[ntp:hackers] More on Solaris

Brian Utterback brian.utterback at sun.com
Tue Apr 19 10:01:10 PDT 2005


David L. Mills wrote:
> Guys,
> 
> Two things to know about Solaris 10 that affect NTP. First, the startup 
> infrastructure is completely different, although the initd 
> infrastructure continues for the present. The new code has been disabled 
> on the NTP campus flock. The backroom flock might not be upgraded to 
> Solaris 10 until the rest of the department flock (about 250 machines) 
> is upgraded in Summer. Eventually we (me) will have to come to terms 
> with the new infrastructure.

I can help you with that. The SMF infrastructure is perhaps the most
surprising feature in Solaris 10 (in the literal sense of the word),
but is a great move forward in many ways. Once you get past the initial
surprise, it is pretty easy to use. In fact, the current manifest used
is a quick and dirty conversion job. Much more can be done.

> 
> Second, Sun now believes in virtual machines (fancy that) as a way for 
> complete separation between services such as the web and presumably NTP. 
> I've always thought the chroot thing is a crock. A virtual machine would 
> be a much better plan. Figuring out how to do that would be an excellent 
> exercise for our UDel sandbox. I once wrote a virtual operating system 
> for the PDP11 and found that a really neat debugging platform.

I am not sure what you mean here. Do you mean grid containers (aka
"zones")? If so, I am afraid that there is disappointment down that
road. The ntp_adjtime and adjtime system calls are only allowed
from the global zone.

On the other hand, the RBAC roles and privileges do suggest another
avenue for securing ntpd. With Solaris privileges, applying the
principle of least priv becomes possible. Add to that SMF, and it
becomes almost trivial.

-- 
blu

If you put a submarine in a blender...
----------------------------------------------------------------------
Brian Utterback - OP/N1 RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
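A concrete illustration of the least-privilege route Brian describes (Solaris privileges plus SMF), added here as an example and not part of the original thread or of Sun's shipped ntp manifest: an SMF manifest whose method_credential starts the time daemon as an unprivileged user with an explicit privilege set. The daemon path, the user/group and the exact privilege set are assumptions to be verified on the target system (the individual privilege names are real Solaris privileges; see privileges(5)).

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Constructed example, not the manifest Solaris 10 ships with.
     The exec path, user and group are assumptions for illustration. -->
<service_bundle type="manifest" name="ntp-least-priv">
  <service name="network/ntp" type="service" version="1">
    <single_instance/>

    <!-- Do not start until the network is up. -->
    <dependency name="net" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default"/>
    </dependency>

    <!-- Run as a non-root user, carrying only what a time daemon needs
         on top of the basic set:
           sys_time         adjtime()/ntp_adjtime()/settimeofday();
                            only honoured in the global zone, which is why
                            zones do not help here
           net_privaddr     bind the privileged UDP port 123
           proc_lock_memory mlockall() so the daemon is never paged out
         The !file_link_any, !proc_info and !proc_session entries remove
         basic privileges the daemon has no use for. Treat this set as a
         starting point and confirm it against the daemon actually used. -->
    <exec_method type="method" name="start"
      exec="/usr/lib/inet/xntpd"
      timeout_seconds="60">
      <method_context>
        <method_credential user="daemon" group="daemon"
          privileges="basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time"/>
      </method_context>
    </exec_method>

    <!-- :kill lets SMF stop the service without a shell script. -->
    <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60"/>

    <instance name="default" enabled="true"/>

    <stability value="Unstable"/>
  </service>
</service_bundle>
```

After `svccfg import` and `svcadm enable network/ntp`, `ppriv -S <pid>` on the running daemon shows the effective set actually granted, which is the check that the credential took effect.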



More information about the hackers mailing list