Wednesday Jun 08, 2011

ZFS zpool and file system version numbers and features

Often enough I have had to check the version of a ZFS pool or file system. Sometimes I am curious in which release a specific feature was delivered. So I imagine this could be useful for others. (Updated 21 Feb 2012 for Solaris 10 8/11 and Solaris 11.)

One note is that ZFS versions are backward compatible, which means that a kernel with a newer version can import an older version. The reverse is not true. So it is important to know the oldest kernel version you might want to attach a pool to, and to make sure you don't upgrade your pool or file system to something newer than that kernel supports. This table may help with that as well.

Note: This table is sorted by pool version, then file system version. The availability dates of the releases are not chronological, as a feature delivered in a version of Solaris 11 may be delivered in a later Solaris 10 update.

Each entry gives the release it was delivered in, the zpool version, the zfs version, the features, and any comments.

Delivered in: Solaris 11 11/11 | zpool version: 33 | zfs version: 5
Features:
  • Encryption
  • Label support for Trusted Extensions

Delivered in: Solaris 11 Express 2010.11 | zpool version: 31 | zfs version: 5
Features:
  • deduplication
  • diff for snapshots
  • read-only pool import
  • pool import with missing log device

Delivered in: Solaris 10 8/11 | zpool version: 29 | zfs version: 5
Features:
  • ZFS installation with Flash Archives (not really a ZFS feature)
  • ZFS send will include file system properties
  • ZFS diff
  • Pool import with missing log device
  • Pool import as read-only
  • Synchronous writes
  • ACL improvements
  • Improvements in pool messages

Delivered in: Solaris 10 9/10 | zpool version: 22 | zfs version: 4
Features:
  • triple parity RAID-Z (raidz3)
  • logbias property
  • pool recovery
  • mirror splitting
  • device replacement enhancements
  • ZFS system process

Delivered in: Solaris 10 10/09 | zpool version: 10 | zfs version: 3
Features:
  • ZFS with flash installation
  • user and group quotas
  • ZFS cache devices (L2ARC)
  • set ZFS properties at file system creation
  • primarycache and secondarycache properties
  • log device recovery

Delivered in: Solaris 10 5/09 | zpool version: 10 | zfs version: 3
Features:
  • zone clone creates ZFS clone

Delivered in: Solaris 10 10/08 | zpool version: 10 | zfs version: 3
Features:
  • separate ZIL log devices
  • ZFS boot/root file system
  • zone on ZFS
  • recursive snapshot renaming
  • snapshot rollback improvements
  • snapshot send improvements
  • gzip compression
  • multiple user data copies
  • quotas and reservations can exclude snapshots/clones
  • failure mode options
  • ZFS upgrade option
  • delegated administration
Comments: In Solaris 10 10/08 and later, zpool and zfs have the version option. It shows the version of the pool or file system, even if it is an older ZFS pool.

Delivered in: Solaris 10 5/08 | zpool version: 4 | zfs version: 1
Comments: Pool version determined using zdb(1M) on Solaris 10 5/08

Delivered in: Solaris 10 8/07 | zpool version: 4 | zfs version: 1
Features:
  • iSCSI support
  • zpool history
  • ability to set properties when creating file system
Comments: Pool version determined using zdb(1M) on Solaris 10 8/07

Delivered in: Solaris 10 11/06 | zpool version: 3 | zfs version: 1
Features:
  • recursive snapshots
  • double parity RAID-Z (raidz2)
  • clone promotion
Comments: Pool version determined using zdb(1M) on Solaris 10 11/06

Delivered in: Solaris 10 6/06 | zpool version: 2 | zfs version: 1
Features:
  • pool upgrade
  • restore of destroyed pool
  • integration into Solaris FMA
  • file system monitoring (fsstat)
Comments: Initial release of ZFS in Solaris 10. Pool version determined using zdb(1M) on Solaris 10 6/06

The details of all the ZFS features introduced in the Solaris 10 updates are listed in Chapter 1 of the ZFS Administration Guide and for Solaris 11 Express in its ZFS Administration Guide.

Hope this helps!

Steffen

Tuesday Nov 23, 2010

Getting GDM to work on text Solaris 11 Express 2010.11 installs

One of the features of Solaris 11 Express is to install into a ZFS pool, which allows updates to be easily managed using ZFS snapshots and clones. The LiveCD install, however, does not offer the option to save space for another ZFS pool. I prefer to have a separate pool for data, even on my single-disk laptop. The only way to do that, as far as I can tell, is to install using the text installer. One side effect of the text installer is that it does not install everything necessary to run a GUI desktop, which is very handy on a laptop.

Thanks to some replies to an internal question I posted, there is a relatively easy way to add the necessary packages to allow GDM and related tools to work. I have used these steps several times, and this writeup describes them.

The initial text-based install put 494 packages on the system (the count below includes the header line of the pkg list output).

Solaris 11 Express 2010.11# pkg list | wc -l
495
Solaris 11 Express 2010.11# pkg list | head
NAME (PUBLISHER)                              VERSION         STATE      UFOXI
SUNWcs                                        0.5.11-0.151.0.1 installed  -----
SUNWcsd                                       0.5.11-0.151.0.1 installed  -----
archiver/gnu-tar                              1.23-0.151.0.1  installed  -----
compress/bzip2                                1.0.6-0.151.0.1 installed  -----
compress/gzip                                 1.3.5-0.151.0.1 installed  -----
compress/p7zip                                4.55-0.151.0.1  installed  -----
compress/unzip                                5.53.7-0.151.0.1 installed  -----
compress/zip                                  2.32-0.151.0.1  installed  -----
consolidation/SunVTS/SunVTS-incorporation     0.5.11-0.151.0.1 installed  -----

To add the required packages to the system, the slim_install package has to be added. This adds an additional 390 packages to the system.

Solaris 11 Express 2010.11# pkg install slim_install
               Packages to install:   390
           Create boot environment:    No
               Services to restart:    10
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              390/390 42204/42204  410.5/410.5

PHASE                                        ACTIONS
Install Phase                            67952/67952

PHASE                                          ITEMS
Package State Update Phase                   390/390
Image State Update Phase                         2/2

After this, I did a reboot, just to make sure. Then I uninstalled the slim_install package, which removed only that one. The other 389 packages must have been dependencies of slim_install.

Solaris 11 Express 2010.11# pkg uninstall slim_install
                Packages to remove:     1
           Create boot environment:    No
PHASE                                        ACTIONS
Removal Phase                                828/828

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2

Once I enable GDM, the screen shows some activity and shortly I have the familiar GUI login prompt.

Solaris 11 Express 2010.11# svcs gdm
STATE          STIME    FMRI
disabled       12:26:40 svc:/application/graphical-login/gdm:default

Solaris 11 Express 2010.11# svcadm enable gdm

Solaris 11 Express 2010.11# svcs gdm
STATE          STIME    FMRI
online         12:38:11 svc:/application/graphical-login/gdm:default

I hope this helps others. I certainly know where to look when I have to do this again!

Steffen

[Updated 2010.11.23]

First, I'd like to acknowledge Keith Mitchell who provided me with the suggestion to do the install and uninstall of the slim_install package.

Second, in the process of checking in with Keith, he suggested taking care when doing the above operations while logged in on the console. If you leave yourself logged in at the console when GDM starts, there is a small possibility of certain devices not being configured properly when logging into GNOME, due to how logindevperm works. Suggestions include:

svcadm enable gdm && exit

or

svcadm enable gdm; exit

I did this remotely, at least the most recent time, to capture the output for this blog. I did not notice any effects when I had done this the first time on a different system; however, I might have rebooted at that point anyway.

Thanks again to Keith for his tips!

Friday Oct 15, 2010

New privilege added to the 'basic' Least Privilege set

Oracle Solaris 10 9/10 (update 9) has added another privilege to the basic set of privileges, the set that all unprivileged (non-root) users have by default.

With Least Privilege, a non-root process by default has the ability to get process information, create and delete files, fork and exec, and now, as a separate privilege, open TCP or UDP end points. The ppriv(1) command prints the list of privileges.

Solaris 10 9/10# ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session
net_access

A verbose listing includes basic descriptions, which are also found in privileges(5).

Solaris 10 9/10# ppriv -lv basic
file_link_any
       Allows a process to create hardlinks to files owned by a uid
       different from the process' effective uid.
proc_exec
       Allows a process to call execve().
proc_fork
       Allows a process to call fork1()/forkall()/vfork()
proc_info
       Allows a process to examine the status of processes other
       than those it can send signals to.  Processes which cannot
       be examined cannot be seen in /proc and appear not to exist.
proc_session
       Allows a process to send signals or trace processes outside its
       session.
net_access
       Allows a process to open a TCP or UDP network endpoint.

With the addition of the net_access privilege, it is now possible to prevent a process from creating sockets and network end points, isolating the process from the network. By default, processes have this privilege, so any action would be to remove it.

To demonstrate this I am using the ppriv command to limit the privileges of a command and see with the debug flag what is happening.

Even as an unprivileged user I can see if a specific IP address is in use with the ping command. So let's see what happens when I don't have the net_access privilege. I am doing this as a basic user.

Solaris 10 9/10$ ppriv -D -s I-net_access -e /usr/sbin/ping 172.16.1.1
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5) 
   for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1

Since I am forking a process with the -e option, I limit the I (inheritable) privilege set by removing net_access from it. The debug output shows that it's net_access that is missing, and it happens three times.

To see how it would look with the privilege, I run the same command with the basic set inherited.

Solaris 10 9/10$ ppriv -D -s I=basic -e /usr/sbin/ping 172.16.1.1
172.16.1.1 is alive 

Everything worked, and there was no debug output.

It's a good idea to use predefined sets such as basic, so that changes in the set don't affect scripts in the future.
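
Added example, not part of the original post: debug output from ppriv -D, like the ping run above, can be tallied to see which privileges a command was denied before deciding what a restricted set must keep. The function names are made up for illustration, and the cat/file_dac_read line in the sample is constructed; the ping lines are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the original post: tally privilege denials found
# in captured `ppriv -D` debug output (read from stdin).
# Output per line: <command> <privilege> <object or -> <count>, sorted.
summarize_missing_privs() {
    awk '
    function flush(   q, cmd, obj) {
        if (rec == "") return
        cmd = substr(rec, 1, index(rec, "[") - 1)
        split(rec, q, "\"")       # q[2] = privilege, q[4] = object if present
        obj = (index(rec, " for \"") > 0) ? q[4] : "-"
        count[cmd " " q[2] " " obj]++
        rec = ""
    }
    # A record may wrap; continuation lines start with whitespace.
    /^[ \t]/ { if (rec != "") { sub(/^[ \t]+/, ""); rec = rec " " $0 }; next }
    { flush() }
    /^[^ \t]+\[[0-9]+\]: missing privilege "/ { rec = $0 }
    END { flush(); for (k in count) print k, count[k] }
    ' | sort
}

# Comma-separated list of distinct privileges denied to command $1.
denied_privs() {
    summarize_missing_privs | awk -v c="$1" '
    $1 == c && !seen[$2]++ { printf "%s%s", sep, $2; sep = "," }
    END { print "" }'
}

# Sample input: the ping lines are the output shown in the post; the cat
# line is constructed to show a second command and a record without "for".
sample_debug_output() {
    cat <<'EOF'
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
ping[14942]: missing privilege "net_access" (euid = 1001, syscall = 5)
   for "devpolicy" needed at spec_open+0xd0
/usr/sbin/ping: unknown host 172.16.1.1
cat[2001]: missing privilege "file_dac_read" (euid = 1001, syscall = 225) needed at ufs_iaccess+0xd2
EOF
}

sample_debug_output | summarize_missing_privs
```

The three identical ping records collapse into one line with a count of 3, and the program's own error message is ignored.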

Steffen
