What’s New in Oracle Solaris 11.4 SRU 84

Oracle Solaris 11.4 SRU 84 is now available via “pkg update” from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.

Security and Compliance Features

sxadm(8) update for Intel RFDS Vulnerability Mitigations

SRU 84 adds new sxadm extensions for Intel’s Register File Data Sampling (RFDS) vulnerabilities which are covered by CVE-2023-28746. Intel has provided CPU microcode updates that mitigate these vulnerabilities and allow CPUs to report if they are affected by the vulnerability or not.

The sxadm(8) command will report these new extensions:

• RFDS_CLEAR is a new extension for Intel machines that will be enabled if the processor has a mitigation present for the RFDS vulnerabilities.
• RFDS_NO is a new readonly extension that will be enabled if the CPU is not vulnerable to any of the RFDS vulnerabilities. It will always be shown as enabled on systems with SPARC or AMD CPUs.

Data Management Features

Re-loading disk information on format(8) startup

Starting in Solaris 11.4.0, the startup of the format(8) utility was made much faster on large setups by reading the list of disks and their properties from the dev_info cache instead of walking the /dev directory and querying each device. While this enhancement had very positive impact in most scenarios, there was an issue in clustered environments. When node A modified the label of a disk, the information displayed in format(8) on node B was not up-to-date until the label was explicitly re-read by the node B. SRU 84 introduces a new command line option -r (for reload) which causes it to re-query the disks instead of relying on the cached information.

format(8) non-interactive disk listing

The format(8) command was originally written as an interactive utility. However, lots of users have been using it non-interactively in scripts to print list of disk devices. Common uses included “echo | format” or “format </dev/null“.

In order to improve user experience in this area, SRU 84 introduces new command line options -n and -q. When -n is used, the utility prints a list of disks with their basic attributes non-interactively. With -q, the output is less verbose and it prints just the disk list with their location, when available. The -q option may be used in both interactive and non-interactive modes.

For example:

root# format -n
       0. c0t5000CCA05615DC04d0 <HITACHI-H109060SESUN600G-A690-558.91GB>
          /scsi_vhci/disk@g5000cca05615dc04
          /dev/chassis/SYS/SASBP/HDD0/disk
       1. c0t5000CCA0562047E0d0 <HITACHI-H109060SESUN600G-A690-558.91GB>
          /scsi_vhci/disk@g5000cca0562047e0
          /dev/chassis/SYS/SASBP/HDD1/disk
       2. c0t5000CCA0561F86E4d0 <HITACHI-H109060SESUN600G-A690-558.91GB>
          /scsi_vhci/disk@g5000cca0561f86e4
          /dev/chassis/SYS/SASBP/HDD2/disk
       3. c0t5000CCA05620ECA8d0 <HITACHI-H109060SESUN600G-A690-558.91GB>
          /scsi_vhci/disk@g5000cca05620eca8
          /dev/chassis/SYS/SASBP/HDD3/disk

root# format -q
AVAILABLE DISK SELECTIONS:
       0. c0t5000CCA05615DC04d0 /SYS/SASBP/HDD0
       1. c0t5000CCA0562047E0d0 /SYS/SASBP/HDD1
       2. c0t5000CCA0561F86E4d0 /SYS/SASBP/HDD2
       3. c0t5000CCA05620ECA8d0 /SYS/SASBP/HDD3
Specify disk (enter its number):

root# format -qn
       0. c0t5000CCA05615DC04d0 /SYS/SASBP/HDD0
       1. c0t5000CCA0562047E0d0 /SYS/SASBP/HDD1
       2. c0t5000CCA0561F86E4d0 /SYS/SASBP/HDD2
       3. c0t5000CCA05620ECA8d0 /SYS/SASBP/HDD3
root#

The -q option has no effect when used together with -f or -L. The -n option is not allowed to be used together with -f or -L. See the format(8) manual page for details.

Force flag for fmthard

The format(8) utility does not allow you to write the label if the disk contains a mounted file system, part of an active ZFS pool, part of an exported ZFS pool with retained data, an SVM metadb, an SVM volume, a VXVM volume, swap, the dump device or a spare vdev for ZFS. format(8) also issues a warning if the disk contains an unmounted file system, an exported pool, or a potentially active pool.

SRU 84 modifies fmthard(8) to operate similarly. It also adds a new -f option which is required if the disk contains an unmounted file system, an exported pool, or a potentially active pool. Without the flag the command reports that the device is in use, with the appropriate message and then exits. With the flag the message is still printed but the disk is relabelled.

