Solaris Update

1
SolarisUpdate

• Linda Kateley
• Solaris Fan
• linda.kateley_at_sun.com
• Sun Microsystems, Inc.
• .

2
Agenda

• Yesterdays solaris
• Open Solaris
• 06/06
• 11/06
• Sooner..
• Later...

3

• Solaris 8
• 6/30/08

4
Existing FeaturesSolaris, Nevada and OpenSolaris
5

• Distribution for Solaris, Java, and Web 2.0
  application development
• Simplified, out-of-the-box experience for
  common x64 desktops and laptops
• Deploy to Solaris 10
• Regular releases
• Developer support and training offerings

Solaris Express,Developer Edition
Optimized for Developers
6
SXDE 5/07 highlights

• Same as 2/07 install experience
• Four new wireless drivers (total of 5 now)
• Studio 12 (maybe RR)
• Thunderbird 2.0
• StarOffice 8 Update 6
• Lightning 0.3 (Calendar)
• AMP (desired but issues still to be resolved)
• Network Auto Magic phase 0

Tentative name/release dates
7
SXDE 8/07 highlights

• Dwarf Caiman (first phase of new installer)
• GNOME 2.18
• Xen and Xen Virt-manager GUI
• Flash 9
• Off The Record (OTR)
• Battery Status Indicator
• GNOME Dev Help
• AMP stack

Tentative name/release dates
8
Solaris 10 6/06ZFS

• Key Features
• Ease of Management
• Self Healing
• 128-bit
• Endian neutral
• Performance
• zfs(1M), zpool(1M)
• http//opensolaris.org/os/community/zfs

9
Solaris 10 6/06ZFS Integration with Zones

• Allow Zone administrator to manage ZFS datasets
• Datasets exported via zonecfg(1M)
• http//opensolaris.org/os/community/zfs/docs/zfsad
  min_0417.pdf

zonecfg -z zion zion No such zone
configured Use 'create' to begin configuring a
new zone. zonecfgziongt create zonecfgziongt add
dataset zonecfgziondatasetgt set
nametank/zone/zion zonecfgziondatasetgt
end
10
Solaris 10 6/06FMA for x64

• Error handling and diagnosis for
• AMD Athlon 64
• Opteron
• Automatic page retire and CPU offline for faulty
  DIMMs and CPUs
• Fully integrated with fmd(1M) and syslog(1M)
• fmd(1M), fmdump(1M)
• http//blogs.sun.com/roller/page/gavinm?entryamd_
  opteron_athlon64_turion64_fault

11
Solaris 10 6/06PostgreSQL

• 8.1.x
• Embedded DTrace probes some Solaris specific
  patches

12
Solaris 10 11/06
Download December 11, 2006 Media December 19,
2006

• Solaris Trusted Extensions
• Secure by Default
• Logical Domains
• New Solaris Containers functionality
• Attach/detach
• Clone
• Configurable privileges
• New ZFS functionality
• Hot Spares
• RAIDZ2 (RAID6)
• Clone Promotion Fast Snapshots
• Performance Enhancements
• Support for new systems Bug Fixes

13
Solaris 10 11/06Secure by Default

• PSARC 2004/368
• On newly installed systems, all network services
  (except for ssh) that were previously enabled by
  default are now either disabled or constrained to
  respond to local requests only.
• This change minimizes the attack surface for an
  installed system and provides a base for
  customers to enable only the services they
  require.

14
Solaris 10 11/06Secure By Default

• For newly installed systems (initial install
  only), all services with external interfaces
  turned off
• except those required for local login and boot,
  and ssh
• Implemented as SMF profile
• Next Phase modifies deamons and setuid root
  programs to use PRM (Privileges)
• http//www.opensolaris.org/os/community/security/p
  rojects/sbd/

netservices limited ltdisable network services
manuallygt netservices open
ltenable default network servicesgt

15
Solaris 10 11/06Niagara LDOMs

• New sun4v architecture

Operating System
Solaris X (genunix)
Solaris X update (genunix)
Solaris X (sun4v)
sun4v interface
US-Z CPU code
SPARC hypervisor
CPU Z
SPARC CPU
Platform
16
Solaris 10 11/06Niagara LDOMs

• Replace HW domains with Logical Domains
• Highly flexible
• Each Domain runs an independent OS

