What’s New in the Oracle Solaris 11.4.81 CBE release

The Common Build Environment (CBE) release for Oracle Solaris 11.4 SRU 81 is now available via “pkg update” from the release repository or by downloading the install images from the Oracle Solaris Downloads page. As with the first Oracle Solaris 11.4 CBE, this is licensed for free/open source developers and non-production personal use, and this is not the final, supported version of the 11.4.81 SRU, but the pre-release version on which the SRU was built. It contains all of the new features and interfaces, but not all of the final rounds of bug fixes, from the 11.4.81 SRU.

The previous version was the CBE for 11.4.42, so there’s more than 3 years worth of changes between these two releases. If you wanted to read about the changes in every intervening SRU, you can find the monthly SRU release announcements for every SRU, and the What’s New summaries for each quarterly feature release starting with SRU 63, on the Oracle Solaris blog. Some FOSS version updates are also listed in Oracle Solaris 11.4 Bundled Software Updates. You can also find posts about some of the new features from the SRUs on Joerg Moellenkamp’s blog and Marcel Hofstetter’s blog.

This blog post provides more details about selected new features and interface changes in this CBE release, as well as some preparation work for changes coming in future releases (which should come more often than once every three years going forward). Given the focus of the CBE release on software developers, this list highlights changes most relevant to them, and skips over changes more relevant to enterprise servers that should be using the supported SRU release train instead.

Note that this update includes marking a number of previous packages as Obsolete, which normally causes the IPS “pkg update” command to remove them when upgrading to the new release. For some of these, you can tell the system to keep the package when upgrading anyway, via the method described in Trapped by Older Software. This however won’t resolve any dependency issues or fix conflicts with newer package versions – it only allows keeping the older version of the package in place, as it was previously.

The End of Feature Notices for Oracle Solaris 11 page has a more complete list of the packages and features that have been removed already or announced as planned for removal in the future.

Programming language updates

The Oracle Solaris package repository includes compilers, interpreters, and other tools for a range of programming languages. Setting Up the Application Development Environment in Oracle Solaris 11.4 shows how to install the necessary packages for many of them.

GNU Compiler Collection (gcc)

Packages have been added for versions 12, 13, & 14 of the GCC compilers, including the C, C++, Fortran, Go, Objective C, and Ada (gnat) compilers. The packages for versions 7, 9, 10, & 11 have been marked obsolete and will be removed on upgrade. Users of the gccgo compiler need to note that the removal of these packages will also remove the Go runtime library used by Go programs compiled with that compiler version (libgo.so.14 for GCC 9, libgo.so.16 for GCC 10, and libgo.so.19 for GCC 11), and thus they will need to recompile any such programs with a newer version of gccgo before they can run on this release.

To install a specific compiler version, you can use a command such as “pkg install developer/gcc-14” to install the set of most commonly used compilers, or install individual compiler packages with a command such as “pkg install developer/gcc/gcc-c++-14”, substituting the version and language as appropriate. The gcc mediator controls which version is called when using the commands under /usr/bin. Specific versions can be run by using the versioned paths under /usr/gcc, such as /usr/gcc/14/bin/gcc.

Users of the C and C++ compilers may notice that GCC 14 has raised a number of issues from warnings to errors, which may impact your builds. See https://gcc.gnu.org/gcc-14/changes.html for more information on the changes in this generation of the GNU family of compilers, and Porting to GCC 14 for information on changes you may need to make to code and/or compiler flags in order to build it with GCC 14.

Go compiler

Version 1.23.5 of the Google Go compiler is now available, for x86 systems only, in the package developer/go. This compiler is not available for SPARC platforms.

Java

The bundled JDK 8 has been upgraded from version 1.8.0_311-b11 to 1.8.0_441-b7. JDK 11 is available for download for Solaris SPARC systems from Oracle’s Java Downloads page. Community-ported OpenJDK releases for both SPARC & x86 platforms are available from https://pkgs.tribblix.org/openjdk/ but those are not tested, certified, or supported by Oracle.

LLVM/clang compilers

Packages have been added for version 13 and version 19 of the LLVM/clang compilers. These replace the version 11 package in the previous CBE release. A new pkg(7) mediator named llvm allows choosing which version is used for the symlinks in /usr/bin. Specific command versions can be run by using the paths under /usr/llvm-13 or /usr/llvm-19.

Node.js

On x86 systems, packages have been added for version 20, and obsoleted for versions 14 & 16 of Node.js. Node.js is not available for SPARC platforms.

Perl

Packages have been added for Perl version 5.38 and obsoleted for version 5.32. See perl5340delta, perl5360delta, and perl5380delta for information on the changes between Perl 5.32 and 5.38.

PHP

Packages have been added for PHP versions 8.4, 8.3, 8.2, & 8.1, and have been obsoleted for versions 8.0, 7.4, and 7.3. The PHP 8.1 package has been marked legacy in preparation for removal in a future release, since the PHP community is ending support for 8.1 at the end of December 2025.

Python

Packages have been added for Python versions 3.11 & 3.13 and have been obsoleted for versions 2.7 & 3.7. The packages for version 3.9 have been marked legacy in preparation for removal in a future release, since upstream support for Python 3.9 will end in October 2025. See Porting to Python 3.10, Porting to Python 3.11, Porting to Python 3.12, and Porting to Python 3.13 to help with migrating your Python code to a later version.

Sunsetting Python 2 on Oracle Solaris discusses what changed with the removal of Python 2, and options for keeping it installed if necessary. Oracle Solaris has obsoleted Python 3.7. But I still need it – what do I do? covers the new package incorporations used starting with Python 3.7 to make it easier to unlock all the modules associated with a given Python version at once.

Python package management going forward explains how to install additional Python packages with pipx now that the system packaged Python directories are marked as externally managed to avoid conflicts between IPS and pip.

In this release we’ve also backported to our Python 3.9 and 3.11 packages the patches we contributed upstream for Python 3.13 to allow use of posix_spawn(3c) in more cases, which can improve the performance of spawning new processes from Python code on Solaris.

Ruby

Packages have been added for versions 3.1 & 3.3 of Ruby, and have been obsoleted for version 2.6. The version 3.1 package has been marked legacy in preparation for removal in a future release, since community support ended in March 2025.

Rust

The Rust compiler package has been upgraded from version 1.53 to 1.78. See the Rust Release Notes for information on the changes between these releases.

Other development tool changes

Build tool updates

GNU autoconf was upgraded from 2.69 to 2.71, cmake from 3.21 to 3.24, GNU make from 4.2.1 to 4.4.1, meson from 0.59.2 to 1.5.2, ninja from 1.9.0 to 1.12.1, and scons from 4.2.0 to 4.6.0.

