Why Run the Directory Server on Solaris?
By cn_equals_directory_manager on Sep 08, 2006
Yesterday, someone asked why Solaris is the best platform on which to run Directory Server. While I may be a bit biased, I do believe this to be the case and feel that there is plenty of evidence to support it, and I think it holds across the board rather than in just one or two areas. I'll try to list many of those benefits here, and also to avoid bashing or picking on any of the other operating systems that are available for use. Many of the other operating systems are quite capable and in some areas are able to meet or even exceed the corresponding offering from Solaris, but I don't think that any of them come close to providing the complete package.
General Platform Benefits
- Solaris runs on lots of different systems, on the SPARC, x86, and x64 processors. Sun makes excellent hardware and our systems are frequently setting new world records in performance, but Solaris is certified on systems from lots of other hardware vendors and our hardware compatibility list contains more systems than most other UNIX or Linux vendors.
- Compatibility and stability are taken very seriously. If you develop your applications based on public interfaces (and we have tools to help you do that) in current versions of Solaris, then they will continue to work in future versions. This is not necessarily the case on other platforms.
- Solaris is available for use at no cost whatsoever if you don't need support. If you do need support, then the pricing plans are frequently less expensive than the offerings from other vendors.
- Solaris is continually and rapidly improving. Solaris 10 has many significant improvements over previous releases, and it is continuing to get better.
Performance and Scalability Benefits
- Solaris runs on systems with anywhere from 1 to 144 CPU cores, and anywhere from hundreds of megabytes to over a terabyte of memory. These constraints are primarily based on hardware that is currently available and not necessarily limitations in the operating system.
- Solaris understands subtle but important differences between different types of hardware concurrency models (SMP, CMT, NUMA, dual/multi-core, HyperThreading, etc.) and can optimize its behavior accordingly.
- Solaris has excellent resource management capabilities that make it possible to control how computing resources are allocated between processes. This can be done through fixed-size processor sets, variable-size resource pools, and through various scheduler models like the fair-share scheduler, the fixed-priority scheduler, and the real-time scheduler. An upcoming CPU cap implementation may also provide another mechanism for achieving fine-grained control.
- Networking performance was significantly improved in the Solaris 10 release, and work is still ongoing to make it even faster and more scalable.
- In many areas, the libumem memory manager provides dramatically improved performance (especially when compared with previous alternatives like mtmalloc), in addition to providing many features that can help identify memory leaks and other related problems. Upcoming enhancements to the virtual memory subsystem should even further improve performance, especially when working with very large caches.
- UFS filesystem performance was dramatically improved in Solaris 9 updates and has been carried through to Solaris 10. In many cases (and particularly for the kinds of workloads that Directory Server has), ZFS is notably faster than UFS and offers additional attractive features like compression and snapshots that work well in a directory environment.
- We do much more Directory Server testing on Solaris (both SPARC and x86/x64 systems) than on any other platform. If there is a performance problem with the server on Solaris, we are more likely to find it and fix it before it is released than on other platforms.
- The introduction of process rights management (also called least privilege) in Solaris 10 makes it very easy to provide the Directory Server with exactly the privileges that it needs to operate, and even to take away capabilities that it doesn't need. Even if an exploitable security hole were found in the Directory Server, least privilege can be used to severely constrain what a potential attacker could do. For older Solaris systems, role-based access control (RBAC) can be used to limit the need to have root access when starting the server, although it is not as flexible as process rights management.
- Solaris containers (also called zones) can provide tightly-constrained environments for applications like Directory Server to operate in a manner that isolates it from anything else that might be running on the system. When used in conjunction with features like resource pools, containers can help limit the impact of denial-of-service attacks or other forms of resource exhaustion.
- The Solaris cryptographic framework provides a centralized mechanism for encryption and message digest operations, particularly those using the PKCS#11 framework. Although the Directory Server is currently unlikely to benefit from hardware SSL acceleration in most cases, it can still use this mechanism for secure key storage using FIPS 140-2 compliant devices. In addition, future developments in hardware (e.g., the "free encryption" capabilities of the Niagara 2 processor) may provide performance benefits. Note that you will not be able to take full advantage of the Solaris cryptographic framework with the Directory Server until our upcoming 6.0 release.
- Solaris BSM (the Basic Security Module auditing subsystem) provides fine-grained auditing capabilities for keeping track of what happens on the system.
- Additional security-related enhancements that will be available in the near future include Trusted Extensions (which adds labeling capabilities to Solaris 10), ZFS encryption, and a key management framework.
- Solaris 9 has been evaluated at EAL4 for the CAPP and RBACPP protection profiles. Solaris 10 is currently under EAL4+ evaluation for the same profiles, and Solaris 10 with Trusted Extensions is also being evaluated with the LSPP protection profile.
- DTrace provides complete observability into virtually all aspects of the system in a way that is unmatched by any competing offerings. Even for external users without access to the Directory Server source code, it is very useful to be able to collect information about the underlying system and the way that the Directory Server interacts with it. For cases in which there is a problem with the Directory Server, engineering may be able to provide custom DTrace scripts for more detailed analysis of a problem without a significant impact on the running server.
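As an added example of the kind of observability described above (this script is not from the original post and is not a Directory Server engineering script), the following D program uses only the syscall provider to summarize what a running directory server asks of the kernel: how often each system call is made, how long each takes, and which files it opens. The process name ns-slapd is an assumption; the page does not name the daemon, so substitute whatever ps(1) shows for your installation.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example (not from the original post): summarize the system calls
 * made by a running directory server and how long each kind takes.
 * Assumption: the server process is named ns-slapd. The page does not give
 * the process name, so change it to match ps(1) output if different.
 */
#pragma D option quiet

syscall:::entry
/execname == "ns-slapd"/
{
        /* one counter per syscall name, and remember when this call began */
        @calls[probefunc] = count();
        self->start = timestamp;
}

syscall:::return
/execname == "ns-slapd" && self->start != 0/
{
        /* nanoseconds spent in the call, bucketed by power of two */
        @latency[probefunc] = quantize(timestamp - self->start);
        self->start = 0;
}

/* which files the server opens: useful when deciding which privileges
 * and filesystem permissions it actually needs */
syscall::open*:entry
/execname == "ns-slapd"/
{
        @files[copyinstr(arg0)] = count();
}

tick-10s
{
        printf("\n=== syscalls by ns-slapd, last 10 seconds ===\n");
        printa("%-16s %@8d\n", @calls);
        trunc(@calls);
}

END
{
        printf("\n=== files opened during the run ===\n");
        printa("%-60s %@d\n", @files);
        printf("\n=== time spent in each syscall (ns) ===\n");
        printa(@latency);
}
```

Run it as root (or with the dtrace_kernel privilege) and stop it with Ctrl-C to get the END summary. Because it attaches only to syscall probes and aggregates in the kernel, it can be left running against a production server with little overhead, which is the property the paragraph above is describing; the file list in particular is a good starting point for working out the minimum set of privileges and file permissions the server needs.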
- All of the standard performance analysis tools are available (e.g., vmstat, iostat, mpstat, etc.), but a number of additional tools are also provided, including lockstat/plockstat, prstat, cpustat, and trapstat. These can help identify potential problems or bottlenecks that may be responsible for unnecessarily low performance.
- The coreadm utility provides a mechanism for managing core file creation, and offers a way to allow setuid/setgid processes like the Directory Server to dump core (which is not allowed by most UNIX-based operating systems).
- The service management framework (SMF) provides a mechanism for ensuring that services are started appropriately when the system boots, and can also monitor processes and restart them if a failure is detected. SMF can also provide further integration with process rights management to offer greater control over what rights are granted to and removed from individual processes.
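The following SMF manifest is an added example (not shipped with Directory Server and not from the original post) that ties together the two points above: process rights management and SMF. It starts the server under an unprivileged account and hands the process only the privileges it needs, removing several that are part of the basic set. The service name, the dsuser/dsgroup account, the start script path and the assumption that the server listens on the privileged ports 389 and 636 are all placeholders to adjust for a real installation.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  Added example, not part of the original post or of the Directory Server
  product. Service name, user/group, script path and ports are assumptions.
-->
<service_bundle type='manifest' name='EXAMPLE:directory-server'>
  <service name='application/directory-server' type='service' version='1'>
    <create_default_instance enabled='false' />
    <single_instance />

    <!-- Do not start until local filesystems and the network are up. -->
    <dependency name='fs-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local' />
    </dependency>
    <dependency name='network' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/milestone/network:default' />
    </dependency>

    <exec_method type='method' name='start'
        exec='/PLACEHOLDER/dsinstance/start-slapd' timeout_seconds='120'>
      <method_context>
        <!--
          Run as an unprivileged account instead of root.
          privileges: the set the process starts with.
            basic           - the ordinary privileges every process has
            net_privaddr    - added only because LDAP binds ports 389/636 (below 1024)
            !proc_session   - removed: cannot signal or inspect other sessions' processes
            !proc_info      - removed: cannot examine the state of other processes
            !file_link_any  - removed: cannot hard-link files it does not own
          limit_privileges: the ceiling no child process can exceed, even via exec.
        -->
        <method_credential user='dsuser' group='dsgroup'
            privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
            limit_privileges='basic,net_privaddr' />
      </method_context>
    </exec_method>

    <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />

    <!-- Restart the daemon if it exits on a signal or dumps core. -->
    <property_group name='startd' type='framework'>
      <propval name='ignore_error' type='astring' value='core,signal' />
    </property_group>

    <stability value='Unstable' />
    <template>
      <common_name>
        <loctext xml:lang='C'>Directory Server (example manifest)</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>
```

Import it with svccfg import, enable the instance with svcadm enable, and confirm the result with ppriv -v on the server's process id: the effective and permitted sets should show the basic privileges minus proc_session, proc_info and file_link_any, plus net_privaddr, and the limit set should be no larger than basic plus net_privaddr. The instance directories, logs and database files must be owned by the dsuser account, since the server no longer runs as root; the DTrace file list earlier in this post is one way to find everything it touches.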
- Much of the Solaris source code is available through OpenSolaris (and more code is being released all the time), which can make it easier to understand how the underlying system works. The new Solaris Internals books also go into great detail on the design and implementation of the operating system. In addition, OpenSolaris provides direct access to the engineers responsible for major components of Solaris.