Friday Aug 01, 2014

Solaris 11.2 released with security and other enhancements

Solaris 11.2 is released!

There are a huge number of new and improved features in Solaris 11.2 as well as thousands of bug fixes.  In short, it's our best Solaris ever!

For security conscious customers, Solaris 11.2 delivers significant compliance enhancements (see the docs) and provides the new "solaris-minimal-server" Install group, which is an excellent basis for installing secure, minimized (hardened) systems.

Hardening (minimizing) a system in Solaris 10 and earlier was as much an art form as a science.  It was hard to be sure that the system was as minimized as possible.

In Solaris 11.2, the "solaris-minimal-server" Install group dramatically simplifies the process.  It's a new install option in addition to the existing "solaris-small-server", "solaris-large-server", and "solaris-desktop" install groups.

"solaris-minimal-server" does exactly what it says.  It provides the minimal set of packages to provision a minimal supported command-line Oracle Solaris environment.  You will typically need to add packages to this minimal set which are required to support your applications.

For example, install a test domain with "solaris-minimal-server", your application, and any additional packages which you know your application requires - for example JRE7 and the application installer.  Test it, and add in any additional packages which you discover your application requires - for example, for its user GUI/BUI.  That's the minimum install footprint for your application.  Repeat as desired for other applications.

By reducing the install footprint, you reduce the "attack surface", ensuring your system is exposed to the minimum number of vulnerabilities.  This in turn reduces the need to patch for security compliance, further reducing your TCO.

Since installing an Oracle Database would be a common scenario, Solaris 11.2 also provides an additional group package for the database:

    group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall

So, if you want to install the Oracle Database (single instance), you can simply add the above package to your solaris-minimal-server and you will have the required packages to install the database.

It's just one of many new features in Solaris 11.2 which I think you'll like.  Please take a few minutes to browse the "What's New" and other documentation released with 11.2.

As with any Solaris Update release, expect a number of important bug fixes in the first few Solaris 11.2 SRUs which didn't make the Solaris 11.2 release.

More details on "solaris-minimal-server":

    $ pkg contents -mr -g ./s11u2 group/system/solaris-minimal-server
    set name=pkg.fmri value=pkg://solaris/group/system/solaris-minimal-server@0.5.11,5.11-0.175.2.0.0.42.0:20140623T214938Z
    set name=pkg.summary value="Oracle Solaris Minimal Server"
    set name=pkg.description value="Provides the minimal, supported command-line Oracle Solaris environment"
    set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
    set name=org.opensolaris.consolidation value=solaris_re
    set name=variant.arch value=i386 value=sparc
    set name=variant.opensolaris.zone value=global value=nonglobal
    depend fmri=network/ping type=group
    depend fmri=service/network/ssh type=group
    depend fmri=shell/tcsh type=group
    depend fmri=shell/zsh type=group
    depend fmri=system/network type=group
    depend fmri=developer/debug/mdb type=require
    depend fmri=editor/vim/vim-core type=require
    depend fmri=group/system/solaris-core-platform type=require
    depend fmri=package/pkg type=require
    depend fmri=release/name type=require
    depend fmri=release/notices type=require
    depend fmri=shell/bash type=require
    depend fmri=shell/ksh93 type=require
    depend fmri=system/core-os type=require
    depend fmri=system/library/platform type=require

The packages with group dependencies in the list above can be removed to further minimize the system.  For example, if you don't want 'ssh', you don't have to install it.
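As an added example (not part of the original post), the following shell functions split a group package manifest into its required and optional (group) dependencies and list the optional ones that are not on a keep list. The function names `manifest`, `deps_of_type` and `removable` are hypothetical, and the embedded manifest is sample input built from the listing above.

```shell
# Added example. manifest() is constructed sample input: the "depend"
# actions of solaris-minimal-server as listed in the post.
manifest() {
cat <<'EOF'
set name=pkg.summary value="Oracle Solaris Minimal Server"
depend fmri=network/ping type=group
depend fmri=service/network/ssh type=group
depend fmri=shell/tcsh type=group
depend fmri=shell/zsh type=group
depend fmri=system/network type=group
depend fmri=developer/debug/mdb type=require
depend fmri=editor/vim/vim-core type=require
depend fmri=group/system/solaris-core-platform type=require
depend fmri=package/pkg type=require
depend fmri=release/name type=require
depend fmri=release/notices type=require
depend fmri=shell/bash type=require
depend fmri=shell/ksh93 type=require
depend fmri=system/core-os type=require
depend fmri=system/library/platform type=require
EOF
}

# deps_of_type TYPE: read a manifest on stdin and print the fmri of every
# "depend" action of that type (the key=value order does not matter).
deps_of_type() {
    awk -v want="$1" '
        $1 == "depend" {
            fmri = ""; kind = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^fmri=/) fmri = substr($i, 6)
                if ($i ~ /^type=/) kind = substr($i, 6)
            }
            if (kind == want && fmri != "") print fmri
        }'
}

# removable KEEP...: group dependencies that are not on the keep list,
# i.e. what can still be left out of the install footprint.
removable() {
    keep=" $* "
    manifest | deps_of_type group | while read -r f; do
        case "$keep" in
            *" $f "*) ;;
            *) echo "$f" ;;
        esac
    done
}

removable service/network/ssh system/network
```

On a live system, pipe the output of `pkg contents -mr group/system/solaris-minimal-server` into `deps_of_type group` instead of using the embedded sample.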

More details on the group package with Oracle Database 12.1 install prerequisites:

    $ pkg contents -mr -g ./s11u2 group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall
    set name=pkg.fmri value=pkg://solaris/group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall@0.5.11,5.11-0.175.2.0.0.42.0:20140623T214934Z
    set name=pkg.summary value="Prerequisite package for Oracle Database 12.1"
    set name=pkg.description value="Provides the set of Oracle Solaris packages required for installation and operation of Oracle Database 12."
    set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
    set name=org.opensolaris.consolidation value=solaris_re
    set name=variant.arch value=i386 value=sparc
    depend fmri=x11/diagnostic/x11-info-clients type=group
    depend fmri=x11/library/libxi type=group
    depend fmri=x11/library/libxtst type=group
    depend fmri=x11/session/xauth type=group
    depend fmri=compress/unzip type=require
    depend fmri=developer/assembler type=require
    depend fmri=developer/build/make type=require

The benefits of SuperCluster to other Solaris 11.x users

As you may know, my team and I have been heavily focused on SuperCluster Engineered Systems for the last few years.

The intense work we've done for SuperCluster - especially on expediting fixes for scalability and availability issues - has a significant trickle down benefit for all Solaris customers.  All of these critical fixes are in Solaris 11.2 SRU1.

Did you know that 97% of all customer SuperCluster domains / zones run Solaris 11.x?  Only 3% run Solaris 10.  This massive adoption of Solaris 11.x is due to its compelling features, excellent quality, and superb stability.  It really is time to move to Solaris 11.x.  It's like going from horses to motor cars.  It is that big a difference.

Even if you are not in a position to adopt Solaris 11.2 immediately, please do consider using a recent Solaris 11.1 SRU, such as Solaris 11.1 SRU19.6 or later.  This includes fixes for 110 critical issues encountered on SuperCluster and which are also relevant for other T4/T5/M5/M6/M10 users.  This is our current recommended version for SuperCluster and our experience with it to date has been excellent. 

We'll be moving up to Solaris 11.2 shortly to leverage more of the exciting features it provides.

Best Wishes,

Gerry.

Monday Nov 28, 2011

Solaris 11 Customer Maintenance Lifecycle

Hi Folks,

Welcome to my new blog http://blogs.oracle.com/Solaris11Life which is all about the Customer Maintenance Lifecycle for Image Packaging System (IPS) based Solaris releases, such as Solaris 11.

It'll include policies, best practices, clarifications, and lots of other stuff which I hope you'll find useful as you get up to speed with Solaris 11 and IPS.  

Let's start with an updated version of my Solaris 11 Customer Maintenance Lifecycle presentation which I originally gave at Oracle Open World 2011 and at the 2011 Deutsche Oracle Anwendergruppe (DOAG - German Oracle Users Group) conference in Nürnberg.

Some of you may be familiar with my Patch Corner blog, http://blogs.oracle.com/patch , which fulfilled a similar purpose for System V [five] Release 4 (SVR4) based Solaris releases, such as Solaris 10 and below.

Since maintaining a Solaris 11 system is quite different to maintaining a Solaris 10 system, I thought it prudent to start this 2nd parallel blog for Solaris 11.

Actually, I have an ulterior motive for starting this separate blog. 

Since IPS is a single tier packaging architecture, it doesn't have any patches, only package updates. 

I've therefore banned the word "patch" in Solaris 11 and introduced a swear box to which my colleagues must contribute a quarter [$0.25] every time they use the word "patch" in a public forum.  From their Oracle Open World presentations, John Fowler owes 50 cents, Liane Preza owes $1.25, and Bart Smaalders owes 75 cents. 

Since I'm stinging my colleagues in what could be a lucrative enterprise, I couldn't very well discuss IPS best practices on a blog called "Patch Corner" with a URI of http://blogs.oracle.com/patch.  I simply couldn't afford all those contributions to the "patch" swear box. :)

Feel free to let me know what topics you'd like covered - just post a comment in the comment box on the blog.

Best Wishes,

Gerry.


About

This blog is to inform customers about Solaris 11 maintenance best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. Gerry Haskins, Director, Software Lifecycle Engineering