The package developer/build/autoconf-archive was added to provide the macros from the GNU Autoconf Archive.

Source code manager & editor updates

The developer/versioning/cvs package has been marked obsolete and will be removed on upgrade.

The git package has been upgraded from 2.31.1 to 2.48.1, Mercurial (hg) from 5.1.1 to 6.8, and subversion from 1.14.1 to 1.14.5.

The emacs editor was upgraded from 27.2 to 29.3, nano from 5.9 to 8.2, and vim from 8.2 to 9.1.

Debugger updates

The gdb debugger was upgraded from 10.2 to 15.1, and valgrind (which is only available on x86 systems) was upgraded from 3.18.1 to 3.24.0.

There were many enhancements to the mdb debugger – so many that we’ll need a separate blog to cover them.

CTF changes

The CTF (Compact C Type Format) utilities, ctfconvert, ctfdump, and ctfmerge, long used to build the Solaris OS itself, are now delivered in /usr/bin as documented system utilities. CTF is used by important observability tools such as mdb and DTrace. Those who know these utilities from the versions found in other systems should note that some options differ from those versions. See the manpages for details. We have expanded the number of userspace binaries that contain CTF data, and plan to add CTF to more userspace binaries in future releases.

Support for CTF has also been added directly to the Solaris linker. The new “ld -z ctf” option provides the abilities of the ctfmerge(1) utility as part of the link-edit, thereby eliminating the need to run ctfmerge afterwards as a post processing step. The ctfmerge(1) utility remains supported for existing build systems, but this simplifies the process of adding CTF support to builds that don’t already run ctfmerge. Both of these tools now put CTF data in the .SUNW_ctf ELF section using the newly assigned section type SHT_SUNW_ctf, instead of SHT_PROGBITS as was previously used.

The previous release supported versions 1 and 2 of CTF. This release adds support for Solaris CTF version 3. Solaris CTF version 3 lifts the severe limits on the number and size of types found in version 2. The 16-bit integer values used in Version 2 are widened to 32-bits. The ctf(5) manual page was added to document these changes. ctfconvert, ctfmerge, and ld -z ctf now generate CTF version 3 data by default. ctfconvert and ctfmerge offer a new -V option that allows the user to explicitly choose the version to generate. The ld -z ctf option was similarly extended with a ‘version’ keyword to allow the CTF version to be specified. libctf internally supports all known CTF versions (1-3), through the existing libctf interfaces. As such, mdb, kmdb, DTrace, and any other CTF consumers are immediately able to use the new format. Users of these tools should not experience any change in operation.

This release also adds “ctf” to the list of strip classes accepted by ‘ld -z strip-class’, and ‘strip -c’, in order to allow CTF sections to be treated independently of the debug sections generated by the compilers for debuggers such as dbx and gdb.

elfdump -L option for displaying PLT details

The new -L option to the elfdump command displays the Procedure Linkage Table (PLT) used for dynamic linking to resolve symbols at runtime.

kldd support for multiple sysroots, _depends_on[], and platform selection

The kldd utility extended the -S option to accept a colon-separated path of directories, added the -P option to specify platform directories to search, and added support for finding dependencies specified via the deprecated _depends_on mechanism. See the kldd(1) man page for more information.

Predefined conditional mapfile identifiers for high level object types

Linker mapfiles can now check for the output object type using conditionals for the values _ZTYPE_EXEC, _ZTYPE_KMOD, _ZTYPE_PIE, and _ZTYPE_SHARED; corresponding to the object types that may be set with the -z type option to ld(1). For example, the /usr/lib/ld/map.vas47 sample mapfile provided with Solaris uses this to define a reserved segment when generating a regular executable or a position-independent executable, but not when building a shared library or a kernel module. For more information see Mapfile Structure and Syntax: Conditional Input in the Oracle Solaris 11.4 Linkers and Libraries Guide.

compcom section class keyword for elfcompress, ld, and strip

The following ld, strip, and elfcompress options share a common set of section class keywords, used to specify sections to be stripped (removed) or compressed:

• ld -z strip-class=[!]class1,[!]class2,...
• ld -z compress-class=[!]class1,[!]class2,...
• strip -c [!]class1,[!]class2,...]
• elfcompress -c [!]class1,[!]class2,...

This release adds a new class selection keyword, compcom, to the set of class selection keywords. See the man pages elfcompress(1), ld(1), and strip(1) for more information.

libc & system call changes

New functions in libc

A number of new functions are available in libc, some of which provide access to new system calls to the Solaris kernel. For details on each, see the man pages for core_get_process_content(3C), core_set_process_content(3C), core_get_process_path(3C), core_set_process_path(3C), getpeereid(3C), getumask(2), mremap(2), preadv(2), pwritev(2), and ucred_getprinc(3C).

access(2) family of system calls always return EACCES for X_OK for ordinary files without any X bit set

Historically, the access(2) family of system calls on Unix always returned that uid 0 had all access to files, including the execute bit (X_OK) on files without the execute bit set in the file permissions. This caused various issues, so over time a number of other Unix-like systems have moved to only returning that execute access is allowed for uid 0 if at least one of the executable bits is set on a regular file, and the POSIX/UNIX standards encourage that behavior. In this release, the access(2) system calls for accounts with a uid of 0 will return failure and set errno to EACCES if the X_OK bit is checked and the target file has no executable bits set in the file permissions.

IOV_MAX increased from 16 to 1024

The value of IOV_MAX in the <limits.h> header has been raised from 16 to 1024. This increases the number of members which may be passed in an iovec array in each call to the functions listed on the send(3c), recv(3c), writev(2), and readv(2) man pages. The higher value will also be returned when calling sysconf(_SC_IOV_MAX), except in Solaris 10 branded zones.

TIOCGWINSZ on new pseudo tty does not return EINVAL

Previously, newly created pseudo terminals returned EINVAL if the TIOCGWINSZ ioctl was called to get the size before TIOCSWINSZ was used to set it. This behaved differently from ordinary terminals and differently from most other OS’es, which simply returned a value of (0, 0) but not an error. As it was confusing Python, it was decided to change to do what the rest of the OSes were doing, and return (0, 0) instead.

Unicode 14 support added to u8_strcmp(3c) & u8_textprep_str(3C)

Support for the characters added between Unicode 5 and 14 has been made available to the u8_strcmp(3c) & u8_textprep_str(3C) functions via the new Unicode version value U8_UNICODE_1400_ORCL.

