Why Solaris is not my favorite operating system

July 3, 2006

Sun killed one of my systems the other day. It was very simple: I installed the latest patches (that had passed testing on my test system), rebooted, and the ssh daemon failed to come up. Bang. Dead in the water due to:

ld.so.1: sshd: fatal: libxfn.so.2: open failed: No such file or directory

Since this machine is accessed only via ssh, that's all she wrote. (For extra fun, outgoing ssh from the machine dies for the same reason.)

It turns out that this is a known issue and has been since June 7th. Current versions of patches 113273 (sshd) and 114356 (ssh) require the SUNWfns package to be installed, a dependency that is not actually listed or enforced (except by having your system fall over if it's violated).

In theory, Solaris patches have dependencies and dependency checking. In practice, as you can see, they don't.
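The check that the patch tooling did not do can be run by hand after patching and before rebooting. This is an added example, not code from the original post: it reports an absent SUNWfns package and any binary whose shared libraries no longer all resolve (the libxfn.so.2 failure above), using Solaris pkginfo(1) and ldd(1); the sshd and ssh paths in the usage comment are assumed to be the usual ones.

```shell
#!/bin/sh
# Added example, not from the original post: a post-patch, pre-reboot check for a
# Solaris 9 host. It covers the failure the post describes in both forms: the
# SUNWfns package being absent, and a binary whose shared libraries no longer all
# resolve (sshd wanting libxfn.so.2). Run it after patching, before rebooting.
# Assumes Solaris pkginfo(1) and ldd(1); the binary paths below are assumed typical.

# Print the names of unresolved libraries from ldd(1) output read on stdin.
# Solaris ldd reports a missing dependency as "libxfn.so.2 =>   (file not found)".
unresolved_libs() {
    awk '/\(file not found\)/ { print $1 }'
}

# Return 0 if every library the binary links against resolves, 1 otherwise.
check_binary() {
    bin=$1
    missing=$(ldd "$bin" 2>/dev/null | unresolved_libs)
    if [ -n "$missing" ]; then
        echo "FAIL: $bin has unresolved libraries:" >&2
        printf '  %s\n' $missing >&2
        return 1
    fi
    return 0
}

# Return 0 if the named package is installed; pkginfo -q only sets an exit status.
check_package() {
    pkginfo -q "$1"
}

# Check the package the patched ssh needs, then each binary given as an argument.
run_checks() {
    rc=0
    check_package SUNWfns || { echo "FAIL: SUNWfns is not installed" >&2; rc=1; }
    for bin in "$@"; do
        check_binary "$bin" || rc=1
    done
    [ "$rc" -eq 0 ] && echo "OK: all libraries resolve; safe to reboot"
    return "$rc"
}

# Live checks run only when binaries are named, e.g.
#   sh sshcheck.sh /usr/lib/ssh/sshd /usr/bin/ssh
if [ $# -gt 0 ]; then
    run_checks "$@"
fi
```

A non-zero exit status means the patched system would come up without a working sshd, so the reboot should wait until SUNWfns is installed or the patch is backed out.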

There are two parts to why this makes Solaris not my favorite operating system. The first is that Solaris does not have a real package management system, because a real package management system has real dependencies, created automatically, enforced automatically, so that you cannot screw your systems up this way. If there is a problem you get an error message and the patch or package doesn't install and your system keeps working.

The second is that Sun doesn't care. I say this because the current versions of both 113273 and 114356 were released on June 26th, well after this became a known issue. Neither even mentions the new requirement of SUNWfns in their READMEs, much less enforces it in any of the ways open to Sun.

So much for the ssh situation moving forward. Oh well, the illusion was nice while it lasted.

(I'd hoped to hold off posting this until I could add a happy ending, but some things make it time to post it now.)


Comments on this page:

From 24.98.83.96 at 2006-07-03 11:11:23:

While this doesn't address the specific issue (Sun's patch process is a nightmare), Glenn Brunette posted a super useful shell script to view package dependencies on Solaris hosts:

http://blogs.sun.com/roller/page/gbrunett?entry=solaris_package_companion

Our sales representative informed me that Sun is actively working on addressing the install and patch process, and the opensolaris.org installation / package communities seem to be busy.

- Ryan

From 74.12.143.77 at 2006-07-04 08:11:29:

It's just a bug, pkgs do have dependencies, I cannot speculate why it was missed in that patch. I think the main mistake was backporting Solaris 10 SSH to Solaris 9, a move more complex than originally thought.

On a production system I'd rather have just SSH not started due to a Solaris pkg bug than 90% of the operating system wiped out due to a Debian's apt bug.

Oscar

By cks at 2006-07-04 12:25:06:

Solaris may have manual package dependencies but it doesn't have automatic ones, and automatic ones are what you need because they catch people's mistakes. And people will make mistakes (and do).

I'm not very sure that the sort of thorough automatic package dependencies you need can be retrofitted to the current Solaris package and patch format. (I suppose ultimately anything can, since everything gets run as a script so the scripts could be auto-built to have the dependency checking.)

From 206.168.172.20 at 2006-07-06 02:08:02:

Our Sun sales reps, and Sun engineers during Sun or Solaris BoFs at conferences, have been assuring me for the past 8 years that Sun is working on patch dependencies... They never seem to get anywhere.

We're dodging the Sun SSH problems in the meantime by installing a privilege-separation-capable openssh and using that instead. It seems the reason that Sun isn't implementing compressiondelay and privilegeseparation has to do with their Trusted Solaris versions.

So, those who don't need to use (or who don't care for) the Trusted Solaris MAC and that jazz are stuck with a version forked from openssh 2.3. Contrast this with openssh 4.3, which can both avoid bugs in zlib and prevent instarootability via compression and other attacks.

Vendor ports of critical software are really a mixed blessing. On the one hand, you have support; maybe I should call that "support" given the lack of keeping up with current versions. On the other, you have something that's missing critical safety features and is susceptible to package-requirements bugs that I no longer believe Sun is serious about fixing. It's quite lovely.

From 81.199.29.242 at 2006-08-07 12:51:08:

What is the latest on Solaris SSH now? I would prefer to stay with it, rather than move to OpenSSH. On the other hand, if it takes so long to fix...

Richard.

By cks at 2006-08-24 22:10:35:

It took me a while to find the time to do the research, but the short answer is that Sun seems completely uninterested in fixing this problem. In fact these days it's impossible to install the current Sun SSH patches. (The longer answer is in MoreSolarisSshIII).

My hope is that if there was a security issue in Sun's current SSH stuff, they would wake up and release a new, installable patch, and that they haven't means that there aren't any. But I can't be sure, and at this point Sun has really failed to convince me that they care about SSH.

I am still running the Sun SSH on my Solaris 9 systems, but this is as much inertia and lack of time and lack of a clear need to change it than anything else. Given Sun's behavior with SSH patches, there seems to be no clear benefit to using their version.

Written on 03 July 2006.
Last modified: Mon Jul 3 01:31:16 2006