Networking Features

Internet Key Exchange Version 1 (IKEv1) EOF announcement

IKEv1 was first delivered with Solaris 9 and was also available as part of the SunScreen firewall appliance. As of April 2023, IKEv1 is considered deprecated and historic by the IETF, as documented in RFC 9395.

IKEv2 is the replacement technology and it was delivered in Solaris 11.2.

SRU 84 separates IKEv1 from the pkg:/system/network/ike package into the new pkg:/system/network/ike-v1 and delivers the latter with legacy metadata in preparation for removal in a future SRU. pkg:/system/network/ike continues to deliver IKEv2.

IPQoS moved to legacy status, pending removal

IPQoS is an implementation of Differentiated Services (DiffServ), designed to mark and classify packets arriving at edge routers with flags in the DiffServ field of the IP header for packet classification purposes. Such flags are used to determine packet forwarding priority within a DiffServ enabled network and other characteristics such as class which translates to a probability of the packet being dropped.

Oracle Solaris 11.4 provides some features such as flows and Edge Virtual Bridging, the combination of which provide for bandwidth reservation locally and through the network, though these do not however provide all features of a DiffServ enabled network.

In Solaris 11.1, the following note was added to the ipqosconf(1m) man page:

The IPQoS facility may be removed in a future release. Users are encouraged to migrate to dladm(8), dlstat(8), flowadm(8), and flowstat(8), which support similar bandwidth resource control features.

In SRU 84, the legacy metadata was added to the manifest for pkg://solaris/system/network/ipqos and we plan to remove it in a future Solaris 11.4 SRU.

Performance and Observability

Restoring truss(1) behavior to exit with the child’s exit code

SRU 84 reintroduced truss(1) returning the exit code of the trussed process. Other ptools like ptime(1) and ppriv(1) also return the exit code and this allows the use of such a ptool command to prefix commands in scripts without having to workaround the previous behavior of truss(1) always returning 0 unless used with incorrect options.

This was always the original intention but when the -f option was added to truss long ago, an extra truss process was created for each forked process; and without thinking about the other repercussions, sigset(SIGCLD, SIG_IGN) was added to not to accumulate truss zombies. However, that change also ignored that the ability to catch the original child’s status was gone.

After careful consideration, it was decided to restore the original behavior which allows for flow control in scripts based on the exit code of the trussed child, while properly dealing with finished truss children.

The truss(1) manual page was also missing documentation of the exit status. The “EXIT STATUS” section was added which documents this once and future behavior delivered with this SRU.

Stats Store Threshold alerts for /tmp usage

Filling or overuse of tmpfs filesytems can cause performance and availability problems. To help notify admins before this becomes a problem, SRU 84 provides two new sstore(7) thresholds for /tmp:

percentage capacity threshold with a limit of 95%:

//:class.fs//:res.mountpoint//tmp//:stat.capacity

large use threshold with a value of 10G:

//:class.fs//:res.mountpoint//tmp//:stat.used

These specifically monitor only /tmp and not other tmpfs filesystems such as /system/volatile.

Virtualization Features

Timeout values for LDoms vdisk can now be changed dynamically

SRU 84 now allows using the ldm set-vdisk subcommand to set the timeout property for a virtual disk while the domain using the vdisk is active. This can be used, for example, if a vdisk transaction is stuck waiting while the associated vdisk server(s) are not active. If the timeout is set to zero, the vdisk client will wait forever. With this feature, the user can now run “ldm set-vdisk timeout=some-non-zero-value ...” to change the timeout immediately, and force the transaction to terminate.

System Management Features

Improved nscd resilience

The name service cache (nscd) has already been very stable and resilient, rarely hanging or failing while returning 100k+ cached results per second, but there were edge cases that could cause issues in certain situations. This SRU addressed those edge cases to improve nscd reliability.

The nscd service now starts up two processes, a monitor process (reported as nscd by process monitoring tools), and the main process that handles name service lookups (reported as nscd-worker).

Installation and Software Management Features

csh refactored to new package pkg:/legacy/shell/csh

In Oracle Solaris 11.4.0, /usr/bin/csh was moved to /usr/sunos/bin/csh, and a pkg mediator for csh was added with values of suncsh and tcsh and a default vendor-priority for suncsh.

