Oracle Solaris 11.4 SRU 72 is now available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.

Security and Compliance Features

audit_syslog output enhanced for file access events

New fields were added to audit records for per-file access events:

proto name
name is the protocol identifier. For example “NFS” or “SMB”.
access mode
mode is the access mask (in hex) that was used when accessing the audited object.

The body of the syslog message now contains the fields proto and access if the event was generated by remote per-file access. For example:

          Apr 13 22:20:58 loghost audit: [ID 702911 audit.notice]
          unlink(2) ok proto SMB access 0x10000 by user1@mydomain.com as
          user1@mydomain.com:Domain Users@mydomain.com from
          server.example.com obj /export/share/file1

For more details, see the updated audit_syslog(7) man page.

p_event_ts option to enable event timestamps in audit_syslog

Historically, the timestamp in a syslog message has been added by the log infrastructure and is the time the syslog message arrived at that particular logger which could be very different to the time the event actually happened. Audit records include a timestamp for when the event occurred, but that has not been available when using the audit_syslog module to write audit records to syslog.

The new p_event_ts property for configuring the audit_syslog module adds the actual event timestamp from the audit record to the syslog message, in UTC using an ISO8601 format. For example:

          Aug  4 09:51:02 loghost audit: [ID 702911 audit.notice]
          2023-08-04T08:49:06 su failed session 3197120401 by alice as
          root:staff in global from server.example.com root


For more details, see the updated audit_syslog(7) man page.
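The two message shapes shown above (the proto/access fields on remote per-file events, and the leading ISO8601 event timestamp when p_event_ts is set) are easy to consume once you know where each token sits. The following parser is an added example and is not code from the SRU or from Oracle: it uses the page's two example messages rejoined onto single lines plus one constructed local-access line, and the regular expressions, the AuditRecord class and the function names are assumptions about the audit_syslog(7) layout, not a specification of it.

```python
"""Parser for Oracle Solaris audit_syslog(7) messages, including the SRU 72 fields.

Added example: regexes and names below are assumptions about the message layout.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed sample input: the two examples from the SRU 72 notes, rejoined
# onto single lines, plus one constructed local (non-remote) file event.
SAMPLE_LINES = [
    "Apr 13 22:20:58 loghost audit: [ID 702911 audit.notice] unlink(2) ok proto SMB "
    "access 0x10000 by user1@mydomain.com as user1@mydomain.com:Domain Users@mydomain.com "
    "from server.example.com obj /export/share/file1",
    "Aug  4 09:51:02 loghost audit: [ID 702911 audit.notice] 2023-08-04T08:49:06 su failed "
    "session 3197120401 by alice as root:staff in global from server.example.com root",
    "Apr 13 22:21:10 loghost audit: [ID 702911 audit.notice] open(2) - read ok by bob "
    "as bob:staff in global from server.example.com obj /etc/passwd",
]

SYSLOG_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) audit: "
    r"\[ID \d+ audit\.\w+\] (?P<body>.*)$"
)
# Leading ISO8601 UTC event timestamp, present only when p_event_ts is enabled.
EVENT_TS_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<rest>.*)$")
EVENT_RE = re.compile(r"^(?P<event>.+?) (?P<outcome>ok|failed)\b")
# New in SRU 72: only present for remote per-file access (NFS, SMB, ...).
PROTO_RE = re.compile(r"\bproto (?P<proto>\S+) access (?P<access>0x[0-9A-Fa-f]+)")
# 'as' value may contain spaces (e.g. "Domain Users"), so it runs up to the
# optional zone and the mandatory 'from' host.
ACTOR_RE = re.compile(
    r"\bby (?P<user>\S+) as (?P<as_user>.+?)(?: in (?P<zone>\S+))? from (?P<from_host>\S+)"
)
OBJ_RE = re.compile(r"\bobj (?P<obj>\S+)")


@dataclass
class AuditRecord:
    logger_host: str
    syslog_ts: str          # added by the logger; may lag the real event
    event: str
    outcome: str
    event_ts: Optional[datetime] = None   # from the audit record (p_event_ts)
    proto: Optional[str] = None
    access: Optional[int] = None          # access mask, decoded from hex
    user: Optional[str] = None
    as_user: Optional[str] = None
    zone: Optional[str] = None
    from_host: Optional[str] = None
    obj: Optional[str] = None

    @property
    def is_remote_file_access(self) -> bool:
        return self.proto is not None


def parse_audit_syslog(line: str) -> Optional[AuditRecord]:
    """Return an AuditRecord for one audit_syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    event_ts = None
    ts = EVENT_TS_RE.match(body)
    if ts:
        # The event timestamp is emitted in UTC; attach the zone explicitly.
        event_ts = datetime.fromisoformat(ts.group("ts")).replace(tzinfo=timezone.utc)
        body = ts.group("rest")
    ev = EVENT_RE.match(body)
    if not ev:
        return None
    rec = AuditRecord(logger_host=m.group("host"), syslog_ts=m.group("syslog_ts"),
                      event=ev.group("event"), outcome=ev.group("outcome"),
                      event_ts=event_ts)
    p = PROTO_RE.search(body)
    if p:
        rec.proto = p.group("proto")
        rec.access = int(p.group("access"), 16)
    a = ACTOR_RE.search(body)
    if a:
        rec.user, rec.as_user, rec.zone, rec.from_host = a.group(
            "user", "as_user", "zone", "from_host")
    o = OBJ_RE.search(body)
    if o:
        rec.obj = o.group("obj")
    return rec


def remote_file_events(lines: Iterable[str], proto: Optional[str] = None) -> List[AuditRecord]:
    """Keep only remote per-file access events, optionally for a single protocol."""
    out = []
    for line in lines:
        rec = parse_audit_syslog(line)
        if rec and rec.is_remote_file_access and (proto is None or rec.proto == proto):
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in remote_file_events(SAMPLE_LINES):
        print(rec.proto, hex(rec.access), rec.user, rec.obj)
```

When p_event_ts is enabled, use the parsed event_ts rather than the syslog prefix for timelines: the prefix is the logger's local receipt time and carries no year or zone, while the event timestamp is the record's own UTC time.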

pam_krb5 option to limit expiry warning period

Warnings of upcoming Kerberos password expiration are now only printed by default when the expiry date is within 30 days, to reduce noise where password lifetimes are set to much longer periods. A new warndays option allows customizing the period for which warnings are given. For more details, see the updated pam_krb5(7) man page.

Suricata introduced to replace Snort

Oracle Solaris currently includes version 2 of the Snort open source network intrusion prevention and detection system (IDS). Snort version 3 requires the LuaJIT language which does not support SPARC CPUs, so we have begun the End-of-Feature process to remove Snort from Solaris and starting with this SRU, are providing the Suricata package as a replacement. Suricata documentation can be found at https://docs.suricata.io/en/suricata-7.0.5/.

System Account Check Service

A new SMF service, svc:/system/check/user, was added to monitor the /etc/passwd and /etc/shadow files. At startup and on any modification of those files it verifies that the attributes of all system accounts defined in packages from the solaris publisher match the IPS user action definition, except for the password of the root account.

Any mismatched attributes are reported in the service log and the service will be placed into maintenance. Once the service is in maintenance it will not be able to run again until manually cleared or the system is rebooted. For systems registered with ASR this will cause an SR to be logged.

Data Management Features

ZFS clonedir mountpoints under .zfs/clone

Setting the mountpoint of a ZFS clone to clonedir will now cause that clone to be mounted under the head filesystem’s .zfs/clone directory. Doing a mkdir of a clone name in the .zfs/clone directory will create a snapshot of the dataset and then clone it. The zfs(8) man page was updated with more information.

TLS support for ICAP connections from Virus Scan service

ICAP connections from the Virus Scan service may now be made using TLS encryption. New use_tls, host_match, and trusted_certs_path properties have been added to the svc:/system/filesystem/vscan SMF service and can be set or queried via the vscanadm(8) command.

Networking Features

‘noresvport’ mount option for NFS

Prior to this SRU, Solaris has used port numbers less than 1024 to contact NFS servers. The new ‘noresvport’ mount option changes the NFS client to pick randomized port numbers starting at 1024, to avoid issues when multiple NFS clients using the same port number are behind the same NAT gateway. For more details, see the updated mount_nfs(8) man page.

Performance and Observability

iostat collection in Statistics Store

Storage subsystem related statistics usually accessed using iostat(8) are now also available in the Statistics Store (sstore) in a new collection called io-stats. This will allow output of these statistics in JSON format for further processing.

Mapping LDoms kstats into sstore and WebUI

SRU 72 maps data from various LDoms modules’ kstats into sstore SSIDs and adds three WebUI sheets: one for control domains, one for service domains, and one for guest domains. The LDoms Manager (ldmd) now also publishes stats directly to sstore, including the number of bound and active domains, available via sstore(1) and the WebUI. More information can be found in the new sheets available in WebUI’s Analytics page.

Per-device kstats for virtual storage drivers

This SRU added kstats representing IO metrics and error counters to drivers that run in a host’s Global Zone or a service domain and provide virtual disks (block volumes) to LDom guests or Kernel Zones:

  • vds (Virtual Disk Server)
  • host zvblk (Kernel Zone block driver)


Also added were per-device kstats for the vsan module, which cooperates with the sun4v vhba module to implement a virtual SCSI Host Bus Adapter (HBA) device.

kstat2 human-readable output does not URI encode anymore

The kstat2 command no longer uses URI encoding for special characters in the human-readable output mode (though it still does in the parseable and JSON output modes). For instance, a comma in a kstat name that was previously displayed as “%2C” is now shown simply as “,”.

Virtualization Features

vHBA protocol 1.3

This release updates the vHBA protocol version to 1.3, adding the ability to support both asynchronous I/O and pass-through reporting of transport status directly to the vHBA client simultaneously. Asynchronous I/O is now enabled by default for vHBA.

System Management Features

lastlog, utmpx, & wtmpx timestamp range extended from 2038 to 2106

Previously, these file formats used signed 32-bit integers representing the number of seconds since January 1, 1970 to record timestamps for login, logout, reboot, and similar events. Since no Solaris systems were operating prior to 1970, this SRU changes the definition of these file formats to use unsigned 32-bit integers, moving the range of representable timestamps from 1901–2038 to 1970–2106. The core OS software in Solaris has been modified to reflect this, but other software that reads from or writes to these files may need modification or recompilation with the updated system headers so that timestamps with the highest bit set are treated as post-2037 instead of pre-1970.
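The practical consequence is that the same four bytes on disk now mean a different instant to an old reader and a new one. The following added example (not code from the SRU or from Oracle) decodes a raw tv_sec field both ways and flags values an unupdated reader would misplace; it assumes a 4-byte native-order field and the helper names are its own.

```python
"""Decode a utmpx/wtmpx/lastlog 32-bit tv_sec field under the old (signed) and
new (unsigned) definitions.  Added example; field layout beyond the 4-byte
seconds value is not modelled."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pack_tv_sec(value: int) -> bytes:
    """Raw 4-byte field as stored on disk (native byte order), taken as unsigned."""
    return struct.pack("=I", value & 0xFFFFFFFF)


def decode_tv_sec(raw: bytes, unsigned: bool) -> datetime:
    """Pre-SRU-72 readers unpack '=i' (signed); SRU 72 and later unpack '=I' (unsigned)."""
    (secs,) = struct.unpack("=I" if unsigned else "=i", raw)
    # Arithmetic on an aware epoch avoids platform limits on negative timestamps.
    return EPOCH + timedelta(seconds=secs)


def misread_by_old_reader(raw: bytes) -> bool:
    """True when the high bit is set: an unupdated reader shows a pre-1970 date
    for what is really a post-2037 timestamp."""
    return bool(raw) and bool(struct.unpack("=I", raw)[0] & 0x80000000)


def representable_range(unsigned: bool) -> str:
    """Year span covered by the field under each definition."""
    lo = decode_tv_sec(pack_tv_sec(0 if unsigned else 0x80000000), unsigned)
    hi = decode_tv_sec(pack_tv_sec(0xFFFFFFFF if unsigned else 0x7FFFFFFF), unsigned)
    return f"{lo.year}-{hi.year}"


if __name__ == "__main__":
    raw = pack_tv_sec(0x80000000)  # first second past the old limit
    print("old reader:", decode_tv_sec(raw, unsigned=False))
    print("new reader:", decode_tv_sec(raw, unsigned=True))
```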

Enhancements for Developers

access(2) family of system calls always return EACCES for X_OK for ordinary files without any X bit set

Historically, the access(2) family of system calls on Unix reported that uid 0 had all access to files, including execute access (X_OK) on files with no execute bit set in their permissions. This caused various issues, so over time a number of other Unix-like systems have moved to reporting execute access for uid 0 only if at least one execute bit is set on a regular file, and the POSIX/UNIX standards encourage that behavior. Starting with this SRU, the access(2) system calls for accounts with a uid of 0 will return failure and set errno to EACCES if X_OK is checked and the target regular file has no execute bits set in its permissions.
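To see the check in practice, the following added example (not code from the SRU or from Oracle) calls access(2) through the C library so the errno is visible, which os.access() hides. It creates one 0644 data file and one 0755 script in a private temporary directory; the helper names are its own. Run as root on a system with the new behaviour, the 0644 file reports EACCES for X_OK; run as an ordinary user it reports EACCES on any system, since no bit grants that user execute.

```python
"""Probe access(2) X_OK semantics on files with and without execute bits.

Added example: probe_x_ok/run_probe are assumed helper names; the only system
interfaces used are access(2) via the C library and os.open/os.fchmod."""
import ctypes
import errno
import os
import tempfile
from typing import Dict, Tuple

_libc = ctypes.CDLL(None, use_errno=True)
_libc.access.argtypes = [ctypes.c_char_p, ctypes.c_int]
_libc.access.restype = ctypes.c_int


def probe_x_ok(path: str) -> Tuple[bool, str]:
    """Return (allowed, errno_name) from access(path, X_OK)."""
    rc = _libc.access(os.fsencode(path), os.X_OK)
    if rc == 0:
        return True, ""
    return False, errno.errorcode.get(ctypes.get_errno(), "?")


def _create(path: str, mode: int, data: bytes) -> None:
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    try:
        os.write(fd, data)
        os.fchmod(fd, mode)  # apply the mode exactly, regardless of the umask
    finally:
        os.close(fd)


def run_probe() -> Dict[str, Tuple[bool, str]]:
    """Create a 0644 data file and a 0755 script, probe both, clean up."""
    results: Dict[str, Tuple[bool, str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "data.bin")
        script = os.path.join(tmp, "run.sh")
        _create(plain, 0o644, b"not a program\n")
        _create(script, 0o755, b"#!/bin/sh\nexit 0\n")
        # No execute bit anywhere: EACCES for every uid, root included, under the new rule.
        results["no_exec_bits"] = probe_x_ok(plain)
        # Owner has execute: allowed for the creating user (and for root).
        results["exec_bits"] = probe_x_ok(script)
    return results


if __name__ == "__main__":
    for name, (ok, err) in run_probe().items():
        print(f"{name}: {'allowed' if ok else err}")
```

A program that gated privileged behaviour on access(path, X_OK) succeeding for root should be reviewed after the upgrade: it now fails for non-executable files, which is the intended result, but any fallback path that assumed root always passes will be exercised for the first time.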

IOV_MAX increased from 16 to 1024

The value of IOV_MAX in the <limits.h> header has been raised from 16 to 1024. This increases the number of members which may be passed in an iovec array in each call to the functions listed on the send(3c), recv(3c), write(2), and read(2) man pages. The higher value will also be returned when calling sysconf(_SC_IOV_MAX), except in Solaris 10 branded zones.
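Code that builds large iovec arrays should take the limit from sysconf(_SC_IOV_MAX) at run time rather than hard-coding 16 or 1024, since the value differs between native and Solaris 10 branded zones. The following added example (not code from the SRU or from Oracle) shows that pattern around writev(2): it batches buffers to the reported limit, handles short writes, and shows what a single call over the limit returns. The helper names are assumptions; the fallback of 16 is the pre-SRU-72 value from the text.

```python
"""Batch writev(2) calls to the platform IOV_MAX and handle short writes.

Added example; iov_max/writev_all/roundtrip/over_limit_errno are assumed names."""
import errno
import os
import tempfile
from typing import List, Optional


def iov_max() -> int:
    """Ask the running system; fall back to the old Solaris value if sysconf cannot say."""
    try:
        value = os.sysconf("SC_IOV_MAX")
    except (ValueError, OSError):
        return 16
    return value if value > 0 else 16


def writev_all(fd: int, buffers: List[bytes], limit: Optional[int] = None) -> int:
    """Write every buffer in order, at most `limit` iovecs per call, until all are written."""
    limit = limit or iov_max()
    pending = [memoryview(b) for b in buffers if b]
    total = 0
    while pending:
        n = os.writev(fd, pending[:limit])
        total += n
        while n:  # drop fully written buffers, trim a partially written one
            if n >= len(pending[0]):
                n -= len(pending[0])
                pending.pop(0)
            else:
                pending[0] = pending[0][n:]
                n = 0
    return total


def roundtrip(buffers: List[bytes], limit: Optional[int] = None) -> bytes:
    """Write `buffers` to a temporary file via writev_all and read the result back."""
    with tempfile.TemporaryFile() as f:
        writev_all(f.fileno(), buffers, limit)
        f.seek(0)
        return f.read()


def over_limit_errno() -> str:
    """errno name from one writev(2) with IOV_MAX+1 iovecs ('' if the kernel accepted it)."""
    with tempfile.TemporaryFile() as f:
        try:
            os.writev(f.fileno(), [b"x"] * (iov_max() + 1))
        except OSError as e:
            return errno.errorcode.get(e.errno, "?")
    return ""


if __name__ == "__main__":
    print("IOV_MAX:", iov_max(), "over-limit writev ->", over_limit_errno() or "accepted")
```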

LibYAML added

LibYAML, a YAML parser and emitter library, is now available in pkg:/library/libyaml. Documentation for it is available from the upstream website at https://pyyaml.org/wiki/LibYAML.

MDB annotations API additions

A new mdb_get_annotation_byval() function was added to the mdb API to get annotations for an immediate value instead of a target address as the mdb_get_annotation() function requires. A second new function, mdb_get_annotation_flags() allows specifying additional flags for the annotation to lookup, with the MGAF_NONE flag making it return the same value as mdb_get_annotation().

Additionally functions have been added to help annotation callbacks discover information about the item to be displayed. These functions are mdb_annotation_is_signed(), mdb_annotation_is_stack(), mdb_annotation_is_printf(), mdb_annotation_nbits(), and mdb_annotation_radix().

MDB constants API addition

In the mdb debugger, constants are immediate values that can be declared on the mdb command line and, more commonly, by modules. Constants are added by default when modules register annotations that use any of the mdb_annotate_uint8, mdb_annotate_uint16, mdb_annotate_uint32, mdb_annotate_uint64, and mdb_annotate_uint callbacks. The new mdb_register_constants function allows a module to add a constant explicitly, without having to call one of those functions.

Predefined conditional mapfile identifiers for high level object types

Linker mapfiles can now check for the output object type using conditionals for the values _ZTYPE_EXEC, _ZTYPE_KMOD, _ZTYPE_PIE, and _ZTYPE_SHARED; corresponding to the object types that may be set with the -ztype option to ld(1). For example, the /usr/lib/ld/map.vas47 sample mapfile provided with Solaris uses this to define a reserved segment when generating a regular executable or a position-independent executable, but not when building a shared library or a kernel module. More information will be provided in an upcoming update to the Oracle Solaris 11.4 Linkers and Libraries Guide.

elfdump -L option for displaying PLT details

The new -L option to the elfdump command displays the Procedure Linkage Table (PLT) used for dynamic linking to resolve symbols at runtime.

getumask(2) system call & pr_umask field in /proc/<pid>/psinfo

The traditional umask(2) system call does not allow querying the current umask without specifying a new process-wide umask to put in place, making it unsuitable for use in multi-threaded programs. This SRU adds a new getumask(2) system call to read the current umask value without setting it. A new pr_umask field was also added to the /proc/pid/psinfo file to allow other programs to query the umask currently in use by a process, and the pfiles(1) command has been modified to print the current umask value for the target process.

Before Upgrading to SRU 72

Migration from Python 3.7 to 3.9 or 3.11

Previous SRUs provided packages for Python versions 3.7, 3.9, and 3.11. Upstream support for Python 3.7 ended on June 27, 2023. All Solaris-provided Python 3.7 packages will be removed on upgrade to SRU 72. All locally built applications and ISV applications that use the system provided Python 3.7 need to be migrated to 3.9 or 3.11 before upgrading. The Python Foundation has provided information on Porting from Python 3.7 to 3.8 and Porting from Python 3.8 to 3.9 to assist with this. Migration of Solaris delivered Python code was delivered incrementally over a number of SRUs.

If systems need to keep the no-longer-supported Python 3.7 packages installed when upgrading to SRU 72 or later, admins can unlock runtime/python-37-incorporation to prevent its removal, following the instructions in Trapped by Older Software.

Migration from Apache Tomcat 8.5 to 9.0

Previous SRUs provided two versions of the Apache Tomcat application server, 8.5.x in the web/java-servlet/tomcat-8 package, and 9.0.x in the web/java-servlet/tomcat-9 package. Upstream support for Tomcat 8.5.x ended on March 31, 2024. Tomcat 8.5 will be removed on upgrade to SRU 72. All locally built applications and ISV applications that use the system provided Tomcat need to be migrated to 9.0 before upgrading. The Apache Foundation has published a Tomcat 8 to 9 Migration Guide to aid with this.

Preparation for Upcoming SRUs

The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

Migration from gcc 11 to a later version

SRU 72 provides packages for versions 11, 12, and 13 of the GNU Compiler Collection. GCC 11 will be removed in a future SRU. Users of the gccgo compiler need to note that the removal of GCC 11 will also include the removal of the libgo.so.19 library used by Go programs compiled with GCC 11, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to the SRU that removes it.

Migration from OpenSSL 1.0.2 to 3.0

SRU 72 provides packages for both versions 1.0.2 and 3.0 of the OpenSSL libraries. OpenSSL 1.0.2 will be removed in a future SRU, likely no earlier than the January 2025 SRU. All locally built applications and ISV applications that use the system provided OpenSSL 1.0.2 need to migrate to OpenSSL 3.0 as soon as possible. The OpenSSL Foundation has supplied an OpenSSL 3.0 migration guide to help with this. Migration of Solaris delivered packages to OpenSSL 3 is ongoing and continues to be delivered incrementally over a number of SRUs.

Migration from PCRE to PCRE2

SRU 72 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of SRUs. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.