Cover V11, I04



Questions and Answers

Amy Rich

Q I want to set up IP Multipathing on my Netra T1. I've heard it's now possible with Solaris 8, but it doesn't seem to be well covered in the docs. Any pointers?

A First, be sure that you have have media dated 10/00 or later; that's when multipathing was introduced. There are several reference documents that will be of use to you.

  • An article on the blueprints site:
  • The IP Network Multipathing Administration Guide:
  • A Sys Admin article written by Peter Baer Galvin:
  • A short HOW-TO style document, by Doug Hughes:
The basic steps are:

1. Make sure you have two working NICs in your machine (the Netra T1 comes with two already, so you should be fine there).

2. Configure the machine to use actual Ethernet addresses by doing:

eeprom 'local-mac-address?=true'
3. Obtain four IP addresses (two floating public addresses, one for each NIC, and two fixed private addresses, one for each NIC).

4. Create /etc/host entries for all four IPs, tying the actual machine name to one of the public IPs.

5. Set up the secondary interface to use a different MAC address.

6. Create /etc/hostname.<interface> files according to the hostnames you defined in /etc/hosts.

7. Tweak failover parameters in /etc/default/mpathd.

If you're using more than two NICs, be sure to take that into account for the above numbers (two IPs per NIC). I suggest reading Doug's document for some tips and examples to help you along.

Q I want to automatically sync a few directories from one AIX server to a bunch of FreeBSD clients. The transfer will take place over the public network and the data is somewhat sensitive, so both the authentication and data transfer have to be encrypted. I've taken a look at things like scp and sftp, but I don't want to transfer all of the files every night if nothing has changed. There also doesn't seem to be any good way to automate things since I don't want to have to use expect. Any suggestions?

A There are a few programs that are well suited for just this sort of application, and you can do them securely if you already have ssh. For starters, take a look at rsync ( This is probably the best tool for what you're trying to accomplish, since you mentioned that you only want to sync a few directories. If you're looking for something more flexible and powerful, try cfengine (

You can also combine the two and have cfengine use rsync over ssh for its file transfers. Take a look at the following page to get you started if you're interested in combining the two:
I also suggest doing ssh DSA key authentication (with no passphrase) if you're setting up a simple automated job via ssh. Using DSA auth allows you to limit the action that ssh can take when the key is used. This example is for using rsync over OpenSSH and would exist as $HOME/.ssh/authorized_keys2 on the machine from which you're trying to pull down (MachineA):

command="/usr/local/bin/rsync --server --sender -vur . /Directory/To/Sync/"  <key>
<key> would be the $HOME/.ssh/ from the machine on which you're calling rsync (MachineB) and would be of the form:

ssh-dss <a long string of characters> remoteuser@remotehost
So, to copy MachineA:/Directory/To/Sync to MachineB:/Local/Directory, execute the following command from MachineB:

/usr/local/bin/rsync -vure "/usr/local/bin/ssh -c blowfish" machineA:/Directory/To/Sync /Local/Directory
The user executing this command must be able to read all of the files in MachineA:/Directory/To/Sync and be able to write to MachineB:/Local/Directory, of course.

Q Our environment here is completely Solaris (Ultra SPARCs). I've advocated getting KVM switches for our machine room since I've found them to be invaluable in the past. When I proposed this idea in a meeting, however, the developers declared that KVM switches are unnecessary because everything can be done via the network. The developers have been here longer than I have, so they have more sway with the president of the company (we're fairly small). I'm looking for suggestions to help me convince the president that we should purchase KVMs because they'll make my job as a sysadmin easier. Any tips on how I can sway him to my point of view?

A I'm afraid that I'll have to side with your developers on this issue. If you're doing PC administration, then KVMs are pretty much the only way to go. They're primarily designed to get around the BIOS bootstrapping issue. Since you have all Suns at your workplace, though, you have the OBP, making the KVMs unnecessary and, in some cases, a hindrance. As your developers stated, most things can indeed be done over the network (all X applications, for example, if you actually have X installed on your servers), and those things that can't be, usually need to be done at the prom (OBP) level.

What you really want to push for is a terminal server, and I'm betting that you can probably sway both the developers and the president to your cause on that account. It would be optimal if you get a modem card and a terminal to attach to the terminal server for instances where the network is completely down. If you have the budget, also get an IP addressable power switch so you can remotely power-cycle machines.

