Oracle / Sun X-series ILOM & BIOS updates, Linux access, Firefox and more

We used to install Sun Servers at Green Tree Systems, but since the takeover by Oracle we were forced to abandon this, since Oracle only kept the big resellers on board. ūüė¶
But that didn’t mean that we abandoned the servers.¬† The show must go on and so it did!

Firstly, we run Linux on all our servers and desktops.  Secondly, Sun Integrated Lights Out Management (ILOM) modules use Java to allow Remote Console access.  This poses some challenges, although they have become less in never versions of Linux.  Here is a summary of the issues we had and how we overcame them.

Let me just say: If you’re using a windows client, please don’t ask me for help.¬† There are lots of windows people out there that can help and I don’t want to.

1. ILOM & BIOS updates

Since Oracle will only supply software updates to maintenance contract customers, getting ILOM and BIOS firmware update means you have to “phone a friend”.¬† Once you have that, the rest is plain sailing.

2. Firefox & Chrome sub-window woes

Later releases of Firefox & Chrome do not display the content in the bottom half of the screen, but only the menu of the ILOM interface and the descriptive text.¬† It is possible to bypass the problem by right-clicking on the a menu item and selecting “open in new tab”, which is what I did, until I found this gem:

http://rich-notes.blogspot.com/2012/10/make-firefox-load-ilom-pages.html

The crux of the solution is this:

Add the following file to your home directory.
In ~/.mozilla/firefox/profile_id.default/chrome add a file called userContent.css

@media print {
 }
@namespace url(http:www.w3.org/1999/xhtml);
 #mainpage { visibility: visible !important; }

Note – The profile_id.default will be the only file with .default at the end in the Firefox directory. You may have to create the chrome directory.

That fixes the problem of the sub-window not showing in the main ILOM window.

3. Very slow leading ILOM webpages

This problem stems from an expired certificate it seems. I presume each web call has to time out before the next is done, or something like that.  Changing the ILOM web port to port 80, instead of 443, will allow fast normal access, which will allow you to update the ILOM and certificate.

4. Expired ILOM certificate

The older ILOM’s had certificates that expired on 2010, so accessing the web interface with Java 7 or later is a problem.¬† There is no simple way to ignore expired certificates any more.¬† Big Brother Oracle cannot allow you to make your own choices, or at least that’s what it feels like. :-]

I tried installing a self-signed certificate, but Oracle Java doesn’t fall for that either.

Eventually, updating to the latest ILOM firmware actually installed a new certificate which is valid till 2030!  Incidentally, version ILOM 3.0.6.21 r50234 was the last version with the old certificate.  I installed v3.0.16.15.h r93405 and that fixed the certificate as well as install the latest ILOM update.

5. IcedTea and OpenJDK to the rescue

The later version of Ubuntu come with OpenJDK and IcedTea instead of Oracle Java Webstart and Java. In the IcedTea Web Control Panel, the settings can be changed to ignore the expired certificate.

Pick the JRE you wish to use.  I have tested both the 32 and 64bit versions and they work equally well for me.

IcedTea-WebThen select the Security tab and set it to you liking.  Mine looked like this.

IcedTea-SecurityThis will hopefully give you less trouble than Oracle Java for the purpose of this exercise.

I will be adding additional tip and tricks wrt to Sun Servers here in time.

Hope it helps someone as it has helped me.

Advertisements

South African Radio Stations via Rhythmbox

Since I run an Ubuntu desktop environment, I get to do with all the idiosyncrasies of service providers that imagine a “Windows only” world…¬† <sigh>

Here’s what to use to get radio via Rhythmbox or other music players:

  • Cape Talk 567 MW – rtsp://196.35.68.110/capetalk-live
  • RSG – rtsp://196.35.68.110/rsg_22?MSWMExt=.asf

If you have more streams (that you have tested!), please comment below and I’ll add them here.

LTSP notes

These are my personal notes wrt LTSP installations, tips and tricks that I have needed in various setups.  Instead of just storing these in my own notebook, I share them here for the benefit of anyone that may benefit from them.  Feel free to leave comments, corrections or suggestions.

