Tuesday Apr 08, 2014

Tech Article: Building a Cloud-Based Data Center - Part 1

Tech Article: Building a Cloud-Based Data Center - Part 1 by Ron Larson and Richard Friedman
This article discusses the factors to consider when building a cloud,
the cloud capabilities offered by Oracle Solaris 11, and the structure of Oracle Solaris Remote Lab, an Oracle implementation of an Oracle Solaris 11 cloud. 

Topics included in this article:

Why a Cloud? And Why Oracle Solaris 11?
Cloud Benefits—Solving Business Needs
The Cloud as Multitier Data Center Virtualization
OS Virtualization with Oracle Solaris Zones
The Cloud as a Service
Choosing the Virtualization Model That Fits
Advantages of Creating a Cloud Using Oracle Solaris Zones
Oracle Solaris Remote Lab—An Overview

This is the first in a series of articles that show how to build a cloud with Oracle Solaris 11.
In our next article, we take a look at how Oracle Solaris 11 provides data security for Oracle Solaris Remote Lab.


Sunday Dec 29, 2013

Presentations from Oracle & ilOUG Solaris Forum meeting, Dec 18th, Tel-Aviv

Thank you for attending the Israel Oracle User Group (ilOUG) Solaris Forum meeting on Wednesday. I am posting here presentations from the event. I am also pointing you to the dim_STAT tool, if you are looking for a powerful monitoring solution for Solaris systems.
The event was reasonably well attended with 20 people from various companies.

The meeting was broken up into two sections: presentations about Solaris eco system, Solaris as a big data platform with Hadoop as a use case; and comparison between Oracle Solaris and Linux and a customer use-case of Peta-scale data migration using Solaris ZFS.

I am posting here responses and links for the topics that came up during the evening:
During the meeting the participants asked us, “how can we verify if an application which is running in Solaris 10 will run smoothly in Solaris 11 and how to build an application that will able to leverage the new SPARC CPUs”.
For this task you can use the Oracle Solaris Preflight Applications Checker which enables you to determine the Oracle Solaris 11 “readiness” of an application by analyzing a working application on Oracle Solaris 10.
A successful check with this tool is a strong indicator that an ISV may run a given application without modifications on Oracle Solaris 11.
In addition, you can analyze and improve the application performance during the development phase using Oracle Solaris Studio 12.3

Another useful tool for performance analysis is the Solaris DTrace. You can leverage the DTrace Toolkit which is a collection of ~200 scripts that help troubleshoot problems on a system. You can find the latest version of these scripts from /usr/demo/dtrace in Oracle Solaris 11.
Another topic that came up was, “How to accelerate application deployment time by using pre-built Solaris images”.
For this task, you can use Oracle VM Templates which provide an innovative approach to deploying a fully configured software stack by offering per-installed and per-configured software images.
Use of Oracle VM Templates eliminates the installation and configuration costs, and reduces the ongoing maintenance costs, thus helping organizations achieve faster time to market and lower cost of operations.

During the Solaris vs Linux comparison presentation, the topic that received the most attention from the audience was, “ What are the benefits of Oracle Solaris ZFS versus Linux btrfs?” 
In addition to the link above, here is a link to COMSTAR which is a Solaris storage virtualization technology.
Common Multiprotocol SCSI Target, or COMSTAR, a software framework that enables you to convert any Oracle Solaris 11 host into a SCSI target device that can be accessed over a storage network by initiator hosts.

In the final section of the meeting, Haim Tzadok from Oracle partner Grigale and Avi Avraham from Walla presented together the customer use case of Peta-scale data migration using Oracle Solaris ZFS.
Walla is one of the most popular web portals in Israel with an unlimited storage for email accounts.
Walla uses Solaris ZFS for their Mail server storage, the ZFS feature that allows them to reduce storage cost and improve DISK I/O performance is the ZFS ability to change the block size (4 KB up-to 1 MB) when creating the file system.
Like many Mail systems you have many small files and by using the Solaris ZFS ability to change to the ZFS default block size you can optimize your storage subsystem and align it to application (Mail server).
The final result is DISK I/O performance improvement without the need to invest extra budget in superfluous storage hardware.
For more information about ZFS block size
A big thank-you to the participants for the engaged discussions and to ilOUG for a great event!
Register to ilOUG and get the latest updates.