Logical Domain 1
Logical Domain 2
Logical Domain 3
Solaris 10
Solaris 11
Service Domain
Zone 2
Zone 1
Zone
Hypervisor
Hardware
CPU
CPU
CPU
CPU
Shared CPU, Memory, IO
I/O
Mem
Mem
Mem
17
Solaris 10 11/06ZFS Hot Spares

• Add Hot Spare support to ZFS
• http//www.opensolaris.org/jive/thread.jspa?messag
  eID30323

zpool create test mirror c0d0 c1d0 spare c2d0
c3d0 zpool status pool test .... c0d0 ONLINE
0 0 0 c1d0 ONLINE 0 0 0 spares c2d0 ONLINE c3d0
ONLINE zpool add test spare c4d0 c5d0 zpool
remove test c2d0
18
Solaris 10 11/06Zone Rename

• zonecfg(1M) zonename property
• zone must be in installed or configured state
• Read the Request For Comments
• http//www.opensolaris.org/jive/thread.jspa?thread
  ID1833tstart45

zonecfg -z myzone zonecfgmyzonegt set
zonenamemyzone2 zonecfgmyzone2gt exit
19
Solaris 10 11/06Zone Move

• zoneadm(1M) move subcommand
• Relocate a non-global zone from one point on a
  system to another point on the same system
• Works within and across filesystems on local
  system
• data copied if zone is moved across filesystems
• Zone must be halted prior to the move
• Read the Fast-Track Proposal (November 2005)
• http//www.opensolaris.org/jive/thread.jspa?thread
  ID3907tstart30

zoneadm -z myzone move /newpath
20
Solaris 10 11/06Zone Clone

• zoneadm(1M) clone subcommand
• Provision a new zone based on the configuration
  of an existing zone on the same system
• New zone must be in configured state, source
  halted
• Much faster alternative to install
• New zone sys-unconfig'ed
• http//www.opensolaris.org/jive/thread.jspa?thread
  ID3907tstart30

zoneadm -z newzone clone -m method
method_params srczone
21
Solaris 10 11/06Zone Migration
host1 zoneadm -z myzone detach move the
myzone zonepath from host1 to host2 host2
zonecfg -z myzone myzone No such zone
configured Use 'create' to begin configuring a
new zone. zonecfgmyzonegt create -a
/export/zones/myzone zonecfgmyzonegt
commit zonecfgmyzonegt exit host2 zoneadm -z
myzone attach
22
Solaris 10 11/06Zone Configurable Privileges

• Using this, you can
• Augment the default set of privileges
• Beware that, depending on what you set, such
  changes might allow processes in one zone to
  affect processes in other zones by being able to
  control a global resource
• Create a zone with fewer privileges than the
  default set
• See System Administration Guide Solaris
  Containers - Resource Management and Solaris
  Zones
• http//docs.sun.com/app/docs/doc/817-1592

23
Solaris 10 11/06Zone Configurable Privileges
global zonecfg -z twilight zonecfgtwilightgt set
limitpriv"default,sys_time,!net_icmpaccess" (add
s the ability to set the system clock and removes
the ability to send raw ICMP packets) global
zonecfg -z twilight zonecfgtwilightgt set
limitpriv"basic,sys_mount" (sets the privilege
set to the basic set of privileges as well as the
ability to mount and unmount file systems)
24
Solaris 10 11/06Trusted Extensions

• Historically known as Trusted Solaris
• A security-enhanced version of Solaris with
  additional access control policies based on the
  sensitivity/label of objects
• Security policy a set of rules and practices
  that help protect information and other
  resources. For e.g., who's allowed to do what?
• Earlier releases were separate and distinct
  Trusted Extensions are now part of Solaris 10 and
  leverage foundation features
• Available on SPARC and x86

25
projects in the open

• Chime
• Dtrace toolkit
• Links to blogs

26
Solaris 10 Next update08/07
27
Solaris 10 Next ...

• More on Virtualization ...
• Solaris Containers for Linux Applications /
  BrandZ
• Solaris Live Upgrade for Containers
• Major value is for patching systems with Zones
• Container resource management
• Enhanced memory capping
• Duckhorn
• Network Virtualization and Performance
• More configurability for Containers

Tentative name/release dates
28
Solaris 10 NextPlatform Support, Live Upgrade
for Containers (Zulu)

• New platform support
• CPU power management
• FMA support for Rev FG AMD 64
• iSCSI target support for Solaris
• Live Upgrade for Containers (Zulu)
• Patch systems with Zones
• Safest way to patch
• LU doesn't solve Zones patching problems, it just
  allows patching to take place in the background
• Watch for Patching with LU Blueprint

