am not sure if the gcc in Solaris 11 has the same quirk.

RIP Sun Ray

Checking the daily tech news, I see tonight that Oracle is axing their ‘desktop virtualiaztion’. What this really means is the end of the Sun Ray. Such a sad day for those “Sun” people who worked on that and brought the “Network is the Computer” to reality. I remember getting my first Sun Ray (Sun Ray 1) from some Sun guys in Texas. It was awesome, hooked it up to a Sun Blade 100 and now had 2 “heads” on it. I then went on to recommend it for the rest of my group and then the rest of the office. It was nice when I figured out how to make them work from home before Sun made them work with DNS. Once they did that, we got them for the rest of our office to take home as well.

How awesome was it to start something at work or home, and pull the card out and go to the other office and your desktop was there. Same with going between datacenter’s. It truly was the best Thin Client I have ever dealt with. It is not a “chubby” client, but a true Thin Client. You will be missed, but not forgotten. If Oracle know what they have, they should open source the software so that it can be kept up and enhanced by the community of die hard Sun Ray enthusiasts.

sun ray fw rip

VMWare and Sun Gigaswift Ethernet cards

I began setting up my new sun server and san at home the other day.. (Picked up a Sun V20Z and a Sun T3 SAN Disk array very cheap)… Because I am going to be doing some IPv6 testing as well, I installed a Sun Gigaswift (aka Sun’s ce, Cassini Ethernet) card in to the machine along with the fibre channel card. I put the VMWare vSphere 4i cd in and went on with the install. But didn’t really pay attention that it did not see the CE card, just the two broadcom cards.. So I went ahead any ways thinking I will fix it later. But it seems that there is no drivers on the interweb for the Sun CE card for vmware? If any one knows of a place to get them let me know? Otherwise I will have to find a new card to use in it’s place.

Seeing Red – RIP Sun

Not sure how I feel now that Sun is no longer Sun. Kinda weird watching the Oracle web cast of their purchase of Sun and what is going to happen. One thing I can’t understand is they are all wearing badges saying “We’re Hiring!”. But yet they let go SO many good Sun employees. I just don’t think it is going to be the same old Sun that I have used since 1994.

RIP Sun 1982 – 2010

From http://blogs.sun.com/jag/

Sun Ray 5 Early Access part 2

I finally got time again to start playing with Sun Ray 5 Early Access software. Now my current setup probably should not be used for any type of test more than simple single/dual user testing. But I did not want to test the software on the current working server. So I decided to install it in a VMWare image on my Mac Pro. The Mac Pro is more than suited to handle it and had plenty of free memory/processor/storage to use so there was no contention (I gave the VM 4 processors and 8 gig of ram)..

The kicker was getting VMWare Fusion to actually allocate the network cards the way I needed them. I gave the VM 2 nics (the Mac Pro has 2), however the only options that VMWare Fusion let you do is NAT, Host-Only, and Bridged. None of which will work if I want a private network for the Sun Ray’s. To fix this you will need to go and edit some files that VMWare Fusion uses. What I had to do was the following:

1. Open up the Terminal app
2. Edit the file /Library/Application Support/VMware Fusion/boot.sh

sudo vi /Library/Application\ Support/VMware\ Fusion/boot.sh

3. Comment out the following line:

"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 ''

And then add 2 lines directly below that line, which tells vmware to bind the en0 physical device to the vmnet0 virtual device, same for en1 to vmnet2. Note you can not use vmnet1 or vmnet8 as those are for NAT and Host-only connections.

"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet0.pid vmnet0 en0
"$LIBDIR/vmnet-bridge" -d /var/run/vmnet-bridge-vmnet2.pid vmnet2 en1

Once done, do the following:

sudo /Library/Application\ Support/VMware\ Fusion/boot.sh --restart

Now go in to your Mac System Preferences and configure the second network card for a private subnet (i.e. 192.168.128.0/24, and set the IP to be something like 192.168.128.254).

Now make sure that your VM is NOT started and is in a powered off state. Go in to the VM and under the settings for that VM add another network adapter, make sure it is selected as “Connected” it doesn’t matter what the device is configured to as we will change it later to an option that is not shown in that list.

Now you need to change the .VMX file so that it can use the new network device. So go in to the directory where you have your VM’s at and then cd in to the machine.vmwarevm directory (For example mine is called SolarisDev.vmwarevm)

Once in there you will need to edit the vmx file, mine is called SolarisDev.vmx. The first thing we are going to change is the ethernet0.connectionType property. Right now it could be any of the ones listed (host-only,bridged, nat). But we are going to change this to “custom”:

ethernet0.connectionType="custom"

Next find the entry for ethernet0.vnet, if it doesn’t exist create it and make it look like the line below. If it does exist and doesn’t match that below, make it match that:

ethernet0.vnet = "vmnet0"

Now we need to do the same for the ethernet1 entries. The only difference to what is above is vmnet0 changes to vmnet2. Once the changes are made you can save the file and start up your Solaris VM. Now what ever network is on your en0 connection on your Mac should be what is connected to the e1000g0 network on the Solaris side. I used the e1000g0 as the “public” side of the Sun Ray server. The e1000g1 interface will be what ever is connected on the en1 connection on the Mac side. I used this adapter for the private Sun Ray Lan.

You should be able to finish following the instructions on the Sun Ray wiki now and get everything configured.

To test the soft client, I set up LAN Connections on the Sun Ray Server:

/opt/SUNWut/sbin/utadm -L on

I then installed the soft client in another VM on the same machine that only had access to the public network. You then can tell the soft client what the IP of the Sun Ray server is and it will connect. Pretty darn cool that the soft client works with minimal config.

This can probably be done on a MacBook Pro as well, if you use the wireless connection as the public side and the wired as the private side. Nice way to do a little demo in one computer.

For reference here is what my network section of the .vmx file looks like :

ethernet0.addressType = "generated"
ethernet0.connectionType = "custom"
ethernet0.generatedAddress = "00:0c:29:f8:29:3b"
ethernet0.generatedAddressOffset = "0"
ethernet0.linkStatePropagation.enable = "TRUE"
ethernet0.pciSlotNumber = "32"
ethernet0.present = "TRUE"
ethernet0.virtualDev = "e1000"
ethernet0.vnet = "vmnet0"
ethernet0.wakeOnPcktRcv = "FALSE"
ethernet1.addressType = "generated"
ethernet1.connectionType = "custom"
ethernet1.generatedAddress = "00:0c:29:f8:29:45"
ethernet1.generatedAddressOffset = "10"
ethernet1.linkStatePropagation.enable = "TRUE"
ethernet1.pciSlotNumber = "35"
ethernet1.present = "TRUE"
ethernet1.virtualDev = "e1000"
ethernet1.vnet = "vmnet2"
ethernet1.wakeOnPcktRcv = "FALSE"

References:
Sun Ray Software 4.2 Wiki: http://wikis.sun.com/display/SRSS4dot2/Home