U8_UNICODE_1400_ORCL uses a slightly modified version of the Unicode 14.0.0 tables. Where Unicode 14.0.0 says that the uppercase equivalent of U+0131 LATIN SMALL LETTER DOTLESS I is U+0049 LATIN CAPITAL LETTER I, this implementation does not; it leaves U+0131 without an uppercase equivalent. This change helps to reduce conflicts between English and Turkish uses of dotted and dotless I.

This mapping table is also exposed to the u8_strcmp(9f) & u8_textprep_str(9F) kernel APIs, and as the 14.0.0 value of the unicode property for case-insensitive ZFS file systems. See Specifying Unicode Versions in Managing ZFS File Systems in Oracle Solaris.

lastlog, utmpx, & wtmpx timestamp range extended from 2038 to 2106

Previously, these file formats used signed 32-bit integers representing the number of seconds since January 1, 1970 to record timestamps for login, logout, reboot, and similar events. Since no Solaris systems were operating prior to 1970, this release changes the definition of these file formats to use unsigned 32-bit integers, resulting in the range of possible timestamps moving from 1901–2038 to 1970–2106. The core OS software in Solaris has been modified to reflect this, but other software that reads from or writes to these files may need modification or recompilation with the updated system headers to handle timestamps in these files with the highest bit set as being post-2037 instead of pre-1970.

struct log_ctl timestamps extended

The timestamps embedded in struct log_ctl messages read from /dev/log have been extended to cover dates past January 2038 and to include subsecond-resolution. Existing binaries and 32-bit programs will continue to receive data in the old format, but once code is recompiled with the new headers in 64-bit mode, and thus requests the new struct size from the kernel, the additional data will be available to it. For instance, this patch we’ve applied to rsyslog allows reading the new fractional second values from log messages.

Changes to other libraries

OpenSSL 1.0.2 & 1.1 removed, migration to 3 completed

The previous CBE release provided packages for versions 1.0.2, 1.1.1, & 3.0 of the OpenSSL libraries. The packages for OpenSSL 1.0.2 & 1.1.1 have been obsoleted in this release. All locally built applications and ISV applications that use the system provided OpenSSL 1.0.2 or 1.1.1 need to migrate to OpenSSL 3.0 before they can run on this release. The OpenSSL Foundation has supplied a OpenSSL 3.0 migration guide to help with this.

Note that in OpenSSL 3.0 some older/weak cryptographic algorithms are no longer available by default, they can be made available in Oracle Solaris by installing the legacy provider package: library/security/openssl-3/legacy-provider and changing the activate property in /etc/openssl/3/conf.d/legacymodule.cnf.

To run the system in FIPS 140-2 mode, install the package crypto/fips-140. This package will also ensure that the library/security/openssl-3/fips-140-provider package is installed. Note that having the fips-140-provider package installed causes OpenSSL to apply the FIPS-140-2 restrictions, including disabling some newer cryptographic algorithms that are not allowed by the older FIPS-140-2 standard. Systems which do not want these restrictions can uninstall the fips-140 packages manually after upgrade.

libscf(3lib) extended to provide API for logfile property retrieval

A new function smf_get_logfile_propval was added to the libscf(3lib) library. It takes an FMRI argument that names an instance of a service. The function returns the value of the logfile property on success and NULL on failure. On success, the caller is responsible for freeing the memory. A man page is available for this function as smf_get_logfile_propval(3SCF).

New v12n_get_env_type() function for libv12n

To simplify the process of finding out the type of virtualization environment a program is running in, a new function named v12n_get_env_type() was added which returns an integer (enum) describing the type of virtualization environment, using the virt_env_t defined in /usr/include/sys/virt.h. See the v12n(3ext) manual page for details.

libjpeg upgraded from version 6 to version 9

The previous CBE release included version 6b2 of the libjpeg library. This release has upgraded the package to version 9e, which is not binary compatible with version 6. All locally built applications and ISV applications that use the system provided libjpeg will need to migrate to the new version before they can run on this release.

FOSS libraries added

Packages have been added to the Solaris CBE package repo for a number of open source libraries, including:

• compress/zstd
• library/audio/pcaudiolib
• library/bdw-gc
• library/desktop/libadwaita
• library/fmt
• library/gnome/gcr-4
• library/libpaper
• library/libsoup-3
• library/libuv
• library/libyaml
• library/speech/espeak-ng
• x11/library/libxcvt

FOSS libraries removed

The packages for a number of open source libraries have been marked obsolete, causing them to be removed on upgrade, including:

• library/aalib
• library/audio/libmusicbrainz5
• library/cloog
• library/desktop/clutter
• library/desktop/clutter/clutter-gst
• library/desktop/clutter/clutter-gst3
• library/desktop/clutter/clutter-gtk
• library/desktop/c++/gtkmm
• library/desktop/gtk2
• library/desktop/gtkspell
• library/desktop/libchamplain
• library/desktop/libvisual-plugins
• library/desktop/libvisual
• library/desktop/libxklavier
• library/desktop/webkitgtk4
• library/gnome/folks
• library/gnome/libzapojit
• library/graphics/cogl
• library/libconfuse
• library/libcroco
• library/libee
• library/libgnuefi
• library/libtorrent
• library/telepathy-glib
• system/library/libdaq
• web/css/sass/libsass
• x11/library/libdmx
• x11/library/libxevie
• x11/library/libxfont
• x11/library/libxp
• x11/library/libxxf86misc

Changes to bundled Python modules

Python modules added

Packages have been added to the Solaris CBE package repo for a number of open source Python modules, including:

• developer/python/maturin
• library/python/build
• library/python/dill
• library/python/distlib
• library/python/exceptiongroup
• library/python/filelock
• library/python/flit_core
• library/python/iniconfig
• library/python/installer
• library/python/oracledb
• library/python/pipx
• library/python/platformdirs
• library/python/pymemcache
• library/python/pynose
• library/python/pyproject_hooks
• library/python/referencing
• library/python/semantic_version
• library/python/tomli
• library/python/tomlkit
• library/python/wheel

Python modules removed

The packages for a number of open source Python modules have been marked obsolete, causing them to be removed on upgrade, including:

• library/python/asn1crypto
• library/python/atomicwrites
• library/python/backports.functools_lru_cache
• library/python/boto
• library/python/cx_oracle
• library/python/enum
• library/python/extras
• library/python/funcsigs
• library/python/ipaddress
• library/python/lazy-object-proxy
• library/python/pathlib2
• library/python/pygtk2
• library/python/python-memcached
• library/python/py
• library/python/scandir
• library/python/six
• library/python/toml

Other development frameworks & integrations

Apache Tomcat

The web/java-servlet/tomcat-9 package has been added in this release. See the Apache Tomcat 9 Documentation for more information. The web/java-servlet/tomcat-8 package for the previous version, 8.5, has been marked obsolete and will be removed on upgrade.

