Oracle Solaris 11.4 SRU 66 is now available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.
Security and Compliance Features
Migration of Solaris packages to OpenSSL 3.0
Solaris packages that depend on OpenSSL have been migrating from using version 1.0.2 to version 3.0 over a series of Solaris 11.4 SRUs. In Solaris 11.4 SRU 66, most of the remaining binaries linked against the OpenSSL 1.0.2 libraries have been converted to use the 3.0 libraries instead. This may affect which encryption algorithms they support, and may allow those making TLS connections to start using the TLS 1.3 protocol. There are still some packages delivered in SRU 66 that require OpenSSL 1.0.2, so it cannot be removed from Solaris installations yet. This migration will continue in upcoming SRUs.
Note that in OpenSSL 3.0 some older/weaker cryptographic algorithms are no longer available by default. When the system is not running in FIPS 140-2 mode, these algorithms can be made available in Oracle Solaris by installing the legacy provider package: pkg:/library/security/openssl-3/legacy-provider and changing the activate property in /etc/openssl/3/conf.d/legacymodule.cnf.
To run the system in FIPS 140-2 mode, install the package crypto/fips-140. This package will also ensure that the library/security/openssl-3/fips-140-provider package is installed. Note that having the fips-140-provider package installed causes OpenSSL to apply the FIPS-140-2 restrictions, including disabling some newer cryptographic algorithms that are not allowed by the older FIPS-140-2 standard. Systems which do not want these restrictions can uninstall the fips-140 packages manually after upgrade.
Networking Features
resolv.conf option “usevc” to use DNS over TCP
The Solaris DNS resolver library has allowed applications to set the RES_USEVC flag to send DNS queries over TCP instead of the default UDP since Solaris 2.6. Solaris 11.4 SRU 66 adds the ability to add either “usevc” or “use-vc” to the config/options property for the svc:network/dns/client SMF service to enable the use of TCP by default for DNS lookups from all applications. See the resolv.conf(5) man page for more information.
Removal of IPFilter to PF conversion tool
The ipf2pf package aided in converting firewall configurations from the IPFilter format used with Solaris 11.3 and earlier, to the PF format used with Solaris 11.4. As direct upgrade from Solaris 11.3 to a Solaris 11.4 SRU later than SRU 56 is not possible, and all updates to current Solaris 11.4 SRUs must be from a previous Solaris 11.4 SRU in which all attached zones have booted, the conversion tool for upgrades from 11.3 is no longer needed and it has been removed.
Performance and Observability
Fractional timestamps in system log messages
The timestamp format used by log(4d) has been extended to allow timestamps past January 2038, and to include fractions of a second. This will appear in logs from dmesg(8), syslogd(8), and rsyslogd(8) as subsecond precision in messages, such as:
Jan 22 17:02:48.462 solaris genunix: [ID 672855 kern.notice] syncing file systems... Jan 22 17:02:48.609 solaris genunix: [ID 904073 kern.notice] done
The syslogd(8) man page documents the new time_precision SMF property, which determines how many digits of precision to include in log files. The default is 3 digits (milliseconds).
ptree(1) option -g to list direct global zone parents for -z option
The ptree command now accepts a new option -g that may be used with the -z zone option to show parent processses in the global zone for processes in the specified non-global zone. Those parents will have a suffix of ‘*’ on the process ID to identify them as global zone processes:
$ ptree -z kzone -g 26489* zlogin -U kzone 26490 <defunct> 26491* zlogin -U kzone 26492 <defunct> 26471 zsched
See the ptree(1) man page for further details.
Enhancements for Developers
Apache Tomcat 9 added
A new package web/java-servlet/tomcat-9 has been added with the Apache Tomcat 9 application server. Tomcat 8.5 is still provided in the web/java-servlet/tomcat-8 in SRU 66, but is planned for removal in a future Solaris 11.4 SRU, so those who are hosting their applications in Tomcat should work on migrating to the new version. See the Apache Tomcat 9 Documentation for more information.
kldd support for multiple sysroots, _depends_on[], and platform selection
The kldd utility extended the -S option to accept a colon-separated path of directories, added the -P option to specify platform directories to search, and added support for finding dependencies specified via the deprecated _depends_on mechanism. See the kldd(1) man page for more information.
Plus flags for mdb_getopts
The mdb_getopts() API now accepts a new flag MDB_OPT_PLUSBITS to support options beginning with ‘+’ in addition to the previously supported ‘-’. See the mdb(1) man page for further details.
Type and name mapping for mdb
The mdb API added new functions and a new ::typemap dcmd to map opaque types to detailed types, such as the vfs_data pointers in vfs_t structures. See the mdb(1) man page for more information.
Before Upgrading to SRU 66
Migration from cx_Oracle to python-oracledb
The packages for the cx_Oracle Python module have been marked obsolete and will be removed on upgrade to SRU 66.
Maintainers of python code that use this API to access Oracle databases need to ensure their code is updated to use the oracledb Python module instead, as provided in the Solaris package library/python/oracledb. See Open Source Python Thin Driver for Oracle Database for more information on the differences and links to information on how to update Python code to use the new module.
Migration from MySQL 5.7 to 8.0
The packages for version 5.7 of the MySQL database have been marked obsolete and will be removed on upgrade to SRU 66.
Administrators of MySQL 5.7 databases should follow the instructions in MySQL 8.0 Reference Manual: Upgrading MySQL to migrate their databases to version 8.0 before upgrading to SRU 66. The MySQL 8.0 packages are available in Solaris 11.4 SRU 57 and later.
Recompile Go software that was built with GCC 10
The packages for the version 10 GNU compilers have been marked obsolete and will be removed on upgrade to SRU 66.
Users of the gccgo compiler need to note that the removal of GCC 10 packages will also remove of the libgo.so.16 library used by Go programs compiled with GCC 10, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to SRU 66.
Preparation for Upcoming SRUs
The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.
Migration from OpenSSL 1.0.2 to 3.0
SRU 66 provides packages for both versions 1.0.2 & 3.0 of the OpenSSL libraries. OpenSSL 1.0.2 will be removed in a future SRU; likely no earlier than the January 2025 SRU. All locally built applications and ISV applications that use the system provided OpenSSL 1.0.2 need to migrate to OpenSSL 3.0 as soon as possible. Migration to OpenSSL 3 of Solaris delivered core functionality and FOSS is ongoing and continues to be delivered incrementally over a number of SRUs.
Migration from Python 3.7 to 3.9 or 3.11
SRU 66 provides packages for Python versions 3.7, 3.9, and 3.11. Upstream support for Python 3.7 ended on June 27, 2023. Python 3.7 will be removed in a future SRU. All locally built applications and ISV applications that use the system provided Python 3.7 need to migrate to a later version as soon as possible. Migration of Solaris delivered core functionality and FOSS is ongoing and will be delivered incrementally over a number of SRUs.