Tuesday Dec 17, 2013

Performance Analysis in a Multitenant Cloud Environment Using Hadoop Cluster and Oracle Solaris 11

Oracle Solaris 11 comes with a new set of commands that provide the ability to conduct
performance analysis in a virtualized multitenant cloud environment. Performance analysis in a
virtualized multitenant cloud environment with different users running various workloads can be a
challenging task for the following reasons:

Each virtualization software adds an abstraction layer to enable better manageability. Although this makes it much simpler to manage the virtualized resources, it is very difficult to find the physical system resources that are overloaded.

Each Oracle Solaris Zone can have different workload; it can be disk I/O, network I/O, CPU, memory, or combination of these.

In addition, a single Oracle Solaris Zone can overload the entire system resources.It is very difficult to observe the environment; you need to be able to monitor the environment from the top level to see all the virtual instances (non-global zones) in real time with the ability to drill down to specific resources.


The benefits of using Oracle Solaris 11 for virtualized performance analysis are:

Observability. The Oracle Solaris global zone is a fully functioning operating systems, not a propriety hypervisor or a minimized operating system that lacks the ability to observe the entire environment—including the host and the VMs, at the same time. The global zone can see all the non-global zones’ performance metrics.

Integration. All the subsystems are built inside the same operating system. For example, the ZFS file system and the Oracle Solaris Zones virtualization technology are integrated together. This is preferable to mixing many vendors’ technology, which causes a lack of integration between the different operating system (OS) subsystems and makes it very difficult to analyze all the different OS subsystems at the same time.

Virtualization awareness. The built-in Oracle Solaris commands are virtualization-aware,and they can provide performance statistics for the entire system (the Oracle Solaris global zone). In addition to providing the ability to
drill down into every resource (Oracle Solaris non-global zones), these commands provide accurate results during the performance analysis process.

In this article, we are going to explore four examples that show how we can monitor virtualized environment with Oracle Solaris Zones using the built-in Oracle Solaris 11 tools. These tools provide the ability to drill down to specific resources, for example, CPU, memory, disk, and network. In addition, they provide the ability to print statistics per Oracle Solaris Zone and provide information on the running applications.


Read it 
Article: Performance Analysis in a Multitenant Cloud Environment

Monday Dec 09, 2013

Presentations from Oracle Week 2013

Thanks for attending the Oracle week 2013, the largest paid IT event in Israel with 140 technical seminars and 1800 participants.


Source

Oracle ISV Enginerring ran two seminars Built for Cloud: Virtualization Use Cases and Technologies in Oracle Solaris 11 with two Oracle partners Grigale and 4NET Plus and Hadoop Cluster Installation and Administration – Hands on Workshop

I am posting here presentations and link to the Hadoop hands-on lab, for further reading on Hadoop and Oracle Solaris.

A big thank-you to the participants for the engaged discussions and to the organizers from John Bryce especially Yael Dotan and Yaara Raz for a great event!












Tuesday Oct 22, 2013

How to Set Up a Hadoop Cluster Using Oracle Solaris (Hands-On Lab)


Oracle Technology Network (OTN) published the "How to Set Up a Hadoop Cluster Using Oracle Solaris" OOW 2013 Hands-On Lab.
This hands-on lab presents exercises that demonstrate how to set up an Apache Hadoop cluster using Oracle Solaris
11 technologies such as Oracle Solaris Zones, ZFS, and network virtualization. Key topics include the Hadoop Distributed File System
(HDFS) and the Hadoop MapReduce programming model.
We will also cover the Hadoop installation process and the cluster building blocks:
NameNode, a secondary NameNode, and DataNodes. In addition, you will see how you can combine the Oracle Solaris 11 technologies for better
scalability and data security, and you will learn how to load data into the Hadoop cluster and run a MapReduce job.