Ubuntu 12.04 64bit Server with LTSP

i386 Clients that don’t support required ‘cmov’

Norhtec Surfboards with XCore86 processors:

  1. The last version of Ubuntu that has the ‘cmov’ instruction built into the kernel is 10.04.¬† I suppose it is possible to compile a custom kernel with ‘cmov’ support, but I think Ubuntu has removed code from their source, so one would need quite a bit of customisation to overcome this.¬† Not for me, I’ve wasted too much time on things I don’t really know enough about.
  2. Debian continues supporting ‘cmov’ up to the latest build.
  3. Debian LTSP implements NFS to connect from the chroot booted system to the server, Ubuntu uses NBD.
  4. With Ubuntu 10.04 Lucid, the NBD server listened on a port, typically 2000, 2001, 2002, etc.  Since 12.04 Precise (or maybe even the release before that?), the chroot booted clients connects with a named pipe instead of a port.
  5. To allow a 10.04 chroot client to connect to the 12.04 server, do the following
      1. $ sudo ltsp-chroot -a i386
        $ vim /etc/ltsp/update-kernels.conf

        Change the content to:
        BOOTPROMPT_OPTS=”append ro initrd=initrd.img quiet splash nbdport=2002″
        NBD_ROOT_NAME=ltsp_i386


        Now run:

        $ /usr/share/ltsp/update-kernels
        $ exit


        $ sudo ltsp-update-kernels

        Now the file /var/lib/tftpboot/ltsp/i386/pxelinux.cfg/default should reflect the changed connection method using a port.


      2. Change the nbd-server config as follows:
        $ sudo vim /etc/nbd-server/config
        [generic]
        user = nbd
        group = nbd
        includedir = /etc/nbd-server/conf.d
        oldstyle = true


        $ sudo vim /etc/nbd-server/conf.d/ltsp_i386.conf
        [/opt/ltsp/i386]
        exportname = /opt/ltsp/images/i386.img
        port=2002
        readonly = true


        $ sudo vim /etc/nbd-server/conf.d/swap.conf
        [swap]
        port = 2002
        exportname = /tmp/nbd-swap/%s
        prerun = nbdswapd %s
        postrun = rm -f %


      3. A different way (which I only found out yesterday by going through the script), is:
        $ sudo ltsp-update-image -a i386 -o “quiet splash nbdport=2002”

     

Extra notes:

There is a file /etc/ltsp/ltsp-update-image.excludes which removes certain file from the chroot when the image is created.  Edit this to allow sshd keys, home directories and more to included in the image.

If the client doesn’t log in to the server due to ssh keys not in the ssh_known_hosts file, delete the /etc/ssh/ssh_known_hosts file in the chroot, run ltsp-update-sshkeys and then ltsp-update-image.

If the screen resolution notification pops up after logon, delete the users ~/.config/monitors.xml file.

To enable sshd on the thin client:
In /etc/ltsp/ltsp-update-image.excludes comment out:
# etc/ssh/ssh_host_*_key

In /var/lib/tftpboot/ltsp/i386/lts.conf add:
KEEP_SYSTEM_SERVICES=”ssh”

Printers connected to the thin client?
check the device the printer is on: ls -la /dev/usb/lp1 for example  (on wheezy)
then set lts.conf to:
LOCALDEV = true
PRINTER_0_DEVICE = /dev/usb/lp1
PRINTER_0_TYPE   = U
for the application MAC address

Lexmark Support fail!

Here is the exchange I had with Lexmark support regarding the Lexmark Prospect 205 printer/scanner/fax/copier.
I have highlighted some text in orange to make it clearer and clipped some standard template text for the sake of brevity, but otherwise I changed nothing.  Just did a cut and paste from gmail.
Lexmark have now removed the drivers in question… ¬†but haven’t said a word about it.

Dear Roland,

Here is your Service Request # 1-11261004232

Thank you for the information and it’s clearer this time. Going back to your concern, I tried checking it from our website again and found out that this printer doesn’t have an Ubuntu drivers so this means that it is not compatible with it. I sincerely appreciate your patience.

If you have any more questions or concerns, please contact me at your convenience and I will be happy to assist you. (If I am not available, another representative may reply to your request.)

