Friday, 16 May 2008

OpenVPN and solaris

A little more Solaris joy. Mainly as a note for myself, here is how to set up an OpenVPN client on OpenSolaris 2008.05:

  1. Add Blastwave and SunFreeWare IPS repositories to the Image Packaging System:

    -bash-2.05b# pkg set-authority -O Companion
    -bash-2.05b# pkg set-authority -O Blastwave
    -bash-2.05b# pkg refresh

  2. Install and setup the TUN device:

    -bash-2.05b# pkg install IPStun
    -bash-2.05b# add_drv tun

  3. Install openvpn:

    -bash-2.05b# pkg install IPSopenvpn

... and now you're ready to put your openvpn.conf file in /etc/csw/openvpn/.

You start and stop the daemon using:

-bash-2.05b# /etc/init.d/openvpn start
-bash-2.05b# /etc/init.d/openvpn stop

... which is nice and familiar, but I'd rather have it set up for use with svcadm. Ah well, can't have everything.
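Since the post wishes the daemon were under svcadm control, here is an added example (not from the original post or the Blastwave package) of a minimal SMF manifest that wraps the /etc/init.d/openvpn script shown above. The service name network/openvpn, the dependencies and the timeouts are my own choices.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Assumed manifest: wraps the Blastwave init script so svcadm can manage it. -->
<service_bundle type="manifest" name="openvpn">
  <service name="network/openvpn" type="service" version="1">

    <!-- Disabled until explicitly enabled with svcadm. -->
    <create_default_instance enabled="false"/>
    <single_instance/>

    <!-- The tunnel needs the local filesystems and the network up first. -->
    <dependency name="filesystem" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local"/>
    </dependency>
    <dependency name="network" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>

    <!-- Start via the init script from the post; the daemon it forks stays in
         the service contract, so ":kill" on stop tears the tunnel down cleanly. -->
    <exec_method type="method" name="start"
                 exec="/etc/init.d/openvpn start" timeout_seconds="60"/>
    <exec_method type="method" name="stop"
                 exec=":kill" timeout_seconds="60"/>

    <stability value="Unstable"/>
    <template>
      <common_name><loctext xml:lang="C">OpenVPN client</loctext></common_name>
    </template>
  </service>
</service_bundle>
```

Import it with `svccfg import openvpn.xml`, then `svcadm enable network/openvpn`; `svcs -x network/openvpn` shows why it failed if the init script exits non-zero.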

Brandz Spanking New

So, long time no Solaris talk.

I've not been sleeping well this last couple of weeks (ironically this seems to have a lot to do with exhausting myself during my recent trip to England), but that inevitably leads to lots of mucking around with computers in the wee hours of the morning.

So OpenSolaris 2008.05 is on my laptop right now, and it's a bit of a surprise to find it there, as I am trying to hack on some code that is destined to run on Linux. The crux of the biscuit is this: I need a contained environment to muck around with different Python implementations; it needs to be Linux and it needs to have network access from my laptop. Previously I'd been trying to achieve this on Linux using:

  • Plain old chroots
  • VMWare
  • VirtualBox

All of the above turned out to be failures. Chroots just don't cut it: the interaction between the chroot and the host is too strong, and debootstrapping tends to lead to all sorts of issues with network services (sorry, dbus didn't install correctly because it was already running..?!?!).

VMs seem like an obvious solution. The problem? My network access is predominantly wireless. Wireless and network bridging don't play well in Linux - you can do it, but it tends to screw up in all sorts of odd ways when the wireless card renegotiates with the AP. This isn't helped by the fact that my laptop's wireless card (an Intel 4965ABG) is fairly new and the Linux drivers are only just stabilising (kudos to Ubuntu Hardy Heron for being the only Linux distro I've tried that made this card "just work" out of the box). Another factor is that the same wireless card is also the only physical interface available to bind a tun to for my OpenVPN connection to my client's network. The reality of working with this setup for bridged interfaces is a series of hacks and, unfortunately, rebooting every 40 minutes or so. So I have made do with NAT'd and local networking in VMWare and switched between them based on my networking needs. Frustrating doesn't even begin to capture it!

Of course, I could plug some cat 5 into the router, but the router is hidden in a cabinet in the front room, nowhere near a sensible location for doing work, so I've been living with NAT'd VMs for a couple of months now.

So where does OpenSolaris come into all of this? Well, I've been tracking OpenSolaris for a long time now - I've used Solaris several times over the past decade, but it's always been a fringe thing for me; Linux has always given me more bang for less effort. OpenSolaris 2008.05 is a pretty polished distribution and it's starting to address some of the issues. I don't want to write about that here, but one key thing is that the re-emergence of the iwk wireless driver and the immature, but surprisingly reliable, Network Auto Magic daemon (nwam - a sort of NetworkManager, sans braindamage, for OpenSolaris) combine to make my goddamn tricky wireless card work out of the box.

OK, that's nice, but what does that give me that Hardy Heron doesn't? Well, whilst OpenSolaris may only just be maturing into an operating system that a sane human being would want to use day to day, it does have some seriously powerful and reliable toolsets built in for large scale (if I ever say "Enterprise" just shoot me..) computing: ZFS, Containers/Zones and, by extension, BrandZ - a special kind of zone that can masquerade as something else, i.e. Linux.

So I have set up an lx branded Solaris zone on my laptop. What does this give me? Well, it gives me something that's more isolated than a chroot, but more lightweight than a VM. It looks like Linux (like CentOS, specifically). It has its own IP address on the wireless network, bound to the same card as the global zone (the host), and both the global zone and the lx zone can see each other as first class peers on the same network as well as talking to the outside world. It has its own ZFS filesystem (Linux with ZFS? w00t!). I can choose to access that filesystem from the global zone (just like a chroot), which saves some tedious mucking around with network file transfer protocols for relatively simple things (security is not my prime concern in this case). I believe I can also dtrace this environment.. an unexpected benefit.

So what hoops did I have to jump through to set up such a marvel? Here's the transcript:

-bash-2.05b# zonecfg -z timaeuszone1
zonecfg:timaeuszone1> create -t SUNWlx
zonecfg:timaeuszone1> set zonepath=/export/timaeuszone1
zonecfg:timaeuszone1> add net
zonecfg:timaeuszone1:net> set address=
zonecfg:timaeuszone1:net> set physical=iwk0
zonecfg:timaeuszone1:net> end
zonecfg:timaeuszone1> commit
zonecfg:timaeuszone1> exit
-bash-2.05b# zoneadm -z timaeuszone1 install -d /export/home/gteale/Desktop/Centos_fs_image.tar.bz2
-bash-2.05b# zoneadm -z timaeuszone1 boot
-bash-2.05b# zlogin timaeuszone1

Not too shabby! Now let the hacking commence.