Oracle Solaris 11.4 SRU63 is now available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This document provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.

Security and Compliance Features

Extended audit record by kerberos principal

The per-file audit record for files accessed on mounted kerberized NFS shares was extended to add the Kerberos principal to the subject token which holds information about the user.

The audit.log(5) and ucred_get(3C) man pages were updated with more information.

sxadm(8) update for AMD’s BTC_NO and Intel SMEP

The sxadm status command now displays the status of the SMEP extension to report whether Supervisor Mode Execution Prevention (SMEP) is enabled, which is automatically selected on all Intel and AMD processors with hardware support. (SMEP has been enabled since Oracle Solaris 11.1 on Intel’s Ivy Bridge and later processors, but was not previously reported by the sxadm command.)

SRU 63 also added the BTC_NO extension for AMD processors that will be listed as enabled if the processor is not susceptible to the Branch Type Confusion vulnerability (CVE-2022-23825).

Data Management Features

ZFS delegatable column for the “zfs help -l properties” command

The zfs_allow(8) man page includes a list of properties that can have delegated permissions set on them. That information is now also available in the output of the zfs help -l properties command.

The zfs help -l properties command already had columns listing YES or NO to what properties can be edited and what properties can be inherited. This SRU adds to the zfs help -l properties output a column titled “DELEG” which includes a YES/NO value showing whether a ZFS property is delegatable.

ZFS Filesystem Retention Autodelete and Hold

SRU 63 adds options to ZFS File Retention for what happens after the retention of a file (rtime) expires. Normally after retention expires, the file is left alone, but may be deleted by a process with the appropriate privileges.

A ZFS property named retention.policy.onexpiry was added to allow some options for what to do when rtime is passed. retention.policy.onexpiry may be set to “off”, “delete”, or “hold”.

If retention.policy.onexpiry is set to “delete”, retained files are automatically deleted after their retention has expired.

If retention.policy.onexpiry is set to “hold”, files with expired retention are treated as if retention has not expired and deleting them continues to be blocked. With this property set to “hold”, a filesystem with mandatory retention policy and its pool are blocked from destruction.

For more information, see the updated zfs(8) and zpool(8) man pages.

ZFS Filesystem Retention Changing ACL

SRU 63 adds the option to ZFS File Retention to allow users to change file permissions and ACLs other than write on a retained file. Prior to this, permissions could not be altered on retained files.

A new ZFS property named retention.policy.changeacl may be set to “on” or “off” to control this.

For more information, see the updated zfs(8) man page.

SMB1 client repackaged and moved to legacy state

Solaris includes an SMB client that allows access to remote SMB file shares. This client only supports version 1 of the SMB protocol. The SMB1 protocol is outdated and insecure and its use is not recommended.

In SRU 63, the SMB packages in Solaris were refactored to isolate the SMB1 client (smbfs) into its own package so that it does not have to be installed anymore if it is not wanted. This package was also marked as legacy.

The files needed by the SMB server are now included in the service/file-system/smb package and objects needed by the SMB1 client are now in the system/file-system/smb package. A new package system/file-system/smb/common was created that contains files that are needed by both the SMB server and the SMB1 client.

The group/feature/storage-server package used to include both service/file-system/smb and system/file-system/smb. This package was updated to remove the SMB1 client. It also now includes system/file-system/smb/common instead of system/file-system/smb.

Networking Features

Support for svc:/network/service:default configuration of DNS client “search” parameter by a dhcp4 server supplied option

The Solaris 11.4 dhcp client, in conjunction with the svc:/network/service SMF service, supports configuration of the DNS client default instance “search” list parameter based on an option supplied via dhcp6 servers. Up until now, equivalent functionality was not provided for DNS client “search” list configuration via dhcp4 servers. This support has been added in SRU 63.

See the updated dhcp_inittab(5) and dhcpinfo(1) manual pages for more information.

The snoop(8) command was also updated to decode the dhcp4 option 119 in a similar format to the existing decoding of the dhcp6 option 24. Wireshark already decoded these options.
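The following decoder shows what a dhcp4 option 119 payload contains. It is an added example, not Oracle's snoop or dhcp client code, and it assumes the RFC 3397 encoding (DNS-encoded names with compression pointers relative to the start of the option payload). The function names and the sample bytes are constructed for illustration.

```python
from __future__ import annotations

def _read_name(buf: bytes, pos: int) -> tuple[str, int]:
    """Read one DNS-encoded name starting at pos; return (name, next offset)."""
    labels, resume, seen = [], None, set()
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length = buf[pos]
        if length == 0:                      # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if pos + 1 >= len(buf):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if resume is None:
                resume = pos + 2             # next name starts after the first pointer
            if target in seen or target >= len(buf):
                raise ValueError("bad compression pointer")  # loop or out of range
            seen.add(target)
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if pos + 1 + length > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels), (pos if resume is None else resume)

def decode_search_list(payload: bytes) -> list[str]:
    """Decode the concatenated payload of DHCPv4 option 119 into a search list."""
    names, pos = [], 0
    while pos < len(payload):
        name, pos = _read_name(payload, pos)
        names.append(name)
    return names

# Constructed sample: "eng.example.com", then "marketing" plus a pointer to
# offset 4, where the "example.com" suffix of the first name begins.
SAMPLE = b"\x03eng\x07example\x03com\x00\x09marketing\xc0\x04"

if __name__ == "__main__":
    print(decode_search_list(SAMPLE))
```

A decoder for data supplied by a DHCP server has to reject pointer loops and truncated labels rather than follow them, which is what the ValueError paths do.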

Performance and Observability

prstat use of “sys” and “usr” as additional sort keys

Until now, prstat could sort output only by CPU usage as a whole (SYS+USR), which is the default. Starting in SRU 63, prstat(8) can also sort by either SYS or USR usage by specifying the sys or usr keywords for the -s option. The manual page for prstat(8) has additional details.

Virtualization Features

New v12n_get_env_type() function for libv12n

To simplify the process of finding out the type of virtualization environment a program is running in, a new function named v12n_get_env_type() was added which returns an integer (enum) describing the type of virtualization environment, using the virt_env_t defined in /usr/include/sys/virt.h. See the v12n(3ext) manual page for details.

Strict Mode for Live Memory Reconfiguration for Kernel Zones

SRU 63 now offers a new optional Live Memory Reconfiguration (Memory LZR) mode called “strict” which treats the Memory LZR operation as successful only if the final memory configuration matches the requested one.

The strict mode is enabled by setting the newly introduced capped-memory:memlzr property to the value strict. The property is available only for the solaris-kz brand and is not set by default. To restore the default behavior and accept partial success again, clear the property via select capped-memory; clear memlzr.

See the updated solaris-kz(7) and zonecfg(8) manual pages for further information.

System Management Features

Automated LDAP setup for use with an Active Directory domain

Active Directory (AD) is typically used as the directory service for Windows users whereas LDAP has been used as the directory service for POSIX / Linux / Solaris users. We are seeing more customers who want to use AD for both Windows and POSIX users. This could be manually configured in previous SRUs, but this SRU simplifies the work required.

A new adldap subcommand was added in the Solaris nscfg command to provide the functionality on a Solaris 11.4 global or non-global host instance. See the updated nscfg(8) man page and the Add Information About Creating an Active Directory and LDAP Client section of the Oracle Solaris 11.4 Documentation Update Addendum for more information.

ansible package replaced by ansible-core

As part of the upgrade to version 2.15, the system/management/ansible package was renamed to system/management/ansible-core to follow the upstream community changes.

OpenLDAP 2.6

OpenLDAP has been updated from the 2.4 release train to the 2.6 train in SRU 63. This change requires some special considerations. See Note 48 in the SRU 63 README and the openldap-transition.txt file for more information.

Temporarily disabling system reboot/halt

System admins sometimes need to ensure that “long running” jobs have completed before a reboot. To support this, SRU 63 has provided the ability for an authorised administrator to temporarily disable system reboot/halt by adding a new maintenance type to the existing sysadm maintain subcommand.

The default system policy can be set using the config/noreboot boolean property of the svc:/system/boot-config service.

If the pkg auto-update SMF service is enabled and configured to reboot the system it will not be able to do so if reboot is disabled.

Further information can be found in the updated versions of the halt(8), init(8), shutdown(8), and sysadm(8) manual pages.

Installation and Software Management Features

Legacy network utilities package split

The packages network/legacy-remote-utilities and service/network/legacy-remote-utilities have been split in SRU63 to allow better control over which servers and clients are installed, and to allow sites to remove the insecure legacy BSD sockets software while retaining the ONC-RPC software.

The new packages and their contents are:

network/legacy-remote-bsd-utilities: rcp, rdate, remsh, rlogin, rsh, ruptime, rwho, sunw,rcp
network/legacy-rpc-utilities: rup, rusers, rwall
service/network/legacy-remote-bsd-services: in.rexecd, in.rlogind, in.rshd, in.rwhod
service/network/legacy-rpc-services: rpc.rstatd, rpc.rusersd, rpc.rwalld

These packages are not included in the solaris-auto-install, solaris-desktop, and solaris-large-server groups as their predecessors had been, so sites that still need these will need to add them to the list of packages to install on fresh installations.

Enhancements for Developers

GCC 13 added

Version 13 of the GNU Compiler Collection has been added in SRU 63. See https://gcc.gnu.org/gcc-13/changes.html for more information on the changes in this family of compilers.

Preparation for Upcoming SRUs

The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

GCC 10 marked legacy

The packages for the version 10 GNU compilers have been marked as legacy in preparation for their removal in a later SRU.

Users of the gccgo compiler need to note that the removal of GCC 10 will also include the removal of the libgo.so.16 library used by Go programs compiled with GCC 10, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to the SRU that removes it.

Migration from MySQL 5.7 to 8.0

SRU 63 provides packages for both versions 5.7 & 8.0 of the MySQL database. Upstream support for MySQL 5.7 ended on October 25, 2023, and it is planned for removal in a future Solaris 11.4 SRU. Administrators of MySQL 5.7 databases should follow the instructions in MySQL 8.0 Reference Manual: Upgrading MySQL to migrate their databases to version 8.0 before upgrading to an SRU in which 5.7 has been removed.

Migration from OpenSSL 1.0.2 to 3.0

SRU 63 provides packages for both versions 1.0.2 & 3.0 of the OpenSSL libraries. OpenSSL 1.0.2 will be removed in a future SRU, likely no earlier than the January 2024 SRU. All locally built applications and ISV applications that use the system-provided OpenSSL 1.0.2 need to migrate to OpenSSL 3.0 as soon as possible. Migration to OpenSSL 3 of Solaris-delivered core functionality and FOSS is ongoing and will be delivered incrementally over a number of SRUs.

Migration from Python 3.7 to 3.9 or 3.11

SRU 63 provides packages for Python versions 3.7, 3.9, and 3.11. Upstream support for Python 3.7 ended on June 27, 2023. Python 3.7 will be removed in a future SRU. All locally built applications and ISV applications that use the system provided Python 3.7 need to migrate to a later version as soon as possible. Migration of Solaris delivered core functionality and FOSS is ongoing and will be delivered incrementally over a number of SRUs.