<clipped template info>

Sincerely,

Giovanni
Lexmark eSupport Team
http://support.lexmark.com
[THREAD ID:1-568IEH4]Please rate your e-mail support experience. Your feedback is extremely valuable to us. Please click the link below to participate in a brief Lexmark Customer Satisfaction Survey.https://surveys.lexmark.com/survey/s?s=9972
**********Original Message**********
I can understand why we have missed each other.  In the original thread I
referred to a “Lexmark Prospect 205 Scanner/Fax/Printer” which is what I
have.  That model definitely has a driver on your website and it works as I
said before. Does that make it clearer?
On Thu, Feb 14, 2013 at 9:18 AM, Lexmark Support <support3@lexmark.com>wrote:>
Dear Roland,
>
> Here is your Service Request # 1-11261004232
>
> We have here the P250 printer as your printer and we don’t have drivers
> for Ubuntu with this type. May I know if you really have a P250 printer?
>
> If you have any more questions or concerns, please contact me at your
> convenience and I will be happy to assist you. (If I am not available,
> another representative may reply to your request.)<clipped template info>> Sincerely,
> Giovanni
> Lexmark eSupport Team
> http://support.lexmark.com
>
Eh, am I missing something here?  I think you should read my original mail
before firing off a canned response!Here is what I asked:I have installed the latest printer & scanner drivers for Ubuntu (32 bit)
from your support site on two machines.  On the one (running Ubuntu 11.10)
everything works 100%, printing & scanning over the network.  On the other
machine running Ubuntu 12.10 however I can print, but scanning produces the
error “Failed to open device ‘lexmarklegacy_1_0_0:libnet/00200075694B’:
Error during devce I/O.I have also engaged some non-lexmark forum on this matter and the full
thread is available here:
http://www.linuxquestions.org/questions/linux-software-2/sane-device-information-for-network-scanner-893105/page2.html#post4886245<https://rightinbox.herokuapp.com/follow/d6892e36-09e2-4015-a8cb-63a6177d3f0f/http%253A%252F%252Fwww.linuxquestions.org%252Fquestions%252Flinux-software-2%252Fsane-device-information-for-network-scanner-893105%252Fpage2.html%2523post4886245>
I¬†posted as “lifeboy” and have provided this link so I don’t have to repeat
the volume of information I have provided there regarding my setup.To which you responded (totally unrelated and seeming not having read what I wrote!)
Here is your Service Request # 1-11261004232
>
> Thank you for contacting Lexmark. With regards to your concern, I regret
> to inform you that this printer is not compatible with Ubuntu and that you
> can’t find any drivers available from our website. I sincerely appreciate
> your patience.
>1. I *did download* the drivers from your website and you *do* support *
Ubuntu* and *Debian*.  And the printer works as well as the scanner from
one of my machines!!
2. I explicitly asked for technical help.  In the thread I referred to I
have posted extensive technical information that you should pass on the
your driver development team. The drivers where update recently with never
version, so don’t try to tell me you don’t¬†support¬†Ubuntu.
3. It seems that I should rather buy a printer from HP, Brother, Canon or
Epson, right?
4. Does you employer know that you’re not doing your job, by brushing off a
technical support request?I am appalled by this response. Can you please escalate this request to
your manager?thank youRoland Giesler, CEOOn Wed, Feb 13, 2013 at 10:13 AM, Lexmark Support
<support3@lexmark.com<https://rightinbox.herokuapp.com/follow/d6892e36-09e2-4015-a8cb-63a6177d3f0f/mailto%253Asupport3%2540lexmark.com>
> wrote:> Dear Roland,
>
> Here is your Service Request # 1-11261004232
>
> Thank you for contacting Lexmark. With regards to your concern, I regret
> to inform you that this printer is not compatible with Ubuntu and that you
> can’t find any drivers available from our website. I sincerely appreciate
> your patience.> If you have any more questions or concerns, please contact me at your
> convenience and I will be happy to assist you. (If I am not available,
> another representative may reply to your request.)
>
<clipped template info>
**********Original Message**********
Roland Giesler <roland@***********t> Feb 15
to Lexmark
Again I don’t understand? ¬†When I go to the Lexmark¬†support¬†site and select the Prospect Pro205 printer, I get the driver plain and simple:
Here is the site URL:
Select on the Downloads tab: “Unix /Linux” and then “Ubuntu 12.04”, I get the complete list of drivers.