Summary of Lab Exercises
This hands-on lab consists of 13 exercises covering various Oracle Solaris and Apache Hadoop technologies:
    Install Hadoop.
    Edit the Hadoop configuration files.
    Configure the Network Time Protocol.
    Create the virtual network interfaces (VNICs).
    Create the NameNode and the secondary NameNode zones.
    Set up the DataNode zones.
    Configure the NameNode.
    Set up SSH.
    Format HDFS from the NameNode.
    Start the Hadoop cluster.
    Run a MapReduce job.
    Secure data at rest using ZFS encryption.
    Use Oracle Solaris DTrace for performance monitoring.
 

Read it now

Thursday Sep 12, 2013

Solaris 11 Integrated Load Balancer Hands on Lab at Oracle Open World 2013

Oracle Solaris 11 offers a new feature called the Integrated Load Balancer (ILB). To find out more on this capability, and how to set up and configure ILB from scratch join a hands on lab I'm hosting at the Oracle Open World 2013 called  Oracle Solaris Integrated Load Balancer in 60 Minutes [HOL10181]

Open World Logo


The objective of this lab is to demonstrate how Oracle Solaris Integrated Load Balancer (ILB) provides an easy and fast way of deploying a load balancing system. Various Solaris 11 technologies such as Zones, ZFS and Networking Virtualization are used in order to create a virtual "data center " in the box in order to test different load balancing scenarios.

During this session, you are going to configure and use ILB inside an Oracle Solaris Zone, to balance the load towards three Apache Tomcat web servers running a simple Java Server Page (JSP) application specially developed for this lab.

Register Now

Tuesday Sep 10, 2013

The Network is the Computer -still

In 1984, John Gage was able to predict the future of computing with the phrase, "the network is the computer". In his visionary mind, he saw how computer networks would accelerate the capability of every device
that will be connected into the network.  Can you imagine iPhone without app-store? or web search without Google? It goes on and on...

Another aspect of this prediction is the ability of the network infrastructure to connect many systems together in order to become a huge computing environment - as we are seeing with the Cloud computing model.

As the system's hardware is more powerful in terms of CPU,  "In-Memory" capability, and advanced operating system virtualization, we see that most of the physical network infrastructure can be
"virtualized" using software without negligible performance degradation.

An excellent example of this capability is the Oracle Solaris 11 Network Virtualization. This allows us to build any physical network topology inside the Oracle Solaris Operating System including virtual network interface cards (VNICs), virtual switches (vSwitches), and more sophisticated network components (for example, load balancers, routers, and firewalls).

The benefits for using this networking technology are exemplified in reducing infrastructure cost since there is no need to invest in additional network equipment.

In addition, the infrastructure deployment is much faster, since all the network building blocks are based on software and not in hardware.

Although we have the flexibility in building rapid network infrastructure, we also need to be able to monitor, benchmark and predict  future growth, so how we can do this?

In the upcoming white paper this is demonstrated using three main use cases: how we can analyze, benchmark and monitor our physical and virtualized network environment.  In addition, we can demonstrate the benefits of using the built in Solaris 11 Networking Tools.

For further reading see  "Advanced Network Monitoring Using Oracle Solaris 11 Tools"



Thursday Aug 22, 2013

Hadoop Cluster with Oracle Solaris Hands on Lab at Oracle Open WORLD 2013

If you want to learn how-to build a Hadoop cluster using Solaris 11 technologies please join me at the following Oracle Open WORLD 2013 lab.
How to Set Up a Hadoop Cluster with Oracle Solaris [HOL10182]



In this Hands-on-Lab we will preset and demonstrate using exercises how to set up a Hadoop cluster Using Oracle Solaris 11 technologies like: Zones, ZFS, DTrace  and Network Virtualization.
Key topics include the Hadoop Distributed File System and MapReduce.
We will also cover the Hadoop installation process and the cluster building blocks: NameNode, a secondary NameNode, and DataNodes.
In addition how we can combine the Oracle Solaris 11 technologies for better scalability and data security.
During the lab users will learn how to load data into the Hadoop cluster and run Map-Reduce job.
This hands-on training lab is for system administrators and others responsible for managing Apache Hadoop clusters in production or development environments.