Here are a few points you can bring up in your crusade to get a terminal server. Upper management especially wants to know what it will save them on the bottom line, so be sure to emphasize monetary savings when possible:

  • Multiple people can use the terminal server to connect to multiple machine consoles at the same time (this is many-to-many, unlike a KVM, which is one-to-many).
  • The terminal server can be set up for encrypted logins if you purchase a terminal server that supports ssh.
  • The terminal server can be set up on a restricted network to further protect console access.
  • The terminal server will occupy less space in the machine room (fewer cables and no monitors, keyboards, or mice).
  • Sys admins do not have to work in the unpleasant conditions (cold, not ergonomic, etc.) of the machine room. There also will be less waste of energy in the machine room and less chance that someone will accidentally trip over a network cable or power cord.
  • Many terminal servers have some sort of capture buffer so that quickly scrolling errors or boot sequences can be logged and reviewed for speedier debugging.
  • Hardware costs are lower. For example, many terminal servers can be had for less money than most KVMs that support Suns.
  • No need to purchase frame buffers, mice, and keyboards for all systems.
  • KVM cables are more costly than serial cables (which you can make in-house fairly easily if you have to).
  • You can also hook up your network equipment and other non-PC hardware to the terminal server.
  • Some Sun machines (e.g., the Netra X1s and T1s) do not have a slot for a frame buffer and the console MUST be accessed via the serial port. Extra hardware would have to be purchased for these machines anyway.
  • Remote administration via a terminal server allows separation of administrative power and physical access. This can be especially important if you have customers at remote sites or machines co-located in cages.
  • Remote administration allows the sys admin to respond more quickly to off-hour incidents, which can save big bucks in downtime and overtime/comptime costs.

Good luck getting your new hardware!

Q I'm ssh'ing from a Windows box to a UNIX box and running screen. I've tried putty, ttssh, and SecureCRT, and they all exhibit the following problem. When I hit Control-\ (which, preceded by the screen hotkey, should be mapped to quit in screen), everything dies, not just the window I'm in. According to the screen man page, I'm doing this right, but I'm seeing really unsuspected results. Is the man page incorrect, or have I done something wrong?

A Most likely Control-\ is set in to quit in your shell session. If you do:

stty -a | grep quit
and you see:

quit = ^\
you've found your culprit. To disable this in the shell, you can do the following in the shell from which you start screen:

stty quit undef
You can also use the screen hotkey and then type in :quit instead of Control-\ if you don't want to change your shell settings.

Q We've made a bunch of custom Solaris 8 packages for our customers to install on their machines. When we find the occasional bug, we want to make patches available to them for download, instead of making them install the whole package again (this also makes it easier to track which version they really have installed with showrev -p). I know how to make the packages, but I've never seen documentation on how to make patch files. Looking at the patches from Sun, they should be somewhat similar, but I'm not sure what the actual differences are. Will I need to use pkgadd to add my patches, or is there some way I can create patch files that can be applied with patchadd?

A You're correct in assuming that patches are just like packages in many respects. A patch is what's sometimes called a "sparse" package. For those people who aren't familiar with package creation, take a look at:
As part of that document, there's a section on Advanced Packaging Techniques. Under this book, they cover creating patch files, among other things:
The sections on patches cover the six basic parts to a patch file:

  • checkinstall script
  • preinstall script
  • Class Action script
  • postinstall script
  • patch_checkinstall script
  • post_checkinstall script

Looking at the examples they provide and dissecting some of the Solaris OS patches should give you a practical understanding of how to implement your own.

While it is possible to add the patch with the pkgadd command (it is, after all, just another package), you NEVER want to do this because it doesn't register the patch information with the database. That means it won't show up under showrev -p and you will lose the ability to back out the patch. Always add your patches with the patchadd command.

Q I have a FreeBSD 4.4-STABLE machine (800-MHz Duron) that keeps crashing when I run seti@home. I've also had it crash when I attempt to do a "make buildworld", but not when I do a simple kernel build. This machine is about two months old, and it stays up just fine unless I do one of those two things. Do I have bad hardware? Is it a FreeBSD incompatibility? Am I tickling some sort of weird bug somewhere?