Canonical: Killing Maverick Meerkat and plugging its burrows? (Solution available)

I really didn’t think that I would ever have to write this kind of post

Since the end of support for Ubuntu Maverick 10.10 in April 2012, the repos are suddenly (since when?) removed as well.  This is a very serious problem since we have a number of 10.10 environments which are extremely stable and in production, with only very occasional modifications needed.  However, it is not possible to add even a simple application like vim to any of these installations by using the repositories and standard Ubuntu provided tools, since the complete repositories seem to have been removed!

Now, I realise and support the fact that Canonical cannot continue to support releases indefinitely and that’s perfectly in order. ¬†But, hey, even Microsoft of all companies have many of the patches and updates available that were previously released even for very old products. ¬†Ubuntu is an open source system, we use it exclusively at clients and inhouse, but in this instance you are seriously letting us down. Why can the repos not simply stay online? ¬†I’m not asking for new updates, but simply that what was there before stays there. ¬†There is a community as well, you know, and by what reasoning do things simply get removed?

Consider this. ¬†Our client wants to upgrade their systems to 12.04 and have budgeted for this in the next 6-12 months. ¬†Neither they, nor we, currently have manpower resources available to upgrade their LTSP servers and applications and to ensure that it all works. ¬†You know that it’s not as simple as clicking the upgrade button, so why are we being put in this position? ¬†The forced upgrade cycle is one of the main reasons why we moved away from Windows, apart from the security issues inherent in that platform, yet now Canonical is putting us in the same position.

Here is a quote from Kate Stewart’s announcement to the Ubuntu Security Announcement List:

Since its launch in October 2004 Ubuntu has become one of the most
highly regarded Linux distributions with millions of users in homes,
schools, businesses and governments around the world. Ubuntu is Open
Source software, costs nothing to download, and users are free to
customize or alter their software in order to meet their needs.

Canonical, please but the repos back online where they belong.

Update: (Please see Kate Stewart’s comment as well)

The old repos are held at¬†http://old-releases.ubuntu.com/. All one need to do to keep Maverick (or any of the other discontinued releases) alive, is the change the repositories. ¬†It would be great if Ubuntu could add the “old” repository to the sources in the Update Manager. ¬†For now one has to edit the /etc/apt/sources.list to reflect the repository.

Here are the ones I changed:

deb http://old-releases.ubuntu.com/ubuntu maverick main restricted
deb http://old-releases.ubuntu.com/ubuntu maverick-updates main restricted
deb http://old-releases.ubuntu.com/ubuntu maverick universe
deb http://old-releases.ubuntu.com/ubuntu maverick-updates universe
deb http://old-releases.ubuntu.com/ubuntu maverick multiverse
deb http://old-releases.ubuntu.com/ubuntu maverick-updates multiverse
deb http://old-releases.ubuntu.com/ubuntu maverick-backports main restricted universe multiverse

## Partner release are not in the old repositories.
### deb http://old-releases.ubuntu.com/ubuntu/ maverick partner

deb http://old-releases.ubuntu.com/ubuntu/ maverick-security main restricted
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security universe
deb http://old-releases.ubuntu.com/ubuntu/ maverick-security multiverse

Once the changes have been made, do a sudo apt-get update and inspect the output for any repositories that are not found and correct the corresponding line accordingly.

File system root rights affect the whole file system

Check the rights for the file system root if “access denied” errors occur when logs, pid files, temp files or others are needed, but cannot he written.

I recently had to troubleshoot a system where the file access rights got messed, although all the rights for /var/log, /tmp and more where correct.¬† It turned out eventually that the fs root (/) didn’t have the right for others to read, which had a knock-on effect disallowing things like /var/run/… to be accessed by mysql, postfix, ntpd, etc, thus preventing the pid file to be written.
There were more strange access denied errors, but once the root right was set allow others to read, all these errors went away.