This Lab will cover the following topics:

    1. How to install Hadoop

    2. Edit the Hadoop configuration files

    3. Configure the Network Time Protocol

    4. Create the Virtual Network Interfaces

    5. Create the NameNode and the Secondary NameNode Zones

    6. Configure the NameNode

    7. Set Up SSH between the Hadoop cluster member

    8. Format the HDFS File System

    9. Start the Hadoop Cluster

   10. Run a MapReduce Job

   11. How to secure data at rest using ZFS encryption

   12. Performance monitoring using Solaris DTrace

Register Now


Monday Jul 08, 2013

Oracle SPARC Software on Silicon

This past week (1-July-2013) Oracle ISV Engineering participated in the Oracle Technology Day, one of the largest IT event in Israel with over 1,000 participants.
During the event Oracle showed the latest technology including the Oracle Database 12c and the new SPARC T5 CPU



Angelo Rajadurai presented the new SPARC T5 CPU and covered the latest features of this technology.




The topics that Angelo presented were:

The SPARC T5 CPU architecture is unique in terms of how it can handle multi-thread workload in addition to very good single thread performance.
When Oracle switched from 40 nanometer technology to a 28 nanometer, the T5 performance doubled; for example :
16 cores versus 8 cores on the T4 – doubled the throughput of this CPU.

Doubled the number of memory links, from 2 in the T4 into 4 on the T5, Each memory link is 12 lanes southbound and 12 lanes northbound and operates at 12.8 Gb/sec.

The I/O subsystem use PCI Express Rev 3 vs Rev 2 on the previous model, which means that we doubled the I/O bandwidth also!

New coherency protocol (e.g. directory-based) which allows near linear fashion from one to eight sockets as well there are seven coherence links, each with 12 lanes in each direction running at 153.6 Gb/sec.

Sixteen cryptography units per SPARC T5 processor.

In addition we increased the CPU clock from 3GHz to 3.6 GHz which improves single thread performance by ~20% without any code modification.

Another CPU capability of the SPARC T5 CPU is the ability to change the core behavior based on the workload.
For example: if the Solaris operating system recognizes that the workload is single threaded, it can change automatically the core characteristic for a single thread performance.
If needed the user can change the core behavior manually.

SPARC T5 brings all of these great features with the same pricing model so the new SPARC T5 servers double your price/performance metric.
No wonder that this server won so many world records

Oracle is the only vendor that published Public CPU roadmap for their future CPUs, and delivered it before time !



Oracle used the SPARC T5 servers as a building block for the Oracle SuperCluster T5-8 which is Oracle’s fastest engineered system.
Combining powerful virtualization and unique Exadata and Exalogic optimizations

You can use the Oracle SuperCluster T5-8 in order to run the most demanding Enterprise applications.



Although the SPARC T5 doubled the performance, we're approaching the limit of physics and we need to think about new approaches for CPU performance acceleration.

The technology that will allow us to keep doubling the performance every two years is the “Software on Silicon” CPU technology.
This technology will run CPU intensive instruction inside the CPU versus in software so it can accelerate the workload performance by order of magnitude.

The first implementation of the “Software on Silicon” is the the Encryption Accelerator.
This intrinsic CPU capability allows us to accelerate the most common bulk encryption ciphers like AES and DES. 
SPARC T5 also supports asymmetric key exchange with RSA and ECC and authentication or hash functions like SHA and MD5.

This built in encryption capability provides end-to-end data center encryption without the performance penalty usually associated with a multi layer data protection.