Oracle Database clients

The database/oracle/instantclient-1915 package has been added alongside the existing Instant Client packages for earlier releases.

The library/python/cx_oracle packages have been marked obsolete and will be removed on upgrade. Maintainers of python code that use this API to access Oracle databases need to ensure their code is updated to use the oracledb Python module instead, as provided in the Solaris package library/python/oracledb. See Open Source Python Thin Driver for Oracle Database for more information on the differences and links to information on how to update Python code to use the new module.

Kernel DDI enhancements

Generic in-kernel I/O Resiliency events

I/O Resiliency (IOR) is an I/O virtualization (IOV) feature in sun4v. PCI Express devices that support IOV have virtual functions (VF) that can be assigned to other domains. When a domain that owns a physical device panics or reboots, other domains using related VFs temporarily lose access to the device. IOR manages this situation so the domains using VFs don’t panic due to the device being inaccessible.

In previous releases, there were only existing mechanisms to notify interested parties if device accessibility is changed. IOR uses Live Suspend and Resume (LSR) to interact with the drivers for the affected devices. (LSR is based on ddi_cb_register(9F) interfaces.) Also, kernel modules which open the affected devices may receive LDI events asking them to close devices.

However, the existing mechanisms were insufficient. Generic events were needed to announce whenever device access is lost or restored by IOR so the activities can be monitored by other interested parties. This allows a module to monitor the status of another driver’s devices and inform LDI consumers when previously closed devices can be re-opened.

To monitor IOR activities, a kernel module will register a callback handler with ddi_cb_register(9F) with the DDI_CB_FLAG_IOR flag. It must use one of its own device nodes for this registration, and the device node must not represent a physical device that could actually be suspended by IOR. Otherwise, the registration will disappear and be rendered useless if the device in question is ever force detached by the FD-IOR feature. A non-physical pseudo node is preferred.

The manual page for ddi_cb_register(9F) was updated to cover this.

rw_enter_sig: interruptible kernel rwlock

This release adds a function rw_enter_sig(9F) which has the same behavior as rw_enter(9F), except on success 0 is returned and on failure the error number is returned. For example, if the operation is interrupted, EINTR is returned.

rw_enter_sig(9F) applies to lock types RW_DEFAULT, RW_DRIVER, RW_NUMA_DEFAULT, and RW_NUMA_READ_REENTRANT. An example of an interruptible operation is walking a filesystem path and dealing with a user generated interrupt like CTRL-C. See the rwlock(9F) man page for documentation of this function.

Desktop Features

GNOME 45

Much of the Gnome desktop in Solaris has been updated from version 3.38 to version 45 in this release. If you use the default desktop session, you will notice some cosmetic changes, including the dock being at the bottom instead of on the left side, and the ‘Activities’ indicator on the top left being replaced by a workspace indicator icon. The upstream community has been migrating more and more apps to GTK4. As we update the existing Gnome applications to newer versions in Solaris in the upcoming releases, you might notice some changes in the look and feel.

Some keyboard shortcuts have changed as well in the new release, see https://help.gnome.org/users/gnome-help/stable/shell-keyboard-shortcuts.html.en for the new shortcuts.

Firefox & Thunderbird 128

Mozilla Firefox and Thunderbird have been upgraded from the 91 ESR branch to the 128 ESR branch. For information on the changes, see the Firefox 128 ESR Release Notes, Firefox 115 ESR Release Notes, Firefox 102 ESR Release Notes, Thunderbird 128 ESR Release Notes, Thunderbird 115 Release Notes, and Thunderbird 102 Release Notes.

X servers & drivers

The X servers have been upgraded from the 1.20 branch to the 21.1 branch. This includes the removal of the Xdmx server that was dropped upstream in the 21.1 branch. Mesa was updated from version 20.0.2 to 21.3.8, and TigerVNC was updated from 1.10.1 to 1.13.1.

The NVIDIA graphics driver has been updated from 418.56 to 470.182. Systems with NVIDIA Fermi GPUs need to uninstall driver/graphics/nvidia and install driver/graphics/nvidiaR390.

The x11/server/xorg/driver/xorg-video-cirrus and x11/server/xorg/driver/xorg-video-openchrome packages have been marked obsolete and will be removed on upgrade.

Other User Environment Changes

OpenSSH upgraded from 8.4 to 9.6

The update from OpenSSH 8.4 to OpenSSH 9.6 contains the following potentially incompatible changes:

• RSA signatures using the SHA-1 hash algorithm are disabled by default. If needed, it is still possible to selectively re-enable RSA/SHA1 to allow connection and/or user authentication via the HostkeyAlgorithms and PubkeyAcceptedAlgorithms options.

• scp(1) switched to the SFTP protocol by default instead of the legacy scp/rcp protocol. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. “scp host:* .”) through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side.

  This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this quoting, and attempts to use it may cause transfers to fail.

  Another area of potential incompatibility relates to the use of remote paths relative to other user’s home directories, for example – “scp host:~user/file /tmp”. The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) supports a protocol extension “expand-path@openssh.com” to support this.

  In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp protocol using the -O flag.

• Both the client and server are now using a stricter configuration file parser. The new parser uses more shell-like rules for quotes, space and escape characters. It is also more strict in rejecting configurations that include options lacking arguments. Previously some options (e.g. DenyUsers) could appear on a line with no subsequent arguments. This release will reject such configurations. The new parser will also reject configurations with unterminated quotes and multiple ‘=’ characters after the option name.

The new version of OpenSSH also includes a new feature, enabled by default, that attempts to hide inter-keystroke timings by sending interactive traffic at fixed intervals (default: every 20ms) when there is only a small amount of data being sent. This feature can affect the performance of X11 forwarding over ssh – if problems are seen, it can be disabled by setting the ObscureKeyStrokeTiming option to no.

The /etc/ssh/sshd_config file now also reads configuration fragments from /etc/ssh/sshd_config.d/*.conf so that it is easier to add items to the system configuration. The equivalent was also added to /etc/ssh/ssh_config for the client even though it tends not to be configured system wide as much. See Including file fragments in ssh configuration for more information.

Printing services

The CUPS printing system has been upgraded from 2.3.3 to 2.4.11 in this release. The upstream CHANGES provides some information on changes in the new release. Additionally, the CUPS “driverless” printer driver has been delivered.

