JomaSoft recently announced the availability of VDCF Release 8.3, with a primary focus on security. VDCF is a platform management framework for the Solaris Operating System. Customers that wish to operate, administer and monitor SPARC LDoms and Oracle Solaris Zones at scale across several systems may consider VDCF a highly practical and capable solution.

Here are the new major features in this release:

  • Enhanced compliance reporting
  • Additional rules for hardening Nodes and vServers
  • vServer support for the zones limitpriv attribute
  • Local vServer filesystem monitoring
  • Improved & faster verification operations
  • New ‘migration-class2’ is supported for SPARC S7/T7/M7/T8/M8 servers
  • Enhanced local IPS repository management

Here is a more in-depth explanation of these new features.

Enhanced compliance reporting

In earlier releases, VDCF compliance already provided detailed reporting on the VDCF Web Dashboard and an overview on the command line. This update adds the result of each individual rule for a server, enabling an administrator to detect non-compliant rules promptly.

The following command shows the result of each compliance rule for a server:

$ osmon -c show_compliance server=s0004

Rule       Description                                       Result
OSC-54005  Package integrity is verified                     pass
OSC-53005  The OS version is current                         informational
OSC-53015  Required CVE fixes are installed                  pass
OSC-53505  Package signature checking is globally activated  pass
OSC-16005  All local filesystems are ZFS                     pass
......
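Because the per-rule output is plain text, it can be filtered by a cron job or a monitoring agent so that only rules needing attention are reported. The following POSIX shell script is an added example and not VDCF code: it assumes whitespace-separated columns with the rule id first and the result last (as in the output above), treats "pass" and "informational" as not requiring action, and uses a constructed sample report in which the "fail" result keyword is an assumption.

```shell
#!/bin/sh
# Added example, not part of VDCF: filter an `osmon -c show_compliance`
# report down to the rules that need attention. The report below is
# constructed to match the column layout of the command's output; the
# "fail" result keyword is an assumption.

SAMPLE_REPORT='Rule Description Result
OSC-54005 Package integrity is verified pass
OSC-53005 The OS version is current informational
OSC-53015 Required CVE fixes are installed fail
OSC-53505 Package signature checking is globally activated pass
OSC-16005 All local filesystems are ZFS pass
JOM-00003 Set default umask 027 for users fail'

# noncompliant_rules: read a report on stdin and print one
# "RULE<TAB>DESCRIPTION<TAB>RESULT" line per rule whose result is neither
# "pass" nor "informational" (assumed to need no action). The header line
# and filler lines such as "......" are skipped.
noncompliant_rules() {
    awk '
        NR == 1 && $1 == "Rule" { next }      # column header
        NF < 3 { next }                        # filler or blank lines
        {
            rule = $1; result = $NF; desc = $2
            for (i = 3; i < NF; i++) desc = desc " " $i
            if (result != "pass" && result != "informational")
                printf "%s\t%s\t%s\n", rule, desc, result
        }'
}

# count_noncompliant: number of rules needing attention (stdin -> stdout)
count_noncompliant() {
    noncompliant_rules | awk 'END { print NR }'
}

# check_compliance: return 0 when every rule is compliant, 1 otherwise;
# the offending rules go to stderr so a caller can forward them to an alert.
check_compliance() {
    bad=$(noncompliant_rules)
    if [ -n "$bad" ]; then
        printf 'Non-compliant rules:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# On a real system the report would come from VDCF, for example:
#   osmon -c show_compliance server=s0004 | check_compliance
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_REPORT" | check_compliance || echo "server needs attention"
```

The exit status of check_compliance makes the script usable directly as a monitoring check; the tab-separated output of noncompliant_rules is easy to feed into a ticketing or alerting pipeline.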

Additional rules for hardening Nodes and vServers

One of the distinctive capabilities of VDCF is its ability to automatically increase system security by implementing hardening settings based on Solaris Compliance guidelines.

VDCF now supports 59 Hardening Rules. See node -c harden help for details.

$ node -c harden help 
The following 59 Hardening Rules are available for Hardening Profiles 
OSC-01010: Service svc:/network/http:apache22 is in disabled state
....
OSC-02001: Audit parameters are set to recommended values

The following rules have been added:
OSC-08505: Use of the cron(8) and at(1) daemons is restricted
OSC-42011: Service svc:/network/ntp is enabled and properly configured as a client
JOM-00001: Log all failed logins (SYSLOG_FAILED_LOGINS)
JOM-00002: Lock account after retry limit reached
JOM-00003: Set default umask 027 for users

The JOM-* rules at the end of this list are new JomaSoft-specific rules.

vServer support for the zones limitpriv attribute

Numerous zone attributes, including autoboot, resource, network, dataset, and filesystem settings, are configurable in current VDCF versions. The limitpriv property is now supported, enabling adjustment of this crucial security option.

The “default” limitpriv option is used when deploying new Zones (vServers). The limitpriv settings for already-running vServers are imported into the VDCF repository.

To define a new default value for new vServers, set the configuration variable VIRTUAL_LIMITPRIV_DEFAULT.

$ export VIRTUAL_LIMITPRIV_DEFAULT="default"

Existing privileges are displayed by vserver -c show and can be modified using vserver -c modify.

Local vServer filesystem monitoring

With its osmon program, VDCF has long monitored the filesystems of native and global zones on central storage. This version closes a small gap, so that zone filesystems deployed on local directories can now also be monitored. Currently, all filesystems are watched, and filesystems that are almost full are detected and reported.

Improved and faster verification operations

To find manual system modifications, VDCF can compare the actual system configuration to its repository. Performance was improved in this release to speed up this verification process.

The VDCF verification operations have been able to compare the settings for zones, ldoms, filesystems, network interfaces (single and IPMP) and zpools for many releases. With this release, LUNs that are incorrectly assigned to multiple Compute Pools are also detected, and aggregated network interfaces are verified. As a result, verifying the system configuration and identifying faulty settings is even more effective.

This includes a new command diskadm -c verify to report LUNs that are incorrectly assigned to multiple Compute Pools:

$ diskadm -c verify

Found LUNs that are visible to multiple ComputePools:

GUID                             Count cPool Names
60002AC000000000000002F60001507B 6     default proxy sol10_guest sol11 test vdcf
60002AC000000000000002F70001507B 6     default proxy sol10_guest sol11 test vdcf
600140569416732DBB80D4DFCD9DBFD1 5     default hamon-demo ist-stand prodrepo sol11
60014058CE18C9FD80A3D4BC1D805CD9 5     default hamon-demo ist-stand prodrepo sol11
600140593127DD0D3E20D4BBFDB50CDE 5     default hamon-demo ist-stand prodrepo sol11
...

The command dataset -c verify now can update dataset size in VDCF when it has changed on the system:

$ dataset -c verify all update_size
 
Verifying Datasets on Node node01 ...
Verifying Datasets on Node node03 ...
Real layout and size are equal to the values stored in the DB for dataset 'data1'.
Real layout and size are equal to the values stored in the DB for dataset 'data3'.
Updating size of dataset 'topf' from 4.00 GB to 9.97 GB
Real layout and size are equal to the values stored in the DB for dataset 'topf'.
Updating size of dataset 'topf1' from 4.00 GB to 9.97 GB
Real layout and size are equal to the values stored in the DB for dataset 'topf1'.

And the command node -c verify now verifies aggregated interfaces.

$ node -c verify name=s0003
Discovering Node s0003 ...
Discover Systeminfo ...
Discover Rootdiskinfo ...
Discover Diskinfo ...
This may take some time, it depends on the number of disks
..
Discover Netinfo ...
Verify of Node s0003 was successful

Plus, the performance of node and vserver -c verify has been improved.

New ‘migration-class2’ is supported for SPARC S7/T7/M7/T8/M8 servers

Only CPUs that support the most recent CPU capabilities, such as DAX, are included in the new ldom migration class 'migration-class2'.

For live migration across SPARC S7/T7/M7/T8/M8 Servers, the new 'migration-class2' is supported via the commands gdom -c display candidates and gdom -c migrate.

Use the candidates option to obtain a list of potential target servers that actually meet the requirements for migrating that ldom. The migrate operation itself is only carried out if these conditions are met.

With these checks you can determine in advance whether or not an ldom migration will succeed, and unwelcome downtime for your ldoms is avoided.

Enhanced local IPS repository management

The ipsadm tool from VDCF provides simple-to-use functionality for creating, updating and displaying IPS repositories. To avoid the time- and space-consuming import of all SRUs from Oracle Support into the local repository, two additional options have been added: import only a specific SRU, or only the next SRU that is not yet available in the local repository.

Command to update your local repository to the next available SRU or with a specific SRU:

$ ipsadm -c update_repo name=prod [ next ] [ sru= ]

About JomaSoft VDCF

VDCF (Virtual Datacenter Cloud Framework) is JomaSoft’s CLI platform management and monitoring framework for Oracle Solaris. Using VDCF you deploy and manage bare metal, LDoms and Zones in a highly automated way. VDCF is easy to use and helps to standardize Oracle Solaris datacenters.

It saves time and reduces human errors. Based on an architecture using SAN LUNs, VDCF offers a failover solution.

VDCF is available in two editions. The commercial version includes bug fixes, updates and support services. The free edition is limited to 5 servers and does not include support.

You can find the free edition download here: https://www.jomasoft.ch/downloads/#vdcf-free

For additional information or questions contact JomaSoft by e-mail: info@jomasoft.ch