Prior to SRU 84, csh was in pkg:/system/core-os, which is always installed and cannot be removed. Starting in SRU 84, /usr/sunos/bin/csh and /usr/sunos/bin/which are delivered in the new package pkg:/legacy/shell/csh. This allows systems to be installed without it.

To ensure that csh continues to be installed and present by default on upgrade a group depend action was added to pkg:/system/core-os. This does allow removing or avoiding the install via admin action.

This SRU does not change the install time default value of the csh mediator, but it does inform the admin that we intend to do so in the future via the following pkg release note:

NOTICE: The default /usr/bin/csh mediator value may be changed to tcsh in a future release of Oracle Solaris. This legacy version of csh may be removed in a future release of Oracle Solaris.

Enhancements for Developers

file(1) utility enhanced to identify the presence of CTF

Previously, when examining an executable or shared object, the file utility would report whether it is stripped, and if there is debug information:

% file /usr/bin/ls
/usr/bin/ls: ELF 64-bit LSB dynamic lib AMD64 Version 1 [SSE2 SSE], position-independent executable, dynamically linked, not stripped, no debugging information available

In this context, “debugging information” refers to the DWARF or stabs sections produced by the compilers for use by their associated source-level debuggers, which are dbx for Studio, and gdb for gcc.

In SRU 84, the file command was enhanced to also report on the presence of CTF type information, used by dtrace and the mdb debugger:

% file /usr/bin/ls
/usr/bin/ls: ELF 64-bit LSB dynamic lib AMD64 Version 1 [SSE2 SSE], position-independent executable, dynamically linked, not stripped, no debugging information available, CTF present

Translation of GNU CTF from gcc to Solaris CTF

Support was added in SRU 84 for translating the variant of CTF produced by the gcc compilers (GNU CTF) to Solaris CTF. In doing so, the need to run ctfconvert was eliminated, and CTF produced by gcc can be sent directly to ctfmerge, or to ld -zctf. The ctfdump utility was enhanced to recognize GNU CTF, and dump it properly, allowing it to be examined.

A new man page, ctf(7), was added to provide the high-level “how to” information, and the manual pages ctfconvert(1), ctfdump(1), ctfmerge(1), and ld(1) were updated.

Other Changes

Significant FOSS Updates

libsodium & PHP sodium extension added

The libsodium cryptography library and associated Sodium PHP extension have been added as requested by several customers. 

Node.js 22 added for x86 systems

Version 22 of the Node.js platform is now available alongside the previously delivered version 20. Upstream support for version 20 is scheduled to end in April 2026, and it is planned for removal in a future Solaris 11.4 SRU, so users should begin their migrations to version 22 now.

Before Upgrading to SRU 84

Migration from DSA to newer SSH key types

SRU 84 upgrades OpenSSH from version 9.6 to 10.0. OpenSSH 10 has completely removed support for the DSA signature algorithm, which was available, but disabled by default in OpenSSH 7 through 9 releases.

Users relying on ssh-dss keys for passwordless logins need to set up keys using newer algorithms, before updating to this SRU. For connections to machines running SunSSH on Solaris 11.3 or older, an ssh-rsa key will be required.

See the OpenSSH 10 release notes for information on other potentially incompatible changes from this upgrade.

Preparation for Upcoming SRUs

The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

Migration from MySQL 8.0 to 8.4

SRU 78 added packages for version 8.4 of the MySQL database alongside the existing packages for version 8.0. Upstream support for MySQL 8.0 is scheduled to end in April 2026 and it is planned for removal in a future Solaris 11.4 SRU. Administrators of MySQL 8.0 databases should follow the instructions in MySQL 8.4 Reference Manual: Upgrading MySQL to migrate their databases to version 8.4 before upgrading to an SRU in which 8.0 has been removed.

Migration from PCRE to PCRE2

SRU 84 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of SRUs. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.

Migration from Python 3.9 to 3.11 or 3.13

SRU 84 provides packages for Python versions 3.9, 3.11, and 3.13. Upstream support for Python 3.9 will end in October 2025. Python 3.9 will be removed in a future SRU. All locally built applications and ISV applications that use the system provided Python 3.9 need to migrate to a later version as soon as possible. See Porting to Python 3.10, Porting to Python 3.11, Porting to Python 3.12, and Porting to Python 3.13 to help with this. Migration of Solaris delivered core functionality is ongoing and is being delivered incrementally over a number of SRUs.