During our performance encryption benchmarks,we saw negligibly performance overhead when running the same workload using the CPU encryption accelerator (<5%). 

Potentially, we can use the “Software on Silicon” concept and implement it for other CPU intensive tasks such as :

Java acceleration
Database Query
Compression
Cluster Interconnect
Application Data Protection



See Angelo's presentation here


Conclusion - In this post, we described Oracle has improved the SPARC T5 performance in the CPU subsystem ,I/O and coherency capabilities.
In addition, we took a look at what are the possible future plans for the “Silicon on software” CPU technology.


Monday Jun 24, 2013

How to Set Up a MongoDB NoSQL Cluster Using Oracle Solaris Zones

This article starts with a brief overview of MongoDB and follows with an example of setting up a MongoDB three nodes cluster using Oracle Solaris Zones.
The following are benefits of using Oracle Solaris for a MongoDB cluster:

• You can add new MongoDB hosts to the cluster in minutes instead of hours using the zone cloning feature. Using Oracle Solaris Zones, you can easily scale out your MongoDB cluster.
• In case there is a user error or software error, the Service Management Facility ensures the high availability of each cluster member and ensures that MongoDB replication failover will occur only as a last resort.
• You can discover performance issues in minutes versus days by using DTrace, which provides increased operating system observability. DTrace provides a holistic performance overview of the operating system and allows deep performance analysis through cooperation with the built-in MongoDB tools.
ZFS built-in compression provides optimized disk I/O utilization for better I/O performance.
In the example presented in this article, all the MongoDB cluster building blocks will be installed using the Oracle Solaris Zones, Service Management Facility, ZFS, and network virtualization technologies.

Figure 1 shows the architecture:


Friday Jun 14, 2013

Public Cloud Security Anti Spoofing Protection

This past week (9-Jun-2013) Oracle ISV Engineering participated in the IGT cloud meetup, the largest cloud community in Israel with 4,000 registered members.
During the meetup, ISV Engineering presented two presentations: 

Introduction to Oracle Cloud Infrastructure presented by Frederic Pariente
Use case : Cloud Security Design and Implementation presented by me 
In addition, there was a partner presentation from ECI Telecom
Using Oracle Solaris11 Technologies for Building ECI R&D and Product Private Clouds presented by Mark Markman from ECI Telecom 
The Solaris 11 feature that received the most attention from the audience was the new Solaris 11 network virtualization technology.
The Solaris 11 network virtualization allows us to build any physical network topology inside the Solaris operating system including virtual network cards (VNICs), virtual switches (vSwitch), and more sophisticated network components (e.g. load balancers, routers and fire-walls).
The benefits for using this technology are in reducing infrastructure cost since there is no need to invest in superfluous network equipment. In addition the infrastructure deployment is much faster, since all the network building blocks are based on software and not in hardware. 
One of the key features of this network virtualization technology is the Data Link Protection. With this capability we can provide the flexibility that our partners need in a cloud environment and allow them root account access from inside the Solaris zone. Although we disabled their ability to create spoofing attack  by sending outgoing packets with a different source IP or MAC address and packets which aren't types of IPv4, IPv6, and ARP.

The following example demonstrates how to enable this feature:
Create the virtual VNIC (in a further step, we will associate this VNIC with the Solaris zone):

# dladm create-vnic -l net0 vnic0

Setup the Solaris zone:
# zonecfg -z secure-zone
Use 'create' to begin configuring a new zone:
zonecfg:secure-zone> create
create: Using system default template 'SYSdefault'
zonecfg:secure-zone> set zonepath=/zones/secure-zone
zonecfg:secure-zone> add net
zonecfg:secure-zone:net> set physical=vnic0
zonecfg:secure-zone:net> end
zonecfg:secure-zone> verify
zonecfg:secure-zone> commit
zonecfg:secure-zone> exit

Install the zone:
# zoneadm -z secure-zone install
Boot the zone: # zoneadm -z secure-zone boot
Log In to the zone:
# zlogin -C secure-zone

NOTE - During the zone setup select the vnic0 network interface and assign the 10.0.0.1 IP address.

