Oracle Solaris 11.4 SRU 90 is now available via “pkg update” from the support repository or by downloading the SRU from My Oracle Support Doc ID KB631614. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.
Security and Compliance Features
ikev2cert PIN from SMF
IKEv2 stores its key material in a PKCS#11 token, which in most cases for Solaris 11.4 is the default pkcs11_softtoken. The IKEv2 daemon (in.ikev2d) reads the PKCS#11 token PIN from the read-protected property pkcs11_token/pin of its SMF service svc:/network/ipsec/ike:ikev2.
To set up IKEv2, the admin needs to initially create or import the key material/certificates, using ikev2cert(8) to do that. Use of ikev2cert(8) previously required the PKCS#11 token PIN to be entered interactively, making it difficult to do a hands-off deployment of IKEv2.
SRU 90 updates ikev2cert(8) to not prompt for the PIN when it is already available in the IKEv2 SMF service. If the PIN is not present or is the empty string then ikev2cert(8) will operate as it did in prior SRUs.
Data Management Features
Changing restricted ZFS retention properties on receive of new file system
Prior to SRU 90, some file system properties were restricted from changing during a zfs receive and failed with an error:
# zfs send tank/a@now | zfs recv -o retention.policy=off tank/b
Cannot receive: cannot override received retention.policy
warning: cannot send 'tank/a@now': Broken pipe
Starting in SRU 90, ZFS allows for changing retention.policy in that situation. The two primary abilities this adds are for a user to take a retention-enabled file system and copy it to one with no retention, and vice-versa. It also enables a user to raise or lower the retention restrictions between privileged and mandatory retention policies.
ZFS also now allows a user to change the retention.period.grace property under the same circumstances. Normally, this is restricted from being lowered or disabled once enabled with mandatory retention.
This does not let a user change the retention policy of an existing retention-enabled file system, nor restore a file system stream from a differing file retention policy over a given file system.
This only changes the property; files which were previously marked as retained will retain that information. This information only applies if the resulting file system has retention enabled. The rtime, if previously set on a file system with retention disabled, will no longer be displayed.
ZFS scan with pending free
In previous versions of ZFS, if a pool is still working through a list of blocks to free from deleted snapshots or clones, then scrub and resilver were postponed. When very large snapshots were deleted, resilver could be postponed for hours to even days.
In SRU 90, zpool upgrade -v now shows a new version, “54 Scan with pending free”, which remedies this issue once pools are upgraded to zpool version 54 or later.
devnm -s option
A new -s option has been added to the devnm(1) command in SRU 90, to produce short output for a single argument specified on the command line. Unlike the default output, the short output does not include the arguments after the special file, reducing the need for parsing the output. For example:
% devnm / /var
rpool/ROOT/11.4.90 /
rpool/ROOT/11.4.90/var /var
% devnm -s /
rpool/ROOT/11.4.90
Networking Features
Selecting which DHCP address to use for Automatic DNS configuration
A new ipadm(8) address property named dhcpinfo-option-source has been added in SRU 90. When the property is set to yes, packets from the DHCP server to which that DHCP address is bound are searched for DNS configuration to be used to configure the Solaris DNS client instance. This property may be set to yes on only one address per system, and when set to yes on an address, the value on all other addresses will be automatically set to no.
Updating DNS options when DHCP responses change
In compliance with RFC 8415 Section 18.2.10, only DNS configuration options from the most recent server reply will be used for the DNS configuration starting in SRU 90. If a later reply does not include an option (such as search list) that was in a previous reply, it will be removed from the DNS configuration in use. This change only applies to DNS information and not other settings provided by DHCP.
ipadm release-addr
SRU 90 adds a release-addr subcommand to ipadm(8), allowing an admin to trigger a release of a DHCP lease without disabling the address object. This is similar to ifconfig interface dhcp release which does not delete the address while releasing the current lease.
BIND upgraded from 9.18 to 9.20
The BIND DNS nameserver has been upgraded from the 9.18 series to the 9.20 series in SRU 90. While most elementary configurations will be fine, some configurations will require changes to named.conf(5) following package updates. For more information, see ISC’s Changes to be aware of when moving from BIND 9.18 to 9.20 and the documentation provided in the /usr/share/doc/release-notes/bind-transition.txt file in the BIND package in SRU 90 and later.
In addition, support for Internationalized Domain Names (IDN) has been enabled in the BIND 9.20 packages.
IPv6 Protocol Property _forward_src_routed removed
SRU 90 removes the defunct _forward_src_routed IPv6 protocol property, also known as ip6_forward_src_routed when using the ndd(8) command. _forward_src_routed is a hidden property, and while documented in the Oracle Solaris 11.4 Tunable Parameters Reference Manual, it is not displayed by the ipadm show-prop command unless explicitly requested.
Attempting to set the _forward_src_routed IPv6 property via ipadm(8) will result in an “Operation not supported” message in SRU 90 and later.
IPQoS removed
IPQoS is an implementation of Differentiated Services (DiffServ), designed to mark and classify packets arriving at edge routers with flags in the DiffServ field of the IP header for packet classification purposes. Such flags are used to determine packet forwarding priority within a DiffServ enabled network and other characteristics such as class which translates to a probability of the packet being dropped.
Oracle Solaris 11.4 provides features such as flows and Edge Virtual Bridging, the combination of which provides bandwidth reservation locally and through the network, though these do not provide all features of a DiffServ enabled network.
In Solaris 11.1, the following note was added to the ipqosconf(1m) man page:
The IPQoS facility may be removed in a future release. Users are encouraged to migrate to dladm(8), dlstat(8), flowadm(8), and flowstat(8), which support similar bandwidth resource control features.
In SRU 90, the obsolete flag has been set on pkg://solaris/system/network/ipqos so that it will be removed on upgrade to SRU 90 or later.
Performance and Observability
ctfdump refresh
The ctfdump(1) utility provides insight into the CTF data included in ELF binaries. SRU 90 brings a set of changes intended to refresh the output produced by the ctfdump utility to make it easier to read and comprehend. Note that the output from ctfdump is not considered an interface covered by the Solaris interface stability rules.
Changes include dropping the string table and statistics from the default output, leaving the Header, Labels, Data, Function, and Types sections displayed by default. To see the same sections as previous versions, including the string table and statistics, now requires specifying these options:
% ctfdump -sS -dfhlt file
where -s is the string table, -S is statistics, and -dfhlt are the 5 option flags needed to specify the other sections that would otherwise be displayed by default.
To make this less cumbersome, this SRU also added a new option, -a (all), that specifies those 5 categories, plus the string table. With the -a option, all CTF data in the object, including the string table, can be displayed simply as:
% ctfdump -a file
and all CTF data, plus the statistics drawn from them, can be displayed with:
% ctfdump -aS file
Virtualization Features
Kernel Zone Memory LZR support disabled for SPARC migration classes ‘generic’ and ‘migration-class1’
SRU 90 disables support for memory live zone reconfiguration (MEMLZR) for kernel zone memory resources on SPARC platforms where a kernel zone is configured to run in either the generic or migration-class1 migration class. It remains available in kernel zones configured with the migration-class2 or sparc64-class1 migration classes, as well as on x86 platforms.
Memory LZR for SPARC was introduced in SRU 45, enabling users to increase or decrease the amount of memory assigned to a running kernel zone by modifying the capped-memory:physical resource with zonecfg(8), either with the -r option or by then executing the zoneadm(8) 'apply' command to add or remove memory from the running kernel zone.
System Management Features
Boot Environment preservation policy
With manual or automatic boot environment creation it is sometimes necessary to mark a specific BE as important and to be preserved. A new policy called preserve is added in SRU 90 that prevents a BE from being destroyed by beadm(8) (even with the -F flag) until the policy is updated to remove preserve.
It is not intended to stop an administrator running zfs destroy to delete boot environments. This policy is implemented only at the boot environment layer and is not intended to be a ZFS dataset nodestroy for Solaris.
Example usage:
root# beadm set-policy -n preserve 11.4.87.205.0
root# beadm list
BE Name       Flgs Mntpnt Space Policy               Created
------------- ---- ------ ----- -------------------- ----------------
11.4.87.202.0 -    -      6.97G auto,static          2025-08-08 12:45
11.4.87.203.0 -    -      2.79G auto,static          2025-08-26 14:07
11.4.87.205.0 -    -      3.99G auto,preserve,static 2025-09-19 16:43
11.4.87.206.0 NR   /      9.44G auto,static          2025-09-27 06:29
root# beadm destroy 11.4.87.205.0
Are you sure you want to destroy be://rpool/11.4.87.205.0? This
action cannot be undone [y|N]: y
Destroying BE be://rpool/11.4.87.205.0 failed: Unable to destroy
be://rpool/11.4.87.205.0 because it is marked with 'preserve'.
Please see logfile /var/share/beadm/beadm.5916.20251002_141426.hwuoo2g8.log
for additional details
root# beadm set-policy -n -preserve 11.4.87.205.0
root# beadm destroy 11.4.87.205.0
Are you sure you want to destroy be://rpool/11.4.87.205.0? This
action cannot be undone [y|N]: y
bootadm support for unrestricted property on GRUB menu entries
GRUB implements an authentication and authorisation system for access to the boot menu and its entries. The update to GRUB 2.12 in SRU 81 added a menu entry option, --unrestricted, that must be specified to allow unauthenticated access to individual menu entries when authentication has been enabled, whereas in GRUB 1.99 in previous SRUs, the unrestricted behavior was the default.
If admins have a custom GRUB configuration that defines users and superusers, with the update to GRUB 2.12 they are suddenly required to enter a password to access any menu entries. To resolve this problem, SRU 90 has added an unrestricted property to bootadm’s menu entry management for x86. That allows customers to use the full GRUB functionality as needed.
Example on allowing unrestricted access to a specific menu entry:
bootadm change-entry 11.4.87.205.0 unrestricted=True
If authentication is already enabled for an entry (which is accomplished using the bootadm change-entry add-auth command) attempting to set unrestricted fails with the error:
bootadm: 'unrestricted' property cannot be modified with active credentials
The user must use bootadm change-entry del-auth to remove the credentials, after which setting unrestricted to True succeeds. Conversely, adding authentication credentials to an entry with bootadm change-entry add-auth automatically sets the unrestricted property to False.
Like all GRUB-specific options, this property is x86 only.
nscfg(8) ‘check’ subcommand and a new naming check SMF service
SRU 90 adds a new check sub-command to the existing nscfg(8) name service configuration tool, and a new SMF service svc:/system/check/name-services:default to warn administrators of current configuration issues that are detected by holistically inspecting all naming service configuration. This new sub-command and SMF service aim to inform users of misconfigured naming SMF properties and/or potential naming issues caused by existing configuration that may be impacting the behavior of the Solaris system.
The service runs during boot, after milestone/multi-user. Any observed issues are recorded in the service’s SMF log file. Additionally, the check SMF service is restarted whenever any name service SMF method has been refreshed. Alternatively, the sub-command can be run by an administrator at any time to look for issues that may have been introduced due to a change in naming configuration. See the nscfg(8) man page for details.
The command and corresponding SMF service do not change naming configuration in any way. The service simply reports issues it detects so that an administrator can investigate. If the SMF service is disabled, the system behaves as it does today with no additional configuration checking.
Enhancements for Developers
Unsigned 32-bit time types
Time stamps in Unix have traditionally been measured relative to the epoch date of January 1, 1970. In 32-bit environments, when the number of seconds relative to that date were stored in a signed int (aka int32_t), that allowed time stamps to range from December 13, 1901 to January 19, 2038. While 64-bit environments often use 64-bit integers instead, allowing timestamps to range billions of years into the past and future, there are some binary file and network protocol formats which only have room for 32-bit values for the time stamp.
One method of allowing software using 32-bit values for timestamps to continue working with dates past 2038 is to change the timestamp to an unsigned value, trading dates in the range of 1901-1969 for dates in the range 2038-2106. For instance, in SRU 72, the file format for recording login and logout times in the lastlog, utmpx, & wtmpx files was converted this way, as there were no logins to Solaris systems prior to 1970 to record in them.
Instead of using uint32_t for a 32-bit time stamp, SRU 90 adds a new type utime32_t to <sys/types32.h> in order to signal the intention to handle 32-bit timestamps in an explicitly unsigned way. This labels the consumer as “expecting post-Y2038 timestamps”, rather than “expecting pre-1970 timestamps” and will therefore be clearer when reading the code.
SRU 90 also introduced a new timeval structure, utimeval32 based on the existing timeval32 structure, but which uses unsigned values for both the tv_sec and tv_usec components. A corresponding TIMEVAL_TO_UTIMEVAL32 macro was also added to <sys/time.h>.
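The signed and unsigned readings of the same 32-bit field, and a range-checked narrowing from 64-bit seconds, shown as an added example that is not Oracle's code. It assumes a local stand-in typedef ex_utime32_t in place of the Solaris utime32_t so it builds anywhere; the helper names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Local stand-in (assumption) for the utime32_t that SRU 90 adds to
 * <sys/types32.h>, so the example builds on systems without that header. */
typedef uint32_t ex_utime32_t;

/* Legacy reading: the stored 32 bits are a signed count of seconds. */
static int64_t decode_signed32(uint32_t raw)
{
    return raw >= 0x80000000u ? (int64_t)raw - 4294967296LL : (int64_t)raw;
}

/* Unsigned reading: the same 32 bits cover 1970 through 2106. */
static int64_t decode_unsigned32(ex_utime32_t raw)
{
    return (int64_t)raw;
}

/* Narrow 64-bit seconds into the 32-bit field. Out-of-range values are
 * rejected with EOVERFLOW instead of being silently truncated. */
static int encode_utime32(int64_t secs, ex_utime32_t *out)
{
    if (secs < 0 || secs > (int64_t)UINT32_MAX) {
        errno = EOVERFLOW;
        return -1;
    }
    *out = (ex_utime32_t)secs;
    return 0;
}

/* Format seconds since the epoch as a UTC date; returns buf, or NULL. */
static const char *utc_date(int64_t secs, char *buf, size_t len)
{
    time_t t = (time_t)secs;
    struct tm *tm = gmtime(&t);

    if (tm == NULL || strftime(buf, len, "%Y-%m-%d", tm) == 0)
        return NULL;
    return buf;
}

int main(void)
{
    /* Constructed sample: first second after the signed 32-bit range ends. */
    uint32_t raw = 0x80000000u;
    char a[16], b[16];
    ex_utime32_t field;

    printf("signed:   %s\n", utc_date(decode_signed32(raw), a, sizeof a));
    printf("unsigned: %s\n", utc_date(decode_unsigned32(raw), b, sizeof b));
    if (encode_utime32(4294967296LL, &field) != 0)
        printf("2106-02-07 06:28:16 UTC does not fit: %s\n", strerror(errno));
    return 0;
}
```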
bufmod Y2038 timestamp extension
bufmod(4M) is the packet capture module used by snoop(8). As part of the data sent from the kernel to the userland consumer, there is a timestamp field using a timeval32 structure. This has been updated to a utimeval32 to allow timestamps from 2038 to 2106, as described above, without breaking binary compatibility of existing consumers of the bufmod interface.
Limiting “Send to All” signalling
In traditional UNIX/POSIX signal semantics the process ID of -1 has long had a special meaning of “send to all”. If the caller is “privileged” (PROC_OWNER is in the effective set) then “all” really means every process on the system, including all non-global zone processes when sent from the global zone. If the caller does not have PROC_OWNER, then it refers to all processes owned by that user.
There have been known outages due to a TERM/HUP/KILL signal being unintentionally sent to all processes, such as when uninitialised data in a monitoring tool resulted in -1 as the pid, or when a bug in sudo made it try to kill process group 1 (which is represented as a pid of -1). While SMF restarts services, it will not restart login sessions or anything started outside of SMF.
SRU 90 adds “guard rails” to limit what even a privileged user can do with a “send to all” kill(2). This is possible because POSIX allows for a restriction of the special -1 process id, as defined in the kill(2) definition of the standard. Thus the kernel was updated to check for some additional restrictions when the target pid is -1 and the signal is being sent by a process with the PROC_OWNER privilege: if sysadm(8) noreboot maintenance mode is set, or if the sending process does not have the new PRIV_PROC_SENDTOALL process flag set, then EACCES is returned, a kernel message is logged, and an audit record is generated.
The PRIV_PROC_SENDTOALL process flag is set by reboot(8), halt(8), and poweroff(8) by calling setpflags(PRIV_PROC_SENDTOALL, 1) before calling kill(2). A process can also be granted PRIV_PROC_SENDTOALL via ppriv(1).
The killpg(3c) function was previously modified in SRU 83 to reject a process group of 1, so that killpg calls with an invalid process group of 1 were not inadvertently turned into attempts to signal all processes, and thus are not affected by this change.
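A caller-side complement to the kernel guard described above, for tools that only ever mean to signal a single process. This is an added example, not code from Oracle or the Solaris source; parse_target_pid and kill_one are hypothetical helper names, and the pidfile contents are constructed.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L          /* for kill(2) and pid_t */
#endif
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Parse a PID from text such as a pidfile line (hypothetical helper).
 * Accepts only a complete decimal number greater than 1 that fits pid_t;
 * 0, -1 and other negative values address process groups or "all". */
static int parse_target_pid(const char *text, pid_t *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0') {
        errno = EINVAL;
        return -1;
    }
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno != 0)
        return -1;                       /* ERANGE from strtol */
    if (end == text) {                   /* no digits at all */
        errno = EINVAL;
        return -1;
    }
    if (*end == '\n')
        end++;                           /* allow one trailing newline */
    if (*end != '\0' || v <= 1 || v > INT_MAX) {
        errno = EINVAL;
        return -1;
    }
    *out = (pid_t)v;
    return 0;
}

/* Signal exactly one process (hypothetical wrapper around kill(2)).
 * Refuses pid <= 1 so an unset or corrupted value never fans out. */
static int kill_one(pid_t pid, int sig)
{
    if (pid <= 1) {
        errno = EINVAL;
        return -1;
    }
    return kill(pid, sig);
}

int main(void)
{
    pid_t target = -1;                   /* "not yet set" sentinel */

    /* Constructed input: a failed lookup left "-1" in the pidfile. */
    if (parse_target_pid("-1\n", &target) != 0)
        fprintf(stderr, "rejected pidfile contents\n");
    if (kill_one(target, SIGTERM) != 0)
        fprintf(stderr, "refused to signal pid %ld\n", (long)target);
    return 0;
}
```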
Solaris ELF support for Zstandard section compression
This project added support for the Zstandard (Zstd) compression algorithm to the Solaris ELF implementation. Zstd support is part of the generic ELF ABI (gABI), and has already been implemented by GNU/Linux.
The Solaris link-editor (ld) -z compress-sections option and the elfcompress utility -t option both now accept zstd as a valid compression type. The elf_compress() function provided by libelf now accepts ELFCOMPRESS_ZSTD as a valid compression type.
Manual pages for elfcompress(1), ld(1), and strip(1) were updated.
LLVM/Clang version 21
Packages for LLVM & Clang version 21 have been added alongside the existing packages for LLVM & Clang versions 13 and 21. Users of the Clang compilers should read the Clang 20 Release Notes and Clang 21 Release Notes for important information on changes between these versions, including some potentially breaking changes in each.
Other Changes
ls -s output with the -h (human readable) option
SRU 90 altered the behavior of the ls -s (show size in blocks) option when the -h (human readable output) option is also used.
Historically, the native Solaris ls(1) utility has not converted the output controlled by the -s option to human readable form when the -h option was also specified, while the GNU version of ls has. This SRU changed Solaris /usr/bin/ls behavior to scale the reported sizes like the GNU version.
Before Upgrading to SRU 90
Migration from gcc 12 to a later version
SRU 89 provided packages for versions 12, 13, 14, and 15 of the GNU Compiler Collection. GCC 12 has been removed in SRU 90. Users of the gccgo compiler need to note that the removal of GCC 12 also included the removal of the libgo.so.21 library used by Go programs compiled with GCC 12, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to SRU 90 or later.
Preparation for Upcoming SRUs
The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.
Migration from older libpng versions to libpng 1.6
SRU 90 provides packages for versions 1.0, 1.2, 1.4, and 1.6 of the Portable Network Graphics (PNG) library, libpng. Upstream ended support for versions 1.5 and earlier in 2017 and recommends all users port to version 1.6. Migration of the Solaris delivered packages to the new version has been completed, so in an upcoming SRU, the packages for versions 1.0, 1.2, and 1.4 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided image/library/libpng10, image/library/libpng12, or image/library/libpng14 packages need to migrate to image/library/libpng16 as soon as possible.
Migration from MySQL 8.0 to 8.4
SRU 78 added packages for version 8.4 of the MySQL database alongside the existing packages for version 8.0. Upstream support for MySQL 8.0 is scheduled to end in April 2026 and it is planned for removal in a future Solaris 11.4 SRU. Administrators of MySQL 8.0 databases should follow the instructions in MySQL 8.4 Reference Manual: Upgrading MySQL to migrate their databases to version 8.4 before upgrading to an SRU in which 8.0 has been removed.
Migration from OKM to KMIP
Support for Oracle Key Manager (OKM) via pkcs11_kms(7) may be removed from a future Oracle Solaris 11.4 SRU. Systems should be migrated to using a key management system using the OASIS KMIP standard supported by pkcs11_kmip(7), such as Oracle Key Vault (OKV).
Migration from PCRE to PCRE2
SRU 90 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is completed as of SRU 90, after being delivered incrementally over a number of SRUs. Thus, in an upcoming SRU, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.