Ubuntu Lexmark Prospect Pro205 series printing

(OS: Ubuntu 11.04, 11.10, 12.04, 12.10)

History: Ubuntu 10.04

After downloading and installing the driver for my new Lexmark Prospect Pro 205 printer/fax/scanner/copier from¬†Lexmark’s support pages, by unpacking it and doing

sudo ./lexmark-inkjet-09-driver-1.0-1.i386_ts.deb.sh

it tested fine by printing a test page.  However, printing from an application like LibreOffice Write, or any other application for that matter, just resulted in an error and not printout.

The problem may be seen without going to the command line by simply right-clicking the stopped printqueue item and viewing the detail. ¬†The status from the printer is: “/usr/lexinkjet/lxk09/bin/printdriver failed” ¬†(or some other file like in that bin directory)

The log at /var/log/cups/error_log shows:

 D [11/May/2011:14:50:51 +0200] [Job 32] envp[22]="DEVICE_URI=lxusb://Lexmark/Pro200-S500%20Series"
 D [11/May/2011:14:50:51 +0200] [Job 32] envp[23]="PRINTER_INFO=Lexmark Pro205 via USB"
 D [11/May/2011:14:50:51 +0200] [Job 32] envp[24]="PRINTER_LOCATION="
 D [11/May/2011:14:50:51 +0200] [Job 32] envp[25]="PRINTER=Lexmark_Pro205_USB"
 D [11/May/2011:14:50:51 +0200] [Job 32] envp[26]="CUPS_FILETYPE=document"
 D [11/May/2011:14:50:51 +0200] [Job 32] envp[27]="FINAL_CONTENT_TYPE=printer/Lexmark_Pro205_USB"
 D [11/May/2011:14:50:51 +0200] [Job 32] Started filter /usr/lib/cups/filter/pdftopdf (PID 15284)
 D [11/May/2011:14:50:51 +0200] [Job 32] Started filter /usr/lib/cups/filter/pdftoraster (PID 15285)
 D [11/May/2011:14:50:51 +0200] [Job 32] Started filter /usr/lexinkjet/lxk09/bin/printdriver (PID 15286)
 D [11/May/2011:14:50:51 +0200] [Job 32] Started backend /usr/lib/cups/backend/lxusb (PID 15287)
 D [11/May/2011:14:50:51 +0200] [Job 32] /usr/lexinkjet/lxk09/bin/printdriver: Permission denied
 D [11/May/2011:14:50:51 +0200] [Job 32] STATE: +connecting-to-device
 D [11/May/2011:14:50:51 +0200] [Job 32] Printer using device file "/dev/usblp0"...
 D [11/May/2011:14:50:51 +0200] [Job 32] STATE: -connecting-to-device
 D [11/May/2011:14:50:51 +0200] [Job 32] backendRunLoop(print_fd=0, device_fd=5, use_bc=1)
 D [11/May/2011:14:50:51 +0200] [Job 32] Ghostscript command line: /usr/bin/gs -dQUIET -dPARANOIDSAFER -dNOPAUSE -dBATCH -sDEVICE=cups -sstdout=%stderr -sOutputFile=%stdout -I/usr/share/cups/fonts -sOutputType=1 -r300x300 -dDEVICEWIDTHPOINTS=595 -dDEVICEHEIGHTPOINTS=841 -dcupsMediaType=1 -dcupsBitsPerColor=8 -dcupsColorOrder=0 -dcupsColorSpace=1 -dcupsCompression=8 -dcupsRowFeed=1 -dcupsRowStep=1 -scupsPageSizeName=A4 -c -f -_
 (I highlighted the pertinent line above)

However, I found this line in /var/log/messages:

May 12 08:56:24 gts-server kernel: [214361.584639] type=1400 audit(1305183384.387:59): apparmor="DENIED" operation="exec" parent=15270 profile="/usr/sbin/cupsd" name="/usr/local/lexmark/lxk09/bin/printdriver" pid=28978 comm="cupsd" requested_mask="x" denied_mask="x" fsuid=7 ouid=0

This indicated that something call apparmor denies access to the printdriver file.

Reading up on this, I found that apparmor has a profile that protects CUPS by default in Ubuntu.  All one has to do to make printing work, is to tell apparmor where the Lexmark driver is and allow it to run.

