illumos watch for December 2015

libdladm ncurses dependency removal

Yuri Pankov spotted and removed a libncurses dependency that lived in libdladm. Raised as 4008: libdladm should not have a curses UI inside. So if you or your tools used dladm show-link -S or flowstat -S, those options are going to go away.

Several commands/libraries build missing LDLIBS

From Yuri Pankov again, a fix for the build process, where commands and libraries were missing proper LDLIBS, leading to linking outside the proto area. This fixes 6492: Several commands/libraries build missing LDLIBS. As a consequence, it broke the build process, as reported by Andrew Stormont, and that was quickly fixed by Yuri.

6057: login(1) "Last login" hostname is too short

Lauri Tirkkonen resent for review his fix for the "Last login" line being only 16 characters long, too short for IPv6 addresses. There was a short discussion and the issue is now closed.

Moving gettext to alternate directory

Igor Kozhukhov proposed moving illumos gettext to the /system/bin/ directory, so that GNU gettext can be swapped in. His reasoning is that it's much easier to work on a distribution if the original is put aside.
After some discussion, with developers asking for specific reasons for this move, Garrett D'Amore posted two mails strongly objecting to the change. In a similar vein to a post from Peter Tribble, he says:
I have a pretty strong objection to replacing our version by default with a GPL version from GNU.

If our default gettext can be improved to be more compatible with GNU gettext I’m in favor of that. Otherwise for 3rd party packages that need GNU specific features, they should be handled in their configure or packaging meta data.

What distributions do is up to the distributions, but please don’t start an ugly precedent by replacing CDDL or BSD licensed illumos versions of tools with GNU stuff. Not all of us are drinking from the Linux kool-aid trough.

(I think GNU gettext may actually have its own ugly dependency list too; stuff that is not a problem for a major distribution to deal with, but is extremely problematic for folks trying to build minimal systems or appliance-type configurations from illumos.)

The thread seems to have died on this.

6496 Panic in qlc with QLE2460 in PCI passthrough mode on ESXi

Yuri Pankov sent a short note accompanying the fix for 6496: Panic in qlc with QLE2460 in PCI passthrough mode on ESXi:
As it's not a common use case, simply disable MSI-X in qlc driver if running under VMware hypervisor, which seems to solve the problem - I was able to attach the LUN, create pool, and write some data to it.

It led to a few reviews and corrections and, at some point, a request for root cause analysis from Garrett D'Amore:
I'd like more info as to why MSI-X has to be disabled on VMware. Is this a problem specific to this device or something more generic. The code looks ok I just want to see a little more root cause analysis. A comment explaining this in the code would be good too.

Richard Elling sent a link to a VMware Knowledge Base article that seems to describe the likely culprit. It appears that, while using Interrupt Remapping, some PCI devices may stop responding to the guest system in ESXi 6.0.x, ESXi 5.x and ESXi/ESX 4.1. The workaround is to disable MSI-X. Garrett noted in his mail that, since the change doesn't come from a fully understood root cause, the better option may be leaving the driver intact and disabling MSI-X globally on affected systems.
The tunable linked to by Yuri in his mail is:
ql_disable_msix
There were no new mails in the thread after this one.

illumos developer's guide

Surfaced once more, in a two-mail thread. It is worth a reminder from time to time: there is ongoing work on the illumos developer's guide, a book on building illumos, creating webrevs and sending them for integration.

OpenIndiana Roadmap

The roadmap thread is back. The thread is long and there are many voices in it. Overall, the conclusion from reading it is the same: OpenIndiana needs active developers, package maintainers and documentation writers.

PCRE update for OmniOS

Dan McDonald posted information about a PCRE update:
Several CVEs have been filed against PCRE (Perl Compatible Regular Expressions). All supported versions of OmniOS (r151006, r151014, and r151016) have updates of PCRE to version 8.38.

This is a non-reboot-needed update, but you may need to restart certain services, especially those not provided by the system.

Thanks,
Dan

OpenSSL updates for OmniOS

From Dan McDonald again:

OpenSSL 1.0.2e is now available for LTS (r151014), Stable (r151016), and will also be ready for the next large update of bloody.

OpenSSL 1.0.1q is now available for old-LTS (r151006).

Additionally, LTS receives a bump to wget, to work better with modern HTTPS servers, and old-LTS gets a bump in "entire", due to a previous packaging error.

These are SECURITY FIXES and you should "pkg update" as soon as possible.

Dan

Security updates for zones

Martin Waldenvik asked how to run security updates in OmniOS zones. The answer came from Dan:
If it's just openssl, you can do pkg update in each zone.

Use "pkg update -nv" to confirm things. And use "pkg update --no-backup-be" to prevent backup-BEs from being created.

You do know that the "lipkg" zones are linked to global, and update when the global does, right? :)

Dan

Possible MIM for OmniOS AMI r151012 or earlier

Dan McDonald issued a warning to OmniOS Discuss Mailing List:
If you are using any OmniOS AMI r151012 or earlier, please read this. If you're using r151014, you may ignore this message.

It has come to our attention that some of the older OmniOS images, including images for r151006 and r151012, may have stored SSH host keys included with them, which could be used to execute a man in the middle attack.

If you are currently running one of these older versions, we suggest you verify and regenerate your keys, and/or move to a current OmniOS AMI.

For r151006 users, there is a new image named "OmniOS r151006 LTS" which should be available in your region. We recommend that users of r151012 (and any other older versions which are now ESOL) move to a current r151014 AMI.

Again, the OmniOS r151014 AMIs DO NOT HAVE stored SSH host keys and are *NOT* vulnerable.

Thanks and sorry for any inconvenience,

Dan

p.s. This is also on the AWS forums: https://forums.aws.amazon.com/thread.jspa?threadID=221330
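
One way to carry out the "verify" step across a fleet is to look for instances that present the same SSH host key, which is what a key stored in the image produces. This is an added example, not part of Dan's mail or of OmniOS; it assumes input in the "host keytype base64-key" form that ssh-keyscan prints, and the hostnames and key blobs below are constructed.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Map (keytype, fingerprint) -> sorted hosts, only for keys seen on 2+ hosts."""
    hosts = defaultdict(set)
    for line in scan_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue  # skip comments, blank lines and truncated entries
        host, keytype, blob = parts[:3]
        try:
            hosts[(keytype, fingerprint(blob))].add(host)
        except ValueError:
            continue  # undecodable key blob (binascii.Error is a ValueError)
    return {key: sorted(names) for key, names in hosts.items() if len(names) > 1}

def _constructed_blob(seed):
    """Constructed test data: SSH wire-format blob with a fake 32-byte Ed25519 key."""
    name, key = b"ssh-ed25519", hashlib.sha256(seed).digest()
    wire = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return base64.b64encode(wire).decode()

# Constructed sample: two instances still carry the key stored in the image,
# the third generated its own key.
BAKED = _constructed_blob(b"key stored in the image")
SAMPLE_SCAN = "\n".join([
    "# constructed ssh-keyscan output",
    f"host-a.example ssh-ed25519 {BAKED}",
    f"host-b.example ssh-ed25519 {BAKED}",
    f"host-c.example ssh-ed25519 {_constructed_blob(b'generated on first boot')}",
])

if __name__ == "__main__":
    for (keytype, fp), names in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{keytype} {fp} shared by: {', '.join(names)}")
```

Any host reported here should have its host keys regenerated; the printed fingerprint can be compared with what ssh-keygen -lf shows for the key file on the instance.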

OmniOS: Updates for LTS (r151014) and Stable (r151016)

OmniOS got updates for stable and LTS:
The updates for LTS and Stable are identical this time. New release media is out, and if you "pkg update" you will need to reboot, because of kernel ZFS changes.

This update includes:

* BIND security update to 9.10.3-P2

* ZFS receives now replication streams with a refquota even if older snapshots exceed it (illumos 4986). Includes new ZFS Test Suite test.

* OpenSSH now integrates with the illumos audit subsystem. Thanks to Joyent, and this is part of getting OpenSSH to match SunSSH's integrated functionality.

* NVMe bugfixes (illumos 6466 and 6467).

Modulo disaster, this will be the last update for calendar year 2015. After this week ends, I will be on vacation (just relaxing at home with my family), but I will be occasionally reading mail. My latency will be VERY HIGH after COB Friday, US/Eastern.

Have an enjoyable holiday season, whatever you do or don't celebrate, and catch you in 2016!

Dan

Multiboot SmartOS

Avi Deitcher asked on the SmartOS discuss mailing list how to multiboot SmartOS with other operating systems. This mail started a thread that resulted in a SmartOS Wiki page: Booting SmartOS from GRUB2.

Setting custom kernel driver parameters on boot

Jeff Goeke-Smith asked on the SmartOS discuss mailing list how to pass custom kernel parameters on boot.
The answer came from Nahum Shalman as a link to his blog post:
Overriding Driver Config Files on SmartOS