Starting with Oracle Solaris 11.4.75, the CUPS SMF services, cups/scheduler and cups/in-lpd, are disabled by default. If you intend to keep using the services, you must enable them via the “svcadm enable” command.

File extraction by cpio(1) restricted to the current working directory hierarchy by default

Up until now, cpio(1) has allowed files to be extracted anywhere based on the paths specified in the archive. Both absolute and relative pathnames (including those with a “..”) were extracted as normal. This included paths containing symbolic links to directories, where the symbolic link itself was created via the archive to point to an arbitrary location. This means that the user was responsible for making sure that the extractions do not occur to locations that they may not desire, which become even more important when the user has elevated privileges.

It took due diligence by a user if they could not completely trust an archive. In most cases, a user is content to let an archive extract relative to the current working directory, but extractions outside of this area are (or should be) treated with suspicion and scrutiny. While the telltale signs of absolute paths or ones with “..” are relatively easy to notice if one takes the time to look at an archive listing, symbolic links to directories that appear in the path may be more easily missed.

Due to the inherent risks described above, cpio is no longer able to extract to files outside of the current working directory by default. This can be relaxed using the -x option.

dd(1) support for size suffixes beyond kilo (k)

The values supported for the bs=, cbs=, ibs=, and obs= arguments to dd(1) had become somewhat outdated, supporting size suffixes of only k (kilo/1024), b (512-byte block), and w (2 byte word). This release adds support for larger scale factors: m (mega), g (giga), t (tera), p (peta), and e (exa).

ls -/V for less verbose attribute lists

The ls(1) command previously offered two options for listing system attributes:

• -/c – compact form, displaying 1 letter per attribute or a dash if that attribute is not enabled
• -/v – verbose form, displaying all attributes using full words and “no” prepended to the attribute if it is not enabled

This release adds a third choice, -/V, which is like the verbose form, but instead of displaying noattribute, displays nothing for those not enabled.

fsync() support in commands

To allow users and scripts to ensure changes are flushed to stable storage and not just in a temporary cache, a new -S flag has been added to cp(1) and mv(1), and a new fsync(1) command has been provided, all of which use the fsync(2) system call to ensure writes are completed.

/dev/full

Similar to FreeBSD and Linux, Solaris now supports the /dev/full device which returns zeroes on read and ENOSPC on a write to simulate a full filesystem. This can be useful for developers testing to see how their software handles out-of-space errors. A full(4d) man page has been added to document this.

mkfile(1) size argument update

mkfile(1) now accepts a wider range of scale suffixes, and supports fractional values (e.g. ‘.5t’). This result is a superset of what was previously accepted, and is fully backward compatible with it.

Also, the output is augmented to include the size in human readable format:

% mkfile -v 1m foo
foo 1048576 bytes (1M)

Data Management Features

ZFS clonedir mountpoints under .zfs/clone

Setting the mountpoint of a ZFS clone to clonedir will now cause that clone to be mounted under the head filesystem’s .zfs/clone directory. Doing a mkdir of a clone name in the .zfs/clone directory will create a snapshot of the dataset and then clone it. See Displaying and Accessing ZFS Clones, Creating a clone in .clone, and the zfs(8) man page for more information.

ZFS File Retention

This release adds File Retention to ZFS. File retention is controlled by a new system attribute timestamp for files that, once set, makes the file read-only and not deletable. Once the date/time specified by that timestamp has passed, the retention has expired, and the file may be deleted. No other modification is allowed, even after expiration.

For more information, see Retaining Files on Your ZFS File System, the man pages zfs(8) and zpool(8), and the blogs ZFS file retention, Prevent the destruction of a ZFS filesystem dataset, and ZFS File retention: No way back – and other topics.

ZFS mount/unmount -r option added

When mounting or unmounting filesystems, it is often useful to mount “everything”. However, zfs mount -a truly means “everything”, which is often far more than desired. This release introduces a new flag:

zfs mount -r dataset|path [dataset|path ...]
zfs unmount -r dataset|path [dataset|path ...]

This flag causes the mount or unmount to mount or unmount all descendent filesystems or filesystems mounted at or beneath the specified mount point. As part of this change, multiple filesystems/mount points are now allowed to be specified in a single command, with or without the -r option.

There is no wildcard matching or partial matching performed by the zfs command. (Shells may expand wildcard matches before passing the arguments to zfs though.) All matches must be whole filesystem names which start from the pool name or absolute paths. That is zfs unmount -r /a will not affect /alt nor will -r pool/b affect pool/beta. See Recursive mount/umount and the zfs(8) manual page for details.

ZFS send with raw crypto

In the previous release, when zfs send was used to replicate encrypted data, the data blocks were always decrypted before being sent. If encryption was enabled on the receiving end of the replication, then the data blocks were reencrypted. This release now provides the ability to specify ZFS send in raw crypto mode, where data blocks are sent without first decrypting them. Raw crypto mode is enabled by the -w crypto option to the zfs(8) send command.

For more information, see Sending and Receiving Encrypted ZFS Data and the zfs(8) man page.

Moving ZFS swap and dump volume configuration out of /etc

This release moves the configuration information for swap and dump zvols from /etc/vfstab and /etc/dumpadm.conf into ZFS properties. Admins will need to use the swap(8) and dumpadm(8) commands to add or remove swap & dump volumes – see their man pages for details.

mount option to enable/disable VFS_RWNUMA on per filesystem basis

Mount options vfsnumalock and novfsnumalock will enable and disable scalable locking. All Solaris delivered filesystems have this option enabled by default. All 3rd party filesystems will have this option disabled by default. See the mount(8) man page for documentation.

Samba updates

Samba has been upgraded from version 4.13.8 to 4.21.3. See Samba Release History for the release notes for each intervening version to learn about the changes.

SMB1 client repackaged and moved to legacy state

Solaris includes an SMB client that allows access to remote SMB file shares. This client only supports version 1 of the SMB protocol. The SMB1 protocol is outdated and insecure and its use is not recommended.

In this release, the SMB packages in Solaris were refactored to isolate the SMB1 client (smbfs) into its own package so that it does not have to be installed anymore if it is not wanted. This package was also marked as legacy to indicate it may be removed in a future release.

The files needed by the SMB server are now included in the service/file-system/smb package and objects needed by the SMB1 client are now in the system/file-system/smb package. A new package system/file-system/smb/common was created that contains files that are needed by both the SMB server and the SMB1 client.