This is what I changed in /etc/apparmor.d/usr.sbin.cupsd

  # backends which come with CUPS can be confined
  /usr/lib/cups/backend/bluetooth ixr,
  /usr/lib/cups/backend/dnssd ixr,
  /usr/lib/cups/backend/http ixr,
  /usr/lib/cups/backend/ipp ixr,
  /usr/lib/cups/backend/lpd ixr,
  /usr/lib/cups/backend/parallel ixr,
  /usr/lib/cups/backend/scsi ixr,
  /usr/lib/cups/backend/serial ixr,
  /usr/lib/cups/backend/snmp ixr,
  /usr/lib/cups/backend/socket ixr,
  /usr/lib/cups/backend/usb ixr,
 /usr/lib/cups/backend/lxnet ixr,
  # we treat cups-pdf specially, since it needs to write into /home
  # and thus needs extra paranoia
  /usr/lib/cups/backend/cups-pdf Px,
  # third party backends get no restrictions as they often need high
  # privileges and this is beyond our control
  /usr/lib/cups/backend/* Ux,

  /usr/lib/cups/cgi-bin/* ixr,
  /usr/lib/cups/daemon/* ixr,
  /usr/lib/cups/monitor/* ixr,
  /usr/lib/cups/notifier/* ixr,
  # filters and drivers (PPD generators) are always run as non-root,
  # and there are a lot of third-party drivers which we cannot predict

 # Lexmark Pro205 driver  /usr/local/lexmark/lxk09/* rix,  /usr/local/lexmark/lxk09/lib/* rix,  /usr/local/lexmark/lxk09/bin/* rix,  /usr/lexinkjet/lxk09/* rix,

(Again, I have marked the additions in red)

After restarting apparmor (sudo /etc/init.d/apparmor restart) the printer prints with both the USB and Wifi connections as it should.

The scanner also work 100% with the simplescan sane frontend, but only via the USB cable, not via wifi.

Faxing from the computer I haven’t addressed yet, since the print driver doesn’t expose the fax function.

Tom Bamford added this comment on the glug-tech(at)linux(dot)org(dot)za list:

AppArmor often gives me hassle when I’m working with files in arbitrary locations.

You can edit /etc/apparmor.d/usr.sbin.cupsd and add the path to the printdriver binary (/usr/local/lexmark/lxk09/bin/printdriver) under the existing entries for /usr/sbin/* etc. Or (less ideally) just put the cupsd profile into complain mode.

Trouble with the legacy-1.0-1 driver

When attempting to install the lexmark-inkjet-legacy-1.0-1.i386.deb.sh driver from Lexmark and lua error occurs.  Lexmark support has send me this advice.

  1. Please delete the tmp folder that was created after extracting the shell script.
  2. Extract the shell file (the extracted file)
    sudo sh –keep –noexec . This will create the tmp folder
  3. Edit run.lua found in /tmp/config/run.lua. Change ownhership to ownership.
  4. Go back to terminal and type cd ..
  5. Then type sudo sh startupinstaller.sh

It seems that this problem was reported here more than a year ago, but the driver has not been updated by Lexmark since.  Please message them and ask them to fix the simple mistake now!

Ubuntu 11.10

Installing these three drivers allows printing and scanning via USB of WIFI from Ubuntu.  Very nice!

lexmark-inkjet-legacy-1.0-1.i386.deb
lexmark-printer-utility-1.0-2.i386.deb
lexmark-scan-legacy-1.1-1.i386.deb

Unfortunately I noticed today (18 Mar 2013) that Lexmark have removed these from their support site!

Ubuntu 12.04 & 12.10

These drivers (above) did allow printing with Ubuntu , but not network scanning with Ubuntu 12.04 & 12.10.

It now seems that there is only support for Fedora 10 and OpenSuse 11.0 / 11.1 from Lexmark.

Are they working of fixing the bugs for Debian based distros? ¬†No-one knows, since they’re denying everything (head in the sand, hoping it will go away?)

Their helpdesk had this to say!

I have downloaded the Fedora driver and with see if I can hack to work on Ubuntu 12.04 / 12.10 and report back if I succeed.