[csw-buildfarm] Nmap access to Solaris build farm

Dagobert Michelsen dam at opencsw.org
Thu Sep 29 17:46:28 CEST 2011


Hi David,

On 29.09.2011 at 16:24, David Fifield wrote:
> On Thu, Sep 29, 2011 at 11:42:36AM +0200, Dagobert Michelsen wrote:
>> On 29.09.2011 at 00:05, David Fifield wrote:
>>> On Wed, Sep 28, 2011 at 02:57:05PM -0700, David Fifield wrote:
>>>> In http://seclists.org/nmap-dev/2011/q3/646, you offered to let us have
>>>> access to the Solaris build farm for the purpose of testing Nmap. We'd
>>>> like to accept the offer.
>>>> 
>>>> I've seen the page at
>>>> http://www.opencsw.org/extend-it/contribute-packages/build-standards/build-machines/.
>>>> Here is an SSH public key. If you need a user name, "nmap" will do. Do
>>>> you need anything else?
>>> 
>>> I forgot to add: does build farm access include root access? Most
>>> non-trivial testing of Nmap requires access to raw sockets.
>> 
>> Not by default. What do you need? Will an internal zone without
>> connection to the internet (only via the login server) suffice? We are
>> a bit short on official IP addresses, but if you need one I can set up
>> a special zone with root access just for nmap and a dedicated network
>> interface.
> 
> It doesn't necessarily have to have raw sockets to the Internet; just
> being able to scan internal IPs would be okay.
> 
> We had trouble with another Solaris zone because it didn't have the
> /dev/ip device. I found this documentation:
> 
> http://docs.huihoo.com/opensolaris/solaris-containers-resource-management-and-solaris-zones/html/p87.html
>        In general, all applications can run in a non-global zone.
>        However, the following types of applications might not be
>        suitable for this environment:
>        * The few applications dependent upon certain devices that do
>          not exist in a non-global zone, such as /dev/kmem or /dev/ip.
> 
> I think, in short, that we need the DLPI interface; i.e., the "snoop"
> command would have to work. From what I read, that would expose even
> traffic destined to other zones, so a dedicated network interface is a
> good idea if that's easy to do.

A zone with an exclusive interface may suffice; I'll set this up tomorrow.
If that is not enough I can generate a vSphere VM which definitely
fits your requirements, but also has a larger footprint in terms of
patching etc., so I would go with a zone first.

I'll keep you informed.


Best regards

  -- Dago