A There is always some chance that you've hit a software bug or that you have bad hardware. The first place I'd look, though, is how hot your machine is running (CPU and case temperatures), verifying that it has proper cooling. Both seti@home and building the FreeBSD userland can be very CPU intensive, and some PCs do not ship with a sufficiently rated fan or heat sink for sustained intensive use. If you find that your CPU is running hot, you might want to try putting a small bit of thermal compound (just enough to fill in the irregularities on the chip surface, not so much that it's acting as an insulator) between your CPU and the existing heat sink. If that doesn't help, try replacing the fan and/or heat sink with a better one. You may have to go as far as to get a different case (or modify your existing case) if you're really tight on space.

If it's not a temperature issue, search through the FreeBSD mail archives ( for your chipset and OS revision. It could also be some other piece of hardware you have in the machine, too, so you may want to search for other pieces of hardware you have in or attached to the machine.

Q I want to add a CDRW drive to my Sun to pump out a large number of data CDs to be shipped to our branch offices overseas (doing the data transfer via network isn't an option). I know that Suns can be picky about the kind of devices that it will support (driver wise), so I was wondering if there was a blessed list of third party vendors/products from Sun. Also, what software should I be using to write the discs?

A Sun has a list of their supported third party I/O devices at:
Plextor has the most number of supported CDRW drives out, so that's probably your best bet. As to software, if you're using Solaris 8 10/00 or later, there is a tool called cdrw on your supplemental CD. If you have a pre-Solaris 8 OS, there's also Jörg Schilling's cdrecord; check out:örg.schilling/private/cdrecord.html
Jörg's page also contains some good CD/CDR/CDRW links.

Q I've installed TCP wrappers and am using it to allow/disallow IMAP access to a machine to allow some people to pick up their mail while giving the host some minimal protection. My /etc/hosts.deny file (tcp wrappers is compiled with -DPROCESS_OPTIONS to handle both allow and deny statements in the same file) looks similar to the following (the names and IPs have been replaced):

imapd : LOCAL 10.2.2. : ALLOW
ALL : ALL : banners /usr/local/etc/banners : DENY
Some of the allows seem to be working:

Feb 22 9:47:16 server imapd[11753]: connect from
But some seem to be failing:

Feb 22 10:19:13 server imapd[11753]: warning: can't verify hostname:  gethostbyname( failed
Feb 22 10:19:13 imapd[11753]: refused connect from is the IP address of in this case. So, why does tcp wrappers allow the first connection through, but not the latter? They're both checking IPs and not hostnames. Why does gethostbyname even come into the picture?

A It sounds like you've compiled tcp wrappers with -DPARANOID. If the forward and reverse resolutions don't match, then tcp wrappers won't even look at your ALLOW and DENY rules. The correct way to solve your problem is to fix your DNS. If you disable PARANOID when you compile, though, this should also allow these people to pick up their mail. You are, of course, sacrificing security when you do that. If you want to take a middle approach to security, compile without -DPARANOID but have the following lines:

imapd : 192.168.2. : ALLOW
imapd : PARANOID : banners /usr/local/etc/banners : DENY
imapd : LOCAL 192.168.2. 10.2.2. : ALLOW
ALL : ALL : banners /usr/local/etc/banners : DENY
This way the machines with the bogus DNS entries can pick up their mail, but you then check for mismatched forward and reverse name resolution before you allow anything else.

Q I have a quick and, hopefully, easy Perl question. I'm writing a script to do reporting for a number of clustered Web servers. All of these servers are named webNN, where the N's are digits. The problem I'm having is that I'm trying to do a foreach loop like the following:

foreach $servernum (01, 02, 11, 12) {
  print "web$servernum\n";
I wind up with web10 and greater printed out correctly, but web01 coming out as web1. Obviously, this isn't going to work since I later need to do pattern matching based on the name. Is there a way to get the machine names to print out correctly?

A As long as you don't have machine names greater then 99 (i.e., you will ALWAYS have two digits), you can do the following:

foreach $servernum (1, 2, 11, 12) {
  printf ("web%02d\n", $servernum);
A leading 0 on a number will indicate to Perl that you want to use octal numbers, so make sure to leave out the leading 0 for 1-9. If you use 01 instead of 1, Perl will error, complaining that you're using an illegal octal digit in your print statement.

Amy Rich, president of the Boston-based Oceanwave Consulting, Inc. (, has been a UNIX systems administrator for more than five years. She received a BSCS at Worcester Polytechnic Institute, and can be reached at: