Friday Aug 01, 2014

Solaris 11.2 released with security and other enhancements

Solaris 11.2 is released!

There are a huge number of new and improved features in Solaris 11.2, as well as thousands of bug fixes.  In short, it's our best Solaris ever!

For security conscious customers, Solaris 11.2 delivers significant compliance enhancements (see the docs) and provides the new "solaris-minimal-server" Install group, which is an excellent basis for installing secure, minimized (hardened) systems.

Hardening (minimizing) a system in Solaris 10 and earlier was as much an art form as a science.  It was hard to be sure that the system was as minimized as possible.

In Solaris 11.2, the "solaris-minimal-server" Install group dramatically simplifies the process.  It's a new install option in addition to the existing "solaris-small-server", "solaris-large-server", and "solaris-desktop" install groups.

"solaris-minimal-server" does exactly what it says.  It provides the minimal set of packages to provision a minimal supported command-line Oracle Solaris environment.  You will typically need to add packages to this minimal set which are required to support your applications.

For example, install a test domain with "solaris-minimal-server", your application, and any additional packages which you know your application requires - for example JRE7 and the application installer.  Test it, and add in any additional packages which you discover your application requires - for example, for its user GUI/BUI.  That's the minimum install footprint for your application.  Repeat as desired for other applications.

By reducing the install footprint, you reduce the "attack surface", ensuring your system is exposed to the minimum number of vulnerabilities.  This in turn reduces the need to patch for security compliance, further reducing your TCO.

Since installing an Oracle Database would be a common scenario, Solaris 11.2 also provides an additional group package for the database:

group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall

So, if you want to install the Oracle Database (single instance), you can simply add the above package to your solaris-minimal-server and you will have the required packages to install the database.

It's just one of many new features in Solaris 11.2 which I think you'll like.  Please take a few minutes to browse the "What's New" and other documentation released with 11.2.

As with any Solaris Update release, expect a number of important bug fixes in the first few Solaris 11.2 SRUs which didn't make the Solaris 11.2 release.

More details on "solaris-minimal-server":

$ pkg contents -mr -g ./s11u2 group/system/solaris-minimal-server                                          
set name=pkg.fmri value=pkg://solaris/group/system/solaris-minimal-server@0.5.11,5.11-
set name=pkg.summary value="Oracle Solaris Minimal Server"
set name=pkg.description value="Provides the minimal, supported command-line Oracle Solaris environment"
set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
set name=org.opensolaris.consolidation value=solaris_re
set name=variant.arch value=i386 value=sparc
set value=global value=nonglobal
depend fmri=network/ping type=group
depend fmri=service/network/ssh type=group
depend fmri=shell/tcsh type=group
depend fmri=shell/zsh type=group
depend fmri=system/network type=group
depend fmri=developer/debug/mdb type=require
depend fmri=editor/vim/vim-core type=require
depend fmri=group/system/solaris-core-platform type=require
depend fmri=package/pkg type=require
depend fmri=release/name type=require
depend fmri=release/notices type=require
depend fmri=shell/bash type=require
depend fmri=shell/ksh93 type=require
depend fmri=system/core-os type=require
depend fmri=system/library/platform type=require

The packages with group dependencies in the list above can be removed to further minimize the system.  For example, if you don't want 'ssh', you don't have to install it.
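The group/require split described above, as an added example (not from the original post): this script reads manifest lines in the `pkg contents -m` format shown earlier and lists the optional members you have not chosen to keep. The function names and the keep list are assumptions for illustration, and the embedded sample is a subset of the listing above.

```shell
#!/bin/sh
# Added example: list which members of a group package are optional
# (type=group) and which are mandatory (type=require).

# Constructed sample: a subset of the solaris-minimal-server manifest lines
# shown above. On a live system, feed in the `pkg contents -mr` output instead.
sample_manifest() {
cat <<'EOF'
set name=pkg.summary value="Oracle Solaris Minimal Server"
depend fmri=network/ping type=group
depend fmri=service/network/ssh type=group
depend fmri=shell/tcsh type=group
depend fmri=shell/zsh type=group
depend fmri=system/network type=group
depend fmri=developer/debug/mdb type=require
depend fmri=package/pkg type=require
depend fmri=shell/bash type=require
depend fmri=system/core-os type=require
EOF
}

# deps_of_type TYPE: read a manifest on stdin and print the package names of
# its "depend" actions of that type, without pkg:/ prefix or @version.
deps_of_type() {
    awk -v want="$1" '
        $1 == "depend" {
            fmri = ""; type = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^fmri=/) fmri = substr($i, 6)
                if ($i ~ /^type=/) type = substr($i, 6)
            }
            sub(/^pkg:\/\/[^\/]+\//, "", fmri)   # pkg://publisher/name
            sub(/^pkg:\//, "", fmri)             # pkg:/name
            sub(/@.*$/, "", fmri)                # drop version
            if (type == want && fmri != "") print fmri
        }'
}

# removal_candidates KEEP...: optional members that are not on the keep list
# (the keep list is whatever your application testing showed you need).
removal_candidates() {
    keep=" $* "
    deps_of_type group | while read -r name; do
        case "$keep" in
            *" $name "*) ;;            # explicitly kept
            *) echo "$name" ;;
        esac
    done
}

echo "Optional members not needed when only ssh is kept:"
sample_manifest | removal_candidates service/network/ssh
```

Anything reported by `deps_of_type require` is part of the supported minimal environment and is not a candidate for removal.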

More details on group package with Oracle Database 12.1 install pre-requisites:

$ pkg contents -mr -g ./s11u2 group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall                
set name=pkg.fmri value=pkg://solaris/group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall@0.5.11,5.11-
set name=pkg.summary value="Prerequisite package for Oracle Database 12.1"
set name=pkg.description value="Provides the set of Oracle Solaris packages required for installation and operation of Oracle Database 12."
set name=info.classification value="org.opensolaris.category.2008:Meta Packages/Group Packages"
set name=org.opensolaris.consolidation value=solaris_re
set name=variant.arch value=i386 value=sparc
depend fmri=x11/diagnostic/x11-info-clients type=group
depend fmri=x11/library/libxi type=group
depend fmri=x11/library/libxtst type=group
depend fmri=x11/session/xauth type=group
depend fmri=compress/unzip type=require
depend fmri=developer/assembler type=require
depend fmri=developer/build/make type=require

The benefits of SuperCluster to other Solaris 11.x users

As you may know, my team and I have been heavily focused on SuperCluster Engineered Systems for the last few years.

The intense work we've done for SuperCluster - especially on expediting fixes for scalability and availability issues - has a significant trickle down benefit for all Solaris customers.  All of these critical fixes are in Solaris 11.2 SRU1.

Did you know that 97% of all customer SuperCluster domains / zones run Solaris 11.x?  Only 3% run Solaris 10.  The reason for this massive adoption of Solaris 11.x is its compelling features, excellent quality, and superb stability.  It really is time to move to Solaris 11.x.  It's like going from horses to motor cars.  It is that big a difference.

Even if you are not in a position to adopt Solaris 11.2 immediately, please do consider using a recent Solaris 11.1 SRU, such as Solaris 11.1 SRU19.6 or later.  This includes fixes for 110 critical issues encountered on SuperCluster and which are also relevant for other T4/T5/M5/M6/M10 users.  This is our current recommended version for SuperCluster and our experience with it to date has been excellent. 

We'll be moving up to Solaris 11.2 shortly to leverage more of the exciting features it provides.

Best Wishes,


Tuesday Sep 17, 2013

Top Tips for Updating Solaris 11 Systems

We now have quite a bit of experience of IPS and Repositories under our belt. 

Feedback from customers has been extremely positive.  I recently met a customer with 1000+ Solaris servers who told me that with Solaris 10 it took them 2 months to roll out a new patchset across their enterprise.  With Solaris 11, it takes 10 days.

That really helps lower TCO.

As with anything, experience teaches us how to optimize things.  Here are a few Top Tips around IPS / Repo management which I'd like to share with you from my experience with SuperCluster:

  • To avoid most IPS dependency resolution errors, keep your main local Repository populated with all Solaris Updates and SRUs up to and including the version you wish to apply.  A sparsely populated Repo is much more likely to result in copious IPS dependency resolution errors.
  • Keep any IDRs (Interim Diagnostics or Relief) in a separate Repo local to the Boot Environments (BEs) for which they are relevant.  For example, if you have an IDR to address an issue with 11gR2 RAC on Solaris (Solaris 11.1 SRU7.5), keep it local to the relevant BEs running 11gR2.  This avoids IDRs being unnecessarily propagated to LDoms or Zones for which they are irrelevant.
  • Before upgrading, check to ensure that the issues addressed in any IDRs you are using are fixed in the Solaris version to which you are updating.  If they are, IPS will automatically supersede them - that is, unlike in Solaris 10, there's no need to manually remove them.  You can check this by looking in the Support repository, or the relevant Repo ISO image, for packages whose base name is the IDR number, that is 'idr<number>'.  If such a package exists, then the IDR has been superseded and the issues it addresses are fixed in that SRU.  If the issues are not fixed in the Solaris version to which you are updating, you may need to ask Support for new IDR(s) for that Solaris version.
  • Zone creation in Solaris 11 works differently to how it did in Solaris 10.  In Solaris 11, effectively a manifest is taken of the Global Zone and then Non-Global Zones (NGZs) are constructed from that using the Repo(s).  Therefore, your Repo(s) must be up to date with all Solaris software installed on your global zone, including any IDRs.  You can have multiple Publishers specified, so that multiple Repos can be used (e.g. main local Repo for the Solaris Updates / SRUs, BE specific Repo for IDRs).

I hope you find these tips useful.

My colleagues, Glynn Foster and Bart Smaalders, will be presenting on "Oracle Solaris 11 Best Practices for Software Lifecycle Management [Con3889]" @ Oracle OpenWorld next week.  The Oracle Sun "Systems" sessions are in the Westin this year.  This particular session is on Tuesday, Sept 24 @ 5:15pm in the "City" meeting room in the Westin and will have lots more tips and best practices.

Other colleagues, Rob Hulme and Colin Seymour, are presenting on "Best Practices for Maintaining and Upgrading Oracle Solaris [CON8255]" on Monday, Sept 23 @ 10:45am in the Westin San Francisco, also in the "City" meeting room.

And there's lots of other good stuff on Solaris and SuperCluster.  For example, the "Deep Dive into Oracle SuperCluster [CON8632]" on Tuesday, Sept 24 @ 5:15pm in the Westin, Metropolitan II.

I'm not presenting this year, but if you would like to meet up with me @ OpenWorld to discuss anything about Solaris / Systems / SuperCluster Lifecycle Maintenance, whether it's ideas you'd like to see implemented, what's keeping you awake at night, issues you want me to look at, etc., I am more than happy to do so.  Just ping me at

Best Wishes,



This blog is to inform customers about Solaris 11 maintenance best practice, feature enhancements, and key issues. The views expressed on this blog are my own and do not necessarily reflect the views of Oracle. The Documents contained within this site may include statements about Oracle's product development plans. Many factors can materially affect these plans and the nature and timing of future product releases. Accordingly, this Information is provided to you solely for information only, is not a commitment to deliver any material code, or functionality, and SHOULD NOT BE RELIED UPON IN MAKING PURCHASING DECISIONS. The development, release, and timing of any features or functionality described remains at the sole discretion of Oracle. THIS INFORMATION MAY NOT BE INCORPORATED INTO ANY CONTRACTUAL AGREEMENT WITH ORACLE OR ITS SUBSIDIARIES OR AFFILIATES. ORACLE SPECIFICALLY DISCLAIMS ANY LIABILITY WITH RESPECT TO THIS INFORMATION. Gerry Haskins, Director, Software Lifecycle Engineering

