[csw-users] Openssh upgrade problem under Solaris 10 for next package

Dennis Clarke dclarke at blastwave.org
Sat Aug 18 22:23:46 CEST 2007


Firstly, Yann, this is top notch excellent work. I want you to know that I
am very thankful for these packages and the work you do.

Also .. I'll watch for your post to announce and if we can make a nice easy
README then I'll get it on the homepage as well as on a static permanent
page on the site like so :

   http://www.blastwave.org/articles/BLS-0043/index.html

more comments below :

> Hi,
>
> Following smf support in last openssh package, I have some problems with
> the openssh upgrade for the next openssh package.
>
> Because of the process contract stuff, smf right now kills all ssh
> processes when the service is disabled.
>
> This is a bug in itself and leads to two problems when openssh will be
> upgraded:
>
> 	- Problem 1: all the sshd connections will be closed 60s maximum after
> the openssh package removal. Administrators may not be aware of this, and
> this could close the current ssh connection used to do the upgrade.
>
> 	- Problem 2: smf is still trying to shut down the previous sshd service
> (waiting 60s before killing all sshd processes) when the new one is being
> installed. And after that the service goes into maintenance mode so the
> new sshd service will not be properly started.
>
> Hence you can end up in a situation where you have no more opened ssh
> connections and no way to open a new one.
>
>
> For now, here is what I intend to do or did:
>
> 	- for problem 1: I don't see any workaround, so I will warn blastwave
> users on -announce and -users before the next package will land in
> unstable.
>
> 	- for problem 2: I solved the problem by adding a little hack in
> preinstall, it will wait for the service to quit the 'online*' state and
> then will clear the service state, if it is in maintenance mode. This way,
> the sshd service will be restarted.
>
> Updated solaris 10 packages are available in /testing:
> http://www.blastwave.org/testing/openssh-4.6,REV=2007.08.17_rev=p1-SunOS5.10-i386-CSW.pkg.gz
> http://www.blastwave.org/testing/openssh-4.6,REV=2007.08.17_rev=p1-SunOS5.10-sparc-CSW.pkg.gz
>
> Comments and testing are welcome.
>
> These problems will only affect next upgrade, because starting with these
> packages, I enabled solaris contract support for Solaris 10
> which avoids the problem 1, and I now use the "-s" option for "svcadm
> disable" in preremove so that a service really
> is in the disabled state when the package is removed.
>

I think that these packages need to be handled with some degree of care.

I have been giving this some thought and I'd like to institute a testing
form or test report that needs to be filled out on packages like this.
Please hear me out on this if you will.

Some packages, like gzip, need minimal testing in order to verify that they
perform as expected and install correctly. Other packages like browsers (
SeaMonkey in particular ) need lots of testing with various mixed pages of
various encryption levels and with Shockwave flash plugins and java etc etc
etc on both Sparc and x86 for more than just Solaris 8.  It is my sad duty
to report that I still have a sun4m machine in fact and from time to time
I'll use it. :-P

Packages like OpenSSH or OpenSSL require more extensive tests. Something
organized and rigorous. Within reason.  The mathematician within me knows
that we can not achieve a rigorous proof that provides certainty. We can
only test test test on every platform reasonable and then sign off saying
"yes, that works as expected in my opinion".

 I will test the OpenSSH packages on Sparc for both Solaris 8, Solaris
Nevada ( Express Release 64a ) as well as Solaris 10 at Global Zone and
non-global zone.  I would think that we can create a test matrix that shows
what was tested, on what platform and who did the test :

WARNING : ASCII table

 ---------+----------------+--------------------+------------------
 software | Solaris 8      |  Solaris 10 Global | Solaris 10 Zone
 ---------+----------------+--------------------+------------------
 openssh  | Sparc: dclarke |  Sparc: dclarke    | Sparc: dclarke
          |  x86 :         |   x86 : dclarke    |  x86 : dclarke
          |                |  AMD64: dclarke    | AMD64: dclarke
 ---------+----------------+--------------------+------------------


Something like that but with Solaris Nevada Developers Release thrown in
also as I think that is an important release to test on. That should be build
70a to be released by Wed this week.

Anyone have anything to add?  Like *what* the test would consist of on each
platform and release. Perhaps large file scp and many small files scp and
then just good old ssh with aes256-cbc block ciphers and things like that.

Thoughts ?

Dennis Clarke
dclarke at opensolaris.org
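
The preinstall workaround described in the quoted message (wait for the service to leave the 'online*' state, then clear it if it landed in maintenance), sketched as an added example. It is not the script shipped in the CSW package; the FMRI is a placeholder, and the retry count, poll interval and function names are assumptions.

```sh
#!/bin/sh
# Added example: wait-and-clear step for a package preinstall script.
# Bourne-compatible syntax (backticks, expr) so it also runs under a legacy /bin/sh.
FMRI="${FMRI:-svc:/EXAMPLE/sshd:default}"   # placeholder, not the package's real FMRI
MAX_TRIES="${MAX_TRIES:-45}"                 # assumption: 45 polls x 2s outlasts the 60s stop timeout
POLL="${POLL:-2}"                            # seconds between polls (assumption)

# Print the SMF state of $1 (e.g. online, online*, maintenance, disabled),
# or "absent" when svcs does not know the service.
svc_state() {
    st=`svcs -H -o state "$1" 2>/dev/null` || st=""
    if [ -n "$st" ]; then echo "$st"; else echo "absent"; fi
}

# Poll while $1 is in the transitional state shown literally as 'online*'.
# Prints the last state seen; returns 1 if it never left 'online*'.
wait_for_stop() {
    tries=0
    while :; do
        cur=`svc_state "$1"`
        case "$cur" in
            'online*') ;;                    # quoted: literal asterisk, not a glob
            *) echo "$cur"; return 0 ;;
        esac
        tries=`expr "$tries" + 1`
        [ "$tries" -ge "$MAX_TRIES" ] && { echo "$cur"; return 1; }
        sleep "$POLL"
    done
}

# Wait out the old instance, then clear maintenance so the new sshd can start.
# Fails (non-zero) on timeout instead of installing over an unknown state.
preinstall_fix() {
    final=`wait_for_stop "$1"` || { echo "timeout: $1 still $final" >&2; return 1; }
    if [ "$final" = "maintenance" ]; then
        svcadm clear "$1" || return 1
        echo "cleared"
    else
        echo "$final"
    fi
}

# A preinstall script would call this; guarded here by a hypothetical variable.
if [ "${RUN_PREINSTALL_FIX:-no}" = "yes" ]; then
    preinstall_fix "$FMRI" || exit 1
fi
```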



