Monday Dec 16, 2013

Solaris 11.1 STIG update

I am still in the process of creating a Solaris 11.1 Security Technical Implementation Guide (STIG) with DISA Field Security Office.  The process is long and detailed, requiring significant testing and review by DISA for final approval.  The STIG items are complete (pending DISA's approval).  While I can't predict how long the final approval will take, if you are a DoD customer wishing to run Solaris 11, you may contact your Oracle systems sales team to receive a draft copy in spreadsheet form.

STIGs are guidelines to assist DoD customers in securing their systems.  It is NOT required to have a DISA STIG document to run Solaris 11 in your environment.  In the absence of a DISA approved STIG, customers may use industry or vendor recommended guidelines.  We already have a number of DoD customers running Solaris 11.  Resources available include:

 

Our customers find that Solaris 11 is much more secure "out of the box" than Solaris 10 and is easier to bring into compliance.  Solaris 11 is now over two years old and provides significant new features and benefits over Solaris 10 including:

  • ZFS default root file system enabling:
    • Easier, safer system updates
    • Automatic alternate boot environments
    • Improved zone management 
    • Encrypted file systems
    • Compressed, de-duplicated file systems
    • Simplified RAID and mirror configuration
  • Image Packaging system for:
    • Faster, safer updates
    • Easier system minimization
  • Improved Security including
    • Elimination of root login
    • FIPS 140-2 certified Crypto Framework
    • Multi-level security enhancements
  • Complete network and application virtualization
  • Automated installer
  • Much more

Learn more about What's New in Solaris 11 and 11.1.

 

Solaris 11 Crypto Framework receives FIPS 140-2 certification


NIST has awarded FIPS 140-2 certificate #2060 to the Oracle Solaris Kernel Cryptographic Framework with SPARC T4 and SPARC T5 (Software-Hybrid), and FIPS 140-2 certificate #2061 for the Oracle Solaris Kernel Cryptographic Framework (Software) module.  The certificates are not yet available; however, the details are already posted on the NIST Validated FIPS 140-2 Website listed below.

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2013.htm

The Userland Software and Software-Hybrid validations are still in the NIST Coordination phase.  

Thursday Jul 11, 2013

National Security, the "two man rule" and Solaris

A recent article in Federal Computer Week reports:

In the raging debate over the data breach at the National Security Agency, here’s a nugget that deserves more attention than it has received: The NSA's director, Gen. Keith Alexander, recently instituted a two-man rule to limit the previously unfettered access of the 1,000-plus systems administrators who work for the agency. It ensures that no single person can gain access to confidential, sensitive and often top secret data.

 In addition, DISA has published "Security Requirements Guides for Operating Systems" which require:

 The operating system must enforce a two-person rule for changes to organization defined information system components and system level information.

Luckily, Solaris 10 and 11 have all the tools to assist in creating a "two man rule." In fact, we published a paper on the topic in 2005. Its comprehensive role and profile based collection of authorizations ensures that only users with the proper authorizations are allowed access to administrative tools.  Solaris can be configured so that one user has the role of "Security Admin" while another user has the role of "System Admin."  The security admin has privileges to add users and give (or remove) authorizations from those users but does not have all the other traditional capabilities of "root."  In other words, the security admin cannot accidentally "rm -rf /" to corrupt the system.  The system admin has authorizations to perform traditional system administration functions such as creating file systems and managing services, but cannot create new users or give himself additional privileges.

Solaris 11 is Oracle's premier Unix based operating system with support for SPARC based systems from Oracle and Fujitsu and X86 systems from a wide variety of vendors.

Many customers don't know that Solaris is built from a single source code base for both platforms and consists of about 95% common code.  Unless there is a specific difference in hardware support (virtualization, cryptography, hardware failure detection, dynamic reconfiguration), Solaris looks and works the same on both platforms from an administrative point of view.

In addition, Solaris helps to protect your software investment by providing a unique Binary compatibility guarantee.  An application written to our ABI on SPARC or X86 from the Solaris 2.6 timeframe will continue to run on newer versions of the same platform running Solaris 11.  

Our source code guarantee ensures that code written for SPARC will compile on X86 and vice versa.

Since the merger of Oracle and Sun, both Solaris and Oracle Database have been optimized to work better together.  With the release of Oracle DB 12c, these enhancements include:

  • Dynamic tracing probes for improved monitoring
  • Dynamic SGA resizing for improved availability
  • Improved DB startup times
  • In kernel Oracle RAC performance enhancements 
  • Improved encryption, security and virtualization support

 

Choose Solaris and Oracle hardware and software for the most reliable, scalable and secure data center environments. 

Wednesday Apr 24, 2013

Solaris 11 and Payment Card Industry (PCI) security compliance

See Lynn Rorher's blog about Oracle's newly published white paper discussing how Solaris 11 enabled security for the payment card industry.

Tuesday Apr 23, 2013

Solaris 11 outperforms RHEL 6 on 2 socket Intel servers

As a long time Sun employee, I've often heard the term "Slow-laris" applied to Oracle's premier Unix operating system.  Most frequently this was in comparison to the Linux OS running on small two socket servers.  I will admit that in the Solaris 8 and 9 timeframe engineering decisions were made to benefit scalability to 64 sockets that sometimes penalized smaller servers.  In addition, because of Solaris's long history and derivation from ATT and BSD Unix code, there was undoubtedly a bit of code labeled, "if it ain't broke, don't fix it."  With the advent of Solaris 10 and Dynamic Tracing (DTrace), we actually hunted down and killed a number of those legacy code segments using a new philosophy labeled internally, "If Solaris is slower than Linux on the same hardware, it's a bug."

As a result, Solaris 11 provides higher performance than Red Hat Enterprise Linux 6.3 on basically identical 2 socket hardware as measured by the SPECjbb benchmark.  According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community.

Java is one of the predominant enterprise programming environments for mission critical applications and many of Oracle's products are written in Java.

This chart from the SPECjbb site shows the performance of our X3-2 Intel based server with 16 cores and 128 GB of RAM running Solaris 11.1.  The X3-2 tested features the Intel E5-2690 CPU @ 2.9 GHz.

X3-2 Chart

By comparison, an HP ML350P with the identical Intel chip and clock speed running RHEL 6.3 produces this chart.  Clearly, Solaris 11 produces a smoother response curve with higher numbers for both MaxjOPS and Critical jOPS.  In addition, the X3-2 system requires only 1 rack unit vs. 4 rack units for the HP model, reducing data center requirements. 

HP Chart

 To summarize, Solaris is faster than RHEL 6 on small servers and more scalable and responsive on large servers including our SPARC T5 servers.

At the same time, it provides virtualization, security and availability features unavailable on RHEL including:

  • Solaris zones
  • Network virtualization
  • ZFS file system
  • Dynamic Tracing
  • Predictive self-healing
  • Service Management Facility
  • Trusted Extensions 
  • Image packaging system

See more at:

  • Jeff Victor's blog
  • Oracle's Performance Blog
  • SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results as of 4/22/2013, see http://www.spec.org for more information.
  • SPARC T5-2 75,658 SPECjbb2013-MultiJVM max-jOPS, 23,334 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X2-4 65,211 SPECjbb2013-MultiJVM max-jOPS, 22,057 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X3-2 41,954 SPECjbb2013-MultiJVM max-jOPS, 13,305 SPECjbb2013-MultiJVM critical-jOPS. SPARC T4-2 34,804 SPECjbb2013-MultiJVM max-jOPS, 10,101 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant DL560p Gen8 66,007 SPECjbb2013-MultiJVM max-jOPS, 16,577 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML350p Gen8 40,047 SPECjbb2013-MultiJVM max-jOPS, 12,308 SPECjbb2013-MultiJVM critical-jOPS. Supermicro X8DTN+ 20,977 SPECjbb2013-MultiJVM max-jOPS, 6,188 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML310e Gen8 12,315 SPECjbb2013-MultiJVM max-jOPS, 2,908 SPECjbb2013-MultiJVM critical-jOPS. Intel R1304BT 6,198 SPECjbb2013-MultiJVM max-jOPS, 1,722 SPECjbb2013-MultiJVM critical-jOPS.


Solaris 11 provides smooth, scalable performance on SPECjbb 2013

Oracle released SPEC Benchmark results for the T5-2 and X2-4 processor using the SPECjbb 2013 benchmark. Who would be interested in SPECjbb performance? According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community. 

Jeff Victor has posted an excellent comparison of the T5 SPECjbb performance to our competitors on a per core basis.  To me, the charts tell the biggest part of the story,  Oracle's Solaris 11 on both SPARC and X86 shows smooth scaling with excellent response times over a wide range of transaction counts.

First, let's look at the results for the SPARC T5-2 server with 2 CPU sockets and 32 cores.  The vertical axis marks "response time" so a lower number is better.  The horizontal axis is the number of Java operations being performed.  The blue dots indicate the median response time at each level of operations being processed.  Notice how Solaris 11 and the SPARC hardware provide smooth, predictable performance up through 60,000 jOPS.

(Note: You may not be able to see the full chart width on this page.  Right-click and open image in new tab to see the full chart.) 

T5-2 Chart

 Now let's look at Oracle's X2-4 Intel based system also running Solaris 11.  The X2-4 has 4 CPU chips with 40 total cores.  Here Solaris 11 also provides smooth scaling of performance.

X2-4 chart

For comparison, I've also selected HP's most powerful Intel based server, the DL980 with 8 CPUs and 80 cores.  This system, however, is running Red Hat Enterprise Linux 6.3.  On this chart you will see that RHEL 6 takes a dive in median response time shortly after 27,000 jOPS. Response time drops from 10 milliseconds to 100 milliseconds at around 27,000 jOPS.  Oracle's T5-2 stays below 100 milliseconds all the way to about 62,000 jOPS. Also note how the minimum response times fall apart at around 20,000 jOPS where the T5-2 stays consistent through 57,000 jOPS.

While admittedly, the 80 core DL980 reaches a higher total MaxjOPS throughput number than the 32 core T5-2, the Solaris 11 based system provides smoother scalability in a 2 socket system that requires only three rack units of space.  If that's not enough horsepower, we also offer a T5-4 and T5-8 system.  Need more?  Our M5-32 data center server scales to 32 sockets, 192 cores and 1536 threads. The M5-32 also supports up to 32 TB of RAM. All support our no cost Logical Domains virtualization capability.

HP DL980 Chart

Summary:

 If you want a proven, enterprise class, scalable OS for SPARC (from Oracle or Fujitsu) or X86 based platforms (from Oracle or many third party vendors), choose Solaris 11.  Predictability in response time is important to your enterprise customers.

All Oracle servers under Premier Support for systems include:

  • 7 x 24 on-site hardware support
  • Solaris (SPARC or X86), Oracle Linux (x86 only) and Oracle VM support (SPARC or X86)
  • Integrated Lights out Management
  • Oracle Enterprise Manager Ops Center support 

For more information on recent SPARC T5 world records, see https://blogs.oracle.com/BestPerf/.

  • SPEC and the benchmark name SPECjbb are registered trademarks of Standard Performance Evaluation Corporation (SPEC). Results as of 4/22/2013, see http://www.spec.org for more information.
  • SPARC T5-2 75,658 SPECjbb2013-MultiJVM max-jOPS, 23,334 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X2-4 65,211 SPECjbb2013-MultiJVM max-jOPS, 22,057 SPECjbb2013-MultiJVM critical-jOPS. Sun Server X3-2 41,954 SPECjbb2013-MultiJVM max-jOPS, 13,305 SPECjbb2013-MultiJVM critical-jOPS. SPARC T4-2 34,804 SPECjbb2013-MultiJVM max-jOPS, 10,101 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant DL560p Gen8 66,007 SPECjbb2013-MultiJVM max-jOPS, 16,577 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML350p Gen8 40,047 SPECjbb2013-MultiJVM max-jOPS, 12,308 SPECjbb2013-MultiJVM critical-jOPS. Supermicro X8DTN+ 20,977 SPECjbb2013-MultiJVM max-jOPS, 6,188 SPECjbb2013-MultiJVM critical-jOPS. HP ProLiant ML310e Gen8 12,315 SPECjbb2013-MultiJVM max-jOPS, 2,908 SPECjbb2013-MultiJVM critical-jOPS. Intel R1304BT 6,198 SPECjbb2013-MultiJVM max-jOPS, 1,722 SPECjbb2013-MultiJVM critical-jOPS.

Monday Apr 15, 2013

DoD customer receives authority to operate SPARC SuperCluster

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me to provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has always been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

  • A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
  • A set of scripts that can be used to configure the most common security settings.  This tool takes advantage of advanced Solaris 11 features such as alternate boot environments, Image Packaging System (IPS) and Service Management Facility (SMF).

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

  • A DISA STIG is not required to complete accreditation.
  • Solaris 11 and the SPARC SuperCluster have received an IATO from the DoD
  • Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
  • Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
  • Oracle's Engineered systems can help you reduce costs, speed time to mission and simplify your operations.

Please contact me: jim dot laurent at oracle dot com for additional information.

Monday Mar 25, 2013

Learn about the world's fastest microprocessor tomorrow

On Tuesday, join Larry Ellison and John Fowler when Oracle will announce new SPARC servers with the world's fastest microprocessor. Considering that the current SPARC processors already have performance comparable with the newest from competing architectures, the performance of these new processors should give you the best real-world performance for your enterprise workloads.

You can register to watch the event live at 4:00 PM EDT (New York).

Of course, these systems will run Solaris 10 or 11 and provide virtualization built-in. 

Monday Jan 28, 2013

Using Solaris profiles to run with limited privilege

Solaris has had Role Based Access Controls since the Solaris 8 timeframe (circa 2000). With each release, it has been improved with additional profiles and capabilities.  In Solaris 11, we took a step further and converted the "root" user into a role.  The goal of these enhanced security features is to ensure that an administrator can perform his assigned functions with the minimum privileges required and reduce the number of personnel required to access the root role.  Glenn Faden, security architect for Solaris engineering, has blogged about these topics extensively (also see Glenn Brunette's blog).

Here's a simple use case for why you might need to use Solaris profiles and how to use them. 

Let's imagine that you are a basic Solaris user, but you have been asked to be the Auditing Administrator.  The first thing you might do is check to see if you have permissions to run the auditing tools.

test@solaris11:~$ pfexec auditconfig -getflags
auditon(2) failed.
error: Not owner(1)

Perhaps this is because you don't have the proper profile configured.  Check your current profiles.

test@solaris11:~$ profiles
          Basic Solaris User
          All

Without the "Audit Configuration" profile, you can't execute this command.  Here is what the Audit Configuration profile looks like when you enter profiles -all.  It allows you to execute the auditconfig command with the correct authorizations.

Audit Configuration
auths=solaris.smf.value.audit
          /usr/sbin/auditconfig      privs=sys_audit

You ask the senior administrator to add the Audit configuration profile to your list.  Pay close attention to the "+" sign, quote and upper case letters.  The "+" sign means to add this profile to your existing profiles.  Leave it off and it will replace existing profiles.

sudo usermod -P +"Audit Configuration" test

Now, you can try again.  Your profile has been updated and the command is successful.

test@solaris11:~$ profiles
          Audit Configuration
          Basic Solaris User
          All

test@solaris11:~$ pfexec auditconfig -getflags
active user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)
configured user default audit flags = ex,xa,ps,ua,as,ss,ap,lo,ft(0x80575080,0x80575080)

Note that the pfexec command is required to execute this command with your profiles in effect.  To avoid typing "pfexec" in front of every command, you can simply run pfbash or ask the administrator to make your default shell /usr/bin/pfbash instead of standard bash.

sudo usermod -s /usr/bin/pfbash test

There are many different profiles available in Solaris 11 to include ZFS administration, SMF administration, File system administration and more.  Type profiles -all to see the entire list.
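
The "+" pitfall described above can be checked mechanically. The following is an added example, not part of the original post: it compares the `profiles` listing before and after the `usermod -P` call and reports any profile that disappeared. The function names and the sample listings are constructed for illustration, and the optional "user:" header line in `profiles` output is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.
# Guards the "+" pitfall: usermod -P without "+" replaces a user's profiles.

# Constructed sample listings in the shape `profiles` prints them.
SAMPLE_BEFORE='test:
          ZFS File System Management
          Basic Solaris User
          All'
SAMPLE_AFTER_REPLACED='          Audit Configuration
          Basic Solaris User
          All'

# Reduce `profiles` output to one profile name per line, sorted.
# Assumption: a "user:" header, if printed, is the only line ending in ":".
normalize_profiles() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e '/:$/d' |
        LC_ALL=C sort -u
}

# Print every profile present in listing $1 but absent from listing $2.
lost_profiles() {
    lp_before=$(mktemp) || return 1
    lp_after=$(mktemp) || { rm -f "$lp_before"; return 1; }
    printf '%s\n' "$1" | normalize_profiles > "$lp_before"
    printf '%s\n' "$2" | normalize_profiles > "$lp_after"
    LC_ALL=C comm -23 "$lp_before" "$lp_after"
    rm -f "$lp_before" "$lp_after"
}

# Succeed if profile name $2 appears in listing $1.
has_profile() {
    [ -n "$2" ] && [ -z "$(lost_profiles "$2" "$1")" ]
}

# Add profile $1 to user $2, then confirm the grant was additive.
# Returns 0 on success, 1 if a command failed, 2 if a profile was dropped,
# 3 if the requested profile is still missing afterwards.
grant_profile() {
    gp_before=$(profiles "$2") || return 1
    sudo usermod -P +"$1" "$2" || return 1
    gp_after=$(profiles "$2") || return 1
    gp_lost=$(lost_profiles "$gp_before" "$gp_after")
    if [ -n "$gp_lost" ]; then
        echo "profiles removed from $2:" >&2
        echo "$gp_lost" >&2
        return 2
    fi
    has_profile "$gp_after" "$1" || return 3
}

# Usage on a Solaris 11 host: grant_profile "Audit Configuration" test
```

Profiles inherited from system defaults stay in the listing either way, so the check catches only explicitly assigned profiles that were replaced.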

Thursday Oct 25, 2012

Oracle Solaris 11.1 available today

Today Oracle is pleased to announce availability of Oracle Solaris 11.1.

Download Solaris 11.1

Order Solaris 11.1 media kit


Existing customers can quickly and simply update using the network based repository

Highlights include:

  • 8x faster database startup and shutdown and online resizing of the database SGA with a new optimized shared memory interface between the database and Oracle Solaris 11.1
  • Up to 20% throughput increases for Oracle Real Application Clusters by offloading lock management into the Oracle Solaris kernel
  • Expanded support for Software Defined Networks (SDN) with Edge Virtual Bridging enhancements to maximize network resource utilization and manage bandwidth in cloud environments
  • 4x faster Solaris Zone updates with parallel operations shorten maintenance windows
  • New built-in memory predictor monitors application memory use and provides optimized memory page sizes and resource location to speed overall application performance.

Learn more and share these valuable tools with your customers to enable them to move to Oracle Solaris 11.1 quickly. Many customers wait for the first update --now is the time to encourage them to install Oracle Solaris 11.1.

Oracle Solaris 11.1 Data Sheet 
What's New in Oracle Solaris 11.1
Oracle Solaris 11.1 FAQs
Oracle Solaris 11.1 Customer Presentation

Oracle Solaris 11.1 is recommended for all SPARC T4 Systems and will soon be available preinstalled.

IDC Recommends Oracle Solaris 11

IDC published a research report this week on Oracle Solaris 11 and described it as "Delivering unique value."  The report emphasizes the ability of Oracle Solaris to scale up and provide a mission critical platform for a wide variety of computing.

Solaris built-in server and network virtualization helps to lower costs and enable consolidation while reducing administration costs and risks.

Learn more about Oracle Solaris and the recently announced 11.1 update.

In their conclusion, IDC reports:

Today, Oracle is a multi-OS vendor that is adjusting to the opportunities presented by a significantly expanded product portfolio. The company has a long history of supporting Unix operating systems with its broad product portfolio, but the main difference is that now Oracle has direct control over the destiny of the Solaris operating system.

The company has made a strong commitment to Solaris on both SPARC and x86 systems, as well as to Linux on x86 systems, and expects to continue to enhance Oracle Solaris 11 with update releases once a year as well as Solaris 12, which is already on the road map.

Oracle is working to help its customers understand its strong commitment to Oracle Solaris and the product's role as a single operating system that runs on both SPARC and x86 processors. While Oracle Solaris and Oracle Linux are critical assets, the company's crown jewel is the deep collection of software that runs on top of both Oracle Solaris and Oracle Linux, software that creates a robust application environment. The continuing integration and optimization of the software and hardware stack is a differentiator for Oracle and for customers that run an Oracle Solaris stack.

Tuesday Sep 18, 2012

New Solaris 11 book available

A new Solaris 11 book is now available.  Congratulations to my colleague in the Oracle Public Sector Hardware sales organization "Dr. Cloud" Harry Foxwell and his co-writers on publishing Oracle Solaris 11 System Administration The Complete Reference

Table of contents

1 The Basics of Solaris 11
2 Prepare a System for Solaris
3 Installation Options
4 Alternative Installations for Enterprise
5 The Solaris Graphical Desktop Environment
6 The Service Management Facility
7 Solaris Package Management "Image Packaging System"
8 Solaris at the Command Line
9 File systems and ZFS
10 Customize the Solaris Shells
11 Users and Groups HF
12 Solaris 11 Security
13 Basic System Performance Tuning
14 Solaris Virtualization
15 Print Management
16 DNS and DHCP
17 Mail Services
18 Mgmt of Trusted Extensions
19 The Network File System
20 The FTP Server
21 Solaris and Samba

22 Apache and the Web Stack

Buy one today

Thursday Dec 01, 2011

Solaris 11 compliance with DISA Security guidance

Disclaimer

This article should not be construed as a statement of compliance by Oracle or by DISA.  It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines

Some of my dedicated readers (I know you're out there) remember that back in January of this year, I reviewed Solaris 11 for compliance to the DISA Security Technical Implementation Guidelines (STIGs).  The STIGs are written by DISA and used by the DoD community to ensure that systems are secured properly before connecting to the network.

With the release of Solaris 11 in November, I decided to update the document. 

Update: Thanks to Darren Moffat's comments I've updated the document as of 12/9/11. 

Download the PDF document to review

The great news is that the one item that I listed as RED in January has been fixed in the release of Solaris 11.  At that time, the installation scripts did not provide any way for /var to be mounted as a separate file system as required by the scripts.  The default installation now automatically sets up /var as a separate ZFS data set.

Friday Nov 11, 2011

Building a Solaris 11 repository without network connection

Solaris 11 has been released and is a fantastic new iteration of Oracle's rock solid, enterprise operating system.  One of the great new features is the repository based Image Packaging system.  IPS not only introduces new cloud based package installation services, it is also integrated with our zones, boot environment and ZFS file systems to provide a safe, easy and fast way to perform system updates.

My customers typically don't have network access and, in fact, can't connect to any network until they have "Authority to connect."  It's useful, however, to build up a Solaris 11 system with additional software using the new Image Packaging System and locally stored repository. The Solaris 11 documentation describes how to create a locally stored repository with full explanations of what the commands do. I'm simply providing the quick and dirty steps. 

The easiest way is to download the ISO image, burn to a DVD and insert into your DVD drive.  Then as root:

  • pkg set-publisher -G '*' -g file:///cdrom/sol11repo_full/repo solaris

Now you can install software using the GUI package manager or the pkg commands.  If you would like something more permanent (or don't have a DVD drive), however, it takes a little more work.

  • After installing Solaris 11, download (on another system perhaps) the two files that make up the Solaris 11 repository from our download site
  • Sneaker-net the files to your Solaris 11 system
  • Cat the two files together to create one large ISO image. The file is about 6.9 GB in size
  • mount -F hsfs sol-11-11-repo-full.iso /mnt

You could stop here and set the publisher to point to the /mnt/repo location, however, this mount will not be persistent across reboots. Copy the repository from the mounted ISO image to a permanent, on disk location.

  • zfs create -o atime=off -o compression=on rpool/export/repoSolaris11
  • rsync -aP /mnt/repo /export/repoSolaris11
  • pkgrepo -s /export/repoSolaris11/repo refresh
  • pkg set-publisher -G '*' -g /export/repoSolaris11/repo solaris

You now have a locally installed repository for adding additional software packages for Solaris 11.  The documentation also takes you through publishing your repository on the network so that others can access it.
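
Because the two download files travel by sneaker-net before they become the system's only package source, it is worth checking the assembled ISO before mounting it. The following is an added example, not part of the original post or of Oracle's documentation: it concatenates the parts and keeps the image only if its SHA-256 matches a digest obtained from a trusted source. The part file names, the function names and the digest placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Part file names, function names
# and the expected digest are placeholders.

# Print the SHA-256 of file $1 in lower-case hex.
# Uses Solaris digest(1) when present, otherwise GNU sha256sum.
sha256_of() {
    if command -v digest >/dev/null 2>&1; then
        digest -a sha256 "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi | tr 'A-F' 'a-f'
}

# Concatenate the downloaded parts ($3 ...) in the given order into ISO $1 and
# keep the result only if its SHA-256 equals $2.
# Returns 0 if verified, 1 on usage or I/O error, 2 on digest mismatch.
assemble_repo_iso() {
    [ "$#" -ge 3 ] || return 1
    ar_out=$1
    ar_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    shift 2
    cat "$@" > "$ar_out" || { rm -f "$ar_out"; return 1; }
    ar_got=$(sha256_of "$ar_out")
    if [ -z "$ar_got" ] || [ "$ar_got" != "$ar_want" ]; then
        echo "digest mismatch for $ar_out: got $ar_got" >&2
        rm -f "$ar_out"      # never leave an unverified image behind
        return 2
    fi
}

# Usage (part names are placeholders; the digest must come from a trusted source):
#   assemble_repo_iso sol-11-11-repo-full.iso "<expected sha256>" part-a part-b &&
#       mount -F hsfs sol-11-11-repo-full.iso /mnt
```

A mismatch also catches parts concatenated in the wrong order, since the digest covers the whole assembled image.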



Saturday Nov 05, 2011

11 reasons to love Solaris 11

Solaris 11 will be launched on November 9th in New York and via live webinar.  Here are 11 reasons you will want to try Solaris 11.

  1. Faster, easier, safer updates using Image Packaging System
  2. Improved security via immutable zones.
  3. Easy to manage boot environments using ZFS snapshots.
  4. Improved quality of service controls for networking
  5. Reduced costs through system wide network virtualization
  6. Reduce your planned downtime using Solaris fast reboot
  7. Safer data at rest in encrypted ZFS datasets
  8. Reduced storage costs using file system de-duplication and compression
  9. No cost virtualized environments through Oracle VM for SPARC and Solaris Zones
  10. Platform choice, SPARC and 64-bit Intel or AMD chip support
  11. It "goes to 11!"

I've only listed 11 reasons but there are many more benefits to S11.  Watch the web cast and find out more reasons that Solaris 11 will lower your costs, improve your performance and reduce your downtime.

Monday Nov 15, 2010

Video Tutorial: Installing Solaris 11 Express in VirtualBox

Today, Solaris 11 Express is available for download, allowing customers to get a preview of the technologies that will be delivered in Solaris 11 next year.  In this video tutorial, I take you through the steps to install and configure Solaris 11 Express using Oracle's free Type 2 hypervisor, VirtualBox.  VirtualBox can be downloaded for free and is available for MacOS, Solaris, Linux and Windows Platforms.

Solaris 11 Express is binary compatible with Solaris 8, 9 and 10 and is supported on SPARC as well as X86 chip sets. It is a fully virtualized operating system to include virtual networks, zones and file systems (ZFS).  Learn more about What's New in Solaris 11 Express.  You can also learn more about Solaris 11 by reviewing these slides from the recent Oracle Solaris Summit.

The video is 13 minutes long and through the magic of digital video editing covers "just the good parts" without all the waiting around.  I created it using the built-in screen recording features of Quicktime X on MacOS 10.6 and used iMovie 09 for the editing and voiceover.  It's available on YouTube and viewing it in full screen mode makes it easier to see the terminal commands.

Listen to the Podcast and Download Solaris 11 Express today. (Use the "LiveCD" ISO download version which includes the GUI installer)

FAQ:

  • How do I get out of the virtual machine and back to my host OS?
    • VirtualBox defines a "HOST" key.  The default in MacOS is the Left Command key.  Pressing this key releases the cursor and keyboard from the VM control.  You can change this key in VirtualBox Preferences.
  • How do I make the virtual machine run in full screen mode?
    • On MacOS, use Command-F or the VirtualBox menus to switch between window mode and full screen mode.
  • My Virtual machine is locked in a low resolution display mode?  How do I get it to adjust properly to the window size?
    • You MUST have the VirtualBox guest extensions installed.  The VM must be rebooted after installing.
  • What's the difference between the "Solaris" choice in VirtualBox VM settings and Solaris 64-bit?
    • If you choose, Solaris the system will boot the 32-bit kernel.  If you choose Solaris 64-bit, it will choose the 64-bit kernel.  Only a single install is required because both the 32 and 64-bit kernel are installed.  In fact, you can change this parameter after installing Solaris 11 Express and it will automatically boot the correct kernel.
  • How did you find out all these tips?
    • See the VirtualBox Help menu.  It's actually quite helpful.
  • How do you make the folder sharing work without having to manually mount the file system each time as root?
    • See my original blog entry on sharing folders, which I recently updated to describe how to give the user the Primary Administrator role.  It describes how to add a mount command to the Gnome startup options.
  • Where can I learn more about the installation procedure?

Tuesday Aug 10, 2010

Solaris 11 in 2011

John Fowler (Executive VP of Oracle Hardware Systems) today announced continued, increasing investment in SPARC and Solaris technologies going forward.  Oracle is committing to increased performance, ease of management, security, reliability and scalability going forward.  He also announced that Solaris 11 will be available in 2011 and sooner as Solaris 11 Express for enterprise customers.

The replay of the web cast and the actual presentation slides will be posted later today or tomorrow.

Solaris 11 will be based on technologies currently available for preview in OpenSolaris including:

  • Image packaging system
  • Crossbow network virtualization
  • ZFS de-duplication 
  • CIFS file services
  • Enhanced Gnome user environment
  • Updated installer and auto network installer
  • Network Automagic configuration
  • and much more
Look for more information next month at Oracle Openworld.  Join us there for JavaOne activities as well.

 

Thursday Jan 28, 2010

Oracle's strong commitment to Solaris

I'm very excited after hearing Oracle's commitment to Solaris during their strategy webcast yesterday (1/27).  In case you've been living under a rock, Oracle offered to purchase Sun back in April 2009 and completed the acquisition on 1/26/2010. While the delay was certainly frustrating to Sun employees and customers, it gave Oracle enough time to formulate a strong strategy and product plan.  

During his portion of the webcast Edward Screven (Chief Corporate Architect) provided his view of how Oracle will invest more in Solaris and how Solaris is a primary platform today for Oracle products such as the Database, WebLogic, PeopleSoft and other product lines. (View the PDF as well).  He also commented on Oracle's commitment to Sun's virtualization technologies such as Solaris Containers and Logical Domains and promised that they will be managed (along with Oracle VM) in a centralized, coherent fashion.

It  also became clear that those of us with Solaris expertise will soon be learning about Oracle Enterprise Linux and Oracle VM as well.  OEL currently has over 4000 paying subscription customers. 

At the end of the five hour extravaganza Larry Ellison provided an excellent summary and answered questions from the audience.  Larry is also a huge Solaris fan and emphasized that both Solaris and OEL had their market position and applications. He believes that Solaris can become the center of a grid of systems operated as a single collection (and had some very entertaining comments about the term "cloud computing.") Oracle will be able to provide both and manage them from a single point using a combination (over time) of Sun Ops Center and Oracle Enterprise Manager.

As I tell my 19-year old college student (majoring in IT at George Mason University), "Get used to learning new things, because in this business, you will never stop learning."

Congratulations to Oracle and I'm looking forward to expanding my own skills and knowledge in the coming years.  I invite you to view all the video and PDF slides from the webcast.

 (You'll notice that ALL the sun.com content has migrated to Oracle.com)

Thursday Sep 17, 2009

Answering a customer's LDOMs security questions

Recently a customer in the Federal Government asked some fairly straightforward security questions about Logical Domains.  In doing my research, I found it wasn't that straightforward to get the answers from the standard Logical Domains (LDOMs) documentation.  Luckily, our engineering and marketing team stepped up to provide clear, concise answers so that this customer (who prefers to remain anonymous) can move forward and implement their virtualization strategy on Sun's T2 class of processors.

Logical Domains (LDoms) provide built-in and no-cost virtualization capabilities for Sun Chip Multithreading (CMT) Servers. Unlike proprietary virtualization technologies, LDoms can save you up to $10,000 per server. It allows you to create virtual machines that take advantage of the massive thread scale offered by these platforms. Create up to 128 virtual servers on one system... for free!  Customers have used Logical Domains to reduce their costs and consolidate their server farms for significant returns in operations and energy savings. For example, using LDOMs and Solaris containers, the United States Air Force was able to reduce rack space to achieve a 13:1 consolidation ratio, decreased server deployment time by more than 90% and cut datacenter power consumption by more than 25%. Download the software for Solaris 10 or OpenSolaris today.

Logical Domains allow the primary Solaris domain (sometimes known as the control domain) to create virtual disks and assign CPU thread, network, memory and I/O resources to other virtual Solaris machines to run on a single system.  The control domain uses the Logical Domains Manager (LDM) to control, monitor and manage the running domains.  Live migration of domains is supported.

LDoms 1.2 adds a number of new features, including:

  • Improved Network performance with the introduction of support for jumbo frames
  • Reduced power footprint with CPU power management, powering off cores that aren't in use automatically
  • Easier adoption with support for physical-to-virtual migration tool
  • Quick start with support for configuration assistant tools
  • Faster agility with enhancements to Domain Mobility
  • Increased control and response to guest availability with Domain dependencies
  • In-built protection from corruption with Auto-recovery of configurations
And now on to the Q and A:

CPU

Q: Can the Control domain access/utilize the CPU threads of a guest without shutting down the guest?

Answer: A Control domain cannot access the CPU threads assigned to a guest domain unless the threads are removed from the guest, and then added to the control domain, such as with CPU Dynamic Reconfiguration, or by rebooting both the guest and control domain after a Static Reconfiguration. LDoms fundamentally partitions CPU resources and there is no sharing of CPU thread resources. Enforcement of this partitioning and separation is done at the Hypervisor level, so it cannot be circumvented by the Control domain.

Virtualization solutions for x86 and IBM Power systems typically time-slice access to threads across multiple guests. This is because IBM and Intel CPU's have very few threads per socket. With SPARC CMT, we have up to 128 threads per socket, and we take advantage of the hardware by using a much safer and simpler partitioning approach in the SPARC Hypervisor and LDoms.

Q: Can a guest domain access the CPU threads of another guest?

Answer: No. LDoms partitions threads and does not share them across logical domain boundaries. See detailed explanation above.

Q: Can a guest domain access the CPU threads of the control domain?

Answer: No. See answers above.

Memory

Q: Can the Control domain alter the active memory space of a running guest?

Answer: There are two types of memory “alteration” in a system, first is modifying the contents of existing memory in a guest, and second, is the reconfiguration of memory size within a guest. For LDoms, guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

As of LDoms 1.2, any request to change the memory configuration (i.e. how much memory a guest has allocated to it) through the LDM command line interface on the Control Domain would queue a “Delayed Reconfiguration” operation, which would take effect upon the next reboot of the guest. Beginning in LDoms 2.0, we will support the dynamic reconfiguration of a guest domain's memory configuration.

There are some memory transfers or shared memory accesses between domains, done in order to implement virtual device and domain services. These transfers and sharing are strictly controlled by each domain and by the SPARC hypervisor: a domain will define, with the hypervisor, the memory data it is going to transfer or share with another domain.

Q: Can a guest domain access the memory of another guest?

Answer: No. Guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

Q: Can a guest domain access the memory of the control domain?

Answer: No. There are no interfaces which allow for a guest to modify the configuration of or gain access to any part of the control domain's memory.

Virtual Network

Q: Can the control domain alter the network traffic of guest domains? The concern is about a compromised Control Domain becoming a man-in-the-middle. How can this condition be identified/reported?

Answer: Yes. The network switching of the packets is done in a software driver (vsw); it's harder to alter the network traffic to guest domains, but a compromised control (or service) domain *can* alter the traffic. Our security model assumes that the domain(s) that host services such as vsw are trusted, so they need to be secured as per the local security guidelines. Compromising or accessing the network traffic of guest domains from the control domain requires root access on the control domain.

Q: Can a guest domain access the network traffic for another guest? The assumption is yes, since an IP network is being shared. A scenario of interest - or pre condition - is if the physical NIC is disconnected, other than via the physical IP network. The key concern is a guest domain accessing the IP traffic of another guest domain via the virtual switch.

Answer: No. The traffic between the virtual switch(vsw) and the virtual network device(vnet) uses Logical Domain Channels(LDCs) that are a point-to-point type of connection. As a result, the traffic between the virtual switch and a guest domain is not visible to other guest domains. Note, switching is based on mac-addresses and LDoms doesn't allow the change of mac-address of a vnet device in a guest domain, so guest domains cannot spoof by changing their mac-addresses.

Q: Can a guest domain access the network traffic of the control domain?

Answer: No. Guest domains will only see the traffic that fits the following:

  • Unicast traffic that matches the virtual network device's mac-address in the guest domain.

  • Broadcast traffic.

  • Multicast traffic for which the guest domain registered to receive.

No other packets will be seen by the Guest domains.

Virtual Disks

Q: Can a guest domain access virtual disk devices that it has not been allocated, e.g., other guests, Control Domains?

Answer: No. A guest domain can only access virtual disk devices that have been explicitly assigned to it. It will not see, nor can the guest access any other disk.

Virtual Console

Q: Can a guest domain access the virtual console of another guest domain?

Q: Can a guest domain access the console for the control domain?

Answers: A guest domain cannot access the console interface for a different guest domain, nor can a guest domain access the console for the control domain. The only console access is via a privileged user on the control domain itself. There are no interfaces available in any other scenario for accessing a guest console, including over the general network interface.

Special Interest

Once the LDoms are running in our environment, there is very little need to log into the Control Domain (CD) and this is preferred behavior.

Q: Can a Control Domain be shut down and the LDOMS continue to run? If not, are there other options for maximally restricting access to, e.g., "locking" a CD once the LDoms are configured? An acceptable instance of "locking" is restricting access to the CD from Virtual Console only. Ideally, access via SSH would also be highly restricted. Limited access for maintenance and configuration are also acceptable.

In summary, the primary objective of these features is to secure the CD from a malicious user gaining access and changing LDom configuration without detection.

Answer: One of the architectural principles of LDoms has been that a guest domain can operate independently of the control domain. For example, if a control domain were to fail and reboot, the guests will continue to operate. Extending this logic, yes, you can currently shut down the control domain and the guest environment will continue to operate. However, this holds only if the guests are using virtual I/O (assuming that I/O is being served from an I/O service domain that's not the control domain) or have been granted direct ownership of one or more PCI-E busses. But with the advent of upcoming projects like direct I/O (the ability to assign individual PCI-E slots to a guest) and SR-IOV (the ability to assign individual PCI-E virtual functions to a guest), it will not be possible to shut down the control domain without impacting guest domains that have been allocated individual PCI-E slots or functions.

In addition, other caveats, or things to consider are:

  • Without a control domain, there is no console access to the guests unless the console service is hosted elsewhere.

  • With no control domain, there's no LDoms Manager, which precludes any monitoring or reconfiguration of the guests. It also precludes capabilities such as domain mobility (i.e. migration) and power management.

  • All IO used by the guest must continue to be available – i.e. if the control domain is also operating as an IO service domain, those IO devices being served by the control domain will cease to be available for the duration that the control domain is down.

  • FMA (the Solaris Fault Management Architecture) will be unavailable

  • Certain Sun as well as third party management tools require access to the control domain; if the control domain goes down, those tools will have degraded capability.

In terms of "locking" or severely limiting access to the control domain, that is certainly possible, but would be subject to its own set of constraints:

  • Without control domain access, there is no console access to the guests unless the console service is hosted elsewhere.

  • There's no way to interact with the LDoms Manager directly, which limits the ability to monitor, manage, or reconfigure the guests. The current lack of a suitable standalone LDoms management capability exacerbates this issue.

  • The inability to login to the control domain makes it extremely difficult to discover or manage any I/O (e.g. disks & network interfaces) bound to that domain.

  • Certain Sun as well as third party management tools require access to the control domain; if the control domain is locked down, those tools will have degraded capability.

The control domain is usually configured as a service domain. In that case, the control domain needs to be up and running in order to provide service for virtual devices used by guest domains. If the control domain is down then access to virtual devices is suspended until the control domain comes back up.

On appropriate platforms, I/O domains can be created and used as service domains instead of using the control domain as a service domain. That way, guest domains will not depend on the control domain to access their virtual devices.
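
The caveats above come down to one planning question: which guests depend on the control domain for console or virtual I/O? The script below is an added example, not part of the original post or of Sun's LDoms tooling; the three-column inventory format and the domain names (primary, iodom1, ldg1 to ldg3) are constructed assumptions that you would replace with your own domain bindings.

```shell
#!/bin/sh
# Added example, not from the original post or from Sun's LDoms tooling.
# Question answered: if DOMAIN goes down, what does each guest lose?
#
# Input (hypothetical format, one binding per line):
#     guest  resource  serving-domain
# The legacy Solaris /usr/bin/awk has no -v option; set AWK=nawk there.
AWK=${AWK:-awk}

sample_inventory() {
    # Constructed sample data: "primary" is the control domain, "iodom1" is
    # a separate I/O service domain, ldg1..ldg3 are guest domains.
    cat <<'EOF'
# guest resource serving-domain
ldg1 console primary
ldg1 vdisk   primary
ldg1 vnet    primary
ldg2 console primary
ldg2 vdisk   iodom1
ldg2 vnet    iodom1
ldg3 console iodom1
ldg3 vdisk   iodom1
ldg3 vnet    iodom1
EOF
}

# impact DOMAIN: read the inventory on stdin and print one line per guest:
#   io-suspended:<resources>  virtual devices served by DOMAIN stop responding
#   console-unavailable       only the guest console is served by DOMAIN
#   independent               nothing the guest uses is served by DOMAIN
# Whatever this prints, the post notes that the LDoms Manager (monitoring,
# reconfiguration, migration) and FMA are lost while the control domain is down.
impact() {
    "$AWK" -v down="$1" '
        /^[ \t]*#/ { next }          # skip comment lines
        NF < 3     { next }          # skip blank or incomplete lines
        {
            guest = $1; res = $2; server = $3
            # remember guests in first-seen order for stable output
            if (!(guest in seen)) { seen[guest] = 1; order[++n] = guest }
            if (server != down) next
            if (res == "console") { console[guest] = 1; next }
            sep = (guest in io) ? "," : ""
            io[guest] = io[guest] sep res
        }
        END {
            for (i = 1; i <= n; i++) {
                g = order[i]
                extra = (g in console) ? ",console" : ""
                if (g in io)
                    print g, "io-suspended:" io[g] extra
                else if (g in console)
                    print g, "console-unavailable"
                else
                    print g, "independent"
            }
        }'
}

# Stand-alone run: report against the sample data (default domain: primary).
sample_inventory | impact "${1:-primary}"
```

Guests reported as independent are the ones that match the post's condition for surviving a control domain shutdown: their virtual I/O is served from a service domain other than the control domain.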

Monday Sep 14, 2009

Why Oracle wants Solaris

Forbes magazine published a great article on why Oracle wants Solaris.

Some of the highlights include:

  • Virtualization
  • Scalability
  • Security 
  • Reliability
  • Management
  • Flexibility

Also, see my earlier blog entry about 7 things Oracle will love about Sun.

If you have any doubts about Oracle's commitment to Solaris, SPARC and Sun, Just ask them....

 

Sunday May 31, 2009

Updating to OpenSolaris 2009.06

Update:  See the screencast on how to update at the CommunityOne website.

For What's New in OpenSolaris 2009.06, see this PDF presentation... 

If you have OpenSolaris 2008.11 installed, the repositories have now been updated to include the 2009.06 packages. You do NOT have to do a clean install. Simply update your packages.  The complete download image will be available on Monday June 1st.

However, the Update manager GUI tools will tell you that no new packages are available. You must use the command line tools to update SUNWipkg first. Attempting to run the "pfexec pkg image-update" command will give you a message indicating that you need to run:

pfexec pkg install SUNWipkg

in order to update the package tools. Once this process is complete, you can use the command line or the GUI Update Manager to move to 2009.06. Update manager will create a new boot environment (using ZFS) and make it the default BE. OpenSolaris will be featured prominently during Community One/JavaOne this week.

One more bit of information.  If you have created zones on your OpenSolaris installation, you may need to uninstall the zones before updating. Otherwise, the update manager will give you an error (for which there is a bug, ID 8313):

"Unable to clone current boot environment"

To remove the zones:

pfexec zoneadm -z zonename uninstall

Wednesday Apr 22, 2009

DoD uses Solaris Security Toolkit

If you are a part of the US DoD you may remember my earlier blog entry (July 2007) in which I posted customizations to the Solaris Security Toolkit designed to help secure a computer in compliance with DISA Security Guidelines.  Although I haven't done any additional work since that time, Aaron Lippold of DISA took my work and extended it to increase compliance and updated it to more recent versions of DISA STIGs.

Aaron recently notified me that his modifications have now been posted on Forge.mil.

Forge.mil is a family of services provided to support the DoD's technology development community. The system currently enables the collaborative development and use of open source and DoD community source software. These initial software development capabilities are growing to support the full system life-cycle and enable continuous collaboration among all stakeholders including developers, testers, certifiers, operators, and users.

This is great news because it provides a way for the DoD community to collaborate together to make the tool better for everyone. If you are a DoD employee or contractor with a Common Access Card (CAC) you can access this project at https://software.forge.mil/sf/projects/dodsst/.

Join the community, download the tools, contribute changes and make your life generally better by using the Toolkit and DoDSST project to secure your Solaris 10 environment quicker, in an automated and more reproducible fashion.

I'd like to thank Aaron for the hard work he has done and for his initiative in creating this project for the good of the US Government.

Tuesday Mar 24, 2009

Sharing Folders in VirtualBox

One of the new features of the recently posted VirtualBox 2.2 beta1 is that you are finally allowed to share folders from an OpenSolaris guest to a MacOS host.  This increases the usability of VBox substantially for me because I've been using a workaround for a while.

It's easy to set up the sharing capability in the VirtualBox GUI. With your VM running:

Devices > Shared Folders

Enter the path of a folder on your Mac and the "Share" name that you will be using to reference it on your OpenSolaris system.  The folder name does not need to be related to the actual folder path.

UPDATE NOTE:  In Solaris 11 express build 151a, the initial user is NOT configured as Primary Administrator by default and the pfexec command listed below will not work until you give the user that role. 

  • System > Administration > Users and Groups
  • Click on your username and Properties
  • User Profiles tab, select  Primary Administrator and click OK 

On the OpenSolaris side, you need to mount the file system to make it visible to the user.

bash-3.2$ id
uid=101(jlaurent) gid=10(staff) groups=10(staff)

bash-3.2$ mkdir mac
bash-3.2$ pfexec mount  -F vboxfs -o uid=101,gid=10 jlaurent /export/home/jlaurent/mac

This, however, is annoying to do each time you reboot so it would be nice to have the file system mount on boot up.  Adding a line to /etc/vfstab should help.

 jlaurent    -    /export/home/jlaurent/mac    vboxfs    -    yes    uid=101,gid=10

Unfortunately, in my testing, this prevented the system from booting.  Thanks to Michael, I learned that this is because Solaris processes vfstab BEFORE it completes the ZFS mount of my home directory in /export/home.  Changing the line to:

jlaurent    -    /mac    vboxfs    -    yes    uid=101,gid=10

Fixed the problem.  

However, it's not very convenient at /mac.  There are a few other options.

You can also add the line to your .bashrc file but that only takes effect when you start a new terminal window.  The best option for me was to place the line in the Gnome session startup scripts.

System > Preferences > Sessions > Add


There's a little trick, however, that was non-intuitive to me the first time I did this.  My file system was NOT mounting on login and I didn't know why.  I checked into my .xsession-errors file and found the message: mount: command not found.

As you can see in the screen shot above, the absolute pathname is required for commands executed during login.
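
One way to script the login-time mount described above, as an added example rather than the author's own startup entry: the script name mount-vbox-share.sh is an assumption, while the share name, mount point and uid/gid are the ones shown earlier in this post. It calls every external command by absolute path and skips the mount when /etc/mnttab already lists it.

```shell
#!/usr/bin/bash
# Added example (not from the original post): login-time mount of a
# VirtualBox shared folder, meant to be listed in the Gnome session
# startup programs. Commands started at login do not get the interactive
# PATH, so every external command is called by its absolute path.

SHARE=jlaurent                          # share name set in Devices > Shared Folders
MOUNTPOINT=/export/home/jlaurent/mac    # mount point used in the post
MOUNT_OPTS=uid=101,gid=10               # uid/gid reported by id in the post
MNTTAB=${MNTTAB:-/etc/mnttab}           # Solaris table of mounted file systems

# share_is_mounted MOUNTPOINT [MNTTAB]
# Succeeds if a vboxfs file system is already mounted on MOUNTPOINT.
# mnttab fields: special, mount point, fstype, options, time.
# Uses only shell built-ins, so it does not depend on PATH at all.
share_is_mounted() {
    while read -r _special mountp fstype _rest; do
        if [ "$mountp" = "$1" ] && [ "$fstype" = "vboxfs" ]; then
            return 0
        fi
    done < "${2:-$MNTTAB}"
    return 1
}

# mount_share: mount the share unless it is already there.
# pfexec only works once the user has the Primary Administrator profile.
mount_share() {
    if share_is_mounted "$MOUNTPOINT"; then
        return 0                        # already mounted: nothing to do
    fi
    [ -d "$MOUNTPOINT" ] || /usr/bin/mkdir -p "$MOUNTPOINT" || return 1
    /usr/bin/pfexec /usr/sbin/mount -F vboxfs -o "$MOUNT_OPTS" "$SHARE" "$MOUNTPOINT"
}

# Mount only when run under the assumed script name, so the functions can
# be sourced and checked without touching the system.
case "${0##*/}" in
    mount-vbox-share.sh) mount_share ;;
esac
```

The entry added under System > Preferences > Sessions is then the script's own absolute path.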

Issues:

StarOffice and Gedit do NOT want to save data back into this folder even though cp and vi have no problem with it.  I'm still researching this issue.



Wednesday Mar 11, 2009

OpenSolaris and Cloud Computing at FOSE

If you happen to be attending the Federal Office Systems Exhibition (FOSE) this week at the convention center in Washington D. C. drop in on my OpenSolaris session.  It will be held Thursday at 11:30 in room 158A. Come and see the benefits of ZFS, Dtrace, Zones and other new features in OpenSolaris.

Come visit Sun's booth #2309 to learn more about all of our systems, storage, software and services. 

I also provided a 5 minute "lightning talk" and panel discussion on Cloud Computing on Tuesday. About 120 people attended. Read more about Sun's cloud initiatives at our web site. Stay alert for upcoming announcements about Sun's cloud offerings.

Catch me if you can at Sun's table in the Cloud area of the exhibit hall and play "stump the geek."

 You can download OpenSolaris or Solaris 10 for free usage.  Do it today and get started learning.

Wednesday Feb 25, 2009

HP to Ship the Solaris 10 OS With its ProLiant Systems

In a resounding endorsement for the Solaris 10 enterprise grade operating system, Sun and Hewlett-Packard today announced an expanded multi-year partnership agreement for HP to distribute and support Sun's Solaris 10 OS. The top five x86/x64 based system vendors (Sun, HP, IBM, Fujitsu/Siemens, Dell) now all ship Solaris with their systems.

If you don't happen to have an HP system, feel free to check out Sun's servers based on the Intel, AMD or Sparc processors or download Solaris 10 or OpenSolaris for free and try it out on your laptop or PC.  If you don't like the ugly mess of multi-booting using GRUB, try it in Sun's free and open-source VirtualBox environment.  VBOX allows you to run Solaris 10, OpenSolaris, Red Hat or Windows on top of a variety of hosts such as Windows, Linux, Solaris or Mac OS.


Thursday Nov 06, 2008

File sharing OpenSolaris guest in VirtualBox on Mac host

Sun's VirtualBox type II hypervisor is a great free tool for running multiple guest OSes on your desktop.  I use VBOX on my Mac to run Solaris 10 and OpenSolaris.

One of the weaknesses of VBOX at this time is that the "guest additions" don't yet support file sharing from a Solaris guest OS.  There are ways around this, however, using SMB protocols.  Here's how....

  • Configure SMB sharing on your Mac
    • Apple Menu > System Preferences > File Sharing pref pane
    • Enable File sharing
    • Click Options
    • Enable Share files and folders using SMB
    • Enable your username account for file sharing. Doing this exposes your home folder on the network as a Windows shared folder. Make sure you have a good password!
  • Install Solaris or OpenSolaris in VirtualBox
  • Configure NAT networking
  • Open a Nautilus file browser
  • Go > Location
  • Enter: smb://10.0.2.2/<usernameonmac>
  • Enter your password
  • A new file browser should open with your mounted files.
  • Bookmarks > Add Bookmark

This works because when NAT networking is configured the Solaris guest gets an IP address of 10.0.2.xx.  The VBOX hypervisor acts not only as DHCP server but also as gateway and host at IP address 10.0.2.2.

In OpenSolaris, you can also do this using the Places > Connect to server menu item.  Choose Custom Location from the pull-down menu and enter the SMB address.

For more on accessing Windows Sharing check out Brian Leonard's blog entry.

Meanwhile, make sure to get the free downloads of Solaris 10, OpenSolaris or VirtualBox.


Thursday Oct 23, 2008

Comparing Solaris/OpenSolaris/Red Hat and Win2003 server

Many of you have previously seen my comparison chart for Solaris 10, Red Hat Enterprise Linux 5 and MS Windows 2003, all of which can be purchased from Sun running on Sun hardware.  All of the current open source development effort for Solaris is going on in the OpenSolaris community and Sun has produced a binary distribution of OpenSolaris which is available (along with support contracts) at OpenSolaris.com.  

Development from Sun's engineers and outside contributors continues at a fast pace on OpenSolaris and there are hundreds of projects and thousands of community members.  Occasionally, features from OpenSolaris get back ported to Solaris 10 when there is sufficient business case, customer demand and engineering determines that the new feature will not reduce the stability of Solaris 10.  Past examples include Trusted Extensions, ZFS, CPU Caps and more.  Eventually, OpenSolaris will form the basis for the next major version of Solaris with long term support.  In the meantime, you can put the OpenSolaris binary distribution into production today and get support for it from Sun.

With that in mind, I have updated my comparison chart to include OpenSolaris in addition to the other OSes.

Why should you care?

OpenSolaris provides significant new features for Sun users, for developers as well as infrastructure operators. Examples include:

  • ZFS automatic snapshot
  • Network auto configuration
  • Image Packaging system and update GUI
  • CIFS server in kernel
  • Improved Gnome user interface and accessibility
  • More GNU utilities.

Download it today for Intel and AMD based laptops, workstations or servers.

Try it out with Sun Studio Developer tools, optimized AMP Stack or other open source software in our repository.



Monday Oct 20, 2008

Another one of my customers loves Solaris 10

 

My previous blog entry attempted to establish the fact that Solaris 10 (including Containers/Zones) is used throughout the US DoD.  On a related note, I received this direct quote from one of my customers in the US DoD.

Just as a reminder, I'm the DNS guy for all of <Deleted> We're running
zones for our DNS servers (authoritative and recursive) world-wide from
Hawaii to Stuttgart and places in between and they are functioning
beautifully.  Sol 10 is the most versatile OS ever!

Keep the good news coming!

Tuesday Oct 14, 2008

US Air Force Saves money/space with Solaris containers

As an OS Ambassador for Sun Federal, I'm frequently asked the questions:

Are Solaris containers "certified" for use by the US Government or DoD?

  • Short answer: Yes!  Read on for the long answer.
  • Solaris 10 has received the highest commercial level of Common Criteria Certification.  This is known as EAL4+ and we did this using 3 protection profiles:
  • If you review our documentation and security target, you'll find that the "Trusted Extensions" component of Solaris 10 which implements the LSPP is based upon Solaris containers.  We use Solaris containers in a unique manner by providing each container with a security label which cannot be violated by a user inside the container.
  • In addition, you should note that Sun includes the GUI, Multi-level desktop (Gnome and CDE), LDAP server and management tools in our evaluation.  Red Hat's CC evaluation is for a command line installation only.
  • I'm unaware of any other government "certification" which would apply to Solaris containers.  If you know of any, please let me know.

Who is using Solaris containers in the US Government?

Is Solaris 10 (or MySQL or JCAPs or other Sun product) on my federal agency's "approved products list?"

  • Whenever I get this question I ask my own questions:
    • For which agency?
    • Please show me a public web site that hosts the "approved products list."
    • Whom should I contact to have my product added to the "approved products list?"
    • What are the specific requirements to be on the "approved products list?"
  • In many cases I'm met with blank stares and the person who asked me the question doesn't know where to find the APL. Sometimes it doesn't actually exist.  In other cases there are waiver procedures available to bypass the APL. While I'm not saying that there are no APLs in federal agencies, I believe that a lot of people believe that there is when there isn't.  There most certainly is NOT one big APL for the federal government or DoD.
  • One example of an APL is the DoD's Joint Interoperability Test Command's IPv6 APL.  There you will find Solaris 10, and we are in the process of adding additional products.

Summary

Solaris 10 is in use today in a wide variety of government and DoD applications including many of its advanced features such as containers, ZFS, SMF and much more.

Download Solaris 10 today and try it or look into the future with OpenSolaris.


Wednesday Oct 01, 2008

Solaris: Why it's so successful.

Why is Solaris 10 so successful in the market?  It's all about platforms, developers, OEM providers and application availability.

Platforms

Solaris 10 runs on the major volume platforms in the industry: Sparc, Intel and AMD.  Contrary to popular opinion (and competitive FUD), the Sparc architecture is NOT a proprietary architecture.  It is an industry standard and open source architecture that anyone can replicate (and have already).  On the other hand, the Intel X86 architecture (while a de facto standard) is proprietary and can only be replicated using an expensive and legally difficult clean room reverse engineering process.

Developers

Solaris 10 supports developers by being available for free download, being able to run on low-cost x86 laptop and desktop systems and providing a vibrant open source community for developing new enhancements.  Don't forget our great development toolkit.

OEM Vendors

Solaris 10 can be purchased from the major hardware vendors in the industry through OEM agreements: Sun, Dell, IBM, Fujitsu/Siemens and Intel.

Applications

Solaris 10 has a larger application catalog than any other Unix or Linux product in the market place.

Solaris Ready Application Catalog
All Results 6620 Apps
SPARC 5653 Apps
X64 3527 Apps

Why should you care?

You don't buy hardware or operating systems because they're cool or keep your data center warm.  You buy for applications.  Choosing a platform that is available from major vendors, runs on a variety of platforms (large and small), supports your developers and has a larger application catalog should be high on your list.


About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