Tentative name/release dates
29
Solaris 10 Nextiscsi target in zfs

• zfs create -V 2g tank/volumes/v2
• zfs set shareiscsion tank/volumes/v2
• iscsitadm list target
• Target tank/volumes/v2
• iSCSI Name iqn.1986-03.com.sun02984fe301-c4
  12-ccc1-cc80-cf9a72aa062a
• Connections 0

Tentative name/release dates
30
Solaris 10 NextLive upgrade

• Patch system from infodoc 72099
• Run liveupgrade2.0 script on dvd
• Lucreate new environment
• lucreate -c old -n new -m //dev/dsk/c0d0s7ufs
• Luupgrade
• luupgrade -u -n new -s /cdrom/cdrom0
• Luactivate
• luactivate new

Tentative name/release dates
31
Solaris 10 next PostgreSQL

• PostgreSQL 8.2
• Over 200 new features and enhancements
• DTrace probes (now in open source tree)
• Kerberos authentication
• Higher performance (20 on OLTP tests)
• Improved Warm standby databases
• Online index builds

Tentative name/release dates
32
Network Context

• Containers use networks. -)

33
Problems

• Containers and Networks don't work well together
  -)

34
Solution

• Fix everything! -)

35
Networking in Zones prior to IP Instances
(shared-IP zones)

• User level is separated
• Zone constrained to use its assigned IP
  address(es)
• Conceptually IP/ARP/IPsec common for all zones
• Shared routing, ARP, configuration
• Conceptually TCP, UDP, SCTP separate for each zone

36
IP Isolation Multiple IP Instances
37
Solaris 10 next Networking

• Networking

• Can give exclusive ip stack for an interface to
  zone
• Solves for dhcp, routing,
• Zonecfg -z newzone
• add ip-typeexclusive

Tentative name/release dates
38
What is separated?

• Separate IP routing table
• Route command and routing daemons run unmodified
• Separate ARP table
• Separate IPsec policies and security associations
• The ipsec commands and in.iked run unmodified
• Separate IP Filter rules, statistics etc
• Controlled by the non-global zone
• Separate project provides IP Filter between
  shared-IP zones in S10U4. Controlled by the
  global zone.
• Separate TCP/IP ndd variables
• But not for ndd variables used by datalink device
  drivers etc

39
Limitations with IP Instances (1)

• Only works with GLDv3 datalink drivers
• If dladm show-link has 'type legacy' you are out
  of luck
• For instance, no 'ce' support
• A future project, Nemo unification, will make
  'ce' and other legacy drivers appear as GLDv3.
  That project is not planned for any S10 update
• Can't put IP addresses in zonecfg for
  exclusive-IP zones
• Can use a /etc/sysidcfg in the zone before the
  first time the zone is booted instead
• No easy way for global zone to change the IP
  address past first boot, unless the zone is using
  DHCP
• Can't pick pieces. If the customer wants DHCP
  configuration of zone, then the zone must be
  exclusive-IP

40
Solaris Containers
Need to be able to attach physical resources
quickly
OS scheduler hardware specific drivers
CPU
CPU
Memory
41
Solaris 10 nextZones RM integration - (Duckhorn)

• Zones Resource Mgmt integration
• Ability to use zonecfg(1M) on the Global Zone
• Ability to configure the Scheduling Class through
  zonecfg(1M)
• Set shares
• gtset cpu-shares1000
• gtset scheduling classFSS

42
Solaris 10 nextCpu sets in zonecfg

• Ability to cpu's without having to use pooladm
• Cpu keyword
• Temp pools
• Put in zones.xml file and will migrate
• add dedicated-cpu
• gtset ncpus1-4
• gtset importance2

43
Solaris 10 nextsmemory config in zonecfg

• Ability to limit memory and swap in global zone
  without having to use rcapadm
• gtadd capped-memory
• gtset physical2g
• gtset swap2g
• gtset locked1g
• monitor with rcapstat

