[csw-buildfarm] Nmap access to Solaris build farm

Dagobert Michelsen dam at opencsw.org
Mon Oct 3 18:55:08 CEST 2011

Hi David,

On 30.09.2011 at 17:39, Dagobert Michelsen wrote:
> On 29.09.2011 at 17:46, Dagobert Michelsen wrote:
>> On 29.09.2011 at 16:24, David Fifield wrote:
>>> On Thu, Sep 29, 2011 at 11:42:36AM +0200, Dagobert Michelsen wrote:
>>>> On 29.09.2011 at 00:05, David Fifield wrote:
>>>>> On Wed, Sep 28, 2011 at 02:57:05PM -0700, David Fifield wrote:
>>>>>> In http://seclists.org/nmap-dev/2011/q3/646, you offered to let us have
>>>>>> access to the Solaris build farm for the purpose of testing Nmap. We'd
>>>>>> like to accept the offer.
>>>>>> I've seen the page at
>>>>>> http://www.opencsw.org/extend-it/contribute-packages/build-standards/build-machines/.
>>>>>> Here is an SSH public key. If you need a user name, "nmap" will do. Do
>>>>>> you need anything else?
>>>>> I forgot to add: does build farm access include root access? Most
>>>>> non-trivial testing of Nmap requires access to raw sockets.
>>>> Not by default. What do you need? Will an internal zone without
>>>> connection to the internet (only via the login server) suffice? We are
>>>> a bit short on official IP addresses, but if you need one I can set up
>>>> a special zone with root access just for nmap and a dedicated network
>>>> interface.
>>> It doesn't necessarily have to have raw sockets to the Internet; just
>>> being able to scan internal IPs would be okay.
>>> We had trouble with another Solaris zone because it didn't have the
>>> /dev/ip device. I found this documentation:
>>> http://docs.huihoo.com/opensolaris/solaris-containers-resource-management-and-solaris-zones/html/p87.html
>>>      In general, all applications can run in a non-global zone.
>>>      However, the following types of applications might not be
>>>      suitable for this environment:
>>>      * The few applications dependent upon certain devices that do
>>>        not exist in a non-global zone, such as /dev/kmem or /dev/ip.
>>> I think, in short, that we need the DLPI interface; i.e., the "snoop"
>>> command would have to work. From what I read, that would expose even
>>> traffic destined to other zones, so a dedicated network interface is a
>>> good idea if that's easy to do.
>> A zone with exclusive interface may suffice, I'll set this up tomorrow.
>> If that is not enough I can generate a vSphere VM which definitely
>> fits your requirements, but has also a larger footprint in terms of
>> patching etc. so I would go with a zone first.
>> I'll keep you informed.
> I made a new zone Solaris 10 Sparc with exclusive interface vnet2:
>  david@login [login]:~ > ssh root@nmap10s
> It is not really separated from the other buildfarm traffic, so please
> do not fubar the installation. The zone still has some minor issues which
> however should not disturb initial testing. Please let me know if you
> see anything strange.

Did you have time to look into the zone? Does it fit your needs or do you need
more? If this zone is not sufficient the next thing would be a separate Solaris x86 VM.

Best regards

  -- Dago