The group/feature/storage-server package used to include both service/file-system/smb and system/file-system/smb. This package was updated to remove the SMB1 client. It also now includes system/file-system/smb/common instead of system/file-system/smb.

Performance and Observability

ACT (Autonomous Crash dump Tool) run by default

Oracle Autonomous Crash dump Tool or ACT is an mdb(1) dcmd which produces a human-readable summary of a Solaris kernel crash dump. ACT is useful to diagnose system panic issues quickly. Since Solaris 11.4.11, ACT gets loaded in mdb by default when mdb loads a crash dump.

In this release, we have enhanced the process of extracting a crash dump to additionally create a file containing the output of the ::act dcmd and save it in the crash dump directory. A new service instance svc:/system/dump:act will uncompress the crash dump if it is compressed, run ACT, and then remove the uncompressed dump if the configuration is to set to dump a compressed dump. The service instance start method checks to prevent the rpool or system pool from filling up.

More details are provided in Introducing Oracle Solaris ACT Service.

iostat & vmstat collections in Statistics Store

Storage subsystem related statistics usually accessed using iostat(8) are now also available in the Statistics Store (sstore) in a new collection called io-stats. Similarly, virtual memory related statistics usually accessed using vmstat(8) are now also available in the Stats Store in a new collection called vmstats. This will allow output of these statistics in JSON format for further processing.

iostat -b option for backend statistics of LDom/KZ guest devices

This release adds a new command line option -b to the iostat(8) tool to display backend statistics for virtual devices assigned to guests (Kernel Zones or LDom guests). The virtual device in this context is either a virtual block device, a “vdisk” (LDoms) or “zvblk” (Kernel Zones), or it is a physical SCSI device such as a SCSI disk or tape device exported through the Virtual Storage Area Network (SAN) service.

The user can limit the output by passing device names as command line arguments or by using iostat‘s option -z to omit devices with no IO activity from the report.

See the ldm(8) manual page for the definition of the “backend”, and the iostat(8) man page for more on this option.

iostat wildcard character support for disk report selection

The iostat(8) tool has always accepted a ‘disk’ argument to explicitly select devices to report. The device matching algorithm has used simple string matching to compare device names in the system against the argument string. However, this was impractical on systems with many disk or with long disk names as typing a disk name that includes WWN (SAN) is inconvenient.

To make the tool more user-friendly, this release adds wildcard matching using the fnmatch(3C) API. See Wildcards for iostat, iostat -b and wildcards, and the iostat(8) man page for details of this feature, and fnmatch(5) for details of the pattern matching syntax.

iostat -S option for sample separator line

This release added a new -S option to iostat(8) to add a separator line after each record. See Sample separation in iostat for more information.

kstat2 human-readable output does not URI encode anymore

The kstat2 command no longer uses URI encoding for special characters in the human-readable output mode (though it still does in the parsable and JSON output modes). For instance, a comma in a kstat name that was previously displayed as “%2C” is now shown simply as “,”.

modinfo(8) additions: SYS field, -x, -h/–scale, -?/–help options

The modinfo(8) utility was extended with the ability to distinguish kernel modules built and delivered with Solaris from those delivered from other sources. This is displayed via a new SYS field that replaced REV in the default output. The new -x option limits the output to non-system objects.

Options were also added to modinfo(8) to display scaled values in the SIZE column (-h/--scale) and to print help for the command (-?/--help). The modinfo(8) manual page was updated to cover all these changes.

pagesize -h option for human scaled values

The pagesize(1) command now takes a -h flag to print page sizes as human-scaled numbers instead of raw byte counts. For instance, it would print 1G instead of 1073741824 for a one gigabyte page size.

pbind reports on all LWPs

The pbind(8) command output was changed to report binding of all LWPs for a process which is composed of multiple LWPs, instead of just one LWP as it previously did. Please refer to the pbind(8) man page for details.

New pgrep(1) & pkill(1) options

A new option -Z limits the matching to processes in the current zone. This is only useful in the global zone as other zones cannot see processes from outside their zone.

Another new option “-r pidlist” limits the matching to processes which are part of the processes rooted in the listed processes.

These options can be combined the same way as other options. For example, “pgrep -r 1 -v” returns all kernel processes as these are not direct children of init. See New options for pgrep/pkill for more examples.

prstat use of “sys” and “usr” as additional sort keys

Up until now, prstat could sort output by CPU usage as a whole only, which is the default, and it means SYS+USR. Starting in Solaris 11.4.63, prstat(8) can also sort by either SYS or USR usage by specifying the sys or usr keywords for the -s option. The manual page for prstat(8) has additional details.

ps(1) & svcs(1) options for ISO 8601 time format

The ps command now accepts the -I flag to display the start time (“STIME”) column in an ISO 8601 format. Alternatively, the sitime keyword can be passed to the -o option to specify a start time in an ISO 8601 format. See the ps(1) man page for more information.

The svcs command now displays the start time (“STIME”) column in an ISO 8601 format by default, and accepts the -i flag to display the time in the legacy non-parsable output format. An environment variable SMF_SVCS_DATE_FMT is also supported. When it is unset or is set to iso8601 explicitly then ISO 8601-1:2019 dates are used, while the value of legacy indicates the old format should be used.

ptree(1) option -g to list direct global zone parents for -z option

The ptree command now accepts a new option -g that may be used with the -z zone option to show parent processes in the global zone for processes in the specified non-global zone. Those parents will have a suffix of ‘*’ on the process ID to identify them as global zone processes:

$ ptree -z kzone -g
26489* zlogin -U kzone
  26490 <defunct>
26491* zlogin -U kzone
  26492 <defunct>
26471 zsched

See the ptree(1) man page for further details.

–scale support added to dlstat, flowstat, ipstat, quota, ramdiskadm, savecore, & tcpstat

The dlstat(8), flowstat(8), ipstat(8), quota(8), ramdiskadm(8), savecore(8), and tcpstat(8) commands have added support for the --scale option found in other Solaris commands to specify human-readable scaled output, as described in the scale(7) man page and the man pages for each of these commands.

New sstoreadm option to purge all SSIDs

This release adds an option -a to sstoreadm purge to clear all the statistics related data over a given time range, or if the time range is not specified, to remove all statistics from the repository. See the sstoreadm(1) man page.

Installation and Software Management Features

pkg(7) user action uid selection change of reserved range

Previously, if a user action in an IPS package did not specify a uid, it was assigned the next available free uid from the 0-99 range reserved for use by the OS, even if it was a non-OS-provided package, which could cause conflicts if an OS package that used the same uid was installed later.