44
RM Revamp Ease of Use

• rctl aliases feature aids setting resource
  controls
• Integrate settings for global zone

zonecfgdropzonegt set max-lwps500 zonecfgdropzon
egt set cpu-shares5 zonecfgdropzonegt set
scheduling-classFSS zonecfgdropzonegt set
max-shm-memory10M
zonecfg -z global zonecfgglobalgt set
cpu-shares10
45
RM Revamp Example
zonecfgdropzonegt set max-lwps500 zonecfgdropzon
egt add dedicated-cpu zonecfgdropzonededicated-cp
ugt set ncpus1-5 zonecfgdropzonededicated-cpugt
end zonecfgdropzonegt add capped-memory zonecfgd
ropzonecapped-memorygt set locked64M zonecfgdrop
zonecapped-memorygt set swap256M zonecfgdropzone
capped-memorygt set physical128M zonecfgdropzone
capped-memorygt end
46
Solaris 10 next

• Limiting System V resources used in Zones
• zone.max-shm-memory
• zone.max-shm-ids
• zone.max-msg-ids
• zone.max-sem-ids
• Set through add rctl in zonecfg for NGZ
• Set through prctl for GZ

47
Changing Property Values
Example prctl -n zone.max-swap -v 1g -t
privileged -r -e deny -i zone twilight
48
RM Fair Share Scheduler
1
3
2
4

Shares Allocated to Projects
49
Solaris 10 nextZone DTrace availability

• Based on zonecfg(1M) limitpriv property
• add dtrace_proc, dtrace_user to default set
• http//blogs.sun.com/roller/page/dp?entrydtrace_z
  ones_crazy_delicious

zonecfg -z myzone zonecfgmyzonegt set
limitprivdefault,dtrace_proc,dtrace_user
zonecfgmyzonegt D zoneadm -z myzone boot
zlogin myzone myzone dtrace -l
... myzone plockstat -Ap pgrep startd
...
50
Solaris 10 nextBrandZ Solaris Containers for
Linux Applications

• An extension of the Zones infrastructure
• Allows the creation of non-Solaris zones on a
  Solaris system
• Only supports user-space environments.
• If you need a different kernel, see Xen or LDOMs
• Each distinct zone type is called a Brand
• Supports a native zone (that's s10 on s10u4 and
  Nevada on Nevada) and Linux zones
• PSARC 2005/471
• http//opensolaris.org/os/community/brandz

51
Solaris 10 nextBrandZ Solaris Containers for
Linux Applications

• Enables Linux Binary Applications to run
  unmodified
• Creates a zone for Linux application execution
• Zone is populated only with Linux software
• Runs Linux init(1M) and configuration scripts
• DTrace Linux PID and syscall provider
• This is not a Linux distro, and we do not include
  our own special Linux software
• We install and run standard Linux distributions
• RHEL 3 (U7) and the corresponding CentOS 3.7
• Linux 2.4.21 glibc 2.3.2 32bit linux x86 only
  (but will run a 32 bit linux zone on a 64bit
  Solaris)

52
Solaris 10 nextBrandZ Solaris Containers for
Linux Applications
global zonecfg -z myzone myzone No such zone
configured Use 'create' to begin configuring a
new zone. zonecfgmy-zonegt create -B lx
...... global zoneadm -z myzone install -d
/cdrom/cdrom0 ...... global zoneadm list -iv
ID NAME STATUS PATH
BRAND 0 global running /
native 1 myzone
installed /export/zones/myzone lx
53
Solaris 10 maybeSummary

• ZFS Boot
• Secure Execution
• Physical Memory Caps
• Newboot for SPARC
• iSCSI boot
• IP duplicate address detection
• Intel enhanced speed step

Tentative name/release dates
54
linda.kateley_at_sun.com
55
Other Resources

• Zones BigAdmin site
• http//www.sun.com/bigadmin/content/zones
• Solaris Zones Operating System Support for
  Server Consolidation. (LISA 2004, available from
  BigAdmin)
• Solaris Containers BlueprintThe Sun BluePrints
  Guide to Solaris Containers Virtualization in
  the Solaris Operating System http//www.sun.com/b
  lueprints/1006/820-0001.html

56
More Resources

• OpenSolaris Zones Community
• http//opensolaris.org/os/community/zones/
• 90 FAQs http//opensolaris.org/os/community/zones
  /faq
• zones-interest_at_opensolaris.org
• OpenSolaris Resource Management Project
• http//opensolaris.org/os/project/rm/
• Engineering/SE Weblogs
• http//blogs.sun.com/comay
• http//blogs.sun.com/dp
• http//blogs.sun.com/jclingan
• http//blogs.sun.com/jeffv
• http//blogs.sun.com/menno