From the global zone enable link protection on vnic0:

We can set different modes: ip-nospoof, dhcp-nospoof, mac-nospoof and restricted.
ip-nospoof:
Any outgoing IP, ARP, or NDP packet must have an address field that matches either a DHCP-configured IP address or one of the addresses listed in the allowed-ips link property.
mac-nospoof: prevents the root user from changing the zone mac address. An outbound packet's source MAC address must match the datalink's configured MAC address.
dhcp-nospoof: prevents Client ID/DUID spoofing for DHCP.
restricted:
only allows IPv4, IPv6 and ARP protocols. Using this protection type prevents the link from generating potentially harmful L2 control frames.

# dladm set-linkprop -p protection=mac-nospoof,restricted,ip-nospoof vnic0

Specify the 10.0.0.1 IP address as values for the allowed-ips property for the vnic0 link:

# dladm set-linkprop -p allowed-ips=10.0.0.1 vnic0

Verify the link protection property values:
# dladm show-linkprop -p protection,allowed-ips vnic0

LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw mac-nospoof, -- mac-nospoof,
restricted, restricted,
ip-nospoof ip-nospoof,
dhcp-nospoof
vnic0 allowed-ips rw 10.0.0.1 -- --

We can see that 10.0.0.1 is set as allowed ip address.

Log In to the zone

# zlogin secure-zone

After we login into the zone let's try to change the zone's ip address:

root@secure-zone:~# ifconfig vnic0 10.0.0.2
ifconfig:could not create address: Permission denied

As we can see we can't change the zone's ip address!

Optional - disable the link protection from the global zone:

# dladm reset-linkprop -p protection,allowed-ips vnic0

NOTE - we don't need to reboot the zone in order to disable this property.

Verify the change

# dladm show-linkprop -p protection,allowed-ips vnic0 LINK PROPERTY PERM VALUE DEFAULT POSSIBLE
vnic0 protection rw -- -- mac-nospoof,
restricted,
ip-nospoof,
dhcp-nospoof
vnic0 allowed-ips rw -- -- --

As we can see we don't have restriction on the allowed-ips property.

Conclusion In this blog I demonstrated how we can leverage the Solaris 11 Data link protection in order to prevent spoofing attacks.

Monday May 20, 2013

How To Protect Public Cloud Using Solaris 11 Technologies

When we meet with our partners, we often ask them, “ What are their main security challenges for public cloud infrastructure.? What worries them in this regard?”
This is what we've gathered from our partners regarding the security challenges:

1.    Protect data at rest in transit and in use using encryption
2.    Prevent denial of service attacks against their infrastructure
3.    Segregate network traffic between different cloud users
4.    Disable hostile code (e.g.’ rootkit’ attacks)
5.    Minimize operating system attack surface
6.    Secure data deletions once we have done with our project
7.    Enable strong authorization and authentication for non secure protocols

Based on these guidelines, we began to design our Oracle Developer Cloud. Our vision was to leverage Solaris 11 technologies in order to meet those security requirements.


First - Our partners would like to encrypt everything from disk up the layers to the application without the performance overhead which is usually associated with this type of technology.
The SPARC T4 (and lately the SPARC T5) integrated cryptographic accelerator allow us to encrypt data using ZFS encryption capability.
We can encrypt all the network traffic using SSL from the client connection to the cloud main portal using the Secure Global Desktop (SGD) technology and also encrypt the network traffic between the application tier to the database tier. In addition to that we can protect our Database tables using Oracle Transparent Data Encryption (TDE).
During our performance tests we saw that the performance impact was very low (less than 5%) when we enabled those encryption technologies.
The following example shows how we created an encrypted file system

# zfs create -o encryption=on rpool/zfs_file_system

Enter passphrase for 'rpool/zfs_file_system':
Enter again:

NOTE - In the above example, we used a passphrase that is interactively requested but we can use SSL or a key repository.
Second  - How we can mitigate denial of service attacks?
The new Solaris 11 network virtualization technology allow us to apply virtualization technologies to  our network by splitting the physical network card into multiple virtual network ‘cards’. in addition, it provides the capability to setup flow which is sophisticated quality of service mechanism.
Flows allow us to limit the network bandwidth for a specific network port on specific network interface.

