What’s New in Oracle Solaris 11.4 SRU 69

Oracle Solaris 11.4 SRU 69 is now available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.

Security and Compliance Features

SSH Configuration via fragment files

sshd(8) now also reads configuration fragments from /etc/ssh/sshd_config.d/*.conf in addition to /etc/ssh/sshd_config, so local settings can be added without editing the packaged file. Note that OpenSSH uses the first value it obtains for each keyword, so whether a fragment or a setting in /etc/ssh/sshd_config takes precedence depends on where the fragments are included; verify the effective value with the -T option of sshd(8) rather than assuming the fragment wins.

The equivalent /etc/ssh/ssh_config.d/*.conf fragments were also added for the ssh(1) client, even though the client tends to be configured system-wide less often.
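As an added example (not code from the Oracle post or from Solaris), the following writes a local hardening fragment into the drop-in directory and then lists every keyword that is set in more than one of the main file and the fragments, which is where first-value-wins precedence bites. It assumes standard OpenSSH parsing rules and takes the main file and fragment directory as parameters so it can be run against copies; on SRU 69 the real paths are /etc/ssh/sshd_config and /etc/ssh/sshd_config.d.

```sh
#!/bin/sh
# Added example, not code from the Oracle post or from Solaris.
# Assumptions: standard OpenSSH parsing (the first value obtained for a
# keyword wins) and that fragments are read from the directory passed as $2;
# on SRU 69 that directory is /etc/ssh/sshd_config.d.

# Write a local hardening fragment into the drop-in directory.
write_hardening_fragment() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/50-local-hardening.conf" <<'EOF'
# Local hardening kept out of the packaged /etc/ssh/sshd_config.
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# Print "keyword file..." for every keyword set in more than one of the main
# file and the fragments.  Comments, blank lines and everything from the
# first Match block onward are skipped (Match sections scope their own
# keywords).  Keywords are case-insensitive and may be written either as
# "Key value" or as "Key=value".
sshd_duplicate_keywords() {
    main=$1
    dir=$2
    for f in "$main" "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }
            tolower($1) == "match"    { exit }
            { split($1, kv, "="); print tolower(kv[1]), file }
        ' "$f"
    done | sort | awk '
        { files[$1] = files[$1] " " $2; count[$1]++ }
        END { for (k in count) if (count[k] > 1) print k files[k] }
    ' | sort
}
```

After dropping a fragment in place, run sshd with -t to check the syntax and with -T to print the effective configuration; a keyword reported by sshd_duplicate_keywords should be checked there to confirm which of the two values is actually in force.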

sxadm(8) update for Intel Gather Data Sampling Vulnerabilities

New sxadm(8) extensions are added for mitigations for Intel’s Gather Data Sampling (GDS) vulnerability (CVE-2022-40982, aka “Downfall”):

  • GDS is a new extension for Intel machines that is enabled if the processor has a mitigation available for the GDS vulnerability. The mitigation becomes available once the CPU has been updated with Intel’s 2023.3 or later microcode release (the microcode is also delivered in this SRU for systems whose firmware has not been updated to a level that includes it).
  • GDS_NO is a new read-only extension that is enabled if the CPU is not vulnerable to GDS. This feature bit is always shown as enabled on SPARC and AMD systems, since they are not susceptible to GDS, and is also enabled on Intel CPUs that are no longer vulnerable after Intel’s 2023.3 microcode release has been applied.

The sxadm extensions were added in SRU 68, while the microcode update they depend on is included in SRU 69 for systems that have not already applied the firmware update from their hardware vendor; the microcode is loaded by the kernel at boot, so the mitigation takes effect once the system is running the new SRU. For more information, see the updated manual page for sxadm(8) and Oracle Solaris mitigations for Speculative Execution issues (My Oracle Support Doc ID 2578491.1).
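The question an operator actually needs answered is whether a given host is covered against GDS, which is true when either extension is enabled. The following is an added example, not code from the Oracle post or from sxadm itself; it assumes that `sxadm status -p` prints one colon-separated record per extension whose first two fields are the extension name and its status, and that the two extensions appear under the lowercase names gds and gds_no. Both assumptions should be confirmed against sxadm(8) on the target SRU before the check is relied on.

```sh
#!/bin/sh
# Added example, not from the Oracle post.  Assumptions: `sxadm status -p`
# prints one colon-separated record per extension whose first two fields are
# the extension name and its status, and the GDS extensions are listed under
# the lowercase names gds and gds_no; confirm both against sxadm(8).

# Read sxadm records on stdin.  Exit 0 if gds is enabled (microcode
# mitigation active) or gds_no is enabled (CPU not affected), 1 if they are
# present but neither is enabled, 2 if neither extension is reported at all
# (an sxadm older than SRU 68, or a different output format).
gds_status() {
    awk -F: '
        { ext = tolower($1); st = tolower($2) }
        ext == "gds" || ext == "gds_no" {
            seen = 1
            if (st ~ /^enabled/) ok = 1
        }
        END {
            if (!seen) { print "gds/gds_no not reported by sxadm"; exit 2 }
            if (ok)    { print "GDS: mitigated or not applicable"; exit 0 }
            print "GDS: NOT mitigated; load the SRU 69 microcode or vendor firmware and reboot"
            exit 1
        }'
}

# Query the running system.
gds_check_host() {
    sxadm status -p | gds_status
}
```

A non-zero result on an Intel host that has already been updated to SRU 69 means the CPU is still running pre-2023.3 microcode; checking the reported microcode revision (see ucodeadm(8)) is the next step before assuming the mitigation is present.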

Data Management Features

ZFS Filesystem Retention On-Expiry Delete Grace Period

The “retention.period.deletegrace” property was added to ZFS File Retention to allow setting a grace period between when a file’s retention expires and when onexpiry=delete will delete it. See the updated zfs(8) manual page for more information.

Automounter map auto-refresh

Up until now, automounter maps were loaded just once at service startup, so a long-running client would not notice changes to the maps (e.g. a new shared resource) until an administrator ran the automount command by hand or restarted the autofs service.

In SRU 69, the autofs service supports refresh: refreshing the service runs automount to reload the maps, and automountd gained a thread that runs automount periodically without operator intervention.

xvattr support for NFSv4

The NFSv4 client and server have been updated to support the system attributes that are supported by the NFSv4 protocol: CREATETIME, ARCHIVE, SYSTEM, HIDDEN, and RETENTIONTIME.

Most applications on Solaris are unaffected, since they could already reach these attributes through the extended attribute support in libc; the change additionally makes the attributes visible over NFSv4 to kernel operations such as shadow migration. The manual pages sysattr(7) and zfs(8) were updated with more information.

Networking Features

mDNS implementation replaced with Avahi 0.8

The multicast DNS/zeroconf implementation included in previous Solaris 11.4 SRUs, which was originally based on a port of Apple’s Bonjour software, has been replaced by Avahi version 0.8. The Avahi packages are pkg:/system/network/avahi and pkg:/system/network/avahi/gui. Since an mDNS responder answers multicast queries from the local link, review after the upgrade whether the Avahi daemon needs to run on hosts that do not use zeroconf, and carry over any restrictions that had been configured for the previous implementation.

IPv6 source address selection preference property

The “prefer-srcaddr” property was added to ipadm(8) to choose whether IPv6 source address selection prefers “temporary” addresses (as specified in IETF RFC 6724) or “public” addresses (as specified in IETF RFC 3484). The default value of “public” retains the behavior of prior Solaris 11.4 SRUs. Preferring temporary addresses improves privacy, because outbound connections originate from short-lived, rotating addresses, but it also means the source address seen by peers changes over time, which matters for address-based firewall rules and for log correlation. To select the RFC 6724 behavior:

root# ipadm set-prop -p prefer-srcaddr=temporary ipv6

See the updated manual pages for inet6(4P) and ipadm(8).

Performance and Observability

ps(1) now accepts -I for ISO 8601 time format

The ps command now accepts the -I flag to display the start time (“STIME”) column in an ISO 8601 format. Alternatively, the sitime keyword can be passed to the -o option to specify a start time in an ISO 8601 format. See the ps(1) man page for more information.

Virtualization Features

zoneadm(8) log subcommand

This SRU adds the “log” subcommand to zoneadm(8), which displays a zone’s log files from the global zone. Users who have been delegated the “manage” RBAC authorization for a zone can read its logs this way even when the log files are restricted to root inside the zone. The zoneadm(8) man page was updated with more information.

Non-global zones on ZVOLs

The “rootzpool” and “zpool” resources of zonecfg(8) now support ZVOL based URIs, including the “create-size” property, for both the solaris and solaris10 branded zones. For more information, see the updated zonecfg(8) manual page.

dev:zvol/dsk/* storage URIs with lofi layer and create/destroy operation

Storage URIs, documented in the suri(7) manual page, now support an optional lofi layer for ZVOL based URIs. Note that a lofi layer is required to fully support ZFS pools on top of ZVOLs. This is used to add support for non-global zones on top of ZVOLs. The suriadm(8) and suri(7) manual pages were updated with details.

System Management Features

smtp-notify(8) now allows setting From: header

In previous SRUs, smtp-notify(8) allowed setting the values of the To: and Reply-To: headers in the email messages it generates. This SRU adds From: to the list of headers that can be set. Choose a From: address that the outbound mail relay is permitted to send for; otherwise SPF or DMARC checks on the receiving side may reject the notifications. For example:

root# svccfg setnotify problem-diagnosed "mailto:user@domain?from=user@domain&reply-to=user@domain"

ldapservercfg(8) to use Default System TLS Certificate

ldapservercfg(8) now configures OpenLDAP’s slapd(8) to use the Default System TLS Certificate as created by svc:/system/identity:cert. A new transient SMF instance svc:/network/ldap/identity:openldap is now enabled if slapd-config is configured to use the system identity certificate. The new service restarts svc:/network/ldap/server:openldap if the system certificate created by svc:/system/identity:cert changes. The manual pages for ldapservercfg(8) and identity(8s) were updated.

Installation and Software Management Features

Python environment marked as externally managed

Starting with Oracle Solaris 11.4 SRU 69, the Python system environment is marked as externally managed, as defined in PEP 668. This means that tools like pip will no longer install or modify Python packages in the directories that system applications import from. pip can be forced past this check with its --break-system-packages option, but doing so defeats the purpose of the protection and can break Solaris-delivered tools that depend on the system modules.

In order to keep the installation of Python applications as simple as possible, you can install the pipx tool. Python applications installed with pipx are fully isolated in their own virtual environment and hence cannot affect the system.

For further information see the Python package management going forward blog post, or /usr/share/doc/release-notes/python-externally-managed-detail.txt on a system running SRU 69 or later.
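PEP 668 is implemented by a marker file named EXTERNALLY-MANAGED in the interpreter’s standard-library directory; pip refuses to install into an interpreter whose stdlib carries it, and prints the file’s text as the reason. The following added example (not code from the Oracle post or from the Solaris Python packages) locates that marker so an administrator can tell which interpreters on a host are protected and which are not; it assumes the interpreter is invoked as python3.

```sh
#!/bin/sh
# Added example, not from the Oracle post or the Solaris tools.  PEP 668 is
# implemented by a marker file named EXTERNALLY-MANAGED in the interpreter's
# standard-library directory; pip refuses to install into an interpreter
# whose stdlib carries it.  "python3" is the assumed interpreter name.

# Exit 0 and print the marker path if DIR carries the PEP 668 marker,
# exit 1 if it does not.
stdlib_is_externally_managed() {
    marker="$1/EXTERNALLY-MANAGED"
    if [ -f "$marker" ]; then
        printf '%s\n' "$marker"
        return 0
    fi
    return 1
}

# Resolve an interpreter's stdlib directory and test it.  Exit 2 if the
# interpreter cannot be run at all.
py_is_externally_managed() {
    py=${1:-python3}
    stdlib=$("$py" -c 'import sysconfig; print(sysconfig.get_path("stdlib"))') || return 2
    stdlib_is_externally_managed "$stdlib"
}

# Report every interpreter given on the command line, e.g.
#   report_interpreters python3.9 python3.11
report_interpreters() {
    for py in "$@"; do
        if marker=$(py_is_externally_managed "$py"); then
            printf '%s: externally managed (%s)\n' "$py" "$marker"
        else
            printf '%s: not marked, pip may write into its site-packages\n' "$py"
        fi
    done
}
```

An interpreter that is not marked is one where a stray pip install can still shadow system modules. For applications, pipx install places each tool in its own virtual environment; for modules that Solaris-delivered software should see, the supported route remains the pkg system rather than pip.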

modinfo(8) additions: SYS field, -x, -h/--scale, -?/--help options

The modinfo(8) utility was extended with the ability to distinguish kernel modules built and delivered with Solaris from those delivered from other sources. This is displayed via a new SYS field that replaces REV in the default output. The new -x option limits the output to non-system objects, which gives a quick inventory of third-party kernel modules when auditing a host or triaging an incident.

Options were also added to modinfo(8) to display scaled values in the SIZE column (-h/--scale) and to print help for the command (-?/--help). The modinfo(8) manual page was updated to cover all these changes.

Enhancements for Developers

Support for preadv() and pwritev() system calls

Up until now, Solaris supported the read(), pread(), readv(), write(), pwrite(), and writev() system calls, but not preadv() and pwritev(). As more and more FOSS relies on those two functions, they were added in this SRU. They combine scatter/gather I/O with an explicit file offset, so threads sharing a descriptor can perform positioned vectored I/O without an lseek() call that another thread could race. The read(2), write(2), and lf64(7) manual pages were updated with details.

TIOCGWINSZ on new pseudo tty does not return EINVAL

Previously, a newly created pseudo terminal returned EINVAL from the TIOCGWINSZ ioctl if the size was queried before TIOCSWINSZ had been used to set it. This differed both from ordinary terminals and from most other OSes, which return a size of (0, 0) rather than an error. Since the discrepancy confused Python, Solaris now does what the other OSes do and returns (0, 0).

mdb enum annotations

There are a number of places where enum values are stored in non-enum types. To annotate those values, rather than using mdb_annotate_uint() which requires an mdb_bitmask_t with the enum values, a new helper, mdb_annotate_enum(), was added.

mdb search path for kernel crash dumps extended

Up until now, when given a numerical argument mdb only searched the current directory for a system crash dump with that suffix. The search path has been extended so that mdb also looks in the current directory for a directory named after that suffix and searches in there. If that fails, it then searches the directory configured for crash dumps by dumpadm(8), again looking in a subdirectory named after the suffix.

If mdb is given the argument “latest” and there is no file called “latest” in the current directory mdb will follow a similar search, looking in the current directory and then in the system crash dump directory for a directory called “latest”, and then finding the newest system crash dump in that directory.

New MDB_OPT_FLAGS option for mdb_getopts

A new mdb_getopts() option, MDB_OPT_FLAGS, was added. If MGF_QUIET is set in the mdb_getopt_opt_t passed with it, mdb_getopts() returns silently when it fails to parse the options, allowing the dcmd to do its own processing of the arguments.

Desktop Features

GNOME 45

Much of the GNOME desktop in Solaris has been updated to version 45. Upgrades to individual applications will continue in future SRUs.

If you use the default desktop session, you will notice some cosmetic changes, the most noticeable being the ‘Activities’ indicator at the top left being replaced by a workspace indicator icon. The upstream community is migrating more and more applications to GTK4, so as we update the existing GNOME applications in Solaris in upcoming releases you may notice changes in the look and feel.

Preparation for Upcoming SRUs

The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

Migration from OpenSSL 1.0.2 to 3.0

SRU 69 provides packages for both version 1.0.2 and version 3.0 of the OpenSSL libraries. OpenSSL 1.0.2 will be removed in a future SRU, likely no earlier than the January 2025 SRU; upstream support for 1.0.2 ended in December 2019. All locally built applications and ISV applications that use the system-provided OpenSSL 1.0.2 need to migrate to OpenSSL 3.0 as soon as possible. Migration of Solaris-delivered core functionality and FOSS to OpenSSL 3 is ongoing and continues to be delivered incrementally over a number of SRUs.

Migration from Python 3.7 to 3.9 or 3.11

SRU 69 provides packages for Python versions 3.7, 3.9, and 3.11. Upstream support for Python 3.7 ended on June 27, 2023. Python 3.7 will be removed in a future SRU. All locally built applications and ISV applications that use the system provided Python 3.7 need to migrate to a later version as soon as possible. Migration of Solaris delivered core functionality has been delivered incrementally over a number of SRUs.

After upgrading to SRU 69, the packages for each Python version, both the runtime and the per-version FOSS modules, are grouped into an incorporation specific to that version of Python, for instance runtime/python-37-incorporation. A system that must keep an unsupported Python version installed past the SRU in which it would normally be removed can then unlock and freeze that single incorporation instead of having to do so for every package it incorporates.

Migration from PCRE to PCRE2

SRU 69 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of SRUs. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.