OmniOS Community Edition r151028b OmniOS Community Edition

OmniOS Community Edition release r151028b is now available.

r151028b (2018-11-12)

Weekly release for w/c 12th of November 2018.

This is a non-reboot update.

Updates

  • ipmitool updated to fix crash when doing AES encryption with lanplus;
  • Updated illumos-gate build templates in developer/build/onbld;
  • developer/illumos-tools updated to include python-35 and gcc7;
  • Installer updated to set default route without requiring an additional reboot.

New installation media have been prepared for this release and can be found at https://omniosce.org/download

For more details, see https://omniosce.org/releasenotes

Any problems or questions, please get in touch via the lobby or #omnios on Freenode

Time-based One-time Passwords Josef "Jeff" Sipek

Recently I ended up playing with Time-based One-time Passwords as a second factor when authenticating with various services. When I saw an RFC referenced in the references section of the Wikipedia article, I looked at it to get a better idea of how complicated the algorithm really is. It turns out that TOTP is very simple. So simple that I couldn’t help but put together a quick and dirty implementation in Python.

TOTP itself is documented in RFC 6238. It is a rather short RFC, but that’s because all it really says is “use HOTP and feed it these values”.

HOTP is documented in RFC 4226. This RFC is a bit longer since it has to describe how the counter value gets hashed and the resulting digest gets mangled. Reading it, one will learn that the HMAC-SHA1 is the basic building block of HOTP.

HMAC is documented in RFC 2104.

With these three documents (and a working implementation of SHA1), it is possible to implement your own TOTP.

The Key

If you follow those four RFCs, you’ll have a working TOTP. However, that’s not enough to make use of the code. The whole algorithm is predicated on having a pre-shared secret—a key. Typically, the service you are enabling TOTP for will issue you a key and you have to feed it into the algorithm to start generating passwords. Since showing the user the key in binary is not feasible, some sort of encoding is needed.

I couldn’t find any RFC that documents best practices for sharing the key with the user. After a while, I found a Google Authenticator wiki page describing the format of the key URIs used by Google Authenticator.

It turns out that this is a very common format. It uses a base32 encoding with the padding stripped. (Base32 is documented in RFC 4648.)

The “tricky” part is recreating this padding to make the decoder happy. Since base32 works on 40-bit groups (it converts between 5 raw bytes and 8 base-32 chars), we must pad to the nearest 40-bit group.

The Code

I tried to avoid implementing HMAC-SHA1, but I couldn’t find it in any of the modules Python ships with. Since it is a simple enough algorithm, I implemented it as well. Sadly, it nearly doubles the size of the code.

Warning: This is proof-of-concept quality code. Do not use it in production.

# Python 3
import struct
import hashlib
import base64
import time

# The pre-shared secret (base32 encoded):
key = "VGMT4NSHA2AWVOR6"

def HMAC(k, data, B=64):
    # HMAC-SHA1 as described in RFC 2104; B is the hash block size in bytes
    def H(m):
        return hashlib.sha1(m).digest()

    # keys too long get hashed
    if len(k) > B:
        k = H(k)

    # keys too short get padded
    if len(k) < B:
        k = k + (b"\x00" * (B - len(k)))

    ikey = bytes(x ^ 0x36 for x in k)
    okey = bytes(x ^ 0x5c for x in k)

    return H(okey + H(ikey + data))

def hotp(K, C, DIGITS=6):
    def Truncate(inp):
        # the low nibble of the last digest byte selects a 4-byte window
        off = inp[19] & 0xf

        x = inp[off:(off+4)]

        # drop the top bit so the result is a positive 31-bit integer
        return ((x[0] & 0x7f) << 24) | (x[1] << 16) | (x[2] << 8) | x[3]

    return Truncate(HMAC(K, struct.pack(">Q", C))) % (10 ** DIGITS)

def totp(K, T=None, X=30, T0=0, DIGITS=6):
    # read the clock at call time, not once when the function is defined
    if T is None:
        T = time.time()
    return hotp(K, int(T - T0) // int(X), DIGITS=DIGITS)

# pad to the nearest 40-bit group
if len(key) % 8 != 0:
    key = key + ("=" * (8 - (len(key) % 8)))

key = base64.b32decode(key.upper())

print(time.ctime(), time.time())
print("TOTP: %06d" % totp(key))

This code is far from optimal, but I think it nicely demonstrates the simplicity of TOTP.
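The key-handling side of the post (key URI, stripped base32 padding) together with server-side checking, as an added example that is not the author's code. It uses the standard library's hmac module, assumes the `secret`, `digits`, `period` and `algorithm` query parameters of the Google Authenticator key URI format, and the sample URI, account label and the ±1 step acceptance window are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
              "SHA512": hashlib.sha512}

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")


def decode_secret(secret):
    """Decode a base32 key whose trailing '=' padding was stripped."""
    s = "".join(secret.split()).replace("-", "").upper().rstrip("=")
    # 5 raw bytes <-> 8 chars, so a partial last group holds 2, 4, 5 or 7
    # chars; 1, 3 or 6 leftover chars cannot come from whole bytes.
    if len(s) % 8 in (1, 3, 6):
        raise ValueError("impossible base32 length: %d" % len(s))
    s += "=" * (-len(s) % 8)          # pad to the next 40-bit group
    key = base64.b32decode(s)         # raises ValueError on bad characters
    if not key:
        raise ValueError("empty key")
    return key


def parse_key_uri(uri):
    """Turn an otpauth://totp/... key URI into the parameters TOTP needs."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = {k: v[-1] for k, v in parse_qs(parts.query).items()}
    if "secret" not in query:
        raise ValueError("key URI carries no secret")
    algorithm = query.get("algorithm", "SHA1").upper()
    digits = int(query.get("digits", "6"))
    period = int(query.get("period", "30"))
    if algorithm not in ALGORITHMS or digits not in (6, 8) or period <= 0:
        raise ValueError("unsupported algorithm, digits or period")
    return {"label": unquote(parts.path.lstrip("/")),
            "key": decode_secret(query["secret"]),
            "algorithm": algorithm, "digits": digits, "period": period}


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP; returns the code as a zero-padded string."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    off = mac[-1] & 0x0F              # dynamic truncation offset
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


def totp(params, now=None):
    """RFC 6238 TOTP for parsed key-URI parameters (T0 = 0)."""
    now = time.time() if now is None else now
    return hotp(params["key"], int(now) // params["period"],
                params["digits"], ALGORITHMS[params["algorithm"]])


def verify(params, candidate, now=None, window=1):
    """Accept a code from the current step or +/- `window` steps of drift."""
    now = time.time() if now is None else now
    step = int(now) // params["period"]
    ok = False
    for counter in range(max(0, step - window), step + window + 1):
        expected = hotp(params["key"], counter, params["digits"],
                        ALGORITHMS[params["algorithm"]])
        # Constant-time compare with no early exit, so timing does not
        # reveal which step (if any) matched.
        ok |= hmac.compare_digest(expected.encode(), str(candidate).encode())
    return ok


if __name__ == "__main__":
    p = parse_key_uri(SAMPLE_URI)
    print(p["label"], totp(p))
```

A real verifier would also record the last accepted time step per user and reject any code at or before it, so that an observed code cannot be replayed inside the window.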


Building ripgrep on illumos Minimal Solaris

Last night I tried to build ripgrep (grep on steroids). Of course I used Nexenta, but everything below will work for any illumos distribution. ripgrep is written in Rust and we can get the latest Rust version with pkgin (many thanks to Jonathan Perkin):


$ pkgin search rust
...
rust-1.30.0 = Safe, concurrent, practical language

...
$ pkgin install rust
$ export PATH=$PATH:/opt/local/bin

Building ripgrep:


$ git clone https://github.com/BurntSushi/ripgrep
$ cd ripgrep
$ cargo build --release
Updating crates.io index

warning: spurious network error (2 tries remaining): no Content-Type header in response; class=Net (12)
warning: spurious network error (1 tries remaining): no Content-Type header in response; class=Net (12)
error: failed to update registry `https://github.com/rust-lang/crates.io-index

Caused by:
failed to fetch `https://github.com/rust-lang/crates.io-index

Caused by:
no Content-Type header in response; class=Net (12)

Bang! If you get this error, clone the crates.io-index git repository into the .cargo directory in your $HOME:


$ cd ~/.cargo
$ git clone --bare https://github.com/rust-lang/crates.io-index.git

Then create .cargo/config file:


$ cat .cargo/config
[registry]
index = "file:///home/alhazred/.cargo/crates.io-index.git"

Now the build will succeed:

$ cargo build --release
...
$ ./target/release/rg --version
ripgrep 0.10.0 (rev fb62266620)
-SIMD -AVX (compiled)
+SIMD -AVX (runtime)

Now you can compare ripgrep's speed and performance with the usual grep. See Andrew Gallant's Blog for more information.

OmniOS Community Edition r151028 OmniOS Community Edition

The OmniOS Community Edition Association is proud to announce the general availability of OmniOSce - r151028.

OmniOSce is published according to a 6-month release cycle; r151028 takes over from r151026, published in May 2018. The next LTS release is scheduled for May 2019. The old stable r151024 release is now end-of-lifed and will no longer receive updates. See the release schedule for further details.

This is only a small selection of the new features, and bug fixes in the new release; review the release notes for full details.

New Features

The OmniOSce team and the illumos community have been very active in creating new features and improving existing ones over the last 6 months. Highlights of this new release include:

  • Production-ready bhyve hypervisor. For years, OmniOS has provided a Linux KVM-based hypervisor. With this release, we are adding a second option. The bhyve hypervisor from the BSD world has been made a first-class illumos component through the combined efforts of Pluribus Networks and Joyent, with extra help from the FreeBSD community. It provides massively faster disk and network I/O than the KVM hypervisor, as it does not rely on QEMU emulation for these services but comes with a super-optimised native driver implementation.

  • Branded zones for bhyve and KVM virtual machines. Running a virtual machine inside a zone provides an additional layer of security as any success in breaking out of the virtual machine container will only result in access to the branded zone which itself guarantees strong isolation from the global zone. On top of added security, zones also provide protection against hyper-threading attacks such as L1TF and Portsmash, and allow strict resource controls for cpu, disk and network access. Our website contains documentation on how to make use of these new zone types.

  • ZFS support for mounting filesystems in parallel. This significantly improves boot time for systems with many filesystems.

  • All userland tools are now compiled with gcc7 and several 32-bit only packages have been moved to 64-bit only.

  • Many packages have been updated to newer releases like Python 3.5, Perl 5.28, OpenSSL 1.1. And developers can now start using gcc 8 on OmniOS.

New Hardware Support

  • Emulex 31000/32000-based Fibrechannel cards.
  • ATTO Celerity FC-162E Gen 5 and Celerity FC-162P Gen 6 Fibrechannel cards.
  • QLogic 16Gb/s Gen5/6 fibrechannel cards.
  • QLogic QL41000/45000 series devices.
  • NVMe 1.3 devices.
  • SMB access to some HP scanner models.

Release Notes and Upgrade Instructions

This is only a small selection of the new features, and bug fixes in the new release; review the release notes for full details and find upgrade instructions at omniosce.org/upgrade

OmniOSce Newsletter

Since the start of OmniOS Community Edition project, we have predominantly announced our new releases via twitter. With r151028 we are now also offering a newsletter with announcements of updates, bug fixes and new releases. You can subscribe here.

Commercial Support

Have you ever wondered how OmniOS development gets financed? You may have noticed that there is no big company bankrolling it all. The way we keep afloat is by the companies who rely on OmniOS powered servers taking out support contracts for their hardware. How about you? Visit omniosce.org/support for more details and to generate a quote. If you aren’t in a position to take a support contract, please consider becoming an OmniOS patron to help secure its future - omniosce.org/patron.

About OmniOS Community Edition Association - this Swiss Association is responsible for the ongoing development and maintenance of OmniOS, having been established in Summer 2017 after OmniTI announced their withdrawal from the project.

OmniOSce Association Aarweg 17, 4600 Olten, Switzerland

OmniOS Community Edition r151026aa, r151022by OmniOS Community Edition

OmniOS Community Edition releases r151026aa & r151022by are now available.

Weekly releases for w/c 5th of November 2018.

For more details, see https://omniosce.org/releasenotes

Any problems or questions, please get in touch via the lobby or #omnios on Freenode

Tribblix and the python transition The Trouble with Tribbles...

It's been over a decade since python 3 came out, and a lot of the world is still using python 2.

But we're at the point now where the world has said enough is enough, and it's time to finally get the 2-to-3 transition over with.

And while Tribblix is all about retro styling, it's also all about keeping up. So I put together a plan for migrating Tribblix from python 2 to python 3.

  • Ship all the modules for python 3 as well as python 2, ready to switch
  • Move the python consumers (eg mercurial) across to python 3
  • Make python 3 the default
  • Deprecate and remove python 2

This is made a little easier by the fact that there's nothing in Tribblix itself that uses python directly - I haven't made the mistake of having my packaging system or anything like that written in python, for example.

There was a little wrinkle in all this. I had got this planned out, and then python 3.7 was just around the corner. So I ended up waiting a little, and put a python 3.6 to 3.7 transition at the beginning of the list.

So where am I right now? I've now got all the modules built and packaged for python 3.7, and python 3.6 has been removed from Tribblix. This was made somewhat easier by the fact that no packages in Tribblix yet depended on python 3 - the transition hadn't been started properly, so I could simply throw away all the python 3.6 stuff.

As an aside, this had the odd side effect that all the python 3.7 modules were packaged straight away for SPARC, whereas python 3.6 was never finished there - the 3.6 to 3.7 switch was all scripted, rather than manual, so was very little actual work. There were a couple of modules that needed to be updated anyway to work with 3.7 (pyyaml for example), and I took the opportunity to do a bunch of routine module updates at the same time.

So just having all the modules turned out to be nearly trivial. Now there's going to be a longer slog migrating all the python consumers across and making python 3 the default. (It might be easiest to make python 3 the default first, so that when building the consumers they automatically pick up the python I want.)

I was originally thinking of a fairly slow and structured approach where each step would be a point release of 3.7. But I'm well ahead of that already, and the remaining steps are likely to occur fairly promptly. (Or, as promptly as I have time to do the work.)

So it won't be long before we bid farewell to python 2 in Tribblix.

What is my sftp server doing? alp's notes

Well, I'm not familiar with DTrace, but sometimes I want to find out what some application is doing. In this case I wanted to monitor my sftp server. Luckily, most illumos distributions provide a DTrace patch (coming from Oracle Solaris) to find this out. Unluckily, I haven't found any documentation on it, just source code. After reading the Translators chapter of the DTrace Guide and looking at /usr/lib/dtrace/sftp.d, I came up with this:


dtrace -n 'sftp*:::transfer-done { printf ("%d: %s %s %s %d", pid, xlate <sftpinfo_t *>((sftpproto_t*)arg0)->sfi_pathname, xlate <sftpinfo_t *>((sftpproto_t*)arg0)->sfi_user, xlate <sftpinfo_t *>((sftpproto_t*)arg0)->sfi_operation, xlate <sftpinfo_t *>((sftpproto_t*)arg0)->sfi_nbytes ); }'

dtrace: description 'sftp*:::transfer-done ' matched 8 probes
CPU ID FUNCTION:NAME
1 80412 process_read:transfer-done 7409: /export/home/user/1.pp user read 1808
1 80412 process_read:transfer-done 7409: /export/home/user/1.pp user read 0
1 80411 process_write:transfer-done 7409: /export/home/user/1.pp user write 1808
1 80412 process_read:transfer-done 7409: /export/home/user/dtrace/poll.d user read 53
1 80412 process_read:transfer-done 7409: /export/home/user/dtrace/poll.d user read 53

Seems rather interesting to me.

Quest: creating one hundred zones alp's notes

Well, I need to create about one hundred zones once again. You could probably use ansible for this, but an old-fashioned man will do everything in shell. So: we have one "golden image" and have to create 100 zones like it. We could clone it, but with clones you get a wonderful issue - beadm activate fails in the zone. So we create zones and do send/receive manually. It looks like this:


#!/bin/bash
set -e

for i in $(seq 1 100); do

    # Create the interface for the zone
    dladm create-vnic -l e1000g1 hnet$i

    # Create the initial config
    TEMPFILE=$(mktemp /tmp/XXXXXXXXXXXXXXXXXX)
    cat > "$TEMPFILE" <<EOF
create -b
set zonepath=/zones/h$i
set autoboot=true
set ip-type=exclusive
add net
set physical=hnet$i
end
add capped-memory
set physical=2G
end
add rctl
set name=zone.max-swap
add value (priv=privileged,limit=2147483648,action=deny)
end
add rctl
set name=zone.max-locked-memory
add value (priv=privileged,limit=536870912,action=deny)
end
EOF

    zonecfg -z h$i -f "$TEMPFILE"
    zfs send -R data/zones/h0@initial | zfs recv -F data/zones/h$i

    # Zone tools should know that the zone is in the installed state, not configured.
    # Also, during installation zoneadm assigns a uuid to the zone (last field). We do this manually.
    uuid=$(uuidgen)
    gsed -i -e "/^h${i}:/ s/\$/${uuid}/" -e "/^h${i}:/ s/configured/installed/" /etc/zones/index
    zoneadm -z h$i mount

    # We know that the golden image IP address ends in 254, and change it
    addr=$((1+$i))
    sed -i -e "s:hnet0:hnet$i:g" -e "s:\.254:.$addr:g" /zones/h$i/root/etc/ipadm/ipadm.conf
    zoneadm -z h$i unmount
    zfs destroy data/zones/h$i@initial
    rm "$TEMPFILE"
    zoneadm -z h$i boot
done

A brief story of how you shouldn't promote your open source project alp's notes

I'll just leave it here https://github.com/jasperla/openbsd-wip/issues/86 . And will block any attempt to integrate Pale Moon in our repository. Just to protect our developers from such attitude and trolling.

Operating system materials alp's notes

https://drive.google.com/open?id=0B5aSh2tKvpqDdkVQM2Uzbnp2eVE

Does ip belong to network? alp's notes

It's so easy to check if an IP belongs to a network... Until you start doing this in shell. I've tried and finally got this. This version works in bash, dash and ksh... Good enough for me, but perhaps it could be optimized a bit to avoid cut usage. Our function gets two parameters - the IP address and the network in address/netmask format (the netmask given as a prefix length, e.g. /17). In fact we compare IPaddress & netmask and IPnetwork & netmask.


#!/bin/sh

belongs_network ()
{
    addr=$1
    network=$2

    # Split "address/prefix" into the network address and the prefix length
    netaddr=$(echo "$network" | cut -d / -f 1)
    netcdr=$(echo "$network" | cut -d / -f 2)

    a1=$(echo "$addr" | cut -d . -f 1)
    a2=$(echo "$addr" | cut -d . -f 2)
    a3=$(echo "$addr" | cut -d . -f 3)
    a4=$(echo "$addr" | cut -d . -f 4)

    n1=$(echo "$netaddr" | cut -d . -f 1)
    n2=$(echo "$netaddr" | cut -d . -f 2)
    n3=$(echo "$netaddr" | cut -d . -f 3)
    n4=$(echo "$netaddr" | cut -d . -f 4)

    # Shifting out the host bits leaves only the network part of each address
    ares=$((($a1*256*256*256+$a2*256*256+$a3*256+$a4)>>(32-$netcdr)))
    nres=$((($n1*256*256*256+$n2*256*256+$n3*256+$n4)>>(32-$netcdr)))

    if [ "$ares" -eq "$nres" ] ; then
        return 0
    else
        return 1
    fi
}

if belongs_network 10.208.103.255 10.208.128.0/17; then
    echo "belongs"
else
    echo "does not belong"
fi


Thank you, Oracle engineers alp's notes

After 2010, when Oracle acquired Sun, most of us, who followed OpenSolaris, were depressed. In one year one of the most advantageous operating systems was closed under steel curtain. Luckily, due to enormous efforts of community, of companies, dependent on OpenSolaris, the system survived. Currently we have several more or less successful illumos distributions, targeting different users. But nowadays there's a (of course, deserved) common negative feeling towards Oracle in illumos community. But let's speak from another point of view. Let's look at things, which illumos community (and in particular, OpenIndiana) got directly or indirectly from Oracle in recent years.

  • Our userland build system, which constantly evolves, however, in different directions, under Oracle control and in our distribution. But still a lot of components can be easily migrated between build systems.
  • A lot of software build recipes and patches, as a result, were borrowed, with small modifications, from Oracle userland-gate. The process is still going on.
  • We still borrow patches from Solaris pkg-gate. Also differences in underlying kernels are currently rather significant, a lot of changesets from pkg-gate can be ported to OpenIndiana pkg5 repository.
  • Of course, I can not avoid thanking Alan for his constant help in supporting Xorg subsystem and GUI parts of our distribution. He was always helpful to me and Aurélien.
  • Evidently, recent KMS work, integrated into OpenIndiana, wouldn't be possible without Oracle's open drm port, which was ported from Solaris to illumos by Martin Bochnig, and later independently ported and enhanced by Gordon Ross.
  • And of course, I cannot count the patches which were suggested to upstream projects by Oracle engineers. Just today, when I tried to solve two issues related to IPS and apache 2.4 interaction, I found two patches by Petr Sumbera fixing Apache issues on Solaris.

So, I want to use the chance and thank all Oracle Solaris engineers for their work on open source projects. I doubt that without them illumos could survive on a large scale. Perhaps we could be an excellent playground for ZFS development, but not a universal operating system...

Enterprise Information systems alp's notes

This year I'm going to read the "Enterprise Information systems" course for students of the Southern Federal University Institute for Advanced Technologies and Piezotechnics. The materials of this course will be appearing in this Microsoft Class Notebook Google docs link

Sending SMS notifications from OpenIndiana zone with Huawei E1550 alp's notes

I want to receive SMS notifications when something is terribly wrong in our data center. One part of the problem is OpenNMS, and we know how to configure it. But another part is actually sending SMS.

As the only physical server with normal USB ports that we have is a self-assembled SuperMicro storage running OpenIndiana, we want to create an OI zone which can send SMS. First of all, we'll need a USB modem. I use a Huawei E1550, which was already switched to modem-only mode (AT^U2DIAG=0) on a Windows PC. Let's look at prtconf -v (looking for HUAWEI):


device, instance #0
Driver properties:
name='pm-components' type=string items=3 dev=none
value='NAME= usbsacm0 Power' + '0=USB D3 State' + '3=USB D0 State'
Hardware properties:
name='driver-minor' type=int items=1
value=00000000
name='driver-major' type=int items=1
value=00000002
name='high-speed' type=boolean
name='configuration#' type=int items=1
value=00000001
name='usb-product-name' type=string items=1
value='HUAWEI Mobile'
name='usb-vendor-name' type=string items=1
value='HUAWEI Technology'
name='usb-raw-cfg-descriptors' type=byte items=85
value=09.02.55.00.03.01.03.e0.fa.09.04.00.00.03.ff.ff.ff.00.07.05.81.03.40.00.05.07.05.82.02.00.02.20.07.05.01.02.00.02.20.09.04.01.00.02.ff.ff.ff.00.07.05.83.02.00.02.20.07.05.02.02.00.02.20.09.04.02.00.02.ff.ff.ff.00.07.05.84.02.00.02.20.07.05.03.02.00.02.20
name='usb-dev-descriptor' type=byte items=18
value=12.01.00.02.00.00.00.40.d1.12.01.10.00.00.02.01.00.01
name='usb-release' type=int items=1
value=00000200
name='usb-num-configs' type=int items=1
value=00000001
name='usb-revision-id' type=int items=1
value=00000000
name='usb-product-id' type=int items=1
value=00001001
name='usb-vendor-id' type=int items=1
value=000012d1
name='compatible' type=string items=3
value='usb12d1,1001.0' + 'usb12d1,1001' + 'usb,device'
name='reg' type=int items=1
value=00000006
name='assigned-address' type=int items=1
value=00000003

If the modem was switched to modem-only mode, you'll see

value='usb12d1,1001.0' + 'usb12d1,1001' + 'usb,device'

in the 'compatible' field. So, let's tell OI that it should use usbsacm to talk to it:

# update_drv -a -i 'usb12d1,1001' usbsacm

Now you should have /dev/term/0 - 3 devices and can use tip to talk to /dev/term/0:


# tip /dev/term/0
connected
AT
OK
~^D

Let's create zone and pass /dev/term/0 to the zone:


# zonecfg -z sms1
sms1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:sms1> create
zonecfg:sms1> set zonepath=/zones/sms1
zonecfg:sms1> set brand=ipkg
zonecfg:sms1> set autoboot=true
zonecfg:sms1> set ip-type=exclusive
zonecfg:sms1> add net
zonecfg:sms1:net> set physical=sms10
zonecfg:sms1:net> end
zonecfg:sms1> add device
zonecfg:sms1:device> set match=/dev/term/0
zonecfg:sms1:device> end
zonecfg:sms1> exit
# zfs create data0/zones/sms1
# zoneadm -z sms1 install
# zoneadm -z sms1 boot

Now we can configure network in our zone:


# zlogin sms1
# ipadm create-if sms10
# ipadm create-addr -T static -alocal=192.168.1.2/24 sms10/v4
# route add -p -net 0 192.168.1.1
# cp /etc/nsswitch.dns /etc/nsswitch.conf
# echo 'nameserver 8.8.8.8' > /etc/resolv.conf
# svcadm enable dns/client

We'll use gammu utilities to send sms:


# pkg install utility/gammu

Your /etc/gammurc (or ~/.gammurc) should look like:


[gammu]
device = /dev/term/0
connection = at

If everything is fine, now you can send SMS:


# gammu sendsms TEXT +7myphone -text "test"

My Crimea trip (April-May 2016) alp's notes

This time I had little time to plan my holidays. So, I didn't have time to get a visa. After repairing my flat, I also didn't have a lot of money, and tried to find something interesting and cheap. Luckily, my travel agent advised me to take a trip to Crimea. I was frightened by the long bus ride, but plane tickets cost almost as much as the whole trip, so I decided, why not, and went to Alushta by bus. I tried to make some notes during the trip; they are presented below.

Day 1. The road

What can you expect from bus tour to Crimea for 170 euros? Everything is possible. In the beginning we found out that bus has opaque windows and malfunctioning microphone. Also one of the drivers forgot his documents, so we stayed in Azov for 2 hours waiting for another bus.  So we walked in Azov city park for some time. After leaving park we had to wait some more time on the road. So at last we left Azov at 7-8 in the evening.
When we finally left Azov,  driver turned on a film, which killed me with its stupidity. Luckily, the DVD disk was damaged, and we didn't have to watch all the film. There's no good light in the bus, so I can't read my book. But I can hear loud conversations of patriotic company which drink cognac on the backseat of the bus. So I'm listening to Frank on my phone and hope that it will not discharge too soon.
Ferry… Passenger control was surprisingly fast, but our bus registration took some time. So the overall process took about 2.5 hours. One interesting thing I saw while waiting for the bus registration was railway oil tanks boarding the ferry.

Day 2. Alushta. Nikitsky botanical garden. Massandra palace

So, we are still on the road. I hope I'll be able to sleep at the hotel. Vain hope. I've just managed to unpack my bag, take a shower and have breakfast. And back to the bus.
First stop is Nikitsky botanical garden. The park is big and beautiful. But there's no any salt, which would impressed me (like Japan maples).  Perhaps, I'm just too sleepy.




After visiting the garden, we hurry to Massandra palace, a former dacha of Russian monarchs (and  recreation place for general secretaries). The palace looks really fine, however it would benefit from some restoration. Inside the palace everything is similar to other palaces in St. Petersburg or Vienna. I can't expect that a man can comfortably live there, it's too luxurious (and boring). 

Day 3. Livadia palace. Lower Oreanda Park

Ufff. It's cold. Terribly cold. I couldn't turn on conditioner in heating mode, so had to sleep  under 3 blankets. It's about 10 degrees outside. But under 3 blankets it's warm enough. Of course, there's no any central heating in this summer hotel. In the morning hotel staff explained me that air conditioner remote buttons should be pressed harder and helped to turn on air conditioner in heating mode.
In the morning we are going to Livadia palace. I liked it. It's very light, big and decorated with taste. As I understood, it was finished in the end of 19th century, and Nikolay II liked to spend his spare time there. During excursion we were told about this intelligent, almost saint, tsar… But he seems more like miserable tsar. Lost Russian territories, allowed country to fall apart and was killed by his own nation… Not a bright figure for an emperor.  Nikolay had the largest private collection of cars in Europe.. and especially high rate of illiteracy in the country. They say he liked to rest in Yalta, make photos. Kodak has presented him special camera to make panoramic photos. The photos of his family are exhibited in the palace.

In the palace there's also an exhibition devoted to the Yalta conference. The palace itself was given as residence for Roosevelt. There's a copy of "Pravda" newspaper of 1945 with printed decisions of the conference. You can see a sculpture of Churchill, Roosevelt and Stalin near sanatorium, which is situated nearby. It wasn't placed near the palace, as it's too heavy for this place.

There is a pathway which starts near the palace. Originally it was used by tsar's family. Now it leads to the Lower Oreanda Resort. This resort was used by  Central Committee of the CPSU members and especially honoured men. Almost every Russian actor, a lot of writers were here. Even Korolev visited this place. The pathway is really cool. It looks like similar pathways in Kislovodsk's parks, only surrounded with southern exotic plants.  I'd like to spend there more time, but as always we were in a  hurry. So we ascended to the arc in the hills, and then descended to the mentioned resort. The road down is rather steep, so it was interesting.
Near this resort there's a church. A priest who serves there is famous in Crimea. He writes theological and philosophical books. Also he is known, because he doesn't require payments for his wedding and memorial services.
After visiting Resort's park there was a concert of church choir music. As I barely could withstand this, I spent this time walking in the park, which looked lovely.
We were going back to the bus along the same pathway. The pathway is called "Sunny path" and to justify this name, sundial was placed near the path. However, it never shows true time and serves only as decorative element.
In the evening I forgot a packet with food in the bus, so I had to go walking, searching for a cafe. I've walked along the beach, but all cafes there were still closed or were not very attractive. Finally I've chosen one with adequate prices and interesting interior - guns, steering wheels, bear's skins. Food was delicious, but music was awful. As it was live music, they even included some margin for it in the bill. It wasn't high, but I'd prefer to pay it to these musicians for silence, not for their music.
 

Day 4. Vorontsov Palace. Swallow's Nest. Yalta.

After breakfast we went to the Vorontsov Palace. On the road the guide told us about Count Vorontsov. He was one of the richest Russians of his time. But unlike modern Russian thieves oligarchs, he spent a lot of his own money on state business - he built roads and developed cities. When after a battle he lost most of his 9000 soldiers, he rebuilt one of his estates into a hospital and all of his remaining wounded soldiers were nursed there. When they recovered, he paid them significant rewards and gave everyone a fur coat (it was in winter). He even sold another estate to cover the costs of carousing hussars in Paris when our troops were leaving it after the first Patriotic War...
In any case, his palace is great. It looks like a medieval castle, and is made from semiprecious material. And of course, the white lions are majestic. There's an English park beyond his palace, with ponds, swans and so on… It's evident that this palace was created by one of the richest men in the Russian Empire. They say Nikolay I was angry when he saw this palace, as it was more beautiful than his own palaces. But the next morning he pardoned Vorontsov and asked him to oversee the building of the Emperor's palace nearby (Livadia palace). By the way, Vorontsov Palace was Churchill's residence during the Yalta conference. It's not a big surprise, as this place resembles European castles.
After the palace we went to the Swallow's Nest. This castle was sold several times. His last owner before the Revolution was some merchant, who wanted to make a restaurant there. In Soviet era, the castle was in pity state. It needed reconstruction. Some works were made in the mid of the century, and it was transformed into museum. Several films were shot there, including "Ten Little Niggers". Ukrainian government leased this palace to Italian company, who tried opened restaurant. They didn't know the history. After several years Ukrainian president voided the contract and turned palace into museum again. He even repaired it for state's money. They say he wanted to privatize the palace, but didn't have time to finish with his plans, as Maidan has happened. Now it's a museum again.
From Swallow's Nest we went by small ship to Yalta. In Yalta we had some free time. I even managed to have a decent dinner there for ~2 euros. While walking along the seafront, I saw several concerts - they were held on stages under the clear sky. There were a lot of people there. Some of them tried to get their money, lending different exotic personal vehicles, forcing you to take a picture with their animals or playing violins. Lively place. I was fond of several pairs of old men playing chess on the benches. A man managed to checkmate in 6 moves from a situation which didn't foretell it in any way.
In the evening I walked from the hotel in the direction opposite to the city center. Saw several pictures in Stalker style - abandoned children recreation centers, rusty satellite antennas, abandoned wagons…

Day 5. Genoese fortress. Wine plant.

At 7 o'clock we left for Sudak. On the way the guide talked about the Alans, Greeks, Genoese, Tatars, Turks and other nationalities who lived in Crimea at different times. She even read some poems. Churches and mosques could be seen along our way. In 1945 a lot of Tatars were deported from these lands, and all the original place names were changed in one night. So town names like Perevalnoe, Svetloe, Pionerskoe appeared. The Tatars were transferred to Kazakhstan in awful conditions, in goods wagons.
Sometimes we see monuments to partisans. They caused a lot of trouble for the fascists, but also often died. The Germans burned and cut down forest, trying to secure roads for their transports, but everything was in vain.
The first event for today is the Genoese fortress. However, earlier it was a Byzantine fortress, and before that it was an Alanian fortress. Looks great. The spirit of the place somewhat resembles the Tanais ruins. I'd gladly have walked here for half a day, but we have only one hour. The towers, walls and battlements are almost whole or well reconstructed. A hipster-style guide gives us brief information about the different fortifications in the fortress. There is an interesting building in the fortress. It's a mosque, which was built by the Turks, who one day came here. When they left, it became a Catholic church. Later it was used as a synagogue by local Jews. This holy place is now a museum. You should appreciate that the internal area of the fortress housed a small city. There were not enough Genoese here to defend such a big fortress, so during hard times either a militia was used, or people had to leave the fortress and the city and hide in the forest.
The next stop is the wine cellars of the "Solnechnaya Dolina" winery. The winery produces a lot of wines, and we are told how wine is made. They say the cost of one oak barrel for wine is about 1000 euros. If that's just the cost of an empty barrel, how much will a full barrel cost? The cellars were founded at the end of the XIX century by Golitsyn, but changed owners rather often. Local people managed to steal wine through the ventilation holes, so in the middle of the century they were closed off with bars. The cellars successfully survived WWII, because one of the German high officers liked winemaking and wanted to grab the winery, but you know the history. Now the winery produces a lot of wines; the main brands include "Black doctor" and "Black colonel". I wanted to get "Black doctor", as my friend liked its cheap replica, but it cost as much as 4-5 bottles of Abkhazian wine, so I settled on port wine, which was cheaper.
As I forgot to buy any food during the day, I had to buy a "Snickers" for the cost of the second course in the canteen where I usually eat. Other impressions on the ferry are related to the ferryboat itself. It looks grand. It was interesting that the ferryboat makes two turns on its way so that it lands with its back part…

Epilogue

There were a lot of impressions, and most of them were positive. I saw that this region is developing with great speed. From several conversations I found out that people expect that a lot of funding will come from Moscow after 2018, when World Championship will be over and Kerch strait bridge will be finished. Of course, this bridge is a necessity, as crossing strait on the ferry takes too much time.
I still haven't seen a lot in Crimea, and I'd like to go back and visit Sevastopol and Bakhchysarai, to spend several days on the sea shore.
If you decide to go there, don't forget that for now it seems only MTS mobile services work there. Also several men in our group had issues with their credit cards, so don't forget to get cash. Luckily, you'll not need a lot of money there.

Converting "linked images" zones to non-linked alp's notes

A while ago we introduced the "nlipkg" zone brand in OI to create "non-linked" images. OmniOS uses ipkg as its non-linked brand by default and has an additional "lipkg" brand for linked images. Briefly speaking, when you deal with linked images, the global zone's IPS knows a lot about zones, can work with them (for example, you can update all zones in one step with "pkg update -r") and imposes some restrictions on child images. A zone's brand is recorded in /etc/zones/zonename.xml and can be changed manually or using zonecfg. The ipkg and nlipkg zones are rather similar: in fact, they differ only in name, IPS checks in some places which brand it is operating on, and the zone brand scripts are the same for these two brands. So, when you are bugged by IPS checks for linked images, you can try to change the zone's brand from ipkg to nlipkg. This can even work. The only issue is that it doesn't always work. Sometimes you still receive irritating messages like


pkg install: Invalid child image publisher configuration. Child image publisher
configuration must be a superset of the parent image publisher configuration.
Please update the child publisher configuration to match the parent. If the
child image is a zone this can be done automatically by detaching and
attaching the zone.

The parent image has the following enabled publishers:
PUBLISHER 0: openindiana.org (non-sticky)
PUBLISHER 1: userland (non-sticky)
PUBLISHER 2: hipster-encumbered

The child image has the following enabled publishers:
PUBLISHER 0: openindiana.org (non-sticky)
PUBLISHER 1: hipster-encumbered

You get this even for nlipkg-branded zones. The issue is that inside the zone IPS knows nothing about the zone's brand. Its logic is always the same. The only thing it checks for is files in the /var/pkg/linked directory. These files are usually created by pkg operations initiated from the GZ (the same pkg update -r) and contain information about the parent image (read: the GZ). When you change the zone's brand, they do not disappear, and IPS inside the zone still thinks that it is working with a linked image. Luckily, to convince it otherwise, it's enough to do "rm -fr /var/pkg/linked". After that IPS is happy. So, long story short: don't forget to remove /var/pkg/linked if you convert a zone from ipkg to nlipkg brand.
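A way to find zones left in this state from the global zone, as an added example that is not part of the original post: it reads each zone definition and flags nlipkg zones whose image still has var/pkg/linked. The attribute names on the zone element, the zonepath/root layout and the sample tree built by build_demo are assumptions made for the example.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption taken from the post: on OpenIndiana "nlipkg" is the non-linked brand.
NON_LINKED_BRANDS = {"nlipkg"}


def read_zone(xml_path):
    """Return (name, brand, zonepath) from a zone definition file.

    Assumes the <zone> root element carries name, brand and zonepath
    attributes, as in /etc/zones/<zonename>.xml.
    """
    root = ET.parse(xml_path).getroot()
    return root.get("name"), root.get("brand"), root.get("zonepath")


def audit_zones(zones_dir):
    """List non-linked zones whose image still carries var/pkg/linked."""
    findings = []
    for entry in sorted(os.listdir(zones_dir)):
        if not entry.endswith(".xml"):
            continue
        try:
            name, brand, zonepath = read_zone(os.path.join(zones_dir, entry))
        except ET.ParseError:
            findings.append((entry, "unparsable zone definition", None))
            continue
        if not zonepath:
            continue  # skip definitions that do not point at a zone root
        # Seen from the global zone, the zone's /var/pkg is under <zonepath>/root.
        linked = os.path.join(zonepath, "root", "var", "pkg", "linked")
        if brand in NON_LINKED_BRANDS and os.path.isdir(linked):
            files = sorted(os.listdir(linked))
            findings.append((name, "leftover linked-image metadata", files))
    return findings


def build_demo(base):
    """Create a constructed etc/zones tree plus zone roots under base (sample data)."""
    zones_dir = os.path.join(base, "etc", "zones")
    os.makedirs(zones_dir)
    # (zone name, brand, whether var/pkg/linked exists) - all constructed
    layout = [("web", "nlipkg", True), ("db", "nlipkg", False), ("app", "ipkg", True)]
    for name, brand, has_linked in layout:
        zonepath = os.path.join(base, "zones", name)
        pkgdir = os.path.join(zonepath, "root", "var", "pkg")
        os.makedirs(pkgdir)
        if has_linked:
            os.makedirs(os.path.join(pkgdir, "linked"))
            with open(os.path.join(pkgdir, "linked", "linked_ppubs"), "w") as fh:
                fh.write('[["openindiana.org", false]]')
        with open(os.path.join(zones_dir, name + ".xml"), "w") as fh:
            fh.write('<zone name="%s" zonepath="%s" brand="%s"/>\n'
                     % (name, zonepath, brand))
    return zones_dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, problem, detail in audit_zones(build_demo(tmp)):
            print("%s: %s %s" % (name, problem, detail))
```

Only the nlipkg zone with a leftover directory is reported; the ipkg zone keeps its linked metadata because it is still a linked image.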

Bye-bye, sysidtool, hello sysding alp's notes

Often you want to have some simple tool to configure basic system settings after installation, such as IP settings, time zone settings, locales and so on. More importantly, the installer also sometimes needs a similar utility, which would run on first boot and initialize basic system parameters. For example, OmniOS runs the /.initialboot script on the first boot. Solaris historically had the sysidtool service, which read the /etc/sysidcfg file and used it to configure zones or the base system. Sysidtool also had an ncurses-based interface to perform basic zone configuration.
The disadvantage of sysidtool is that it is a closed source tool, and you cannot fix it if you want it to do a bit more. So, we switched to sysding in OpenIndiana Hipster.
Sysding was originally written by Olaf Bohlen (Agnar at #oi-dev) to configure multiple illumos/Solaris zones. It doesn't have an interactive interface, but has a set of utility functions for writing configuration scripts. The file /etc/sysding.conf is a simple ksh script, sourced by /lib/svc/method/sysding on . /lib/svc/method/sysding predefines some useful functions which can be necessary for initial configuration. A sample configuration file can look like


setup_timezone Europe/Moscow
setup_locale en_US.UTF-8
setup_user_password root '$5$+Fu+utqXFqU=$RD2LbFipqwKc2srNFYnVkda9U6K2pmMajvuR3iyHzR'
setup_interface PRIMARY v4 192.168.1.4/24
setup_route default 192.168.1.1
setup_ns_dns "stud.lan" "stud.lan notebook.lan" "8.8.8.8"

Using it, sysding will set the timezone, locale, root password and network settings on first boot and reboot zone (or NGZ), because /etc/default/init was changed. It also takes care of setting the root password to 'NP' at first boot in a zone if it's empty and you haven't specified one. Without this you wouldn't be able to "zlogin" to the zone. It can do a bit more. If you are interested, look at /lib/svc/method/sysding. If you want to have some customizations for your environment, create pull requests against https://github.com/OpenIndiana/sysding/, but don't forget two things: test your changes thoroughly and keep in mind that sysding was created to be a simple configuration tool.

Materials for Unix courses alp's notes

https://drive.google.com/folderview?id=0B5aSh2tKvpqDdkVQM2Uzbnp2eVE (Yes, I needed some fast way to share link :))

Userland incorporation in OpenIndiana Hipster and what does it mean for developer alp's notes

Last Sunday we published the userland incorporation to the /hipster-2015 repository. This was a feature long asked for by several users. It is generated by Jenkins on the build host and forces all packages generated by the oi-userland build (excluding illumos-gate-provided packages and kvm) to be the latest. As we publish this incorporation on each oi-userland rebuild, you can force your system to go to a specific point in the future. For example:

$ pkg list -avf pkg://openindiana.org/consolidation/userland/userland-incorporation
FMRI IFO
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151006T203007Z ---
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151005T203207Z ---
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151004T163056Z i--
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151004T150924Z ---
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151004T132353Z ---
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151004T122350Z ---
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151004T095518Z ---
....

We can see that this system has the incorporation with the 20151004T163056Z timestamp installed and two more recent versions are available. So I can do something like:
$ sudo pkg update -v \
pkg://openindiana.org/consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0:20151005T203207Z

to move to the 5th October package versions.

Why don't developers like incorporations (and IPS generally)? Because they don't allow you to do what you want with your system. For example, you can't install another package version.
In the case of the userland incorporation, you have some freedom. You can just uninstall it (and entire, as entire depends on userland-incorporation). But you can get issues during new zone setup if your NGZ lacks entire. So, you have three options:
  • stay with old entire, which doesn't depend on userland-incorporation (pkg freeze it);
  • uninstall entire and userland-incorporation;
  • use facets to relax incorporate dependencies.

Let's look at the last option more closely. For example, I'm going to experiment with the new mesa. But userland-incorporation has the following dependency:
$ pkg contents -m userland-incorporation |grep mesa
depend facet.version-lock.x11/library/mesa=true fmri=x11/library/mesa@10.5.9,5.11-2015.0.1.0:20150927T212600Z type=incorporate


As you see, it is marked by a facet. So you can do
$ sudo pkg facet facet.version-lock.x11/library/mesa
FACET VALUE SRC
version-lock.x11/library/mesa True system
$ sudo pkg change-facet facet.version-lock.x11/library/mesa=false
$ sudo pkg install pkg://userland/x11/library/mesa
$ sudo pkg info mesa
Name: x11/library/mesa
Summary: The Mesa 3-D Graphics Library
Category: System/X11
State: Installed
Publisher: userland
Version: 11.0.2
Branch: 2015.0.1.0
Packaging Date: October 7, 2015 03:00:58 PM
Last Install Time: October 7, 2015 06:49:24 PM
Size: 34.82 MB
FMRI: pkg://userland/x11/library/mesa@11.0.2-2015.0.1.0:20151007T150058Z
Project URL: http://www.mesa3d.org/
Source URL: ftp://ftp.freedesktop.org/pub/mesa/11.0.2/mesa-11.0.2.tar.xz

But beware, if you would like to change the facet back, you can't do it:
$ sudo pkg change-facet version-lock.x11/library/mesa=true
Creating Plan (Solver setup): /
pkg change-facet: Package entire must be uninstalled before the requested operation can be performed.
Reject: pkg://openindiana.org/entire@0.5.11-2015.0.2.1:20151003T221212Z
Reason: No version matching 'require' dependency consolidation/userland/userland-incorporation can be installed
Package x11/server/xorg/driver/xorg-video-ati must be uninstalled before the requested operation can be performed.
Reject: pkg://openindiana.org/x11/server/xorg/driver/xorg-video-ati@6.14.6-2015.0.1.0:20150927T212825Z
Reason: No version matching 'require' dependency x11/server/xorg@1.14.7-2015.0.1.0 can be installed
----------------------------------------
Reject: pkg://openindiana.org/x11/server/xorg@1.14.7-2015.0.1.0:20150927T184317Z
Reason: No version matching 'optional' dependency x11/library/mesa@7.4.4-2014.1.3.0 can be installed
----------------------------------------
Reject: pkg://userland/x11/library/mesa@11.0.2-2015.0.1.0:20151007T150058Z
Reason: This version is excluded by installed incorporation consolidation/userland/userland-incorporation@0.5.11-2015.0.2.0
----------------------------------------
----------------------------------------

.....


First you have to install the mesa version offered by the openindiana.org publisher.
Update (2016-01-26). If you use your host as a test station, it's easier just to uninstall userland-incorporation. Now you can do this without touching entire. Just do

$ sudo pkg change-facet facet.require.consolidation/userland/userland-incorporation=false
$ sudo pkg uninstall userland-incorporation

Don't think for me... alp's notes

I really like OpenVZ and Proxmox. But what I hate is programs which try to think for me. For example, we have /var/lib/vz and subdirectories on ZFS. If by chance it was not mounted on system startup, OpenVZ creates subdirectories in /var/lib/vz/template. Next time the ZFS filesystem containers/vz/template just will not be mounted on the non-empty /var/lib/vz/template. And you discover it only during runtime. If OpenVZ just threw an error on startup, it would be better. If ZFS just silently mounted filesystems over non-empty directories (as the usual mount does), it would be better. But two subsystems try to think for me and make my life better. I hate programs being so smart...

On attaching zones and linked images alp's notes

A recently updated IPS was added to OI and it caused some inconvenience to developers. The most annoying "feature" is caused by the publisher check: the first several publishers of an NGZ should be the same as the GZ's publishers and their stickiness should match.
OK, I've set the publishers according to this rule, but today I was surprised by the fact that I can no longer set the openindiana.org publisher to be non-sticky in an NGZ. I've set the openindiana.org publisher to non-sticky in the GZ and the NGZ, but IPS still complains on "pkg install":

pkg install: Invalid child image publisher configuration.  Child image publisher
configuration must be a superset of the parent image publisher configuration.
Please update the child publisher configuration to match the parent.  If the
child image is a zone this can be done automatically by detaching and
attaching the zone.

The parent image has the following enabled publishers:
    PUBLISHER 0: openindiana.org
    PUBLISHER 1: userland (non-sticky)

The child image has the following enabled publishers:
    PUBLISHER 0: openindiana.org (non-sticky)
    PUBLISHER 1: userland (non-sticky)
    PUBLISHER 2: hipster-encumbered

I've rechecked. Both GZ and NGZ had the openindiana.org publisher set to non-sticky. I followed IPS's advice and detached and attached the zone. And zone attach -u failed with the same error.

OK. Time for black magic. I unset the userland publisher. Set the GZ and NGZ publisher lists only to openindiana.org (non-sticky). The same issue - IPS doesn't see that the GZ publisher is non-sticky now. So, I concluded that information about the parent image is recorded or cached in some local zone configuration file. Looked at the zone's /var/pkg and found /var/pkg/linked/linked_ppubs, which listed [["openindiana.org", true], [userland, false]]. I changed this file to [["openindiana.org", false]] and after that could attach the zone.

I think I still don't understand how linked images work (or should work), but they are starting to annoy me...
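The diagnosis above can be reproduced offline, as an added example that is not part of the original post and is not IPS code: it applies the publisher rule as the post states it, once against the parent list recorded in linked_ppubs and once against the global zone's current list. The [name, sticky] JSON layout is assumed from the content quoted in the post, and the sample lists are constructed from the error output shown there.

```python
import json


def parse_ppubs(text):
    """Parse linked_ppubs content into [(publisher, sticky), ...].

    Assumes the format quoted in the post: a JSON list of
    [publisher name, sticky flag] pairs.
    """
    pubs = []
    for item in json.loads(text):
        if (not isinstance(item, list) or len(item) != 2
                or not isinstance(item[0], str)
                or not isinstance(item[1], bool)):
            raise ValueError("unexpected linked_ppubs entry: %r" % (item,))
        pubs.append((item[0], item[1]))
    return pubs


def first_mismatch(parent, child):
    """Apply the rule as the post states it.

    The child's leading publishers must equal the parent's publishers,
    in order, with matching stickiness. Returns None when the rule holds,
    else (position, parent entry, child entry or None).
    """
    for pos, wanted in enumerate(parent):
        got = child[pos] if pos < len(child) else None
        if got != wanted:
            return (pos, wanted, got)
    return None


def diagnose(recorded_text, live_parent, child):
    """Tell a stale parent record apart from a real publisher mismatch."""
    recorded = parse_ppubs(recorded_text)
    against_recorded = first_mismatch(recorded, child)
    against_live = first_mismatch(list(live_parent), child)
    if against_recorded is None and against_live is None:
        verdict = "consistent"
    elif against_live is None:
        # The zone agrees with the real parent; only the cached copy objects.
        verdict = "stale parent record in zone"
    elif against_recorded is None:
        verdict = "zone and record both lag behind parent"
    else:
        verdict = "zone publishers differ from parent"
    return {
        "verdict": verdict,
        "against_recorded": against_recorded,
        "against_live": against_live,
        "record_is_current": recorded == list(live_parent),
    }


# Constructed from the post: the record still says openindiana.org is sticky,
# while the GZ and the NGZ have both been switched to non-sticky.
RECORDED = '[["openindiana.org", true], ["userland", false]]'
LIVE_GZ = [("openindiana.org", False), ("userland", False)]
NGZ = [("openindiana.org", False), ("userland", False),
       ("hipster-encumbered", True)]

if __name__ == "__main__":
    result = diagnose(RECORDED, LIVE_GZ, NGZ)
    for key in sorted(result):
        print("%s: %s" % (key, result[key]))
```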

Hipster 2015.03 is here alp's notes


We released our last snapshot ISO almost half a year ago. I believe you want something new. You'll get it. New ISOs were just uploaded to the dlc server. Let's see what has changed.

First of all, the most evident changes were made in the desktop area. We've updated the Xorg server and libraries, which allowed us to incorporate some important security fixes from Oracle x-s12-clone and Debian Xorg. Also we've moved much closer to Gnome 2.32. Most packages were updated to this level, excluding packages which either have a lot of specific patches (like gdm) or just dropped some significant functionality (like cheese, which dropped HAL support in version 2.32). Not everything has gone smoothly. We had to drop trusted desktop support during the update. I believe nobody seriously used it under OI. The most annoying thing is that the updated Xorg and Intel driver require some DRM updates, which are still not ready. So, if you have an Intel video card, either pkg freeze X-incorporation and xorg, or use the vesa driver.

General system changes

All Sun Studio-compiled C++ libraries were removed from the system. The libraries were published in their current form to http://dlc.openindiana.org/c++-libs/, so you can grab the necessary libraries and LD_PRELOAD them or use them in an alternative path if necessary. All X/g++/Y packages are renamed to X/Y and moved from /usr/g++ to /usr. We continue delivering system/library/c++/sunpro for the foreseeable future.
The text installer was changed to install OI on an EFI-labeled disk by default. Note, in this case the entire disk is erased. If you want to install OI on an MBR-labeled disk, choose partitioned install.

Desktop software and libraries

  • A lot of desktop libraries were updated
    • GTK2 is updated to 2.24.27
    • libdrm is updated to 2.4.58
    • libX11 is updated to 1.6.2, xcb support is enabled in libX11
    • xf86-video-ati driver updated to 6.4.16
    • nvidia proprietary driver was updated to 340.76
    • Mesa is updated to 10.5.1
    • Xorg is updated to 1.12.4. This requires updating xorg drivers and modules. OI-shipped modules will be updated automatically, but if you use VirtualBox, you'll have to update your guest additions to at least 4.3.22 version.
    • Glib2 is updated to 2.43.4
  • Enlightenment 0.19.3 is added as alternative desktop environment
  • fontconfig was updated to 2.11.1
  • libid3tag and libmtp were imported from SFE, gmtp is added
  • rdesktop is updated to 1.8.3
  • transmission is updated to 2.52
  • XScreensaver is updated to 5.32
  • gnome-commander is updated to 1.4.5
  • QT 4.8.6 is added
  • emacs is updated to 24.3
  • Input Method Selector was added from the upstream input-method gate. A bug in the svc:/application/desktop-cache/input-method-cache:default service that prevented input methods from functioning correctly in recent OI was fixed. In fact, the gtk input modules cache was moved from /etc/(amd64/)gtk-2.0/gtk.immodules to /usr/lib/(amd64/)gtk-2.0/2.10.0/immodules.cache and the service has to regenerate these cache files in the new locations. So, after the update you can safely remove /etc/(amd64/)gtk-2.0/gtk.immodules.

Development tools

  • Subversion is updated to 1.7.19
  • SQLite is updated to 3.8.8.3
  • Python 3.4 is updated to 3.4.3
  • Binutils are updated to 2.25
  • OpenBLAS 0.2.13 is added
  • Mercurial is updated to 3.3
  • Ruby 1.9.3 is added
  • Ruby 1.8 is marked obsolete, all OI software is switched to Ruby 1.9.3
  • Ruby 2.2.1 is added
  • Curl is updated to 7.39
  • libncurses.so links are moved to /usr/lib(/amd64)
  • gawk is updated to 4.0.2, this fixes issues with pkgsrc bootstrap
  • MPICH is updated to 3.1.3
  • Sun Studio indent in /usr/bin was replaced by GNU indent. Old one is preserved in /opt/sunstudio12.1/prod/bin/indent

Server software

  • A lot of packages were updated, including apache 2.4, php 5.4, php 5.5, postgresql 9.3, samba 3.6, mariadb 5.5
  • PostgreSQL 9.4 is added
  • PostgreSQL 8.4 is marked obsolete
  • ISC dhcp server is updated to 4.2.7
  • BIND DNS server is updated to 9.9.6-P2
  • rsyslog is updated to 7.4.10
  • NTP is updated to 4.2.8p1

As always, we are proud to deliver to you latest illumos-gate bits.

There's also a lot of security fixes and small bug fixes.

Of course, I had more ideas than spare time, so some of them were not implemented. We still don't have PHP 5.6 and our OpenOffice package still doesn't work with XML-based document formats. I've looked at replacing cpp with one based on the Schilix version, but unfortunately I found it to be not always compatible with Sun cpp. So, I've chosen to preserve the status quo and we still deliver Sun cpp. I still would like to see postfix as a first class MTA in OI.

I'd like to share some more ideas, which attract me now. First of all, we consider further updating of Xorg and other former xnv components (libXfont, freetype). GCC update is also on the roadmap. Our old samba and cups versions, dependency on python 2.6 and ageing Perl 5.16 make me sad.  Of course, I'd like to see PHP 5.6 in oi-userland and perhaps even look at hhvm.

Trip to Japan. Part one - Tokyo alp's notes

So, I've finally returned from Japan. I'd like to share my "road-diary". I need some time to arrange my records, so I'll split them in several parts.

Day 1

First day on the way. I'm going to Moscow as there's no direct flight to Tokyo. RZD surprised me by giving me a ticket for place 37 in a car where there were only 36 places. This is how they sell places in the conductor's compartment. Another pleasant surprise was that I had a ticket with dinner included. However, I didn't understand why they brought cake before chicken...

Day 2

One more day on the way. Moscow is crowded as always. After waiting about 6 hours for my plane in Domodedovo and a 9-hour night flight I'm feeling sleepy. A funny case on the plane. I ordered tea. Got a bottle of gin. Asked "is it tea?". Got the reply: yes, this is tea. Hm… At home I'd like such tea, but on the road I'd like to avoid drinking alcohol. Luckily, another stewardess understood me better.

Day 3

The morning began sharply and suddenly with the Sun blinding me from the . window. The weather was perfect. I saw blue ocean and green land. I had to fill in two forms for foreigners and was afraid that I had done something wrong. However, the customs officer just checked that all fields were filled in and asked for the intended duration of my stay in Japan.
As for yen, we changed money at the airport. 1 dollar is roughly equivalent to 105 yen. To convert prices from yen you can divide by 100 and get the price in dollars (or by 2.5 and get prices in roubles).
The first shock is that not everyone speaks English. Expected, but unpleasant. Luckily, even when people don't understand you, they always try to help. But more on this later. Now we were moving to the Tokyo television tower. Precisely, to the Buddhist temple by the tower. They say that the tower itself was constructed as a copy of Eiffel Tower. Don't know, it seems similar, but different at the same time.
There was a concert in front of the main temple, so we entered a smaller one. Today is Culture Day and at the same time the birthday of the Meiji Emperor (the one who, like Peter the Great in Russia, cut a window through to Europe for Japan). We attended a service in the temple. Buddhists are practical people - if you pay for the service, the monks will hold one for you even if you are not a Buddhist. I took a picture of the place where people tie ribbons with the monks' guidance. All predictions, guidance and amulets are valid only till the end of the year. You have to return them to the temple by the end of December and get new ones in January.
There are also statues in the temple's garden. You can order one for yourself. Such a statue is devoted to the children of your family. You should dress them in caps and bring them toys and candles for your children to prosper. Periodically the caps and toys are renewed. Statues stay in the temple's garden forever. Burial urns in the local cemetery do not. You have to pay significant rent for the monument there. Each monument holds several urns, perhaps for the whole family. If no one pays the rent, the place is sold and the urns are transferred to the common store inside the temple. On the photo you can see some ski-like sticks. They mark the number of prayers which were held for the dead.
There are also shogun graves in this cemetery. But this part of cemetery is opened for visitors only once per year. In the common part of the cemetery there is one outstanding tomb - the tomb of Emperor's wife who tried to prevent bloodshed between 14th shogun and Emperor in 19th century, when Emperor brought back true power from shoguns.
The last part of the day was devoted to visiting thermae. As I don't like public baths, I just read the book in the common place ahead of baths. Japanese in kimono look nice. But I think it wouldn't suit me :)
A real surprise was the non-European sockets. And a lavatory pan with a dozen buttons (it was hard to find the main one :). In the evening I went to an Indian cafe. Interesting experience. I ordered meat with spinach. When I got it there were more spices than meat. Seriously, I first thought that it was some sauce for the meat…
After buying a phone charger I found an interesting device in the hotel room - a charger for everything (this device has a lot of connectors for every gadget). Unluckily it didn't fit my camera and I had to ask for a Japanese-European adapter at the hotel reception.

Day 4

In the morning we went to the fish market. The main fish is tunny. The largest part of the fish is sold in the morning, starting from 4 a.m., to the large customers. Later, starting from 8 a.m., small quantities of fish are sold to local restaurants. You can see a lot of customers in the market in the morning. I expected to see more fish, but it seems not all fish is shown on the counter. However, there are some exotic goods - crabs, squid, seaweed.
Then we visited garden near Emperor's palace. However, we were not allowed to enter deep into the garden, because there were some officials in the palace. So, we went to Shinto shrine. We were lucky enough to see traditional marriage. Also, near the temple, we saw girls in traditional costumes. At some age girls should be blessed in the temple. This particular temple was devoted to Meiji Emperor. Near the temple there are two lines of barrels for Sake and wine. On the barrels there are labels of wineries which make donations to the temple.
Later we visited a viewpoint on the 45th floor of some administrative building. They say the design of the building was inspired by Notre Dame de Paris. And they plainly have something in common.
After dinner we were brought to one more temple (this time Buddhist). On the ceiling of the temple you can see the dragon fulfilling wishes of the congregation.
Then we visited tea ceremony. My groupmates were whining that it was too long. But I liked it - at last something national and colorful. In the evening I joined several groupmates and we were walking along Ginza. One of them was citing the poems she wrote. They seem rather nice.

Day 5

In Tokyo we were staying in Grand Prince Hotel Takanawa. Really nice hotel. It has a beautiful park. The park even has a pond with big and vivid fish. There is a small Buddhist chapel in the park.
Today we went to a lake by Mount Fuji. The view is picturesque, but today it is rather cold here. While we were sailing across the lake, I froze. The ship we were sailing on was made in some medieval style - with sails and cannons. There even were some pirates on the ship who begged money for taking photos with them. During our journey I saw several shrines and temples on the banks of the lake. I tried to find some alcohol in nearby shops, because I was frozen, but without any luck. Only when we went up by the ropeway did I have some luck in finding sake.
We saw the valley of geysers. Local people boil eggs in their water. As the water contains a lot of iron, the eggs become black (only the shell, the egg itself is normal). They say that such an egg prolongs your life by 7 years. Don't know, I haven't eaten one. The eggs are sold to tourists in every form: the eggs themselves, toys in the form of eggs, chocolate in the form of eggs and so on.
The next stop on our way was at the house of geishas. A strange art. I can't understand what they study for 20 years. But resulting performance is beautiful. However, the music is a bit mournful (reminds me of Mongolian music).
The last point of our program for today was one more public bath. As I don't like them, I walked through the nearest village. The village itself resembles my mother's homeland. There are buildings on both sides of the road. Small houses - hotels, a museum. Mountains surround the village. Pine trees grow around the route. The difference is that there are many more trees and expensive cars on the road.
On the way back the guide told us about life in Japan. I wouldn't like to live such a life: marriage matchmaking, working 24 hours per day, wives managing the house. There is no free higher education. Scholarships have to be paid back after graduating. And, of course, Russian girls are prettier :)

There and back again alp's notes

Once upon a time in a galaxy far far away there was the OpenSolaris distribution. This was the first Unix-like desktop which allowed me to completely replace Windows on my desktop. It wasn't perfect, but the magic of ZFS and IPS made it very attractive. As we know, the sun sets... So, with the end of the OpenSolaris era I moved to FreeBSD and have never regretted it.

But I always liked illumos and was interested in OpenIndiana distribution. So, now, when I seem to be one of the last interested in it, I tried to go back. Really, migration was smooth. I've bought Nvidia GeForce 740-based video adapter, 4 more GB of RAM and after this I was sure that my hardware is supported by OI.

OI could recognize the FreeBSD ZFS pool, so I detached one disk from the zpool, installed OI Hipster from the October ISO, imported the data and looked at the software. As always, the software choice for OI, if you don't want to compile it yourself, is not vast. Yes, there are pkgsrc builds, but they seem foreign in the IPS world. So, I used the sfe and sfe-encumbered repositories for OI /dev. I hoped to use vlc, but vlc 1.1 from sfe-encumbered was complete garbage. It didn't want to play anything, or when it played something it was awful (like no sound or no video or no navigation in the DVD menu...) So I settled on the totem/rhythmbox combination and used additional gstreamer codecs from sfe-encumbered. This works, however you should set sfe-encumbered before sfe in your publisher list.

When speaking about OI one should mention IIMF/IIMD and other IIIM shit. Luckily, it can be turned off. I've finished just adding setxkbmap command to the list of startup applications.

Unfortunately, our Apache OpenOffice from /hipster is still buggy, so I had to use the one from AdfinisSyGroup. VirtualBox 4.3.18 from Oracle for Solaris/x64 works fine. I was pleased with our Firefox 24.8.1. Adobe flash plugin 10.1 r85 sometimes crashes. Especially annoying is that it crashes on the flash games which I have to support. At least I expected that it would not work - the application requires Flash 11+. But for other use cases it works. Having working evince, xchm and FBreader seems enough to read documentation. zpool resilvering is 50% complete. So, now I'm eating my own dog food.

Hipster 2014.10 is finally out alp's notes

We are finally ready to present you new OpenIndiana Hipster snapshot and ISO images. We had some difficulties with generating installable "entire", so we had to delay snapshot for a week. But now you can just pkg fix entire to be more stable in constantly-changing Hipster world :) Since last snapshot a lot of work was done. I tried to summarize the changes in this informal "release notes". Please, be sure to read at least Perl-related notices before updating from previous snapshot.

General system changes

We performed migration from GCC 4.7.4 to GCC 4.8.3. New packages are compiled with GCC 4.8.4.
Perl 5.10 is not compulsory now. All perl dependencies were updated to use Perl 5.16 or don't care about perl version. This includes changes to illumos-gate. /usr/perl5/bin/perl now is mediated symlink, pointing to perl 5.16 by default. However, if you would like to compile unmodified illumos gate, you should switch it back to perl 5.10:
pkg set-mediator system-perl=5.10
Perl 5.10 modules which are required to compile illumos-gate are preserved. Other perl 5.10 modules are removed. If you have perl-510 installed on your system and don't need it, you can just remove runtime/perl-510, runtime/perl-510/extra and runtime/perl-510/module/sun-solaris.
During perl update version of perl-516/module/sun-solaris was DECREASED from 5.11 to 0.5.11 for consistency with other illumos-gate provided software. So if you have installed it, please, remove it BEFORE updating to new Hipster snapshot.
Perl 5.16 was recompiled without -Dperl_static_inline="static" flag to avoid creating one more patch for illumos-gate (this can affect perl ABI). So, if you had self-compiled perl modules, possibly, you have to recompile them.
Also, for consistency we renamed library/perl-5/xml-parser@5.12.1-0.151.1.8.1 to library/perl-5/xml-parser@2.41. So, if you have it installed (and every desktop system has it), please update it to library/perl-5/xml-parser@2.41,5.11-2014.1.2.0 (pkg update library/perl-5/xml-parser@2.41,5.11-2014.1.2.0). Also you'll have to update desktop/system-monitor/gnome-system-monitor if you have it installed.

Development tools and compilers

  • OpenJDK was updated to 1.7.60. GCC 4.7 was updated to 4.7.4. GCC 4.8.3 and Clang 3.4 were added.
  • GDB was updated to 7.6.2
  • Mercurial was updated to 3.0.2
  • MPICH was updated to 3.1.2
  • ant was updated to 1.9.3
  • python 2.7 was updated to 2.7.8

Common software

  • bash was updated to fix latest bash CVEs, GNU coreutils were updated to 8.22, CUPS updated to 1.4.8, doxygen updated to 1.8.7, GNU grep was updated to 2.20, gnupg to 2.0.25
  • Several packages to work with numerical data were added (datamash, hdf5)

Server software

  • A lot of packages were updated, including apache 2.4, apache 2.2, nginx, php 5.4, php 5.5, squid 3.1, tomcat 6.0, postgresql 8.4/9.3
  • Ldap backend was enabled for OpenLDAP server.
  • Illumos-gate provided wu-ftpd was replaced with proftpd 1.3.5
  • Barman was updated to 1.3.3
  • NTP was updated to 4.2.7p453
  • Bind was updated to 9.9.6

Desktop software

  • Firefox and Thunderbird were updated to 24.8.1
  • Packages from sic-team incorporation (notably, Mozilla nss and nspr) were updated.
  • glib-networking, webkit were added
  • Experimental package for Apache OpenOffice 4.1.1 was added. There is known issue with it - it can't create ODF documents. We are working on it.
  • ntfsprogs were updated to 2014.2.15 version
  • DJVU support was added to evince
  • Gnome-pilot and Gnome-pilot-link packages are obsolete now as upstream is dead.

Also there were lot of other small fixes.

As always we ship the newest illumos-gate version, so you can leverage the great work of illumos developers.

Last time I blogged about Hipster I shared some plans. From things which were planned but not made I have to point to integration of new Perl version and 64-bit Perl version. Also we didn't add vlc and other multimedia software to oi-userland because of legal issues. We still miss fsvs. However, I hope we'll find decision for this problem soon.

Now I'd like to share my current plans, the things I'm interested in and the things I'm working on.

First of all, I'd like to look at OpenOffice issue with ODF files. It seriously bugs me, but I don't know if and when I'll be able to solve it.

One thing which annoys me in OpenIndiana desktop is lack of text search in gnome terminal. I have prepared update to gnome-terminal 2.32. It's coming soon.

Also I'd like to look at migration of some XNV components to oi-userland. This should allow us to enhance their packaging (so that it better correlates with oi-userland build system) and later I hope to update it.

I'm seriously annoyed by our out-of-date sendmail, coming from illumos-gate. I'd like to see postfix as a first-class OI MTA. Of course, we'll also need dovecot and perhaps some other mail server software.

Finding security patches for our squid 3.1 is becoming harder. Perhaps we have to update it to recent 3.4 version and also receive SMP support as a pleasant trifle.

PostgreSQL 9.4 release is coming. I want to have it in the gate. On other hand, I think we should remove PostgreSQL 8.4 once 9.4 is landed. PostgreSQL 8.4 has already reached its EOL.

PHP 5.6 is already out. I think, we'll get it soon. As always I hope to use EveryCity's work :)

Our Ruby is amazingly old. We have to migrate to at least ruby 1.9. Ruby 1.9 package is ready and just waiting for official snapshot announcement

I'd like to see some binary blobs disappearing from OI Hipster - like cpp (we can use Joyent version), also I hope once we'll have open source gcc-compiled dmake alternative.

Adding dpkg/apt tools and support for DilOS zones in OI seems attractive and perhaps even necessary thing if we want to better collaborate with DilOS on userland packages.

I hate Roskomnadzor alp's notes

I don't have good words for them. This organization of bureaucrats and idiots are a real pain in the ass. Yesterday we (South Federal University) had to block all Youtube IP addresses, because our chiefs are afraid of possible fines. We have Internet Provider license and so have to filter "unacceptable" content. After last Roskomnadzor representatives found that several links on youtube, providing extremist materials, are accessible from our network. We don't have any filtering services, so we were told just to ban all Youtube IP addresses to avoid penalties. What a hell! I've already received a lot of pleasant comments from our users. Really, ignorance is strength!

rude hack to proceed on zoneadm attach error alp's notes

I have two zones on my build host. One is build zone, serving IPS repository for the whole host,  so I have to be very careful with its updates and another - test one. I wished to update test zone, so issued

# zoneadm -z zonename detach
# zoneadm -z zonename attach -u
and noticed that I detached build zone with repository. zoneadm launched pkg, pkg worked for a while, and then it said:

Evaluation: Packages in zone zonename are out of sync with the global zone. To proceed, retry with the -u flag.
Result: Attach Failed.

What a hell! NGZ and GZ were in sync... At least both of them were latest /hipster. So I removed all publishers served by this zone from host and zone config.  The same reaction.
After grepping for this message in  /usr/lib/brand/ipkg/attach I found that this message is produced in  the following part of the script ($m_need_update message).
#
# Bring the ngz entire incorporation into sync with the gz as follows:
# - First compare the existence of entire in both global and non-global
#   zone and update the non-global zone accordingly.
# - Then, if updates aren't allowed check if we can attach because no
#   updates are required. If we can, then we are finished.
# - Finally, we know we can do updates and they are required, so update
#   all the non-global zone incorporations using the list we gathered
#   from the global zone earlier.
#

if [[ -z $gz_entire_fmri && -n $ngz_entire_fmri ]]; then
	if [[ $allow_update == 1 ]]; then
		LC_ALL=C $PKG uninstall entire || pkg_err_check "$f_update"
	else
		log "\n$m_need_update" "$ZONENAME"
		EXIT_CODE=$ZONE_SUBPROC_NOTCOMPLETE
		exit $EXIT_CODE
	fi
fi


if [[ $allow_update == 0 ]]; then
	LC_ALL=C $PKG install --accept --no-refresh -n $incorp_list
	if [[ $? == 0 ]]; then
		log "\n$m_complete"
		EXIT_CODE=$ZONE_SUBPROC_OK
		exit $EXIT_CODE
	else
		log "\n$m_need_update" "$ZONENAME"
		EXIT_CODE=$ZONE_SUBPROC_NOTCOMPLETE
		exit $EXIT_CODE
	fi
fi

I've just commented all these checks out and after this zone attach succeeded. Zone is working now and I'm glad I don't have to reinstall my build zone....

Experience: dialog with prosecutor alp's notes

Wow! Today we had a guest from prosecutor's office.
They checked if we (South Federal University) ban sites from prosecutor's list. Luckily, our upstream provider does it for us.
But a check was ridiculous.
Yes, we receive daily lists of sites to ban. I thought they would check some sites from this list and go in peace. But prosecutor just searched for prohibited works with Google and tried if she can download the materials. Of course, Google found working links :)
What a hell? Why should we imitate some work if everyone knows how to avoid these regulation rules? Why should anyone spend resources for content filtering? I think our government are a herd of archaic dinosaurs who just don't know how to lick chief's arse better

OpenIndiana /hipster progress and my long TODO list... alp's notes

There is always a lot of things to do. Of course I'd like to see OpenIndiana a modern universal OS, but it's still a long way to go. We've made a lot of work in the last two months.
1) Thanks to Adam Stevko and  Andrzej Szeszo we have a modern IPS version. Unfortunately, IPS GUI has gone, but as it was dropped even by upstream , it's not a big loss. We got ability to generate dependencies on mediated links, improved speed of operations and I hope fixed a number of bugs.
2) Andrzej Szeszo has updated NVidia drivers to version 331.20
3) Andrzej Szeszo has finally proposed a reasonable package versioning scheme, which allows to do /hipster more stable and predictable. I hope we'll adopt it soon.
4) I continued my work on JDS conversion and updates: we received Python 2.7, a lot of Python modules and several GUI applications (totem, rhythmbox, fbreader) were moved from JDS or added to oi-userland. The most noticeable additions are OpenJDK 1.7.45, Firefox 17esr and Bacula 5.2.13.
I know, there should be some bugs there, but I hope we'll deal with them soon.

Now I'm interested in several issues:
1) I'm currently working on Thunderbird update to 24.2.0. I hope to finish in about 10 days if there are no any surprises.
2) The second thing I'd like to do is to work a bit on Python 2.7 modules so we'll be able to turn on compilation of Python 2.7 components (I mean setuptools, cherrypy, mysql, psycopg and so on) by default. As I'm on Python I would deprecate Python 2.4, 2.5. It is also worth investigating if IPS could use Python 2.7.
3) I'd like to look on PHP 5.5. Jon Tibble has recently added PHP 5.5 to ec-userland. We could base oi-userland component on this version.
4) I think I should finally build, test and integrate brasero to userland (Ken Mays has prepared patches and Makefile long ago)
4) I would really like to move to userland some more things from oi-build, first of all, kvm and qemu, but I don't think I have a hardware necessary to test it.
5) Also I'd like to look at perl - what do we need to allow Perl 5.10 go away? We definitely need 64-bit Perl version. It is worth looking at Perl update. One interesting part is current work of Andrew Stormont on https://www.illumos.org/issues/3900 which can allow us to use Perl 5.16 for building illumos-gate.
6) I also want to see apache 2.4 in the gate ( https://www.illumos.org/issues/4405 ). However, I currently don't have a clear view if it can coexist with apache 2.2. The main issue I see now is php module - php 5.4 component currently doesn't allow to build apache php module for several apache versions.
7) And every operating system would like to be a decent desktop. I'd like to see fusefs and vlc out of the box....

It's a long list, I don't know how long it will take to implement everything, but I'm going to do at least something :)

beadm destroy error alp's notes

Today when I was trying to destroy old boot environment, I got strange error:

# beadm destroy oi-hipster-2013-08-06
Are you sure you want to destroy oi-hipster-2013-08-06?
This action cannot be undone (y/[n]): y
be_destroy_callback: failed to destroy data/zones/build/ROOT/zbe: dataset is busy
be_destroy: failed to destroy BE data/zones/build/ROOT/zbe
be_destroy_zone_root_callback: failed to destroy zone root data/zones/build/ROOT/zbe
be_destroy_zone_roots: failed to destroy zone roots under zonepath dataset data/zones/build: dataset is busy
be_destroy_zones: failed to find and destroy zone roots for zone build
be_destroy: failed to destroy one or more zones for BE oi-hipster-2013-08-06
I didn't want to destroy zone root FS accidentally, so was a bit scared. However, after looking at it a bit longer, I found out, that zone root FS has several manual ZFS snapshots. After destroying snapshots I was able to destroy BE.
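
The check the post arrives at, as an added example (not the author's code): pull the busy dataset out of the beadm error text and list the snapshots sitting on it, so they can be reviewed before anything is destroyed. The error lines are copied from the post; the snapshot names and the listing are constructed, and on a live system the listing would come from `zfs list -H -t snapshot -o name -r <dataset>`.

```shell
#!/bin/sh
# Added example: find the snapshots to review when beadm destroy
# reports "dataset is busy" for a zone root dataset.

# Error lines copied from the post.
BEADM_ERR='be_destroy_callback: failed to destroy data/zones/build/ROOT/zbe: dataset is busy
be_destroy: failed to destroy BE data/zones/build/ROOT/zbe
be_destroy_zone_root_callback: failed to destroy zone root data/zones/build/ROOT/zbe
be_destroy_zone_roots: failed to destroy zone roots under zonepath dataset data/zones/build: dataset is busy'

# Constructed sample of snapshot listing output (names are made up).
ZFS_SNAPS='data/zones/build/ROOT/zbe@manual-1
data/zones/build/ROOT/zbe@manual-2
data/zones/build/ROOT/zbe-1@other
rpool/ROOT/oi-hipster-2013-08-06@install'

# Print each dataset that beadm named directly as busy, once.
busy_datasets() {
    printf '%s\n' "$1" |
        sed -n 's/^.*failed to destroy \([^ :]*\): dataset is busy$/\1/p' |
        sort -u
}

# Print snapshots from listing $2 that belong to dataset $1 or to a
# descendant of it. Comparing the full dataset name avoids matching a
# sibling that merely shares the prefix (zbe vs. zbe-1).
snapshots_under() {
    printf '%s\n' "$2" | awk -v ds="$1" '
        { split($0, p, "@") }
        p[1] == ds || index(p[1], ds "/") == 1 { print }'
}

# For every busy dataset in error text $1, list its snapshots from $2.
blocking_snapshots() {
    busy_datasets "$1" | while IFS= read -r ds; do
        snapshots_under "$ds" "$2"
    done
}

# Demo on the embedded samples.
blocking_snapshots "$BEADM_ERR" "$ZFS_SNAPS"
```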