In the following example we limit the SSL traffic to 100Mb on the vnic0 network interface

# dladm create-vnic vnic0 –l net0
# flowadm add-flow -l vnic0 -a transport=TCP,local_port=443 https-flow
# flowadm set-flowprop -p maxbw=100M https-flow


During any (Denial of Service) DOS attack against this web server, we can minimize the impact on the rest of the infrastructure.
Third -  How can we isolate network traffic between different tenants of the public cloud?
The new Solaris 11 network technology allow us to segregate the network traffic on multiple layers.

For example we can limit the network traffic based on the layer two using VLANs

# dladm create-vnic -l net0  -v 2 vnic1

Also we can be implement firewall rules for layer three separations using the Solaris 11 built-in firewall software.
For an example of Solaris 11 firewall see
In addition to the firewall software, Solaris 11 has built-in load balancer and routing software. In a cloud based environment it means that new functionality can be added promptly since we don't need an extra hardware in order to implement those extra functions.

Fourth - Rootkits have become a serious threat is allowing the insertion of hostile code using custom kernel modules.
The Solaris Zones technology prevents loading or unloading kernel modules (since local zones lack the sys_config privilege).
This way we can limit the attack surface and prevent this type of attack.

In the following example we can see that even the root user is unable to load custom kernel module inside a Solaris zone

# ppriv -De modload -p /tmp/systrace

modload[21174]: missing privilege "ALL" (euid = 0, syscall = 152) needed at modctl+0x52
Insufficient privileges to load a module

Fifth - the Solaris immutable zones technology allows us to minimize the operating system attack surface
For example: disable the ability to install new IPS packages and modify file systems like /etc
We can setup Solaris immutable zones using the zonecfg command.

# zonecfg -z secure-zone
Use 'create' to begin configuring a new zone.
zonecfg:secure-zone> create
create: Using system default template 'SYSdefault'
zonecfg:secure-zone> set zonepath=/zones/secure-zone
zonecfg:secure-zone> set file-mac-profile=fixed-configuration
zonecfg:secure-zone> commit
zonecfg:secure-zone> exit

# zoneadm -z secure-zone install

We can combine the ZFS encryption and immutable zones for more examples see:

Sixth - The main challenge of building secure BIG Data solution is the lack of built-in security mechanism for authorization and authentication.
The Integrated Solaris Kerberos allows us to enable strong authorization and authentication for non-secure by default distributed systems like Apache Hadoop.

The following example demonstrates how easy it is to install and setup Kerberos infrastructure on Solaris 11

# pkg install pkg://solaris/system/security/kerberos-5
# kdcmgr -a kws/admin -r EXAMPLE.COM create master


Finally - our partners want to assure that when the projects are finished and complete, all the data is erased without the ability to recover this data by looking at the disk blocks directly bypassing the file system layer.
ZFS assured delete feature allows us to implement this kind of secure deletion.
The following example shows how we can change the ZFS wrapping key to a random data (output of /dev/random) then we unmount the file system and finally destroy it.

# zfs key -c -o  keysource=raw,file:///dev/random rpool/zfs_file_system
# zfs key -u rpool/zfs_file_system
# zfs destroy rpool/zfs_file_system


Conclusion
In this blog entry, I covered how we can leverage the SPARC T4/T5 and the Solaris 11 features in order to build secure cloud infrastructure. Those technologies allow us to build highly protected environments without  the need to invest extra budget on special hardware. They also  allow us to protect our data and network traffic from various threats.
If you would like to hear more about those technologies, please join us at the next IGT cloud meet-up

Wednesday Feb 06, 2013

Building your developer cloud using Solaris 11

Solaris 11 combines all the good stuff that Solaris 10 has in terms
of enterprise scalability, performance and security and now the new cloud
technologies
.

