OpenSolaris 2009.06 as a domU guest on Xen 3.4/openSUSE 11.2

OpenSolaris LogoI recently trawled the web figuring out how to install a paravirtualized OpenSolaris 2009.06 on Xen. No one place had all the story, so I’m blogging this. I found a lot of the information spread across many other blog entries; some I figured out on my own. Thanks to all the giants on whose shoulders I am now standing:

The procedure:

  1. Download OpenSolaris 2009.06 ISO
  2. Mount the ISO somewhere
    pat-m6400:~ # mount -o loop,ro /vm/opensolaris/osol-0906-x86.iso /mnt
  3. Copy the kernel and rootfs somewhere convenient
    pat-m6400:~ # cp /mnt/platform/i86xpv/kernel/amd64/unix /vm/opensolaris
    pat-m6400:~ # cp /mnt/boot/amd64/x86.microroot /vm/opensolaris
  4. Create a disk image for your root filesystem
    pat-m6400:~ # dd if=/dev/zero of=/vm/opensolaris/root.img bs=1G count=1010+0 records out
    10+0 records in
    10+0 records out
    10737418240 bytes (11 GB) copied, 127.888 s, 84.0 MB/s
  5. Create a Xen config file (let’s call it /vm/opensolaris/opensolaris-install.cfg) with the following content:
    name = "opensolaris"
    vcpus = 1
    memory = 1024
    kernel = "/vm/opensolaris/opensolaris/unix"
    ramdisk = "/vm/opensolaris/x86.microroot"
    extra = "/platform/i86xpv/kernel/amd64/unix -B console=ttya"
    disk = ['file:/vm/opensolaris/osol-0906-x86.iso,6:cdrom,r', 'file:/vm/opensolaris/root.img,0,w']
    vif = ['bridge=br0']
    on_shutdown = "destroy"
    on_reboot = "destroy"
    on_crash = "destroy"
  6. Now start your VM:
    pat-m6400:~ # xm create -c /vm/opensolaris/opensolaris-install.cfg
  7. You should see something like:
    Using config file "./opensolaris-install.cfg".
    Started domain opensolaris (id=21)
    v3.4.1_19718_04-2.1 chgset '19718'
    SunOS Release 5.11 Version snv_111b 64-bit
    Copyright 1983-2009 Sun Microsystems, Inc.  All rights reserved.
    Use is subject to license terms.
    Hostname: opensolaris
    Remounting root read/write
    Probing for device nodes ...
    Preparing live image for use
    Done mounting Live image
    USB keyboard
    1. Albanian                      23. Lithuanian
    2. Belarusian                    24. Latvian
    3. Belgian                       25. Macedonian
    4. Brazilian                     26. Malta_UK
    5. Bulgarian                     27. Malta_US
    6. Canadian-Bilingual            28. Norwegian
    7. Croatian                      29. Polish
    8. Czech                         30. Portuguese
    9. Danish                        31. Russian
    10. Dutch                         32. Serbia-And-Montenegro
    11. Finnish                       33. Slovenian
    12. French                        34. Slovakian
    13. French-Canadian               35. Spanish
    14. Hungarian                     36. Swedish
    15. German                        37. Swiss-French
    16. Greek                         38. Swiss-German
    17. Icelandic                     39. Traditional-Chinese
    18. Italian                       40. TurkishQ
    19. Japanese-type6                41. TurkishF
    20. Japanese                      42. UK-English
    21. Korean                        43. US-English
    22. Latin-American
    To select the keyboard layout, enter a number [default 43]:
  8. Press enter to select the default…
    1. Arabic
    2. Chinese - Simplified
    3. Chinese - Traditional
    4. Czech
    5. Dutch
    6. English
    7. French
    8. German
    9. Greek
    10. Hebrew
    11. Hungarian
    12. Indonesian
    13. Italian
    14. Japanese
    15. Korean
    16. Polish
    17. Portuguese - Brazil
    18. Russian
    19. Slovak
    20. Spanish
    21. Swedish
    To select desktop language, enter a number [default is 6]:
  9. Press enter again…
    User selected: English
    Configuring devices.
    Mounting cdroms
    Reading ZFS config: done.
    opensolaris console login:
  10. Now login with jack/jack
    opensolaris console login: jack
    Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008
  11. And su with the password opensolaris
    jack@opensolaris:~$ su
    Feb  5 20:29:29 opensolaris su: 'su root' succeeded for jack on /dev/console
  12. Now do ifconfig -a to discover your IP address. You might have to try a few times since it seems to take a minute or two to get an IP:
    jack@opensolaris:~# ifconfig -a
    lo0: flags=2001000849 mtu 8232 index 1
    inet netmask ff000000
    xnf0: flags=1004843 mtu 1500 index 2
    inet netmask ffffff00 broadcast
    ether 0:16:3e:79:d:ba
    lo0: flags=2002000849 mtu 8252 index 1
    inet6 ::1/128
    xnf0: flags=2000841 mtu 1500 index 2
    inet6 fe80::216:3eff:fe79:dba/10
    ether 0:16:3e:79:d:ba
  13. Now go to a dom0 shell and find the domain id:
    pat-m6400:~ # domid=`xm domid opensolaris`
    pat-m6400:~ # echo $domid
  14. Use xenstore-read to find the vnc port and password:
    pat-m6400:~ # xenstore-read /local/domain/$domid/guest/vnc/port
    pat-m6400:~ # xenstore-read /local/domain/$domid/guest/vnc/passwd

