The new feature release of the Oracle ZFS Storage software has just become available and has both new features and updated functionality for some existing ones.  A number of these features focus on security.

One new security feature is the ability to require two administrators for any destructive action on shares, projects, snapshots, replication packages, and pools. When enabled, the object cannot be destroyed unless two different administrators perform the operation. One administrator, the approver, sets the prevent destruction property to off/false, and the second administrator deletes the object in the normal manner. The approver’s username is recorded and can be viewed through the BUI, CLI, or the RESTful API.

When the property for preventing share destruction is set at the pool level, shares and projects within the pool cannot be deleted. Share and project snapshots, replication packages within the pool, and the pool itself, are also protected from destruction because of inheritance rules. Protection is also extended to destroying a share through dependent clones. However, it does not affect shares destroyed through replication updates. If a share is destroyed on an Oracle ZFS Storage Appliance system or an OCI ZFS-HA cluster that is the source for replication, the corresponding share on the target will be destroyed, even if this property is set to on/true.
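The rules in the two paragraphs above can be written down as a small model. This is an added example, not Oracle's code or API: every class, field and function name is hypothetical, and it assumes the approver switches the property off on the object itself, overriding the value inherited from the pool.

```python
# Simplified model of the two-administrator rule; NOT Oracle's code or API.
# All class, field and function names are hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class StorageObject:
    name: str
    parent: Optional["StorageObject"] = None
    prevent_destruction: Optional[bool] = None  # None means "inherit from parent"
    approver: Optional[str] = None              # who last switched protection off
    destroyed: bool = False

    def resolve(self) -> Tuple[bool, Optional[str]]:
        """Walk up to the nearest explicit setting (share -> project -> pool)."""
        node = self
        while node is not None:
            if node.prevent_destruction is not None:
                return node.prevent_destruction, node.approver
            node = node.parent
        return False, None

def approve_destruction(obj: StorageObject, admin: str) -> None:
    """First administrator: turn protection off and record the username."""
    obj.prevent_destruction = False
    obj.approver = admin

def destroy(obj: StorageObject, admin: str,
            via_replication_update: bool = False) -> Tuple[bool, str]:
    """Second administrator deletes; returns (succeeded, reason)."""
    if via_replication_update:
        # Per the post: a source-side destroy removes the target share
        # even when the property is on/true.
        obj.destroyed = True
        return True, "destroyed by replication update"
    protected, approver = obj.resolve()
    if protected:
        return False, "prevent destruction is on"
    if approver == admin:
        return False, "approver and deleter must be different administrators"
    obj.destroyed = True
    return True, f"destroyed, approver={approver}"

if __name__ == "__main__":  # constructed scenario
    pool = StorageObject("pool0", prevent_destruction=True)
    share = StorageObject("share1", parent=pool)
    approve_destruction(share, "alice")
    print(destroy(share, "alice"), destroy(share, "bob"))
```

The replication branch is the case to keep in mind when relying on this control: protection set on the target does not stop a destroy that arrives from the source.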

Another set of features extends the file retention capabilities introduced in OS8.8.45.  The new capabilities include:

  • Ability to automatically delete files when retention has expired
  • Ability to modify read and exec permissions on retained files
  • Ability to block deletion of files whose retention has expired for the purpose of Legal Hold

The features that control file retention behavior after expiry require the File Retention on Expiry deferred update, as well as a specific user authorization. The File Retention feature itself requires the File Retention deferred update (OS8.8.45).

Not all of the new features are security-based.  OS8.8.63 also introduces a “one-button” option to automatically configure the LDAP service for a currently joined Active Directory domain. After setup, you can view the LDAP configuration and customize it, if necessary. If only one LDAP server is configured, more LDAP servers can be added by customizing the configuration. Also, if the DNS service cannot discover any LDAP servers, customizing the configuration allows you to manually set up the servers in the LDAP service.

Users of the Oracle ZFS Storage’s S3-compatible object store will find improved support for the s3cmd client.  Previously, using a legacy version of the client was required. With OS8.8.63, the Amazon S3 Object Storage implementation now supports the most recent s3cmd client.

Instance Principal Authentication support is a new feature available only to users of the Oracle ZFS-HA image from the OCI Marketplace. Instance principal authentication can be used when creating a cloud target instead of authenticating with a combination of user OCID and private key. An instance principal is an Oracle Identity Access Management feature, enabling instances to become authorized principals that can perform actions on service resources, such as Object Storage.

OS8.8.63 of course includes features and fixes from previous releases.  Of note is the addition of Multi-Factor Authentication for directory users.  Originally released in OS8.8.60, this feature introduces the RADIUS service for communicating with a RADIUS server to authenticate directory users for logging in to Oracle ZFS Storage Appliance. RADIUS provides authentication by supporting classic password-based authentication, as well as supporting multi-factor authentication, which requires additional authentication using such schemes as challenge-response authentication and one-time password authentication. Multi-factor authentication adds a layer of security to help prevent unauthorized access. Once enabled, all directory users use the RADIUS service. The RADIUS server controls the authentication process and prompts for required information.

Of special note to customers who have Oracle ZFS Storage Appliances with 14 TB hard drives is the inclusion of new drive firmware for the 14 TB HDD model numbers W7214A520ORA014T and W7214A524ORA014T. This firmware includes a fix for an issue that could cause drive errors, leading to an increase in drives being failed in a short period of time, and a fix for an issue that can cause a severe performance problem that could stall IO for several minutes. A scrub should be run on any pools with 14 TB drives after this firmware has been loaded to the drives. This firmware was originally released in OS8.8.62.

OS8.8.63 can be downloaded from My Oracle Support.

Anyone interested in ZFS Storage in OCI can find out more by following this link.