During the last year I had the opportunity to work on one of the
most challenging engineering projects at Oracle,
building developer cloud for our OPN Gold members in order qualify their applications on Solaris 11.

This cloud platform provides an intuitive user interface for VM provisioning by selecting VM images pre-installed with Oracle Database 11g Release 2 or Oracle WebLogic Server 12c , In addition to that simple file upload and file download mechanisms.

We used the following Solaris 11 cloud technologies in order to build this platform, for example:


Oracle Solaris 11 Network Virtualization
Oracle Solaris Zones
ZFS encryption and cloning capability
NFS server inside Solaris 11 zone


You can find the technology building blocks slide deck here .


For more information about this unique cloud offering see .

Thursday Jan 24, 2013

How to Set Up a Hadoop Cluster Using Oracle Solaris Zones

This article starts with a brief overview of Hadoop and follows with an
example of setting up a Hadoop cluster with a NameNode, a secondary
NameNode, and three DataNodes using Oracle Solaris Zones.

The following are benefits of using Oracle Solaris Zones for a Hadoop cluster:

· Fast provision of new cluster members using the zone cloning feature

· Very high network throughput between the zones for data node replication

· Optimized disk I/O utilization for better I/O performance with ZFS built-in compression

· Secure data at rest using ZFS encryption






Hadoop use the Distributed File System (HDFS) in order to store data.
HDFS provides high-throughput access to application data and is suitable
for applications that have large data sets.

The Hadoop cluster building blocks are as follows:

· NameNode: The centerpiece of HDFS, which stores file system metadata,
directs the slave DataNode daemons to perform the low-level I/O tasks,
and also runs the JobTracker process.

· Secondary NameNode: Performs internal checks of the NameNode transaction log.

· DataNodes: Nodes that store the data in the HDFS file system, which are also known as slaves and run the TaskTracker process.

In the example presented in this article, all the Hadoop cluster
building blocks will be installed using the Oracle Solaris Zones, ZFS,
and network virtualization technologies.





Monday Dec 24, 2012

Accelerate your Oracle DB startup and shutdown using Solaris 11 vmtasks

last week I co-presented the Solaris 11.1 new features at the Solaris user group
I would like to thank the organizers and the audience
You can find the slide deck here
I presented the following Solaris 11.1 new features:


1. Installation enhancement adding iSCSI disks as boot device and Oracle Configuration Manager (OCM) and Auto Service Request (ASR) registration during operating system installation

2. New SMF tool svcbundle for creation of manifests and the brand new svccfg sub-command delcust

3. The pfedit command for secure system configuration editing

4. New logging daemon rsyslog for better scalability and reliable system logs transport

5. New aggregation option for the mpstat , cpustat and trapstat commands in order to display the data in a more condensed format

6. Edge Virtual Bridging (EVB) which extends network virtualization features into the physical network infrastructure

7. Data Center Bridging (DCB) which provides guaranteed bandwidth and lossless Ethernet transport for
converged network environments where storage protocols share the same
fabric as regular network traffic

8. VNIC Migration for better flexibility in network resource allocation

9.  Fast Zone updates for improved system up-time and short system upgrades

10. Zones on shared storage for a faster Solaris Zones mobility

11. File system statistics for Oracle Solaris Zones for better I/O performance observability

12. Oracle Optimized Shared Memory



The Solaris 11 feature that got the most attention was the new memory process called vmtasks.

This process accelerates shared memory operation like : creation locking, and destruction.
Now you can improve your system up-time because your Oracle DB startup and shutdown are much faster.

Any application that needs fast access to shared memory can benefit from this process.

For more information about vmtasts and Solaris 11.1 new features


9C3P6U4JRNT5

About

This blog covers cloud computing, big data and virtualization technologies

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today