    Supposedly you can also discover the IP address this way, but I’ve never seen

    pat-m6400:~ # xenstore-read /local/domain/$domid/ipaddr/0
    xenstore-read: couldn't read path /local/domain/21/ipaddr/0
  15. Now you can VNC to the OpenSolaris installer – use the port and password you just discovered. Note the double colon (::) to use port number rather than
    display number

    pat-m6400:~ # vncviewer
    Connected to RFB server, using protocol version 3.8
    Performing standard VNC authentication
    Authentication successful
  16. You should see the OpenSolaris installer – hurrah! Go through the install process, click ‘restart’ and the domain should shutdown.
  17. Once it is down (you can check with xm list), create another config file – opensolaris.cfg
    name = "opensolaris"
    vcpus = 1
    memory = 1024
    bootloader = "/usr/bin/pygrub"
    disk = ['file:/vm/opensolaris/root.img,0,w']
    vif = ['bridge=br0']
    on_shutdown = "destroy"
    on_reboot = "destroy"
    on_crash = "destroy"
  18. Now you can create the VM again using the new config
    xm create -c /vm/opensolaris/opensolaris.cfg
  19. If all is well, you should now be the proud owner of an OpenSolaris domU πŸ™‚
  20. Now, log in as the user you specified in the install, su – to root and find the IP address.
    pat@opensolaris:~$ su -
    root@opensolaris:~# ifconfig xnf0
    xnf0: flags=1004843 mtu 1500 index 2
    inet netmask ffffff00 broadcast
    ether 0:16:3e:5d:6:60

That’s the basic install done. You have a couple of options at this point depending on whether you want to be able to VNC in for the full OpenSolaris desktop experience, and whether you want a static IP address.

For the OpenSolaris desktop:

  1. Set X11-server to listen to the tcp port
    root@opensolaris:~# svccfg -s x11-server
    svc:/application/x11/x11-server> setprop options/tcp_listen = boolean: true
    svc:/application/x11/x11-server> quit
  2. I disabled idletimeout on the VNC server, so that I don’t lose the desktop over my lunch break!
    root@opensolaris:~# svccfg -s xvnc-inetd
    svc:/application/x11/xvnc-inetd> setprop inetd_start/exec = astring: "/usr/X11/bin/Xvnc -inetd -query localhost -once securitytypes=none -IdleTimeout 0"
    svc:/application/x11/xvnc-inetd> quit
  3. Enable XDMCP for GDM
    root@opensolaris:~# printf '[xdmcp]\nEnable=true\n' >>/etc/X11/gdm/custom.conf
    root@opensolaris:~# svcadm restart gdm
  4. Make sure GDM runs on startup
    root@opensolaris:~# svcadm enable -s gdm
  5. Turn on xvnc-inetd services
    root@opensolaris:~# svcadm enable xvnc-inetd
  6. Now just connect from dom0:
    pat-m6400:~ # vncviewer

    And you should be in GNOME desktop wonderland πŸ™‚

  7. If you want to continue to use DHCP, on subsequent boots, just run nmap on dom0 to find your IP address:
    pat-m6400:~ # nmap -sP
    Starting Nmap 5.00 ( ) at 2010-02-05 23:15 PST
    Host is up (0.00056s latency).
    Host is up (0.0017s latency).
    Nmap done: 256 IP addresses (9 hosts up) scanned in 2.48 seconds

As an alternative to getting a VNC session, you can do

ssh -X

(or whatever) and then (at the OpenSolaris prompt) you can do

pat@opensolaris:~$ some-gui-program &

to have the program run on the dom0 desktop. Cool πŸ™‚

To configure OpenSolaris to use a static IP address:

root@opensolaris:~# svcadm disable network/physical:nwam
root@opensolaris:~# svcadm enable  network/physical:default
root@opensolaris:~# ifconfig xnf0 down
root@opensolaris:~# ifconfig xnf0 netmask
root@opensolaris:~# ifconfig xnf0 up
root@opensolaris:~# route add default
root@opensolaris:~# echo netmask > /etc/hostname.xnf0
root@opensolaris:~# echo > /etc/defaultrouter

So there you have it – OpenSolaris 2009.06 happily running as a Xen domU. If you have any comments/corrections, please post them and I’ll update this entry as appropriate.

Create a Xen config file (let’s call it
/vm/opensolaris/opensolaris-install.cfg) with the following content:

The ForgeRock OpenSSO Roadshow comes to North America!

ForgeRockMy friends at ForgeRock are bringing their series of OpenSSO user group meetings to the USA and Canada in late March/early April 2010. If you’re interested in where they’re taking open source identity, you should definitely take this opportunity to participate in one of the meetings – choose from New York (3/29), Toronto (3/30), Chicago (3/31) or San Francisco (4/1). I’ll likely take the drive up 280 to the SF event on April 1st – see you there!