Starting in Solaris 11.4.78, IPS was changed to allocate the first free uid in the install image that is in the range 100-499, which is now reserved for package use; and useradd(8) was changed to allocate the first free uid above 1000 when no explicit uid is given. Equivalent changes were made for gid assignment when no explicit gid is given.

HTTP, HTTPS, and signature support removed from SVR4 packaging tools

The SVR4 packaging tools can no longer install SVR4 packages directly from HTTP or HTTPS URLs, nor create or check cryptographic signatures for SVR4 packages. Software developers should be creating IPS packages instead, which offer all of this functionality and much more, including better integration with the Solaris 11 operating system packages which are all managed via IPS.

Automatic access to support repo from OCI compute instances

Beginning with 11.4.79, OCI compute instances can install additional software or updates from the Oracle Solaris Support Repository immediately; for older versions you will need to register for a user key and certificate.

System Management Features

x86 boot loader upgraded to GRUB 2.12 & Shim 15.8

The boot loader used on x86 systems has been upgraded to GRUB 2.12, and the secure boot shim has been upgraded to version 15.8. With this update, UEFI platforms will always have the secure boot loader image installed, and it will no longer be necessary to run “bootadm install-bootloader -s” to enable secure boot, nor will it be needed to disable secure boot when doing an OS install. Systems already running secure boot may require that the admin accepts the hash for the new grub2securex64.efi image after the update.

The boot loader image will be updated after the first boot into a release containing GRUB 2.12, by the boot-loader-update SMF service. After the update, the version of GRUB displayed on the menu will be “GNU GRUB 2.12,<SRU version>”.

From Oracle Solaris 11.4.81 onwards, the installadm command places the boot files for x86 Automated Install clients configured with “installadm create-client” under the directory /etc/netboot/client/<client id>. If you are managing the DHCP server configuration outside of installadm, you will need to modify the configuration for newly-created clients to reflect the changed path. The specific path for each client will be printed by installadm when the client is created.

If your Automated Install server is not updated to 11.4.81, x86 installation clients that are not assigned to a specific service using installadm create-client may fail to boot as the shim will be unable to locate GRUB. This can be worked around by placing a symbolic link to the updated GRUB in /etc/netboot. We suggest the following:

ln -s service/default-i386/boot/grub/grub2netx64.efi /etc/netboot/grubx64.efi

NTP Monitor Only mode

There is a new SMF network/ntp instance for the NTP SMF service called svc:/network/ntp:monitor. The new instance differs from ntp:default by disabling NTP’s ability to adjust the system clock and also when enabled causes the PTP daemon to ignore all ntpd processes. This allows NTP to be used to ensure PTP is updating the clock correctly without risking two different time sources making conflicting time updates. The ntpd(8) manual page has been updated to cover this change.

One important impact of this change to administrators is that there are now two instances of NTP when there previously was only one. The administrative commands for SMF generally allow the admin to specify a SMF service with an abbreviation if it is unique and if that service has only one instance the command would act on that instance. So, when NTP had only one instance merely using ntp was enough. For example, to enable the NTP service the admin could type “svcadm enable ntp”. This will no longer work for commands that need a unique instance to function and will produce an error like:

        svcadm: Pattern 'ntp' matches multiple instances:
                svc:/network/ntp:default
                svc:/network/ntp:monitor

Instead it will be necessary to type either ntp:default or ntp:monitor to uniquely identify the instance. This may require updating any scripts that have been written to interact with the NTP service. In general, Oracle recommends using fully qualified instance names instead of abbreviations in scripts to avoid issues when new services or instances are added to the system.

OpenLDAP 2.6

OpenLDAP has been updated from the 2.4 release train to the 2.6 train in this release. For those building software to use OpenLDAP libraries, note that the directory /usr/include/openldap is deprecated, and headers are now in the standard /usr/include location.

Users of ldap commands should note that the common options -h and -p on ldap commands have been deprecated since OpenLDAP 2.4 and were officially removed in 2.6. Currently a reprieve has been put in place to accept both options and display a warning if used with remediation advice to use ‘-H URI‘. The warning can be disabled if the environment variable LDAP_OPT_REPRIEVE is set. Beware though that a future update will remove those options or, worse, repurpose them! Stop using them now and modify your scripts.

Where openldap is being used to provide an LDAP service, transitional requirements must be completed both prior to and after booting into the new Boot Environment (BE). See the openldap-transition.org file for required steps to migrate an OpenLDAP server.

mDNS implementation replaced with Avahi 0.8

The multicast DNS/zeroconf implementation included in the previous release, which was originally based on a port of Apple’s Bonjour software, has been replaced by Avahi version 0.8. The Avahi related services are in pkg:/system/network/avahi and pkg:/system/network/avahi/gui.

Ansible added

The basic Ansible command set was delivered and the basic configuration allowing admins to use it straight away but also pull in Ansible community resources. The package name is pkg:/system/management/ansible-core.

Puppet changes

This release upgrades puppet from version 5.5.21 to 7.27.0. This includes marking the system/management/puppet-master package as obsolete so it will be removed on upgrade, as it no longer supports Solaris in Puppet 6 and later releases. See Puppet 6 on Oracle Solaris 11.4 for more information.

Unbound added

Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. It’s now available in the Solaris package repo as service/network/unbound.

Memory Reservation for OSM

On some more heavily loaded systems that experience memory contention or sufficiently fragmented memory, it can be difficult for an administrator to guarantee that critical database workloads can allocate the memory they need to start or restart. To combat this issue, a new SMF service instance was introduced to facilitate the use of Memory Reservation Pools (MRPs) allowing memory to be reserved at boot time for later use by OSM memory allocations.

The new SMF instance of svc:/system/memory-reserve:osm was introduced with properties for a Solaris administrator to configure the MRP in the global zone. The instance is disabled by default. The available properties are documents in the memory-reserve(8s) man page.

Comments for reboot(8), halt(8), and poweroff(8)

This release added a -c flag to reboot(8), halt(8), and poweroff(8) to specify a comment giving a reason for the reboot or shutdown. The comment is added to the shutdown record in the wtmpx file, so it can be seen later by running last(1). If a kernel core dump is being generated, the comment will also be recorded in the core so it can be reported by ::status in mdb(1).

SMF audit records added to admhist(8)

The admhist(8) command now also includes SMF audit records in its output.

Obsolesence of rdate(8) and in.timed(8)

rdate(8) is a client of the in.timed(8) server. These programs use the protocol defined in IETF RFC 868 to communicate the current time from server to client. The protocol represents the current time as an unsigned 32-bit number of seconds since January 1, 1900, and thus will suffer from integer overflow in February 2036.