OpenSSO User Group Meetings in Northern Europe – Nov/Dec 2009

SupportRockAlthough I’m no longer as active in the OpenSSO community as I once was, some things still catch my eye – for example, news of a series of user group meetings across Northern Europe in late November and early December. OpenSSO experts Allan Foster, Jonathan Scudder, Steve Ferris and Victor Ake (not a blogger amongst them!?!?) will be presenting on OpenSSO-related topics ranging from monitoring to the Fedlet, via entitlements and OAuth, in Helsinki, Stockholm, Copenhagen, Oslo, London and Brussels. Seems like SupportRock might be a name to watch in the world of OpenSSO…

SAML Single Sign-on with Desktop Apps – Enabled by OAuth

OAuth from Desktop App Diagram

One question that repeatedly comes up in any discussion of web single-sign on is “How do I get my desktop apps to play?”. Often, Enterprise Single Sign-on (ESSO) is the answer – deploying an agent to the client desktop to automatically populate the username/password popup for Outlook, or whatever desktop app you’re working with. This has always felt a bit clunky to me, particularly since you need a credential store somewhere in the system, but it works well enough for the username/password case.

The ESSO approach breaks, however, if you’ve moved to a federated identity model, perhaps outsourcing your email to Google Apps and using SAML for single sign-on so that, instead of end users logging in to the email system directly, they authenticate to an identity provider (IdP) within your enterprise, which sends a SAML assertion (a signed XML document containing the user’s identifier and possibly other information) to Google as part of the web single sign-on process. Now the problem becomes: how do you use a fat email client such as Outlook, when (by design) Google knows nothing about the end users’ passwords?

Last week at Internet Identity Workshop 9 at the Computer History Museum in Mountain View, CA, Google presented an approach to this problem, leveraging OAuth as the glue between the web SSO world of SAML and the desktop view of Outlook. Well, they would have presented it, if the wifi had been more reliable; as it was, the Google engineers explained their solution to me πŸ™‚

It works like this:

  1. A Google plugin in Outlook intercepts the authentication process, obtains an (unauthorized) OAuth request token from Google’s OAuth service provider (SP) endpoint and invokes the browser with a SAML SP Google Auth URL, including the request token as a query parameter.
  2. Google Auth invokes Google’s SAML SP, which redirects to the user’s enterprise IdP.
  3. The user authenticates to the enterprise IdP (in the browser via whatever mechanism has been configured – typically username/password).
  4. The enterprise IdP redirects to Google with a signed SAML assertion containing the user’s Google identifier.
  5. Google returns a page for the user to give permission for Outlook to access their email; the user gives consent, submitting a form back to Google. This is the OAuth protocol step that authorizes the request token and permits an OAuth access token to be issued later.
  6. Browser shows “Success” page.
  7. Outlook plugin detects success (I guess it watches the window title), requests an OAuth access token from the Google OAuth SP (sending the, now authorized, request token), and uses the access token as the password in subsequent IMAP/SMTP/POP3 authentications with the Google mail server.

The OAuth consent page (step 5 above) seems a little clumsy, but, without it, if the user were already logged in to the enterprise identity provider, there would be no user interaction in the process, allowing a desktop app to obtain the OAuth tokens, and, thus, access to the user’s email account, without the user’s consent. Probably not a good thing πŸ™‚

All of this is documented in the following articles at Google – many thanks to Eric Sachs for pointing me to the links:

Note – I updated the flow above in light of more input from Eric at Google.

Bookmarks for November 6th 2009

These are my links for November 6th 2009:

  • Remus – Transparent High Availability for Xen – Remus provides transparent, comprehensive high availability to ordinary virtual machines running on the Xen virtual machine monitor. It does this by maintaining a completely up-to-date copy of a running VM on a backup server, which automatically activates if the primary server fails
  • OpenSSL is written by monkeys – Marco Peereboom's rant on OpenSSL. To be honest, looking at the examples of OpenSSL code, it's difficult to disagree – sorry, Ben!

Bookmarks for October 22nd 2009

These are my links for October 22nd 2009:

Bookmarks for October 13th 2009

These are my links for October 13th 2009:

Huawei – Two Weeks In

Programming Amazon Web Services
I'm currently reading 'Programming Amazon Web Services'

It’s the end of my second week at Huawei, and things are looking good. I’ve done a LOT of reading, getting up to speed on the non-identity parts of cloud computing, and we’ve spent some quality time around the whiteboard. I’ve also booked my first trip to Huawei’s headquarters in Shenzhen, which will be my first visit to mainland China (I went to a Liberty Alliance plenary meeting in Hong Kong a few years back).

One news item that caught my eye – Matt Bross (formerly BT’s CTO) has joined Huawei. BT has some very smart people, and it looks like Matt is no exception – I’m looking forward to meeting him when he visits the Huawei site in Santa Clara!

Talking of hiring, we’re still recruiting for the ‘virtual data center’ team – see Geoff’s blog entry – so, if you’re into large scale identity/security, storage, or systems and network management, drop me an email atΒ  with your resume, the sooner the better!