Since this protocol is not widely used, is disabled by default, and NTP provides a much better alternative, we updated the man pages to mark these Obsolete and unusable past the end of their epoch, and to recommend sites use NTP instead.

Virtualization Features

Hosting environment information in zones

Solaris now propagates hostname and system serial number information from the hosting environment in to the solaris(7) and solaris-kz(7) branded zones it hosts. virtinfo(8) now prints the hosting instance host name and serial number using the “virtinfo get all” command. For further details, see the v12n(3EXT) man page and virtinfo enhancements for Solaris Zones.

New Options for Live Zone Reconfiguration for Kernel Zones

Live zone reconfiguration (LZR) already allows users to change a configuration of many aspects of running zones without the need to reboot those zones. This release adds the ability to change the amount of memory and the CPU bindings for live kernel zones.

For more information see Changing memory size of running Solaris Kernel Zones, Kernel Zone Live Reconfiguration for existing CPU pool binding, and Live Zone Reconfiguration of Kernel Zones.

Live storage migration for Kernel Zones

The zones(7) framework was enhanced to move storage of a running Kernel Zone (KZ) instance from a full set of devices (disks) comprising its root zpool to a new set of disks, in a single step, thus automating live storage migration. The existing zoneadm(8) move subcommand is used. In previous releases, the subcommand only supported installed solaris(7) and solaris10(7) branded zones. For more information, see Live storage migration for Solaris Kernel Zones in a single step and the solaris-kz(7) and zoneadm(8) manual pages.

Non-global zone init(8) and zsched given virtual PIDs 1 and 0

Inside a non-global zone, the process id for the zone’s zsched process is now reported as 0, and the process id for the zone’s init(8) process is now reported as 1. Their process ids remain unchanged when seen from the global zone. This helps with software that checks for a parent process id of 1 to determine if its parent has exited, since we reparent such processes to the non-global zone’s instance of init instead of the global zone instance since Solaris 11.4.66.

zoneadm(8) log subcommand

This release adds the log subcommand to zoneadm(8). This allows users to view the contents of the log files in the zones. Users delegated the manage RBAC authorization for a zone can view the logs even if they are restricted to root users in the zone. The zoneadm(8) man page was updated with more information.

zlogin support for ~Ctrl-Z to suspend itself

You can now type ~ followed by Ctrl-Z to suspend a zlogin command and return to the shell it was started from, much like ssh(1). The ~? sequence was also added to display the available escape sequences. Additionally, “-e none” is now the same as “-E” (no escape character) instead of accepting it as the useless “-e n”.

Other Changes

Other notable FOSS Updates

ImageMagick has been upgraded from the legacy version 6 branch to the current version 7 branch. This delivers a single /usr/bin/magick command that replaces all the individual commands in the previous version, such as /usr/bin/convert and /usr/bin/identify. For compatibility, the package delivers symlinks from the old command paths to /usr/bin/magick, but using those will display a deprecation warning suggesting you convert to using the magick command instead.

The PSUtils package provided a number of utilities for manipulating Postscript files, but has been abandoned by the original author for a while now. In this release, it has been replaced by a new version from a new author, which adds PDF support among other changes. Some previous utilities, like psmerge to merge Postscript files, are no longer included.

The previous release included version 2 of the Snort open source network intrusion prevention and detection system (IDS). Snort version 3 requires the LuaJIT language which does not support SPARC CPUs, so we marked the snort package obsolete, and are providing the Suricata package as a replacement. Suricata documentation can be found at https://docs.suricata.io/en/suricata-7.0.8/, including information on converting configuration from snort.conf to suricata.yaml.

Man page improvements

In addition to documenting the changes listed above, the man pages in this release include a number of other updates, including:

• Async-Signal-Safe attributes were added to the man pages for more system calls and libc functions.
• Internationalization man pages: added information about which sets of interfaces are currently recommended (the gettext family) and which are provided mainly for backwards compatibility with older standards such as SVID and older X/Open standards (the gettxt and catgets families).
• SVR4 packaging man pages: provided information about IPS replacements that should be used instead on Solaris 11.
• System Attributes are now summarized in the new sysattr(7) man page, and their effects are documented on the individual system call man pages.
• TCP/IP man pages: improved integration of IPv6 replacements for IPv4 functionality.
• History sections added to many pages, including getconf(1), fcntl(2), fpathconf(2), confstr(3c), sysconf(3c), limits.h(3head), libc(3lib), proc(5), filesystem(7), and zfs(8).
• Intro(2) discussion of file descriptors has been expanded and updated, and the description of various errors has been improved.
• string(3c) has been split up into separate man pages for specific function families: strcat(3c), strchr(3c), strcmp(3c), strdup(3c), strlen(3c), and strtok(3c). string(3c) continues to provide an overview of string handling functionality in libc.
• stat.h(3head) better describes the macros defined in this header and adds an example of how to (and not to) use them.
• shadow(5) added information on the special values of the password field: *LK*, *AL*, NP, and UP.
• filesystem(7) added descriptions of more filesystem entries.
• luxadm(7) added to document the modern commands that replace the old luxadm(8) command for fibre channel storage configuration.
• scale(7) added to document the --scale option accepted by many Solaris commands to produce numeric output in more human readable format, by scaling the value and adding a scale suffix (K, M, G, T, etc.).
• in.timed(8) & rdate(8) have added warnings that RFC 868’s 32-bit unsigned int protocol runs out of time on Feb. 7, 2036 and that admins should configure NTP instead.
• nscd(8) has added more examples for configuring it.

Preparation for Upcoming Releases

The following are a subset of the removals planned for future releases. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

Migration from older versions to MySQL 8.4

This release adds packages for versions 8.0 and 8.4 of the MySQL database and obsoletes the previously packaged version 5.7. Upstream support for MySQL 8.0 is scheduled to end in April 2026 and it is planned for removal in a future release. Administrators of older MySQL databases should follow the instructions in MySQL 8.4 Reference Manual: Upgrading MySQL to migrate their databases to version 8.4.

Migration from PCRE to PCRE2

This release provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of releases. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.

Migration from DSA to newer SSH key types

This release provides OpenSSH 9.6. We plan to migrate to OpenSSH 10 in a future release. OpenSSH 10 has completely removed support for the DSA signature algorithm, which is available, but disabled by default in OpenSSH 7 through 9 releases.

Users relying on ssh-dss keys for passwordless logins should set up keys using newer algorithms now, before updating to a release that removes support for DSA keys. For connections to machines running SunSSH on Solaris 11.3 or older, an ssh-rsa key will be required.