THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
Student Guide
D73819GC10
Edition 1.0
October 2011
D74667
Oracle University and ORACLE CORPORATION use only
What's New in Oracle Solaris 11
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Authors
Michael Ernest, Gary Riseborough

Technical Contributors and Reviewers
Marcus Flieri, Bart Smaalders, Dave Miner, Nicolas Droux, Dan Price, Cindy Swearingen, Glenn Fadden, Liane Praza, Mike Tracey, Mike Carew

Editor
Malavika Jinka

Publishers
Nita Brozowski, Sumesh Koshy

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle. The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS. The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Contents

Preface 1

1 Introduction
Oracle Solaris: The Mission Critical OS 1-2
Raising the Bar Set by Solaris 10 1-3
SPARC Enterprise Servers 1-4
SPARC T3 Servers: Scaling to New Heights 1-5
Oracle Solaris: Platform Choice and Flexibility 1-6
Serious About Oracle Solaris 1-7
Oracle Addresses Range of Customer Needs 1-8
Topic Outline 1-10
Module Structure 1-11

2 Image Packaging System (IPS) and Automated Installer (AI)
IPS Design Goals 2-2
IPS Implementation 2-3
IPS Package 2-4
Package Naming 2-5
IPS Repository 2-6
Starting the packagemanager GUI 2-7
Starting the packagemanager GUI - 2 2-8
pkg Subcommands 2-9
pkg Subcommands 2 2-10
Example: Search, List, and Install 2-11
Installing a Package with Dependencies 2-12
Verifying a Package 2-13
Fixing a Package 2-14
Listing Package Contents 2-15
Removing a Package 2-16
Updating a Package 2-17
Creating a Package 2-18
Group Packages 2-19
Other Commands and Utilities 2-20
AI: Why Replace JumpStart? 2-21
Rosetta Stone for Solaris 10 Users 2-22
AI Components and Features 2-23
AI Terminology 2-24
Flow of Automated Installation 2-25
Creating an AI Service 2-26
Creating an IPS Repository 2-28
Creating AI Clients 2-29
JumpStart to AI Mapping 2-30
IPS References 2-31
AI References 2-32

3 Network Virtualization 1
Feature: Overview 3-2
Virtual NICs (VNICs) 3-3
Virtual NICs (VNICs) 2 3-4
Virtual Switches 3-5
Physical Wire, Physical Machines 3-6
Virtual Network: Example 3-7
Creating VNICs and Etherstubs 3-8
Unified Data Link Properties 3-9
Virtual Bridges 3-10
ipadm 3-11
Managing Interfaces and IP Addresses 3-12
Managing Interface Properties 3-13
Creating Flows 3-14
Data Link Vanity Naming 3-15
Resource Pools 3-16
dlstat(1M) 3-17
Other Network Observability Enhancements 3-18
Rethinking Zones 3-19
Other Solaris 11 Enhancements 3-20

4 ZFS Features in Solaris 11
Enhancements 4-2
Boot Environments 4-3
Boot Environments (BE) 4-4
Creating a Boot Environment 4-5
Activating a Boot Environment 4-6
Destroying a Boot Environment 4-7
Mounting and Unmounting a Boot Environment 4-8
Creating New Boot Environments 4-9
Creating New Boot Environments - 2 4-10
BE Upgrade with pkg-update 4-11
Deduplication 4-12
Deduplication Example - 1 4-13
Deduplication Example - 2 4-14
Root Pool Mirroring 4-15
Snapshot Differences 4-16
zfs diff Output 4-17
Send Stream Enhancements 4-18
Send Stream: Override Example 4-19
Send Stream: Enforce Example 4-20
Send Stream: Ignore Example 4-21
Pool Import: Log Device Recovery 4-22
Pool Import Recovery: Example 4-23
Pool Import: Read-Only Mode 4-24
Synchronous Write Behavior Property 4-25
Values for sync Property 4-26
ZFS Synchronous Behavior: Tuning Caveats 4-27
RAIDZ/Mirror Performance 4-28
Integrating ZFS into Deployment 4-29
Performance Notes 4-30
Other ZFS Features 4-31
ZFS References 4-32

5 Zones
Changes Since Solaris 10 FCS 5-2
Design and Features 5-7
Storage 5-8
Networking: Exclusive IP Zones 5-9
Networking: Shared IP Zones – IPMP 5-11
Zones Observability 5-12
zonestat Command 5-13
zonestat Interval: Example 5-14
zonestat by Resource: Example 5-15
Resource Management 5-16
Zones Security 5-17
Solaris 10 Containers 5-18
Solaris 10 Container: Expected Migration Path 5-19
References 5-20

6 Network Virtualization 2
Advanced Network Features 6-2
ilbadm: L3/L4 Integrated Load Balancing 6-3
Load Balancing Components 6-4
ilbadm: Example 6-5
IP Filter, Forwarding in a Zone 6-6
Hardware Lanes and Dynamic Polling 6-7
Hardware Lanes 6-8
ipmpstat: Observability for IPMP Groups 6-9
ipmpstat: Example 6-10
Fiber Channel over Ethernet (FCoE) 6-11
Virtual Router Redundancy Protocol (VRRP) 6-12
IP over Infiniband (IPoIB) 6-13
Non-Uniform Memory Architecture (NUMA) I/O 6-14
NUMA I/O Architecture: Overview 6-15
GLDv3 Public Driver APIs 6-16
Network Performance Highlights 6-17

7 Security
Security Features 7-2
Root Implemented as a Role 7-3
File system encryption: zfs(1M) 7-4
Configuring ZFS Encryption 7-5
File system encryption: lofiadm 7-6
Network Spoofing Protection 7-7
Zones: Delegated Administration 7-8
SMF: Delegated Administration 7-9
SMF: Method Context 7-10
SMF: Firewall Integration 7-11
Least Privilege Changes 7-12
"In-kernel pfexec" 7-13
Basic Privileges: More is Less 7-14
Role-Based Access Control 7-15
Sandboxing Enhancements 7-16
Kerberos Improvements 7-17
Key Management: pkcs11_kms Provider 7-18
Other Enhancements 7-19
Oracle Solaris 11 Trusted Extensions 7-20
Trusted Extensions Changes 7-21
Trusted Platform Modules (TPM) 7-22

8 Services Management Facility (SMF)
SMF Design Goals 8-2
SMF Is the Glue in Solaris 11 8-3
Service Templates 8-4
Early Manifest Imports 8-5
SMF Enhanced Profiles 8-6
Fault Notification 8-7
IPS Actuators 8-8
FMRI Stored in proc_t Structure 8-9
Preface

Profile

Before You Begin This Course
You should be able to configure and manage a system running the Oracle Solaris Operating System. An understanding of Oracle Solaris features and working knowledge of the Oracle Solaris 10 Operating System is beneficial, but not required.

How This Course Is Organized
What's New in Oracle Solaris 11 is an instructor-led seminar featuring lecture and demonstrations. Online demonstrations and written practice sessions reinforce the concepts and skills introduced.

Related Publications
• System release bulletins
• Installation and user's guides
• read.me files
• International Oracle User's Group (IOUG) articles
• Oracle Magazine
Introduction

Oracle Solaris: The Mission Critical OS
If It Must Work, It Runs on Solaris
• The #1 deployment platform for the #1 mission critical Oracle Database
• Extreme data integrity: ZFS
• Hardened security: Secure by Default, Cryptographic Framework, Least Privilege model
• Predictive Self Healing: FMA, SMF
• Complete virtualization with application isolation and resource management: Containers
• Production-safe observability: DTrace
• Scalable to thousands of threads, terabytes of memory
What's New in Oracle Solaris 11 1 - 2
Raising the Bar Set by Solaris 10
Oracle Solaris 11: The Only Completely Virtualized OS
• Availability: Greatly improved with new packaging tools, safe online upgrades, faster reboots
• Scalability and Performance: Thousands of threads, terabytes of RAM, hundreds of Gbps network bandwidth
• Efficiency: Virtualized network, storage and server resources; binary compatibility; advanced power management
• Security: On-disk data encryption, secure process execution, HW certification of the OS at boot time
What's New in Oracle Solaris 11 1 - 3
SPARC Enterprise Servers
[Figure: "The Leader in System Scalability: 5 Year Trajectory". A roadmap from 2010 to 2015 placing Solaris 11 Express (2010), Solaris 11 (2011) and Solaris 11 Updates (2012, 2013, 2014) against five-year growth figures for cores, threads, memory capacity, database TPM and Java ops per second (4x, 32x, 16x, 40x, 10x). Hardware annotations along the timeline: T-Series 1-4 sockets, +2x throughput; M-Series 1-64 sockets, +20%; T-Series 1-8 sockets, +3x throughput; M-Series 8-64 sockets, +6x throughput; T-Series 1-4 sockets, +1.5x single strand and +3x single strand; M-Series 8-64 sockets, +2x throughput; SPARC 1-64 sockets, +2x throughput, +1.5x single strand.]
What's New in Oracle Solaris 11 1 - 4
SPARC T3 Servers: Scaling to New Heights
[Figure: "Integrated, High Throughput SPARC Systems for Massive Scale". SPARC T3 servers arranged by consolidation, virtualization and system throughput, all rising toward HIGH. SPARC T3-4: 64 cores, 512 threads, best scale, best RAS, enterprise-ready. SPARC T3-2: 32 cores, 256 threads, medium scale, middleware, consolidation. SPARC T3-1: 16 cores, 128 threads, entry-level, price/performance. SPARC T3-1B (blade for Blade 6000): 16 cores, 128 threads, best density, enterprise-ready. Caption: "World's First 16 Core Processor".]
What's New in Oracle Solaris 11 1 - 5
Oracle Solaris: Platform Choice and Flexibility
[Figure: Oracle SPARC and Oracle x86 hosts, each running Solaris Zones, including a Solaris 8 or 9 Zone* and a Solaris 10 Zone* for older releases. Caption: "Binary Compatibility Guaranteed".]
• Built-in scalable, platform-independent virtualization
• Consolidation path for older Solaris versions
• Native, bare-metal performance
• Leverages server virtualization technology
What's New in Oracle Solaris 11 1 - 6
Serious About Oracle Solaris
Investments in Oracle Solaris 11
• SPARC, x86 support
• Exadata and Exalogic: Compute, Storage, Network
• Over 2,700 projects, over 400 inventions
• Over 20 million hours of development
• Over 60 million hours of testing
• Over 56 million tests
• Over 11,000 applications
Solaris 11: Coming in 2011
What's New in Oracle Solaris 11 1 - 7
Oracle Addresses Range of Customer Needs
[Figure: "High Performing Application-to-Disk Solutions from a Single Vendor". Oracle's Optimized Solutions stack (Applications, Fusion Middleware, Database, VM, Solaris/OEL, Compute, Storage, Network, Server Software, Storage) and Engineered Systems, plotted against Manageability and Simplicity (HIGH) and Efficiency (HIGH).]
What's New in Oracle Solaris 11 1 - 8
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.
What's New in Oracle Solaris 11 1 - 9
Topic Outline
• Morning
 – Image Packaging System
 – Automated Installer
 – Networking (Crossbow)
• Afternoon
 – Solaris Containers
 – ZFS
 – Security
 – SMF (Application Deployment)
What's New in Oracle Solaris 11 1 - 10
Module Structure
• Focus on enhancements since the Oracle Solaris 10 9/10 release
• Command-line examples included with slides
• Feature demonstrations at instructor's discretion
 – Use cases blogged daily
 – Demo environment is generic
  — VirtualBox instance, unless special arrangements are made
  — Text install, slim_profile added
• Demo scripts available to those interested
What's New in Oracle Solaris 11 1 - 11
Image Packaging System (IPS) and Automated Installer (AI)
IPS Design Goals
• Use one process for installing, patching, and upgrading
• Minimize system downtime
• Reverse install operations easily
What's New in Oracle Solaris 11 2 - 2
IPS Implementation
• Relies on ZFS for safety
 – Makes fast, safe copies with snapshots and clones
 – Can apply changes to cloned BEs when desired
• Avoids the constraints that Solaris 10 patches impose because they overwrite files in place
 – Single-user mode to prevent untimely access
 – Deferred activation to prevent uncoordinated access
  — Problem: A file that has been patched is available immediately for use. A program that depends on it, however, will not work until the system is rebooted.
  — http://blogs.oracle.com/patch/entry/deferred_activation_patching
What's New in Oracle Solaris 11 2 - 3
IPS Package
• New model incorporates all software change types
• Includes dependencies automatically
• Installs only what is required to complete a package
• Each package is associated with a publisher
• Replaces the metacluster model with profiles that can overlap
• Supports signed packages
 – Whether signatures are checked or required is set per image or per publisher with the signature-policy property (verify by default; require-signatures refuses unsigned packages)
• Uses a fat package model
 – All variations in one: SPARC/x86/debug/nondebug
• Available from a repository
What's New in Oracle Solaris 11 2 - 4
Package Naming
• Packages use a Fault Management Resource Identifier (FMRI)
 – pkg://solaris/library/[email protected],5.11-0.75:20071001T163427Z
• Package categories establish a namespace
 – Similar to SMF service names
• Each version has its own tuple
 – [email protected],5.11-0.75:20071001T163427Z
 – release,build_release-branch:timestamp
What's New in Oracle Solaris 11 2 - 5
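The FMRI grammar above, worked through in code. This is an added example, not from the course or from the pkg(5) code base: it splits an FMRI into publisher, name and the release,build_release-branch:timestamp tuple, matches a short name against a full one the way `pkg list ncftp` finds network/ftp/ncftp, and orders versions by comparing each dot-separated component as an integer, which is why 3.2.10 correctly sorts after 3.2.3 where a plain string comparison would not. The ordering key used here is release, then branch, then timestamp; build_release is recorded but not compared. Every FMRI in the file is constructed for the example.

```python
"""Parse, match and order IPS package FMRIs (added example)."""


def dotted(text):
    """'0.175' -> (0, 175): integers, so that 3.2.10 sorts after 3.2.3."""
    return tuple(int(part) for part in text.split("."))


def parse_version(text):
    """Split 'release[,build_release][-branch][:timestamp]' into parts."""
    main, _, timestamp = text.partition(":")
    main, _, branch = main.partition("-")
    release, _, build_release = main.partition(",")
    return {
        "release": dotted(release),
        "build_release": dotted(build_release) if build_release else (),
        "branch": dotted(branch) if branch else (),
        "timestamp": timestamp,
    }


def parse_fmri(fmri):
    """Return publisher (None if absent), name, and parsed version (None if absent).

    Accepts 'pkg://publisher/name@version', 'pkg:/name@version' and bare 'name'.
    """
    rest = fmri
    publisher = None
    if rest.startswith("pkg://"):
        publisher, _, rest = rest[len("pkg://"):].partition("/")
    elif rest.startswith("pkg:/"):
        rest = rest[len("pkg:/"):]
    name, _, version = rest.partition("@")
    return {
        "publisher": publisher,
        "name": name,
        "version": parse_version(version) if version else None,
    }


def name_matches(pattern, name):
    """A pattern matches when it equals a trailing run of the name's
    path components: 'ncftp' and 'ftp/ncftp' both match 'network/ftp/ncftp'."""
    want = pattern.split("/")
    have = name.split("/")
    return len(want) <= len(have) and have[-len(want):] == want


def version_key(fmri):
    """Sort key: release, then branch, then timestamp (build_release ignored)."""
    version = parse_fmri(fmri)["version"]
    return (version["release"], version["branch"], version["timestamp"])


def newest(fmris):
    """Pick the highest version among FMRIs of one package."""
    return max(fmris, key=version_key)


if __name__ == "__main__":
    # Constructed FMRIs in the three shapes the pkg commands print or accept.
    for sample in (
        "pkg://solaris/network/ftp/ncftp@3.2.3,5.11-0.151:20101207T203900Z",
        "pkg:/network/ftp/ncftp",
        "ncftp",
    ):
        print(parse_fmri(sample))
    candidates = [
        "ncftp@3.2.3,5.11-0.151:20101207T203900Z",
        "ncftp@3.2.10,5.11-0.151:20101101T000000Z",
        "ncftp@3.2.3,5.11-0.175:20110101T000000Z",
    ]
    print("newest by version:", newest(candidates))
    print("newest by string :", max(candidates))  # the wrong answer
```

The last two lines show the point of parsing: string ordering picks the 0.175 branch build of 3.2.3, while component-wise ordering correctly picks 3.2.10.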
IPS Repository
• Networked software catalog service
 – Incremental or monolithic downloads
 – Built-in software release versioning
 – Avoids media size as a delivery constraint
 – Publishes catalog of available software
 – Automates retrieval of new dependencies, updates
 – Download/unzip/install steps unnecessary
• Default publisher
 – http://pkg.oracle.com/solaris/release/
What's New in Oracle Solaris 11 2 - 6
Starting the packagemanager GUI
[Figure]
What's New in Oracle Solaris 11 2 - 7
Starting the packagemanager GUI - 2
[Figure: two ways to start the GUI, shown side by side with "or"]
What's New in Oracle Solaris 11 2 - 8
pkg Subcommands
• /usr/bin/pkg
 – Install packages and configure repositories
• pkg list
 – List packages installed on the system
• pkg search
 – Identify the package that a file (or pattern) belongs to
 – Limit search to local packages with the -l option
• pkg info
 – Lists package details
What's New in Oracle Solaris 11 2 - 9
pkg Subcommands 2
• pkg install
• pkg uninstall
• pkg verify
 – Validate a package's installation
• pkg fix
 – Fix errors reported by pkg verify
• pkg contents
 – Display the objects making up a package
What's New in Oracle Solaris 11 2 - 10
Example: Search, List, and Install
# pkg search /usr/bin/ncftp
INDEX  ACTION  VALUE          PACKAGE
path   file    usr/bin/ncftp  pkg:/network/ftp/[email protected]
# pkg list pkg:/network/ftp/ncftp
pkg list: no packages matching 'pkg:/network/ftp/ncftp' installed
# pkg install ncftp
           Packages to install:  1
       Create boot environment: No
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1       13/13      0.5/0.5

PHASE                                        ACTIONS
Install Phase                                  39/39

PHASE                                          ITEMS
Package State Update Phase                       1/1
Image State Update Phase                         2/2
What's New in Oracle Solaris 11 2 - 11
Installing a Package with Dependencies
# pkg install gimp
           Refreshing catalog 1/1 solaris
            Caching catalogs ...
               Creating Plan
           Packages to install: 24
       Create boot environment: No
           Services to restart:  6
DOWNLOAD                                  PKGS       FILES    XFER (MB)
library/desktop/libgweather               0/24      0/8732     0.0/68.0
...
image/library/gegl                       23/24   8714/8732    68.0/68.0
Completed                                24/24   8732/8732    68.0/68.0

PHASE                                        ACTIONS
Install Phase                                1/10557
...
Install Phase                            10557/10557

PHASE                                          ITEMS
Package State Update Phase                      1/24
...
What's New in Oracle Solaris 11 2 - 12
Verifying a Package
# pkg verify ncftp
# ls -l /usr/bin/ncftp
-r-xr-xr-x   1 root     bin       276012 Dec  7 20:39 /usr/bin/ncftp
# chmod 775 /usr/bin/ncftp
# pkg verify ncftp
Verifying: pkg://solaris/network/ftp/ncftp                        ERROR
        file: usr/bin/ncftp
                Mode: 0775 should be 0555
pkg verify compares every object a package delivered with that package's manifest (owner, group, mode, and file content), so a verify that prints nothing means the installed files still match what the publisher shipped.
What's New in Oracle Solaris 11 2 - 13
Fixing a Package
# pkg fix ncftp
Verifying: pkg://solaris/network/ftp/ncftp                        ERROR
        file: usr/bin/ncftp
                Mode: 0775 should be 0555
Created ZFS snapshot: 2010-12-07-23:29:09
Repairing: pkg://solaris/network/ftp/ncftp
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         2/2      0.1/0.1

PHASE                                        ACTIONS
Update Phase                                     2/2

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2
# pkg verify ncftp
The ZFS snapshot taken before the repair preserves the pre-fix state, and the silent second verify confirms the mode is back to 0555.
What's New in Oracle Solaris 11 2 - 14
Listing Package Contents
# pkg contents ncftp
PATH
usr
usr/bin
usr/bin/ncftp
usr/bin/ncftpbatch
usr/bin/ncftpbookmarks
usr/bin/ncftpget
usr/bin/ncftpls
usr/bin/ncftpput
usr/bin/ncftpspooler
usr/sfw
usr/sfw/bin
usr/sfw/bin/ncftp
...
What's New in Oracle Solaris 11 2 - 15
Removing a Package
# pkg uninstall ncftp
                Creating Plan
            Packages to remove:  1
       Create boot environment: No
PHASE                                        ACTIONS
Removal Phase                                  33/33

PHASE                                          ITEMS
Package State Update Phase                       1/1
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2

PHASE                                          ITEMS
Reading Existing Index                           8/8
Indexing Packages                                1/1
What's New in Oracle Solaris 11 2 - 16
Updating a Package
Updating all installed packages to the latest version:
# pkg update
           Packages to install:   1
            Packages to update: 795
       Create boot environment: Yes
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              796/796   4754/4754  205.2/205.2

PHASE                                        ACTIONS
Removal Phase                              2561/2561
Install Phase                              3967/3967
Update Phase                               6277/6277
...
A clone of solaris-39 exists and has been updated and activated.
On the next boot the Boot Environment solaris-40 will be
mounted on '/'. Reboot when ready to switch to this updated BE.
The update is applied to a clone of the running BE, so solaris-39 is untouched until the reboot; if the new BE misbehaves, activating solaris-39 again is the rollback.
What's New in Oracle Solaris 11 2 - 17
Creating a Package
• Easy to package existing software
$ pkgrepo -s file:/tmp/test-repo create
$ pkgrepo -s file:/tmp/test-repo set publisher/prefix=michael.oow.com
$ eval `pkgsend -s file:/tmp/test-repo open [email protected]`
$ pkgsend -s file:/tmp/test-repo import ~/ilb_demo
$ pkgsend -s file:/tmp/test-repo close
pkg://michael.oow.com/[email protected],5.11:20110912T012101Z
PUBLISHED
• Or emit a manifest
$ pkgsend generate ~/fu
file gnome_terminal_fu group=bin mode=0644 owner=root path=gnome_terminal_fu pkg.size=326
file netbeans_fu group=bin mode=0644 owner=root path=netbeans_fu pkg.size=283
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
What's New in Oracle Solaris 11 2 - 18
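The manifest lines that pkgsend generate emits are the same actions pkg verify later checks installed files against, which is what produced the "Mode: 0775 should be 0555" report on the Verifying a Package page. The following added example (not from the course and not the IPS implementation) parses action lines of that shape, flags delivery modes a packager should not publish (setuid/setgid or world-writable files), and verifies an on-disk tree against the manifest, reporting drift in the pkg verify style. Only the mode is verified here; the real pkg verify also checks owner, group and file content. The manifest is constructed from the three lines on the page plus a 0555 binary and a deliberately world-writable scratch file; the temporary tree and the chmod "drift" are constructed too.

```python
"""Audit IPS manifest actions and verify an installed tree against them (added example)."""
import os
import shlex
import stat
import tempfile

# Constructed manifest: the three pkgsend generate lines from the page, plus
# a 0555 binary under bin/ and a world-writable scratch file for the audit.
SAMPLE_MANIFEST = """\
file gnome_terminal_fu group=bin mode=0644 owner=root path=gnome_terminal_fu pkg.size=326
file netbeans_fu group=bin mode=0644 owner=root path=netbeans_fu pkg.size=283
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
file ncftp group=bin mode=0555 owner=root path=bin/ncftp pkg.size=64
file scratch group=bin mode=0666 owner=root path=var/scratch pkg.size=0
dir group=bin mode=0755 owner=root path=bin
dir group=bin mode=0755 owner=root path=var
"""


def parse_actions(text):
    """Return [(action_type, attrs)] for each non-empty manifest line.

    The bare token after 'file' (source path or payload hash) is kept under
    the key 'src'; everything else is key=value."""
    actions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kind, rest = tokens[0], tokens[1:]
        attrs = {}
        if rest and "=" not in rest[0]:
            attrs["src"] = rest.pop(0)
        for token in rest:
            key, _, value = token.partition("=")
            attrs[key] = value
        actions.append((kind, attrs))
    return actions


def audit_actions(actions):
    """Flag files delivered setuid/setgid or world-writable."""
    findings = []
    for kind, attrs in actions:
        if kind != "file":
            continue
        mode = int(attrs["mode"], 8)
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((attrs["path"], "setuid/setgid"))
        if mode & stat.S_IWOTH:
            findings.append((attrs["path"], "world-writable"))
    return findings


def verify_tree(actions, root):
    """Compare each delivered file/dir under root with its manifest mode.

    Returns pkg-verify style messages; an empty list means the tree is clean."""
    errors = []
    for kind, attrs in actions:
        if kind not in ("file", "dir"):
            continue
        target = os.path.join(root, attrs["path"])
        want = int(attrs["mode"], 8)
        try:
            have = stat.S_IMODE(os.lstat(target).st_mode)
        except FileNotFoundError:
            errors.append("%s: %s\n\tMissing" % (kind, attrs["path"]))
            continue
        if have != want:
            errors.append("%s: %s\n\tMode: %04o should be %04o"
                          % (kind, attrs["path"], have, want))
    return errors


def build_demo_tree(actions, drift=None):
    """Lay the manifest out under a temp dir (directories first, with explicit
    modes so the umask does not leak in), then apply 'drift' ({path: mode})
    to simulate an administrator's stray chmod."""
    root = tempfile.mkdtemp(prefix="ipsdemo-")
    for kind, attrs in actions:
        if kind == "dir":
            target = os.path.join(root, attrs["path"])
            os.makedirs(target, exist_ok=True)
            os.chmod(target, int(attrs["mode"], 8))
    for kind, attrs in actions:
        if kind == "file":
            target = os.path.join(root, attrs["path"])
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as handle:
                handle.write(b"\0" * int(attrs.get("pkg.size", "0")))
            os.chmod(target, int(attrs["mode"], 8))
    for path, mode in (drift or {}).items():
        os.chmod(os.path.join(root, path), mode)
    return root


if __name__ == "__main__":
    acts = parse_actions(SAMPLE_MANIFEST)
    print("audit findings:", audit_actions(acts))
    root = build_demo_tree(acts, drift={"bin/ncftp": 0o775})
    for err in verify_tree(acts, root):
        print(err)
```

Run the audit before pkgsend publishes a package and the verify after installation; together they cover the two points where an unintended mode enters a system.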
Group Packages
• Part of manual or automated install process
• Controls other installed packages (or package groups)
 – babel_install installs slim_install
 – slim_install is LiveCD content
• Must uninstall group packages to customize what they control
 – Remove babel_install to manage slim_install
 – Remove slim_install to manage individual packages
 – The automated installer will do this for you
What's New in Oracle Solaris 11 2 - 19
Other Commands and Utilities
Other pkg(5) utilities
• pkg publisher
• pkg set-publisher
• pkgrepo(1)
• pkgsend(1)
• pkgrecv(1)
• pkgdepend(1)
• pkg.depotd(1M)
• pkgmogrify(1M)
What's New in Oracle Solaris 11 2 - 20
AI: Why Replace JumpStart?
• To make updating/patching:
 – Faster
 – More reliable
 – Easily reversible
• To leverage current technology
 – Integrate with ZFS
 – Leverage the IPS repository
 – Apply the SMF naming scheme
• To separate client and server dependencies
 – Make the installer platform-neutral
 – Let clients select their software repository
What's New in Oracle Solaris 11 2 - 21
Rosetta Stone for Solaris 10 Users
Solaris 10                     Solaris 11
SVR4 Packages                  IPS (SVR4 still supported)
Install media                  Starter image + IPS repository
Live Upgrade                   beadm(1M)
Upgrade option                 pkg update, Update Manager
JumpStart                      Automated Installer (AI)
JumpStart Profiles             AI Manifests
Flash Install replication      No equivalent yet
Blueprints for custom DVDs     Distribution Constructor
What's New in Oracle Solaris 11 2 - 22
AI Components and Features
• Three service components
 – DHCP server (AI service discovery also requires mDNS)
 – SMF-based installer
 – IPS repository
• Tools for managing and observing the process
 – Configure with installadm(1M)
 – Observe clients using the livessh install parameter
 – Manage the image with beadm(1M)
• AI is WAN Boot-ready
What's New in Oracle Solaris 11 2 - 23
AI Terminology
• Client (installation target)
 – Can be physical or virtual (not zones, yet)
• SMF services
 – svc:/network/dhcp-server:default
 – svc:/system/install/server:default
 – svc:/application/pkg/server
• Manifest
 – SMF-named install configuration
• Criteria
 – Properties that match client details to an appropriate manifest
What's New in Oracle Solaris 11 2 - 24
Flow of Automated Installation
[Figure]
What's New in Oracle Solaris 11 2 - 25
Creating an AI Service
• Use Oracle Solaris DHCP or ISC DHCP
• installadm(1M) will manage DHCP if:
 – svc:/network/physical:default is in use (not nwam)
 – svc:/network/dns/multicast:default is enabled
 – An /etc/netmasks entry exists
 – A default route is set
• Use an AI-specific image
 – sol-11-exp-201011-ai-{x86|sparc}.iso
 – Server and client platforms do not have to match
 – Cannot super-size the AI image from Text or LiveCD
What's New in Oracle Solaris 11 2 - 26
Creating an AI Service
  # pkg verify installadm
  …
  # installadm create-service -a sparc -n solaris_11 \
  > -i 192.168.1.10 -c 3 -s ai_sparc_image.iso \
  > /export/ai/sparc/solaris_11
  …
  # installadm list
  …
  -n  Install service name
  -i  DHCP start address
  -c  DHCP range
  -s  AI source image
Creating an IPS Repository
• Download Repository Image (two files)
  – http://www.oracle.com/technetwork/serverstorage/solaris11/downloads/index.html
• Combine the files and:
  – Burn it to media
  – Or, mount it by using lofiadm(1M)
  – Or, copy it to a ZFS file system with rsync(1)
• Enable repository service
  – svc:/application/pkg/server:default
• For more details, see "How to Copy An Oracle Solaris 11 Software Package Repository."
Creating AI Clients
• The client will get the AI service location from DHCP.
• The client will get the boot image, configuration, and repository location from the AI service.
• The AI service identifies clients by MAC address.
  – x86 clients can add other boot parameters.
• The AI service binds clients to a named install service.
  # installadm create-client -b "console=ttya,livessh=enable" \
  > -e 0:e0:81:5d:bf:e0 -n s11-x86
  …
  # installadm create-client -e 00:14:4f:a7:65:70 -n s11-sparc
  …
JumpStart to AI Mapping
JumpStart                 AI
setup_install_server      installadm create-service
add_install_client        installadm create-client
begin script              Manifests, driver updates, custom image from Distribution Constructor
Client profiles, rules    Manifests with client criteria
finish script             pkg actuators (before reboot), "First-boot" SMF services
sysidcfg file             SMF profile
IPS References
• Adding and Updating Oracle Solaris 11 Software Packages
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=AUOSS
AI References
• Creating a Custom Oracle Solaris Installation Image
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=CCOSI
• Transitioning From Oracle Solaris 10 JumpStart to Oracle Solaris 11 Automated Installer
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=MFJAI
• Creating and Administering Oracle Solaris 11 Boot Environments
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=CMBEA
• Installing Oracle Solaris 11 Systems
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=IOSUI
Network Virtualization 1
Feature: Overview
• Virtualized NICs, switches, and bridges
• Dynamic IP address management
• Quality of Service (QoS)
  – Control bandwidth by transport, service, protocol, or connection
• Vanity naming for devices
• Fencing compute resources
  – Assign NICs/VNICs to processor sets or pools
• Real-time usage and history
Virtual NICs (VNICs)
• Same control as a physical NIC
  – Private TCP/IP stack
  – Managed with ifconfig, dladm, and so on
• Dedicated MAC address
  – May be random, chosen, or device-assigned
• Can be bound to hardware and kernel resources
Virtual NICs (VNICs) 2
• Private TCP/IP stack
  – Data path is separate, does not rely on modules added to a global stack
• A complete, standards-based virtualization solution
  – VLAN tags supported
  – Priority Flow Control (PFC)
  – With supporting hardware, can be fully encapsulated to the switch
Virtual Switches
• VNICs sharing a VLAN id on one data link need a switch
• MAC layer provides built-in switching semantics
  – Data path among VNICs sits on top of the data link
  – Connects VNIC to physical network
  – Isolates broadcast domains
• Want an explicit virtual switch? Use an etherstub:
  – Makes any virtual network topology possible
  – Can reduce or eliminate trips to physical NIC
  – Can also manage resource controls
Physical Wire, Physical Machines
[Diagram: a physical network and its virtual equivalent, drawn side by side]
Physical: Host 1 (Port 1, 10.0.01, 100 Mbps) and Host 2 (Port 2, 10.0.02, 1 Gbps) attach to Switch 1; Switch 1 reaches the Router through Port 3 (10.0.03, 1 Gbps) and Router Port 9 (20.0.01, 1 Gbps); Switch 3 (1 Gbps) connects the Router to the Client on Port 6 (20.0.03).
Virtual Wire, Virtual Machines: Host 1 (VNIC1, 10.0.01, 100 Mbps) and Host 2 (VNIC2, 10.0.02, 1 Gbps) attach to Etherstub 1; VNIC3 (10.0.03, 1 Gbps) and the Virtual Router's VNIC9 (20.0.01, 1 Gbps) take the place of the physical ports; Etherstub 3 (1 Gbps) connects the Virtual Router to the Client on VNIC6 (20.0.03).
Virtual Network: Example
Creating VNICs and Etherstubs
  # dladm create-vnic -l bge1 vnic1
  # dladm create-vnic -l bge1 -m random -p maxbw=100M -p cpus=4,5,6 vnic2
  # dladm create-etherstub vswitch1
  # dladm show-etherstub
  LINK
  vswitch1
  # dladm create-vnic -l vswitch1 -p maxbw=1000M -p cpus=4,5,6 vnic3
  # dladm show-vnic
  LINK   OVER      MACTYPE  MACVALUE     BANDWIDTH  CPUS
  vnic1  bge1      factory  0:1:2:3:4:5
  vnic2  bge1      random   2:5:6:7:8:9  max=100M   4,5,6
  vnic3  vswitch1  random   4:3:4:7:0:1  max=1000M
  # dladm create-vnic -l ixgbe0 -v 1055 -p maxbw=500M -p cpus=1,2 vnic9
Unified Data Link Properties
• dladm [set,reset,show]-linkprop
• Alternative to ndd(1M) utility
• Single, stable interface for network property consumers
• Changes can be made temporary or persistent
  $ dladm show-linkprop e1000g0
  LINK     PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
  e1000g0  speed       r-    1000   1000     --
  e1000g0  duplex      r-    full   full     half,full
  e1000g0  state       r-    up     up       up,down
  e1000g0  flowctrl    rw    no     bi       no,tx,rx,bi
  e1000g0  maxbw       rw    --     --       --
  e1000g0  priority    rw    high   high     low,medium,high
  e1000g0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
  e1000g0  rxrings     rw    --     --       --
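The protection property in the listing above is the one a defender cares about most: a VNIC handed to a zone or guest that is left at "--" can put any source MAC or IP address on the shared data link. As an added example (not part of the course material, and not a tool shipped with Solaris), the POSIX shell functions below take the output of dladm show-linkprop -p protection -o link,value (the -o column list is the assumed invocation), report every link whose value lacks a required anti-spoofing mode, and print, without running, the dladm set-linkprop lines that would close the gap. The listing embedded in the block is constructed to match the slide's column layout rather than captured from a real host.

```shell
# Added example, not from the course material. Audits the dladm "protection"
# link property: a VNIC handed to a zone or guest that lacks mac-nospoof /
# ip-nospoof can forge source addresses on the shared data link.
# Input format is what "dladm show-linkprop -p protection -o link,value"
# prints (header row, then "link value", with "--" meaning unset).
# SAMPLE_PROTECTION_OUTPUT is constructed, not captured from a real system.
SAMPLE_PROTECTION_OUTPUT='LINK      VALUE
e1000g0   --
vnic1     mac-nospoof,ip-nospoof
vnic2     --
vnic3     mac-nospoof'

# unprotected_links MODE < listing
# Prints one link per line whose protection value does not include MODE.
unprotected_links() {
    awk -v req="$1" '
        NR == 1 && $1 == "LINK" { next }          # skip the header row
        {
            n = split($2, modes, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (modes[i] == req) ok = 1
            if (!ok) print $1
        }'
}

# audit_sample MODE
# Runs the audit over the constructed listing; on a live system replace the
# printf with: dladm show-linkprop -p protection -o link,value
audit_sample() {
    printf '%s\n' "$SAMPLE_PROTECTION_OUTPUT" | unprotected_links "$1"
}

# count_unprotected MODE < listing -> number of flagged links
count_unprotected() {
    unprotected_links "$1" | wc -l | tr -d ' '
}

# remediation_commands MODE < listing
# Emits, but does not execute, one dladm set-linkprop line per flagged link
# so the change can be reviewed first (a physical NIC such as e1000g0 may
# legitimately stay unset while its VNICs must not).
remediation_commands() {
    mode="$1"
    unprotected_links "$mode" | while read -r link; do
        printf 'dladm set-linkprop -p protection=%s %s\n' "$mode" "$link"
    done
}
```

Run the audit once per mode you require (mac-nospoof and ip-nospoof are the usual pair for zone VNICs); the remediation lines are printed rather than executed so that physical links, which often need to stay unset, can be struck from the list before anything is applied.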
Virtual Bridges
• Data Link (Layer 2), 802.1D
• Detects MAC addresses
• Connects NICs, etherstubs, link aggregations
• Lets you move a VNIC without changing its IP address
• Supports RBridges (TRILL – Transparent Interconnect of Lots of Links)
• Managed with dladm
[Diagram: three VNICs attached to a Bridge, which in turn connects an etherstub and two NICs]
ipadm
• Consolidates management of
  – Network interface state
  – IP address assignment
  – TCP/IP protocol properties
• Uses action-object subcommands like dladm
  – create-if, show-if, disable-addr, and so on
• Supersedes various commands and files
  – ifconfig
  – /etc/hostname.
  – ndd
Managing Interfaces and IP Addresses
  # dladm create-vnic -l bge0 play1
  # ipadm create-addr -T static -d -a 10.2.3.5/24 play1/v4static2
  # ipadm show-if
  IFNAME  STATE  CURRENT       PERSISTENT
  lo0     ok     -m-v------46  --
  bge0    ok     bm--------46  --
  play1   down   bm--------46  -46
  # ipadm show-addr
  ADDROBJ          TYPE    STATE  ADDR
  play1/v4static2  static  down   10.2.3.5/24
  #
  # ipadm up-addr play1/v4static2
  # ipadm show-addr play1/v4static2
  ADDROBJ          TYPE    STATE  ADDR
  play1/v4static2  static  ok     10.2.3.5/24
Managing Interface Properties
  # ipadm show-ifprop play1
  IFNAME  PROPERTY         PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
  play1   arp              ipv4   rw    on       --          on       on,off
  play1   forwarding       ipv4   rw    off      --          off      on,off
  play1   metric           ipv4   rw    0        --          0        --
  play1   mtu              ipv4   rw    1500     --          1500     68-1500
  play1   exchange_routes  ipv4   rw    on       --          on       on,off
  play1   usesrc           ipv4   rw    none     --          none     --
  play1   forwarding       ipv6   rw    off      --          off      on,off
  play1   metric           ipv6   rw    0        --          0        --
  play1   mtu              ipv6   rw    1500     --          1500     1280-1500
  play1   nud              ipv6   rw    on       --          on       on,off
  play1   exchange_routes  ipv6   rw    on       --          on       on,off
  play1   usesrc           ipv6   rw    none     --          none     --
Creating Flows
• Define a flow by:
  – Service (protocol + port address)
  – Transport type (TCP, UDP, SCTP, iSCSI, and so on)
  – IP address/subnet
  – Differentiated Service Code Point (DSCP) label
• Flows can assign bandwidth caps (maxbw)
• Flows maintain their own kstat counters
  – Use flowstat(1M)
  – Use extended accounting for historical reference
  # flowadm create-flow -l bge0 protocol=tcp,local_port=443 -p maxbw=50M http-1
  # flowadm set-flowprop -l bge0 -p maxbw=100M http-1
Data Link Vanity Naming
• Vanity naming
  – Set the desired name via dladm(1M)
  – List device interfaces in /dev/net
• Supports an alternative to the so-called PPA hack
  – PPA: Physical Point of Attachment
  – Name calculated with (VID*1000 + instance)
  – Example: bge + (487 * 1000 + 1) = bge487001
  knickknack@os11e:/dev/net$ ls -l
  total 0
  crw-rw-rw- 1 root sys 58, 1001 2010-12-19 17:37 beatnic0
  crw-rw-rw- 1 root sys 20, 1    2010-12-19 14:22 e1000g0
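To make the PPA arithmetic on the slide concrete, here is an added example (not from the course material) in POSIX shell: it computes the legacy name from driver, VID and instance, decodes an existing PPA-style name back into its parts with a range check on the VLAN id, and prints the dladm create-vlan command that would give the same VLAN a vanity name instead. The vanity name (vlan487) and the migration helper are this example's own choices; nothing in the block runs dladm, the command is only printed for review.

```shell
# Added example, not from the course material. Builds and decodes the legacy
# "PPA hack" VLAN interface name from the slide (driver + VID*1000 + instance)
# and prints the dladm create-vlan command that gives the same VLAN a vanity
# name. Nothing here touches dladm; the command is printed for review.

# ppa_name DRIVER VID INSTANCE -> e.g. "ppa_name bge 487 1" prints bge487001
ppa_name() {
    if [ "$2" -lt 1 ] || [ "$2" -gt 4094 ]; then
        echo "invalid VLAN id: $2 (must be 1-4094)" >&2
        return 1
    fi
    printf '%s%d\n' "$1" $(( $2 * 1000 + $3 ))
}

# decode_ppa_name NAME -> prints "DRIVER VID INSTANCE"
# The driver is everything before the final run of digits; that run is the
# PPA, whose quotient by 1000 is the VID and whose remainder is the instance.
decode_ppa_name() {
    driver=$(printf '%s\n' "$1" | sed 's/^\(.*[^0-9]\)[0-9][0-9]*$/\1/')
    ppa=$(printf '%s\n' "$1" | sed 's/^.*[^0-9]\([0-9][0-9]*\)$/\1/')
    if [ -z "$driver" ] || [ "$driver" = "$1" ]; then
        echo "not a PPA-style name: $1" >&2
        return 1
    fi
    ppa=$(printf '%s\n' "$ppa" | sed 's/^0*//')     # avoid octal parsing
    [ -n "$ppa" ] || ppa=0
    printf '%s %d %d\n' "$driver" $(( ppa / 1000 )) $(( ppa % 1000 ))
}

# vlan_migration_command NAME VANITY
# Prints the Solaris 11 equivalent of a PPA-hack name as a named VLAN link
# over the underlying driver instance, e.g. for bge487001 and vlan487:
#   dladm create-vlan -l bge1 -v 487 vlan487
vlan_migration_command() {
    decoded=$(decode_ppa_name "$1") || return 1
    set -- $decoded "$2"            # driver vid instance vanity
    printf 'dladm create-vlan -l %s%d -v %d %s\n' "$1" "$3" "$2" "$4"
}
```

The decode step treats only the trailing digits as the PPA, so a driver name that itself contains digits (e1000g) is handled; leading zeros are stripped before the arithmetic because the shell would otherwise read a name such as bge001 as octal.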
Resource Pools
• Assigned CPUs process network traffic for a data link
  – Both kernel threads and network interrupts
• Configured through the pool data link property
  – # dladm show-linkprop -p pool
  – Alternative to manual setting (cpus property)
• Pool configuration determines the CPUs selected
  – svc:/system/pools:default
  – Automatically updated if CPUs migrate to other pools
• Some zones use dynamic pools
  – svc:/system/pools/dynamic:default
  – Assigns CPUs on zone bootup, releases them on shutdown
dlstat(1M)
• Observability for data link and flow statistics
  – Measured per hardware/software ring
    — For a VirtualBox instance: # kstat -n mac_rx_ring0
• Includes network traffic spread to other CPUs (aka fanout)
• Hardware lane counters (if NIC supports them)
  $ dlstat -i 30
  LINK   IPKTS   RBYTES  OPKTS   OBYTES
  bge0   25.89K  16.90M  18.23K  4.42M
  play0  5.64K   1.51M   226     15.61K
  play1  5.55K   1.49M   131     7.63K
  bge0   81      13.29K  19      7.13K
  play0  62      9.37K   0       0
  play1  62      9.37K   0       0
Other Network Observability Enhancements
• IP-layer observability
  – Snoop loopback traffic between zones using shared-IP
    — # snoop -I lo0
• Network DTrace providers
  – udp: send, receive probes
  – ip: send, receive, drop-in, drop-out probes
  – tcp: send, receive, state-change, connect-{request|refused|established}, accept-{refused|established}
• tcpdump and wireshark are IPS packages
• Observe flows with flowstat
• Observe IPMP groups with ipmpstat
Rethinking Zones
• Consider using the global zone (GZ) as a system service processor
  – NGZs isolate processes, software stacks
  – Resource controls cap NGZ consumption
    — CPU binding, psets, or pools
    — Virtual, resident set size (RSS), or paging memory
    — Shared memory, semaphores
  – An exclusive TCP/IP stack completes the picture.
• L2/L3 boundary: Data links (exclusive-IP property)
  — Per-NIC in Solaris 10, per-VNIC in Solaris 11
• One example: the Immutable Service Container
  – http://blogs.sun.com/video/entry/immutable_service_containers
Other Solaris 11 Enhancements
• Still more in dladm(1M)
  – VLAN, WiFi, IP tunnel management
• Network Auto-Magic (NWAM) service
  – svc:/network/physical:nwam
  – Automagic setup
  – User can modify security, name services
    — Manual control (CLI or GUI)
    — Location-specific configurations
ZFS Features in Solaris 11
Enhancements
Key enhancements discussed in this module:
• Root pool boot environments (BE)
• Deduplication
• Root pool mirroring
• Snapshot diff capability
• Synchronous write behavior property
• Send stream enhancements
• Improved pool recovery
Boot Environments
• Makes updates safe, reliable, and recoverable
• Similar to Solaris 10 Live Upgrade
  – ZFS only
• Managed by beadm(1M)
• Subcommands provide means to:
  – List
  – Activate
  – Create, Destroy, Rename
  – Mount, Unmount
Boot Environments (BE)
• ZFS is required.
• A BE is a special-purpose ZFS snapshot.
  – beadm(1M) replaces the lu* commands.
• All BEs reside in the root pool.
  – No need to maintain partitions
• Integrated with IPS
  – New BEs with package actuators
• Make a new BE with pkg image-update or pkg update
Creating a Boot Environment
• Initial boot environment after installation
  # beadm list
  BE       Active  Mountpoint  Space  Policy  Created
  --       ------  ----------  -----  ------  -------
  solaris  NR      /           2.81G  static  2010-12-06 03:48
• Create a new boot environment by using beadm create
  # beadm create S11-BE-1 && beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  -       -           110.0K  static  2010-12-09 04:23
  solaris   NR      /           2.81G   static  2010-12-06 03:48
• Active flags
  – N = Active Now
  – R = Active next Reboot
Activating a Boot Environment
• Activating a boot environment
  # beadm activate S11-BE-1
  # beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  R       -           2.81G   static  2010-12-09 04:23
  solaris   N       /           120.5K  static  2010-12-06 03:48
• After reboot
  # beadm list
  BE        Active  Mountpoint  Space  Policy  Created
  --        ------  ----------  -----  ------  -------
  S11-BE-1  NR      /           2.82G  static  2010-12-09 04:23
  solaris   -       -           7.37M  static  2010-12-06 03:48
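The N and R flags are the whole story of which image a host will be running after its next reboot, so it pays to read them mechanically before any scheduled restart, both to confirm a planned activation and to catch a BE nobody meant to activate. As an added example (not part of the course material and not something beadm provides), the shell functions below parse beadm list output exactly as laid out on these slides (a header row and an underline row, then one BE per line), return the running and next-boot BE names, and report when they differ. The listing in the block is constructed from the slide's table, not captured from a system.

```shell
# Added example, not from the course material. Parses "beadm list" output
# to find the running BE (Active contains N) and the one that boots next
# (Active contains R), and reports a pending switch between them.
# SAMPLE_BEADM_LIST is constructed to mirror the slide's table layout.
SAMPLE_BEADM_LIST='BE       Active Mountpoint Space  Policy Created
--       ------ ---------- -----  ------ -------
S11-BE-1 R      -          2.81G  static 2010-12-09 04:23
solaris  N      /          120.5K static 2010-12-06 03:48'

# be_with_flag FLAG < listing
# Prints the BE name(s) whose Active column contains FLAG (N or R).
# The first two rows are the header and its underline and are skipped.
be_with_flag() {
    awk -v flag="$1" 'NR > 2 && index($2, flag) > 0 { print $1 }'
}

# be_switch_pending < listing
# Prints "pending: <now> -> <next>" and returns 0 when the next-boot BE
# differs from the running BE; returns 1 (prints nothing) when they match.
be_switch_pending() {
    listing=$(cat)
    now=$(printf '%s\n' "$listing" | be_with_flag N)
    next=$(printf '%s\n' "$listing" | be_with_flag R)
    if [ -n "$now" ] && [ "$now" != "$next" ]; then
        printf 'pending: %s -> %s\n' "$now" "$next"
        return 0
    fi
    return 1
}

# check_sample: run the check over the constructed listing. On a live
# system use:  beadm list | be_switch_pending
check_sample() {
    printf '%s\n' "$SAMPLE_BEADM_LIST" | be_switch_pending
}
```

The exit status makes the check usable from a pre-reboot script: a zero return means the host is about to change boot environments, so the script can stop and ask for confirmation that the R-flagged BE is the intended one.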
Destroying a Boot Environment
Destroying a boot environment
  # beadm destroy solaris
  Are you sure you want to destroy solaris? This action cannot be undone(y/[n]): y
  # beadm list
  BE        Active  Mountpoint  Space  Policy  Created
  --        ------  ----------  -----  ------  -------
  S11-BE-1  NR      /           2.83G  static  2010-12-09 04:23
Mounting and Unmounting a Boot Environment
Mounting and unmounting a boot environment
  # beadm create S11-BE-2 && beadm list
  BE        Active  Mountpoint  Space  Policy  Created
  --        ------  ----------  -----  ------  -------
  S11-BE-1  NR      /           2.83G  static  2010-12-09 04:23
  S11-BE-2  -       -           45.0K  static  2010-12-09 04:53
  # beadm mount S11-BE-2 /mnt && beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  NR      /           2.83G   static  2010-12-09 04:23
  S11-BE-2  -       /mnt        11.67M  static  2010-12-09 04:53
  # beadm unmount S11-BE-2 && beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  NR      /           2.83G   static  2010-12-09 04:23
  S11-BE-2  -       -           12.08M  static  2010-12-09 04:53
Creating New Boot Environments
Create a new BE with an IPS package change
  # beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  NR      /           2.84G   static  2010-12-09 04:23
  S11-BE-2  -       -           12.08M  static  2010-12-09 04:53
  # pkg install --require-new-be --be-name=S11-BE-3 ncftp
             Packages to install:     1
          Create boot environment:   Yes
  DOWNLOAD                    PKGS   FILES   XFER (MB)
  Completed                    1/1   13/13     0.5/0.5

  PHASE                         ACTIONS
  Install Phase                   39/39

  PHASE                           ITEMS
  Package State Update Phase        1/1
  Image State Update Phase          2/2
Creating New Boot Environments - 2
  PHASE                           ITEMS
  Reading Existing Index            8/8
  Indexing Packages                 1/1

  A clone of S11-BE-1 exists and has been updated and activated.
  On the next boot the Boot Environment S11-BE-3 will be mounted on '/'.
  Reboot when ready to switch to this updated BE.

  # beadm list
  BE        Active  Mountpoint  Space   Policy  Created
  --        ------  ----------  -----   ------  -------
  S11-BE-1  N       /           352.0K  static  2010-12-09 04:23
  S11-BE-2  -       -           12.08M  static  2010-12-09 04:53
  S11-BE-3  R       -           2.85G   static  2010-12-09 05:19
BE Upgrade with pkg-update
New BE names are incremented by default
  # pkg update
  …
  A clone of zfsBE exists and has been updated and activated.
  On the next boot the Boot Environment zfsBE-1 will be mounted on '/'.
  Reboot when ready to switch to this updated BE.
  # init 6
  # beadm list
  BE       Active  Mountpoint  Space   Policy  Created
  --       ------  ----------  -----   ------  -------
  zfsBE    -       -           9.38M   static  2010-10-15 09:18
  zfsBE-1  NR      /           10.76G  static  2010-11-05 09:57
Deduplication
• Drops redundant data blocks
• Enabled per file system: dedup property
• To determine the benefit on existing ZFS storage:
  – # zdb -S
  – http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup
• Benefit is expressed similarly to compressratio
• Observable via zpool status
  – Dedup operations have pool scope.
Deduplication Example - 1
  bayle@os11e:~$ ls -l /usr/java/src.zip
  -rw-r--r-- 1 root bin 19160179 2010-12-06 04:44 /usr/java/src.zip
  bayle@os11e:~$ zfs set dedup=on rpool1/home/deirdre
  bayle@os11e:~$ cp /usr/java/src.zip /home/deirdre/src1.zip
  bayle@os11e:~$ zfs list rpool1/home/deirdre
  NAME                 USED  AVAIL  REFER  MOUNTPOINT
  rpool1/home/deirdre  110M  8.10G   110M  /home/deirdre
Deduplication Example - 2
  bayle@os11e:~$ zpool list
  NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
  rpool1  15.9G  6.61G  9.27G  41%  6.00x  ONLINE
  bayle@os11e:~$ rm /home/deirdre/*zip
  bayle@os11e:~$ zpool list
  NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
  rpool1  15.9G  6.61G  9.27G  41%  1.00x  ONLINE
  bayle@os11e:~$ zfs list rpool1/home/deirdre
  NAME                 USED  AVAIL  REFER  MOUNTPOINT
  rpool1/home/deirdre   31K  8.12G    31K  /home/deirdre
Root Pool Mirroring
• Root pools can be mirrored after installation
  # zpool attach rpool
• Allow resilvering to complete
  # zpool status rpool
• Boot blocks are installed automatically
• Verify bootability
Snapshot Differences
The zfs diff command lists differences between two snapshots.
  $ ls /home/timh
  fileA
  $ zfs snapshot tank/home/timh@old
  $ ls /home/timh
  fileA  fileB
  $ zfs snapshot tank/home/timh@new
  $ zfs diff tank/home/timh@old tank/home/timh@new
  M       /tank/home/timh/
  +       /tank/home/timh/fileB
zfs diff Output
Differences listed for files and directories:
• M: Modification or link count change
• -: Object is present in the first snapshot only
• +: Object is present in the second snapshot only
• R: Object has been renamed
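Because zfs diff compares two immutable snapshots, its output doubles as a cheap file-integrity report: anything touched between a known-good snapshot and now shows up with one of the four codes above. As an added example (not from the course material), the shell functions below summarise a diff by code, narrow it to changes under a chosen path, and pull out rename destinations. They rely on two properties of the real output that the slides do not spell out but that zfs diff guarantees: the code and the path are separated by a tab, and an R line carries "old -> new". The sample diff is constructed inside the block, with a rename and a removal added beyond what the slide shows.

```shell
# Added example, not from the course material. Summarises "zfs diff" output
# using the four change codes on the slide and lists changes beneath a
# chosen path, the way a snapshot-to-snapshot integrity check would.
# zfs diff separates the code and the path with a tab; renames are written
# as "old -> new". sample_zfs_diff is constructed, not real command output.
sample_zfs_diff() {
    printf '%s\t%s\n' M '/tank/home/timh/'
    printf '%s\t%s\n' + '/tank/home/timh/fileB'
    printf '%s\t%s\n' - '/tank/home/timh/fileA'
    printf '%s\t%s\n' R '/tank/home/timh/old.conf -> /tank/home/timh/new.conf'
    printf '%s\t%s\n' M '/tank/home/timh/.profile'
}

# zfs_diff_summary < diff-output
# Prints counts per change code: added=N removed=N modified=N renamed=N
zfs_diff_summary() {
    awk -F'\t' '
        $1 == "+" { a++ }
        $1 == "-" { r++ }
        $1 == "M" { m++ }
        $1 == "R" { n++ }
        END { printf "added=%d removed=%d modified=%d renamed=%d\n", a, r, m, n }'
}

# zfs_diff_under PREFIX < diff-output
# Prints "code<TAB>path" for every change whose path starts with PREFIX.
# For a rename the destination path is the one compared and printed.
zfs_diff_under() {
    awk -F'\t' -v pre="$1" '
        {
            path = $2
            if ($1 == "R") { split($2, parts, " -> "); path = parts[2] }
            if (index(path, pre) == 1) print $1 "\t" path
        }'
}

# renamed_destinations < diff-output -> one destination path per R line
renamed_destinations() {
    awk -F'\t' '$1 == "R" { split($2, p, " -> "); print p[2] }'
}
```

On a live system the pipeline is zfs diff pool/fs@baseline pool/fs@now | zfs_diff_under /pool/fs/etc, which lists only the changes under the path you are watching; a rename is reported at its destination so that a file moved into a sensitive directory is not missed.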
Send Stream Enhancements
• Modify property values in a received dataset
• Enforce property value(s) in a sent dataset
• Disable property settings in a received dataset
Send Stream: Override Example
File compression is off for the tank/data file system. You want to enable compression for the bpool/data file system.
  # zfs get compression tank/data
  NAME       PROPERTY     VALUE  SOURCE
  tank/data  compression  off    default
  # zfs send -p tank/data@snap1 | zfs recv -o compression=on -d bpool
  # zfs get -o all compression bpool/data
  NAME        PROPERTY     VALUE  RECEIVED  SOURCE
  bpool/data  compression  on     off       local
Send Stream: Enforce Example
The -b option declares the file system as a property source.
  # zfs send -b bpool/data@snap1 | zfs recv -d restorepool
  # zfs get -o all compression restorepool/data
  NAME              PROPERTY     VALUE  RECEIVED  SOURCE
  restorepool/data  compression  off    off       received
Send Stream: Ignore Example
• The receive -x option ignores property settings.
  – Applies recursively to contained file systems
• For example: Ignore the quota property setting:
  # zfs send -R tank/home@1020 | zfs recv -x quota bpool/home
  # zfs get -r quota bpool/home
  NAME                    PROPERTY  VALUE  SOURCE
  bpool/home              quota     none   default
  bpool/home@1020         quota     -
  bpool/home/cindys       quota     none   local
  bpool/home/cindys@1020  quota     -
  bpool/home/tom          quota     none   local
  bpool/home/tom@1020     quota     -
Pool Import: Log Device Recovery
• Importing a pool with a missing log causes an error.
  # zpool import dozer
  The devices below are missing, use '-m' to import the pool anyway:
              c3t3d0 [log]
  cannot import 'dozer': one or more devices is currently unavailable
• Now, you can import the pool as-is (-m).
• Attach the missing log device.
• Use zpool clear to resolve errors.
• Works for mirrored log devices
Pool Import Recovery: Example
Example: Import Pool With Missing Log Device
# zpool import -m dozer
# zpool status dozer
  pool: dozer
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas exist for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
config:
        NAME                      STATE     READ WRITE CKSUM
        dozer                     DEGRADED     0     0     0
          mirror-0                ONLINE       0     0     0
            c3t1d0                ONLINE       0     0     0
            c3t2d0                ONLINE       0     0     0
        logs
          14685044587769991702    UNAVAIL      0     0     0  was c3t3d0
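A follow-up check for this scenario, added here and not part of the Oracle course material: a pool imported with -m comes up DEGRADED and stays that way until the log device is attached and the errors cleared, so it helps to have a script that reads zpool status text and reports the pool state and every vdev that is not ONLINE. The sample input is the status output above, embedded as constructed data; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Oracle course: audit "zpool status" output after a
# "zpool import -m" so a pool left DEGRADED (missing log device) is noticed and
# the attach / "zpool clear" steps from the slide are not forgotten.
# Functions read the status text on stdin; on a live system pipe in
#   zpool status dozer | zpool_unhealthy_vdevs
# The sample below is the output shown on the slide, embedded as constructed data.

sample_zpool_status() {
    cat <<'EOF'
  pool: dozer
 state: DEGRADED
status: One or more devices could not be opened.  Sufficient replicas exist for
        the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
config:

        NAME                      STATE     READ WRITE CKSUM
        dozer                     DEGRADED     0     0     0
          mirror-0                ONLINE       0     0     0
            c3t1d0                ONLINE       0     0     0
            c3t2d0                ONLINE       0     0     0
        logs
          14685044587769991702    UNAVAIL      0     0     0  was c3t3d0
EOF
}

# Print "<pool> <state>" for the status text on stdin, e.g. "dozer DEGRADED".
zpool_state() {
    awk '$1 == "pool:"  { pool = $2 }
         $1 == "state:" { state = $2 }
         END            { print pool, state }'
}

# Print every vdev in the config: section whose STATE is not ONLINE, as
# "<name> <state> [note]"; the note carries the old device name ("was c3t3d0").
# Group headers such as "logs" have no READ/WRITE/CKSUM counters and are skipped,
# as is the pool's own row (its state is reported by zpool_state).
zpool_unhealthy_vdevs() {
    awk '$1 == "pool:" { pool = $2 }
         /^config:/     { inconfig = 1; next }
         /^errors:/     { inconfig = 0 }
         inconfig && NF >= 5 && $1 != "NAME" && $1 != pool && $2 != "ONLINE" {
             line = $1 " " $2
             for (i = 6; i <= NF; i++) line = line " " $i
             print line
         }'
}

# Exit status 0 when the pool needs attention (state other than ONLINE),
# 1 otherwise; usable directly from a cron job or a monitoring check.
zpool_needs_attention() {
    state=$(zpool_state | awk '{ print $2 }')
    [ -n "$state" ] && [ "$state" != "ONLINE" ]
}

# Demo on the embedded sample: RUN_DEMO=1 sh this_script.sh
if [ -n "${RUN_DEMO:-}" ]; then
    sample_zpool_status | zpool_state
    sample_zpool_status | zpool_unhealthy_vdevs
fi
```

On the sample, zpool_state reports "dozer DEGRADED" and zpool_unhealthy_vdevs reports only the missing log device, "14685044587769991702 UNAVAIL was c3t3d0", which is exactly the device the slide says to attach before running zpool clear.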
Pool Import: Read-Only Mode
• May help in recovering a damaged pool
• All datasets are mounted in read-only mode.
• Disables pool transaction processing
  – No pending synchronous writes in the intent log are replayed.
  – Attempts to set a pool property are ignored.
# zpool import -o readonly=on tank
# zpool scrub tank
cannot scrub tank: pool is read-only
• To revert to read-write, export and then import the pool.
Synchronous Write Behavior Property
• The sync property defines per-file-system write behavior.
• Replaces the zil_disable tunable parameter
• The default setting is standard
  – Write synchronous transactions to the intent log, flush devices
# zfs set sync=always tank/home/perrin
Values for sync Property
Possible sync property values include:
• standard – Synchronous-write transactions: all fsync(3C) calls, open(2) calls flagged with O_DSYNC, O_SYNC.
• always – Write and flush all transactions to stable storage. The system call returns upon completion.
• disabled – Commit transactions to stable storage with the next flush, regardless of delay. Fast performance, no risk of pool corruption. Data corruption is another matter.
ZFS Synchronous Behavior: Tuning Caveats
• A sync property value of disabled on the active BE or /var may produce undefined behavior.
  – Increases vulnerability to replay attacks
  – Understand all the risks before using this value
• Processes that rely on synchronous behavior can lose data with the disabled value.
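An audit that follows from these caveats, added here and not part of the Oracle course material: it reads a tab-separated listing of dataset name, mountpoint and sync value (the form produced by zfs list -H with those properties), flags datasets that have sync=disabled in the places the slide warns about (boot environments under rpool/ROOT, and anything mounted at / or /var), and prints the zfs inherit command that returns each one to the default. The dataset list is constructed sample data and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Oracle course: find datasets whose sync property
# has been set to "disabled" where the slide warns against it (the active boot
# environment under rpool/ROOT, and anything mounted at / or /var) and print the
# "zfs inherit" command that returns each one to the default of "standard".
# Expected input on stdin is the output of
#   zfs list -H -t filesystem -o name,mountpoint,sync
# (tab-separated: name, mountpoint, sync). The sample below is constructed data.

sample_zfs_list() {
    printf '%s\t%s\t%s\n' \
        rpool                    /rpool              standard \
        rpool/ROOT               legacy              standard \
        rpool/ROOT/solaris       /                   disabled \
        rpool/ROOT/solaris/var   /var                disabled \
        rpool/export             /export             standard \
        rpool/export/home/perrin /export/home/perrin always \
        tank/scratch             /scratch            disabled
}

# Print the datasets (one per line) that have sync=disabled AND sit in a
# location the slide calls out: under a ROOT container (boot environments),
# or mounted at /, /var or below /var.
sync_disabled_on_critical() {
    awk -F '\t' '$3 == "disabled" &&
                 ($1 ~ /\/ROOT\// || $2 == "/" || $2 == "/var" || $2 ~ /^\/var\//) {
                     print $1
                 }'
}

# Print all datasets with sync=disabled, critical or not, for the wider review
# the slide asks for ("understand all the risks before using this value").
sync_disabled_all() {
    awk -F '\t' '$3 == "disabled" { print $1 }'
}

# Turn the critical list into remediation commands. "zfs inherit sync" clears the
# local setting so the dataset falls back to the inherited or default value
# (standard); nothing is executed here, the commands are only printed for review.
sync_remediation() {
    sync_disabled_on_critical | awk '{ print "zfs inherit sync " $1 }'
}

# Demo on the embedded sample: RUN_DEMO=1 sh this_script.sh
if [ -n "${RUN_DEMO:-}" ]; then
    sample_zfs_list | sync_remediation
fi
```

On the sample, tank/scratch is listed by sync_disabled_all but not by sync_disabled_on_critical: a scratch dataset is the kind of place where the performance trade-off may be acceptable, while the two boot-environment datasets are turned into zfs inherit commands.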
RAIDZ/Mirror Performance
• Latest-and-greatest RAIDZ pools automatically mirror latency-sensitive metadata.
  – Pools created with b148 or later
  – Pool version 29 or later
• Boosts I/O throughput
• Applies to all newly-written data
• Trades off space for time
  – Does not improve resilience to failure
Integrating ZFS into Deployment
• Consider a separate file system per significant application.
• Monitor with fsstat(1M).
• Use snapshots for easy rollbacks.
• Use zfs diff to monitor changes.
• Apply encryption if appropriate.
• Use zfs send/receive for replication or backup.
Performance Notes
• On-disk encryption costs ~7% on random I/O and ~3% on sequential I/O.
• RAID-Z mirror allocation
  – Some workloads show 2-4x speedup on directory searches.
• Scrub/resilver operations now prefetch their metadata.
• The system duty cycle (SDC) scheduler balances thread priorities for CPU time.
• Slim ZIL reduces metadata I/O if data blocks are not full.
• Explicit ZIL behavior is controlled via the sync property.
Other ZFS Features
• Dynamic LUN expansion
  – autoexpand property
• Splittable mirrored pools (zpool split)
• Triple-parity RAID-Z (raidz3)
• Improved ACL compatibility with CIFS
• Automatic snapshots/Time Slider
  – SMF service auto-snapshot
• User/group quotas
  – Via userspace and groupspace subcommands
ZFS References
Oracle Solaris Administration: ZFS File Systems
http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=ZFSADMIN
Zones
Changes Since Solaris 10 FCS
• Core
  – Configurable privileges (limitpriv)
    — Supports DTrace inside a zone
  – Zone rename and move operations
  – Zone migration (attach, detach)
  – Software update on attach
    — Default update is conservative
    — Option -U will update all
  – Boot arguments (bootargs)
• Packaging
  – Parallel patching, turbo SVR4 packaging
  – Live Upgrade support
Changes Since Solaris 10 FCS
• Resource management
  – Overhauled and simplified (zone.*)
  – CPU caps added
    — zone.cpu-cap, zone.cpu-shares
    — See resource_controls(5)
  – Enhanced observability
    — Supported by getvmusage(2)
• Integration with ZFS
  – Assign datasets to zones
  – Faster provisioning with clones and snapshots
Changes Since Solaris 10 FCS
• Networking
  – ip-type
  – defrouter
• Brands
  – Oracle Solaris 8 Containers
  – Oracle Solaris 9 Containers
  – Trusted Extensions
  – Sun Cluster integration
• Oracle Enterprise Manager Ops Center 2.5 integration
Changes Since Solaris 10 FCS
Physical to virtual (p2v) migration
• Consolidate legacy instances as zones onto new hardware
  – Available for Oracle Solaris 8, 9, and (other) 10 instances
• Process
  – Create a system image
  – Transfer it to the zonepath location
  – Install the zone
• Image automatically updated during installation
  – User-land and kernel need to be in sync
• Need to emulate the host ID
Changes in Oracle Solaris 11
Design and Features
• lofiadm support
• v2v and p2v migration
• Branded Oracle Solaris 10 containers
• Exclusive-IP network stack enhancements
• zonestat
• IPMP support for ip-type
Storage
• lofiadm(1M), lofi(7D) supported
• New resource control to limit lofi devices
  – zone.max-lofi
zonecfg:zone1> add rctl
zonecfg:zone1:rctl> set name=zone.max-lofi
zonecfg:zone1:rctl> add value (priv=privileged,limit=10,action=none)
zonecfg:zone1:rctl> end
zonecfg:zone1>
Networking: Exclusive IP Zones
Exclusive-IP options
• The allowed-address property defines the usable address/range.
• The defrouter property supports ip-type=exclusive.
# zonecfg -z zone1
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set allowed-address=192.168.1.10/32
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> set defrouter=192.168.1.1
zonecfg:zone1:net> end
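A configuration check to go with the allowed-address property, added here and not part of the Oracle course material: it reads the net resources of a zone as printed by zonecfg info and lists every net resource that has no allowed-address, since such a zone may use any address on its VNIC rather than the one the administrator intended. The layout assumed for the input (a net: header followed by indented key: value lines, and key not specified for unset properties) follows the form of the zonecfg info output shown on the delegated-administration slide; the sample is constructed data and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Oracle course: check the net resources of an
# exclusive-IP zone for a missing allowed-address. Input on stdin is the output of
#   zonecfg -z <zone> info net
# The assumed layout is a "net:" header followed by indented "key: value" lines,
# or "key not specified" when a property is unset (indentation is ignored).
# The sample below is constructed data.

sample_zonecfg_net() {
    cat <<'EOF'
net:
    address not specified
    allowed-address: 192.168.1.10/32
    physical: vnic1
    defrouter: 192.168.1.1
net:
    address not specified
    allowed-address not specified
    physical: vnic2
    defrouter not specified
EOF
}

# Print the physical link of each net resource that has no allowed-address.
zone_nets_without_allowed_address() {
    awk '
        function flush() { if (phys != "" && !has_addr) print phys }
        $1 == "net:"             { flush(); phys = ""; has_addr = 0; next }
        $1 == "allowed-address:" { has_addr = 1 }
        $1 == "physical:"        { phys = $2 }
        END                      { flush() }'
}

# Print "<physical> <allowed-address>" for every net resource, "(none)" when
# the property is unset, for a quick review of the whole zone.
zone_net_summary() {
    awk '$1 == "net:"             { if (phys != "") print phys, addr; phys = ""; addr = "(none)" }
         $1 == "allowed-address:" { addr = $2 }
         $1 == "physical:"        { phys = $2 }
         END                      { if (phys != "") print phys, addr }'
}

# Print (do not run) a zonecfg command per unprotected net resource; the zone
# name is $1 and <addr/prefix> is a placeholder the administrator fills in.
zone_net_remediation() {
    zone="$1"
    zone_nets_without_allowed_address | awk -v z="$zone" '{
        print "zonecfg -z " z " \"select net physical=" $1 "; set allowed-address=<addr/prefix>; end\""
    }'
}

# Demo on the embedded sample: RUN_DEMO=1 sh this_script.sh
if [ -n "${RUN_DEMO:-}" ]; then
    sample_zonecfg_net | zone_net_summary
    sample_zonecfg_net | zone_net_remediation zone1
fi
```

On the sample, vnic1 carries 192.168.1.10/32 and passes, while vnic2 is reported and a zonecfg command with a placeholder address is printed for it; the check pairs naturally with the link protection property on the next slide, which is what makes the allowed address enforceable at the data link.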
Networking: Exclusive IP Zones
• Administration tools available inside a zone
  – dladm, flowadm, ipadm
  – IP tunnels
  – IPMP
• Zones are ideal for virtual networking
  – Configurable with multiple VNICs
  – Internal namespace for flows
• Layer 2 and 3 network protection
  – Prohibit mischievous traffic from exclusive-IP zones
  – (Try dladm show-linkprop -p protection)
Networking: Shared IP Zones – IPMP
• Solaris 10 IPMP: the interface name changes on failover, creating issues for some users
  – For example: using interface ce0:2 one moment, ce1:1 the next
  – Zone admin has no control
• Solaris 11 IPMP
  – Zone retains the same interface
    — ipmp0:2 remains ipmp0:2 for the zone session
  – Zone admin can test the interface for the IPMP flag
    — If set, the address is highly available.
Zones Observability
• Improved utilization monitoring
  – CLI and Oracle Enterprise Manager integration
  – Uses extended accounting (see acctadm)
    — Also svcs extended-accounting
  – Reports on both shared and dedicated resources
  – Measures utilization against configured limits
• zonestat(1M)
zonestat Command
• The zonestatd daemon performs monitoring
  – Non-root users and non-global zone users can see (some of) the information
• zonestat can monitor:
  – Virtual, physical, and locked memory
  – Pools, psets, LWPs, and processes
  – Shared-memory, semaphore, and message resources
• Can report specific zones, resource types
• Supports sorting by column
• Machine-parseable output is also available
zonestat Interval: Example
End-of-run reporting for average, high, and total usage
$ zonestat 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
SUMMARY                  Cpus/Online: 32/32   Physical: 32.0G        Virtual: 47.9G
                    ----------CPU----------  ----PHYSICAL-----  -----VIRTUAL-----
               ZONE  USED %PART  %CAP %SHRU   USED   PCT  %CAP   USED   PCT  %CAP
            [total]  1.57 4.92%     -     -  5660M 17.2%     -   9.9G 20.6%     -
           [system]  0.09 0.28%     -     -  5086M 15.5%     -  9275M 18.8%     -
          kodiak-dp  1.00  100%     -  100%  46.0M 0.14% 4.49%  36.2M 0.07% 1.17%
             global  0.48 1.56%     - 1.56%   419M 1.27%     -   673M 1.37%     -
          kodiak-ab  0.00 0.00%     - 0.01%  67.0M 0.20%     -   115M 0.23%     -
         kodiak-rie  0.00 0.00%     - 0.02%  41.6M 0.12%     -  62.4M 0.12%     -
zonestat by Resource: Example
Example: Monitor lwps and processes
$ zonestat -r processes,lwps 5
PROCESSES
    SYSTEM LIMIT
    system-limit   292K
    ZONE           USED    PCT   CAP  %CAP
    [total]         191  0.63%     -     -
    [system]          0  0.00%     -     -
    global          167  0.55%     -     -
    foo              24  0.08%   300 8.00%
LWPS
    SYSTEM LIMIT
    system-limit  2047M
    ZONE           USED    PCT   CAP  %CAP
    [total]         713  0.00%     -     -
    [system]          0  0.00%     -     -
    global          618  0.00%     -     -
    foo              95  0.00%  1000 9.50%
Resource Management
• New max-processes resource control
# zonecfg -z zone1
zonecfg:zone1> set max-processes=300
…
• prctl now reports resource utilization
# prctl -i zone foo
zone: 4: foo
NAME            PRIVILEGE       VALUE    FLAG   ACTION
zone.max-lofi
                usage               0
                system          18.4E     max   deny
zone.max-swap
                usage          28.3MB
                privileged     3.00GB       -   deny
                system         16.0EB     max   deny
…
Zones Security
• Delegated administration
• Authorizations can be configured directly in zonecfg
  – login, manage, clonefrom
# zonecfg -z zone1
zonecfg:zone1> add admin
zonecfg:zone1:admin> set user=jack
zonecfg:zone1:admin> set auths=login,manage
zonecfg:zone1:admin> end
zonecfg:zone1> commit
• Authorizations are added to the user/role entry in /etc/user_attr by zonecfg.
Solaris 10 Containers
• Solaris 10 branded zone
  – Similar to the existing solaris8 and solaris9 brand settings on Solaris 10
• Promote adoption and compatibility of Oracle Solaris 11
  – Leverage existing investment in Solaris 10
    — Infrastructure, training, support
  – Allow new technology to support the Oracle Solaris 10 context
    — Virtualized networking among Solaris 10 instances
  – Application recertification for Solaris 11 unnecessary
• Use the p2v installation process
  – Or v2v for moving existing Solaris 10 zones
• Supports instances on Solaris 10 10/09 or later
Solaris 10 Container: Expected Migration Path
[Figure: migration path. A Solaris 10 system running zone db27-prod is moved by p2v into a solaris10-brand zone named db27-prod on Solaris 11; that zone is later redeployed as a native Solaris 11 zone db27-prod.]
References
Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management
http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=SYSADRM
Network Virtualization 2
Advanced Network Features
• ilbadm
• IP filtering, forwarding in a zone
• Hardware lanes and dynamic polling
• ipmpstat
• Fibre Channel over Ethernet (FCoE)
• VRRP support
• NUMA I/O
• Public GLDv3 APIs
ilbadm: L3/L4 Integrated Load Balancing
• Operational modes
  – Stateless Direct Server Return (DSR)
  – Half or full NAT
• Algorithms supported
  – Round robin
  – IP hashing: source address, or source address + port
• Health-checking built-ins
  – TCP, UDP, ICMP probes
  – Apply as parameters to user-scripted tests
• Performance comparable to IP forwarding
Load Balancing Components
• pkg://solaris/service/network/loadbalancer/[email protected],5.11-0.148:…
• To configure:
  – Server group: list of host+port addresses
  – Virtual IP (aka "logical host")
  – Algorithm, operational type
  – Health-check program and parameters (optional)
• The configured elements form a rule.
• ilbadm subcommands follow the dladm model.
ilbadm: Example
# ilbadm create-servergroup \
>   -s servers=apache-zone1:80,apache-zone2:80 \
>   apache_group
#
# ilbadm create-rule -e -p \
>   -i vip=10.1.2.3,port=80 \
>   -m lbalg=rr,type=HALF-NAT \
>   -h hc-name=/var/hc/apache_check \
>   -o servergroup=apache_group \
>   apacheload_rrobin
IP Filter, Forwarding in a Zone
• Same operational semantics as the GZ
• For IP Filter in a zone
  – # pkg install ipfilter; pkg contents ipfilter
  – Filter/NAT configuration files in the /etc/ipf directory
    — See /usr/share/ipfilter/examples
  – # svcadm enable ipfilter
• Or just forwarding
  – # svcadm enable ipv4-forwarding
Hardware Lanes and Dynamic Polling
• A hardware lane is defined by
  – NIC-supported partitions (receive/transmit rings, DMA)
  – Kernel queues/threads bound to a CPU, pset, or pool
• Same CPUs assigned to a VNIC or a flow
• Dynamic polling
  – Switches between interrupt handling and polling according to the traffic rate
• Reduces context switching and lock contention
mpstat output with NIC and legacy driver:
 intr ithr  csw icsw migr smtx  srw syscl  usr sys  wt idl
10818 8607 4558 1547  161 1797  289 19112   17  69   0  12
mpstat with NIC and GLDv3-based driver:
 intr ithr  csw icsw migr smtx  srw syscl  usr sys  wt idl
 2823 1489  875  151   93  261    1 19825   15  57   0  27
Hardware Lanes
Intended for multicore platforms with multiple 10GigE NICs
• Hardware lanes + dedicated resources = linear scaling
• Integrated with virtualization and QoS controls
• Dynamic polling, packet chaining boost efficiency
[Figure: a physical NIC with a hardware classifier feeds one hardware lane (rings/DMA plus kernel threads and queues) per VNIC or flow; the VNIC lanes serve virtual machines/zones and the flow lane serves an application, with the upstream switch providing VLAN separation.]
ipmpstat: Observability for IPMP Groups
• Reads sockets opened by in.mpathd
• Five output modes
  – Address (-a)
  – Group (-g)
  – Interface (-i)
  – Probe (-p)
  – Target (-t)
• VNICs are valid IPMP group members.
  – Useful for testing
ipmpstat: Example
# ifconfig blut0 ipmp
# ifconfig play0 group blut0
# ifconfig play1 group blut0
# ipmpstat -a
ADDRESS                   STATE  GROUP  INBOUND  OUTBOUND
fe80::897f:b644:ae41:e0b  up     blut0  --       --
10.2.3.5                  up     blut0  play1    play1 play0
10.9.8.7                  up     blut0  play0    play1 play0
# ifconfig play0 group ""
# ipmpstat -a
ADDRESS                   STATE  GROUP  INBOUND  OUTBOUND
fe80::897f:b644:ae41:e0b  up     blut0  --       --
10.2.3.5                  up     blut0  play1    play1
10.9.8.7                  up     blut0  play1    play1
#
Fibre Channel over Ethernet (FCoE)
MAC layer APIs create VNICs and dedicate resources and bandwidth for both the network stack and FCoE.
[Figure: virtualized data link layer. The application network stack attaches through a virtual NIC and the Leadville Fibre Channel stack through FCoE glue; both are MAC clients of the MAC layer, which gives each its own Rx/Tx ring and DMA channel behind the hardware flow classifier of a 10 GbE Ethernet port. The FCoE side is presented to storage as a pseudo FC instance.]
Virtual Router Redundancy Protocol (VRRP)
• HA support for routers and load balancers
• Treats the active server as a primary
  – Other servers are passive
• Solaris framework monitors control messages
• Upon primary failure, the framework elects a new primary
  – Moves the virtual IP address (VIP)
• Each VRRP router associates a VNIC with the VRRP ID
  – VNIC attributes are set via dladm(1M).
IP over InfiniBand (IPoIB)
• Used in Exalogic systems (BOND0 interface)
• Runs on top of IB's verb layer
• Control over IB partitions in dladm(1M)
  – *-part subcommands
  – IB data links show up as Host Channel Adapter (HCA) ports
  – Create partition data links over IB data links
    — Plumb them with IP addresses, assign them to zones
  – All dladm(1M) link properties apply
Non-Uniform Memory Architecture (NUMA) I/O
• On NUMA platforms, I/O performance factors include:
  – Kernel resource location (memory placement)
  – Hardware topology
  – Device location (backplane attachment)
• NUMA I/O framework
  – Defines "affinity" for all I/O subsystems
  – I/O subsystems register affinity to needed resources
  – Framework uses affinity to determine memory placement
  – Consumer-transparent process
NUMA I/O Architecture: Overview
[Figure: the core NUMA I/O framework in the middle; I/O subsystems reach it through kernel affinity APIs, the admin interface supplies CPU/pool constraints, device drivers supply I/O topology, the PCI/DDI framework provides the I/O topology constructor and interrupt handles, and the NUMA lgrp sub-system provides NUMA topology; the framework binds interrupts accordingly.]
GLDv3 Public Driver APIs
• Dynamic polling
• Packet chaining
• Hardware checksumming offload
  – Large Send Offload (LSO)
• Revamped driver property interface
  – Simplifies driver development
  – Extensibility for future releases
• First supported in Solaris 10 U9 (09/10 release)
• See Chapter 19, Document #816-4854
Network Performance Highlights
• Dynamic polling on receive rings boosts efficiency
• Aggregation, flow control on transmit rings
• Binding available to psets or pools
  – Supports Message Signaled Interrupts (MSI)
    — Used in PCI Express (PCIe) hardware
    — Alternative to traditional pin-based interrupts
• Hardware lanes
  – Improve cache locality, isolate traffic
Security
Features
• Root as a role
• On-disk file encryption
• Network spoofing protection
• Delegated administration
  – Zones, SMF services
• "In-kernel" pfexec
• Forced Privilege and Stop Profile
Root Implemented as a Role
• The user defined during installation receives the root role
• sudo is enabled with a 5-minute grace period
installer@os11e:~$ roles
root
installer@os11e:~$ profiles
Console User
Suspend To RAM
Suspend To Disk
Brightness
CPU Power Management
Network Autoconf User
Network Wifi Info
Desktop Removable Media User
Basic Solaris User
All
File system encryption: zfs(1M)
• Applicable to datasets or volumes
• Need a wrapping key to mount the file system
  – Passphrase or file-based, delegatable key control
• See man page examples 22-27 for zfs(1M)
$ zfs create -o encryption=on rpool1/home/fng
Enter passphrase for 'rpool1/home/fng':
Enter again:
$ zfs list rpool1/home/fng
NAME             USED  AVAIL  REFER  MOUNTPOINT
rpool1/home/fng   31K  8.29G    31K  /export/home/fng
fir@os11e:/$ zfs get all rpool1/home/fng | grep key
rpool1/home/fng  keysource  passphrase,prompt      local
rpool1/home/fng  keystatus  available              -
rpool1/home/fng  rekeydate  Fri Dec 10 10:35 2010  local
Configuring ZFS Encryption
• You can also write a key to a file
• The keysource attribute specifies the format and file path
• Encryption policy is inherited and read-only
# pktool genkey keystore=file outkey=/dmkey.file keytype=aes keylen=256
# zfs create -o encryption=aes-256-ccm -o keysource=raw,file:///dmkey.file rpool1/home/fng
# zfs clone rpool1/home/fng@final rpool1/home/delivered
Enter passphrase for 'rpool1/home/delivered':
Enter again:
# zfs set encryption=off rpool1/home/delivered
cannot set property for 'rpool1/home/delivered': 'encryption' is readonly
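A review script that follows from the file-based keysource above, added here and not part of the Oracle course material: it reads a tab-separated listing of dataset name, encryption, keysource and keystatus (the form zfs list -H produces for those properties), lists which encrypted datasets are unlocked by a key file and where that file lives, and which datasets have no key loaded. The point for a practitioner is that a raw key file inherits the permissions and placement of an ordinary file, so it is worth knowing exactly which datasets depend on it. The dataset list is constructed sample data modelled on the slide's datasets, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Oracle course: review the encrypted datasets on a
# system from the output (on stdin) of
#   zfs list -H -t filesystem -o name,encryption,keysource,keystatus
# (tab-separated). Two things to see at a glance:
#   1. datasets whose wrapping key is a file (keysource "raw,file://..."), with
#      the path, so the file's location and permissions can be checked; a key
#      file kept on the pool it unlocks protects nothing once the disks leave
#      together;
#   2. datasets whose key is not loaded (keystatus "unavailable"), which cannot
#      be mounted until "zfs key -l" supplies it.
# The sample below is constructed data modelled on the slide's datasets.

sample_zfs_enc() {
    printf '%s\t%s\t%s\t%s\n' \
        rpool1/home            off          none                    none \
        rpool1/home/fng        aes-256-ccm  raw,file:///dmkey.file  available \
        rpool1/home/delivered  aes-256-ccm  raw,file:///dmkey.file  available \
        rpool1/home/perrin     aes-128-ccm  passphrase,prompt       unavailable
}

# "<dataset> <key file path>" for each encrypted dataset with a file-based key.
enc_file_backed_keys() {
    awk -F '\t' '$2 != "off" && $3 ~ /,file:\/\// {
        sub(/^[^,]*,file:\/\//, "", $3)   # keep only the path after file://
        print $1, $3
    }'
}

# Encrypted datasets whose key is not currently loaded.
enc_keys_unloaded() {
    awk -F '\t' '$2 != "off" && $4 == "unavailable" { print $1 }'
}

# Datasets that share the key file given as $1. One file unlocking several
# datasets matters when the file is rotated with "zfs key -c" or its
# permissions are tightened: every dataset listed here is affected.
enc_key_file_users() {
    enc_file_backed_keys | awk -v f="$1" '$2 == f { print $1 }'
}

# Demo on the embedded sample: RUN_DEMO=1 sh this_script.sh
if [ -n "${RUN_DEMO:-}" ]; then
    sample_zfs_enc | enc_file_backed_keys
    sample_zfs_enc | enc_keys_unloaded
fi
```

On the sample, rpool1/home/fng and its clone rpool1/home/delivered both resolve to /dmkey.file (a clone keeps its origin's keysource), and rpool1/home/perrin is reported as having no key loaded.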
File system encryption: lofiadm
Full scenario: Example 6, lofiadm(1M) man page
marty@os11e:/$ mkfile 64m /var/tmp/setec
marty@os11e:/$ lofiadm -c aes-256-cbc -a /var/tmp/setec
Enter passphrase:
Re-enter passphrase:
/dev/lofi/1
marty@os11e:/$ newfs /dev/rlofi/1
newfs: construct a new file system /dev/rlofi/1: (y/n)? y
...
marty@os11e:/$ lofiadm
Block Device   File            Options
/dev/lofi/1    /var/tmp/setec  Encrypted
Network Spoofing Protection

• mac-nospoof: Cannot change MAC address
• restricted: Outbound IPv4, IPv6, and ARP packets only
• ip-nospoof: Checks outbound packets against the allowed-ips property
• dhcp-nospoof: Multiple conditions apply. See dladm(1M).

# dladm show-linkprop -p protection play0
LINK   PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
play0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
# dladm set-linkprop -p protection=mac-nospoof play0
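A defender usually wants to know which links on a host still lack these protections rather than set them one at a time. The following is an added example, not code from the course or from Oracle: it parses the column layout that dladm show-linkprop prints (as shown above) and audits each link against a local policy that requires mac-nospoof and ip-nospoof, and flags ip-nospoof configured without an explicit allowed-ips list. The sample output is constructed, the link names play0, vnic1 and vnic2 are made up, and the policy itself is an assumption of this example, not a dladm requirement.

```python
# Constructed sample in the column layout dladm show-linkprop prints
# (LINK PROPERTY PERM VALUE DEFAULT POSSIBLE); not captured from a real host.
SAMPLE = """\
LINK   PROPERTY    PERM VALUE                  DEFAULT POSSIBLE
play0  protection  rw   --                     --      mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
play0  allowed-ips rw   --                     --      --
vnic1  protection  rw   mac-nospoof,ip-nospoof --      mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
vnic1  allowed-ips rw   192.168.1.10           --      --
vnic2  protection  rw   ip-nospoof             --      mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
vnic2  allowed-ips rw   --                     --      --
"""


def parse_linkprop(text):
    """Return {link: {property: [values]}}; a VALUE of '--' means unset."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    links = {}
    for line in lines[1:]:
        row = dict(zip(header, line.split()))
        values = [] if row["VALUE"] == "--" else row["VALUE"].split(",")
        links.setdefault(row["LINK"], {})[row["PROPERTY"]] = values
    return links


def audit_link_protection(links, required=("mac-nospoof", "ip-nospoof")):
    """Findings per link for an assumed local policy: every listed link
    must carry the required protections, and ip-nospoof must be paired
    with an explicit allowed-ips list so the check has something to
    compare outbound packets against."""
    findings = {}
    for link, props in links.items():
        protection = set(props.get("protection", []))
        issues = []
        if not protection:
            issues.append("protection unset")
        else:
            for p in required:
                if p not in protection:
                    issues.append("%s missing" % p)
            if "ip-nospoof" in protection and not props.get("allowed-ips"):
                issues.append("ip-nospoof set but allowed-ips empty")
        findings[link] = issues
    return findings


if __name__ == "__main__":
    for link, issues in audit_link_protection(parse_linkprop(SAMPLE)).items():
        print(link, "OK" if not issues else "; ".join(issues))
```

On a real host the input would come from dladm show-linkprop -p protection,allowed-ips run over the links you hand to zones or VNICs; the parser only assumes that no column value contains whitespace, which holds for these two properties.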
Zones: Delegated Administration

• Per-user, per-zone authorizations
• Limits NGZ access from the GZ
• zonecfg(1) syncs with the GZ /etc/user_attr file.

zonecfg:webber> info
zonename: webber
zonepath: /home/webber/zone
...
admin:
        user: hen3ry
        auths: login,manage
zonecfg:webber> verify; exit
UX: /usr/sbin/usermod: hen3ry is currently logged in, some changes may not take effect until next login.
SMF: Delegated Administration

• Set authorizations in manifest
  – Enable/disable (value_authorization)
  – Restart/refresh (action_authorization)
  – Modify values in all or select property groups
• Assign auths to profiles/users via rbac(5)
• Complete list in smf_security(5)
SMF: Method Context

Execution attributes include:
• Security
  – User, group, privileges
• Also resource management and environment
SMF: Firewall Integration

• Application-specific attributes

$ svcadm enable ipfilter
$ svccfg -s ipfilter:default setprop firewall_config_default/policy = allow
$ svcadm refresh network/ipfilter
$ svcadm enable ftp
$ svccfg -s ftp setprop firewall_config/policy = allow
$ svccfg -s ftp setprop firewall_config/apply_to = network:192.168.1.0/24

• Applications can participate in automatic firewall policy
  – Define firewall_context/name for RPC services.
  – Implement firewall_context/ipf_method for other services.
  – See svc.ipfd(1M) for more information.
Least Privilege Changes

[Figure: privileges named on the slide: proc_fork, proc_exec, net_privaddr]
“In-kernel pfexec”

• New PRIV_PFEXEC process flag
• Set by any profile shell, inherited across exec(2)
• Applies RBAC attributes transparently
  – No need for pfexec
• Other profile shells now available:
  – pfbash(1)
  – pftcsh(1)
  – pfzsh(1)
Basic Privileges: More is Less

• basic privilege set expanded
  – file_read, file_write, file_link_any
  – proc_exec, proc_fork
  – proc_info, proc_session
  – net_access
• Easier to disable certain privileges:
  – Read-only process: !file_write
  – Host-only process: !net_access
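The privilege specification syntax used above (basic plus !name negations) is evaluated token by token, in order, which is what makes subtracting from basic a reliable way to sandbox a process. The following is an added example, not code from the course or from Oracle, and it does not call the Solaris privilege API: it models that evaluation in Python against the expanded basic set listed on the slide, so the effect of a spec such as basic,!file_write,!net_access can be checked before it goes into a profile or an SMF method context. The helper names are this example's own.

```python
import re

# Solaris 11 basic privilege set, as listed on the slide.
BASIC = frozenset({
    "file_read", "file_write", "file_link_any",
    "proc_exec", "proc_fork",
    "proc_info", "proc_session",
    "net_access",
})

_PRIV_NAME = re.compile(r"^[a-z][a-z0-9_]*$")


def resolve_privs(spec, basic=BASIC):
    """Evaluate a comma-separated privilege spec from left to right.

    'basic' expands to the basic set, 'name' adds one privilege and
    '!name' removes it (the syntax the slide uses: basic,!file_write).
    Tokens apply in order, so '!file_write,basic' still yields the full
    basic set. Unknown or empty tokens raise ValueError so a typo in a
    profile does not silently widen the set.
    """
    privs = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            raise ValueError("empty token in privilege spec")
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        if name == "basic":
            names = set(basic)
        elif _PRIV_NAME.match(name):
            names = {name}
        else:
            raise ValueError("bad privilege token: %r" % tok)
        if negate:
            privs -= names
        else:
            privs |= names
    return frozenset(privs)


def dropped_from_basic(spec, basic=BASIC):
    """Basic privileges the spec removes: the 'more is less' view."""
    return sorted(basic - resolve_privs(spec, basic))


def spec_is_subset_of_basic(spec, basic=BASIC):
    """True when the spec grants nothing beyond basic; a sandboxed
    method or profile entry should normally satisfy this."""
    return resolve_privs(spec, basic) <= basic


if __name__ == "__main__":
    for spec in ("basic,!file_write", "basic,!net_access", "basic,proc_audit"):
        print(spec, "drops", dropped_from_basic(spec),
              "subset of basic:", spec_is_subset_of_basic(spec))
```

The order sensitivity is the point worth remembering: a negation placed before the basic keyword removes nothing, which is easy to miss when a spec is assembled from several fragments.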
Role-Based Access Control

[Figure: roles and rights profiles shown on the slide: Software Installation, DTrace Analysis, Developer, Audit Review, File Integrity Verification, Dataset Management, Backup Operator, Internal Auditor, Sys Admin]
Sandboxing Enhancements

• User profiles are cumulative, processed in list order
  – /etc/user_attr, /etc/security/policy.conf
• Ignores any profiles assigned after Stop is read
  – Either by file (policy.conf) or by command
• Provides an explicit limit to a user's authorizations
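Because profiles are cumulative and evaluated in order, the position of Stop in a user's list decides which authorizations survive, including whatever policy.conf would otherwise append through PROFS_GRANTED. The following is an added example, not code from the course or from Oracle: it parses constructed user_attr, prof_attr and policy.conf fragments in the colon-separated layout of those files and resolves the profiles and authorizations each user ends up with, halting at Stop. The profile descriptions and the solaris.example.* authorization names are made up for the example, and AUTHS_GRANTED is deliberately not modelled.

```python
# Constructed sample files in the layout of user_attr(4), prof_attr(4)
# and policy.conf(4); the authorization names are made up.
USER_ATTR = """\
hen3ry::::profiles=Dataset Management,Stop,Software Installation
marty::::profiles=Software Installation
"""
PROF_ATTR = """\
Dataset Management:::Manage ZFS datasets:auths=solaris.example.zfs
Software Installation:::Install packages:auths=solaris.example.pkg
Basic Solaris User:::Default rights:auths=solaris.example.mailq;profiles=All
All:::Execute any command:
Stop:::End profile evaluation:
"""
POLICY_CONF = """\
# PROFS_GRANTED is appended after the user's own profile list
PROFS_GRANTED=Basic Solaris User
"""


def parse_attr_field(field):
    """'auths=a,b;profiles=X,Y' -> {'auths': ['a', 'b'], 'profiles': ['X', 'Y']}"""
    out = {}
    for kv in field.split(";"):
        if not kv:
            continue
        key, _, val = kv.partition("=")
        out[key] = [v.strip() for v in val.split(",") if v.strip()]
    return out


def parse_colon_file(text):
    """user_attr and prof_attr share the shape name:res1:res2:(qualifier|desc):attr."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        table[fields[0]] = parse_attr_field(fields[4]) if len(fields) > 4 else {}
    return table


def parse_policy_conf(text):
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition("=")
        policy[key.strip()] = [v.strip() for v in val.split(",") if v.strip()]
    return policy


def resolve_profiles(user, users, profs, policy):
    """Return (profiles applied, auths granted) for one user.

    The user_attr list comes first, then PROFS_GRANTED from policy.conf;
    nested profiles are followed depth-first in the same order. The walk
    halts at the first 'Stop', so anything listed after it, from either
    file, is ignored.
    """
    order = list(users.get(user, {}).get("profiles", []))
    order += policy.get("PROFS_GRANTED", [])
    applied, auths, seen = [], [], set()
    stopped = False

    def visit(name):
        nonlocal stopped
        if stopped or name in seen:
            return
        seen.add(name)
        if name == "Stop":
            stopped = True
            return
        applied.append(name)
        entry = profs.get(name, {})
        for a in entry.get("auths", []):
            if a not in auths:
                auths.append(a)
        for sub in entry.get("profiles", []):
            visit(sub)

    for name in order:
        visit(name)
    return applied, auths


def resolve_all(user_attr=USER_ATTR, prof_attr=PROF_ATTR, policy_conf=POLICY_CONF):
    users = parse_colon_file(user_attr)
    profs = parse_colon_file(prof_attr)
    policy = parse_policy_conf(policy_conf)
    return {u: resolve_profiles(u, users, profs, policy) for u in users}


if __name__ == "__main__":
    for user, (applied, auths) in resolve_all().items():
        print(user, applied, auths)
```

In the sample, hen3ry keeps only Dataset Management because Stop precedes Software Installation and blocks the policy.conf default, while marty receives Software Installation plus the default profile and its nested All.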
Kerberos Improvements

• “Zero-configuration” client via DNS
  – Authentication via Active Directory available
  – Enhancements to PAM configurations
  – Better interoperability for Windows clients
• Initial authentication possible with public keys
  – RFC 4556 (PKINIT) implemented
• New kdcmgr(1M) tool
  – Sets up Kerberos Key Distribution Center
Key Management: pkcs11_kms Provider

• Consumer for Key Management Server (KMS)
• Configured with kmscfg(1M)
  – pkg:/system/library/security/crypto/pkcs11_kms@...
• KMS configuration required for each consumer
  – See “KMS 2.2 Administration Guide” for details
  – http://docs.sun.com/app/docs/doc/316195103AA
Other Enhancements

• NSA Suite B algorithms support
• Internet Key Exchange
  – Accepts Elliptic Curve Cryptography (ECC)
  – Also RSA and DSA
• AES Cipher Feedback (CFB) mode
  – Available on SPARC T3 processor
  – Used by Oracle Database Advanced Security Option
  – Supports acceleration of table-level encryption
Oracle Solaris 11 Trusted Extensions

[Figure: labeled zones (Need-to-know, Internal Use, Public) over the Solaris kernel, each with its own net interface; Multilevel Desktop Services (Global Zone)]

• Mandatory Access Control (MAC)
• Zones are classified (“labeled”)
• Processes need proper clearance to access labeled assets
• Networks, printers also labeled
• Runs all Solaris applications
• Designed for defense and intelligence industry requirements
• Meets Common Criteria Certifications at EAL4+ levels
Trusted Extensions Changes

• GNOME replaces CDE as Desktop
  – GNOME login manager asserts labeling
  – X server uses same X Access Control Extension (XACE) policy hooks as SELinux
• New ZFS attribute: mlslabel
  – Prevents remounting on the wrong label
• Labeled IPsec
  – Multilevel IKE daemon negotiates Security Associations
  – Maintains the label’s confidentiality and integrity
  – CIPSO data does not need to be sent in the clear
  – Allows the use of a single physical network
Trusted Platform Modules (TPM)

Support for Trusted Platform Modules (TPM)
• TSS 1.2 API
• tpmadm(1M) CLI
• pkcs11_tpm(5) Crypto module
Services Management Facility (SMF)
SMF Design Goals

• Increase application availability
  – Monitor services in run time
  – Restart failed processes
• Graph-dependent services
  – Start independent service paths concurrently
• Common naming for all services
  – Not just daemon processes
  – It is either disabled or some variation of enabled.
SMF Is the Glue in Solaris 11

• Services are first-class objects
  – Health monitoring
  – FMRI-based naming
  – Universal lifecycle
  – Tools to observe services, not just processes
• Automated restarts after errors and faults
  – Integrated refresh upon reconfiguration
• Control for many service attributes
  – Privileges
  – User/group delegation
  – Resource controls
Service Templates

• Service properties include:
  – Decorations
  – Descriptions
  – Simple constraints
• Online help
  – Store property descriptions with the service
• Catch errors during configuration:
  – Validate constraints in APIs and commands

smf_template(5)
Early Manifest Imports

• Two import services
  – svc:/system/early-manifest-import:default
  – svc:/system/manifest-import:default
• Solves potential race condition with manifest upgrades
• Reads new manifest location
  – /lib/svc/manifest
  – /var/svc/manifest remains for compatibility: the manifest-import service reads /lib/svc/manifest, and then /var/svc/manifest.
SMF Enhanced Profiles

• Customize configuration for multiple services
  – Example: enabling/disabling services in one action:
    # netservices limited | open
• Easy deployment of services configurations
  – Drop-in during system deployment
  – Installer support for SMF profiles in the works
  – /etc/svc/profile
  – Use site/ subdirectory for local customization
Fault Notification

• Set and list notification types for SMF/FMA faults.
• Default parameters kept as a service
  – svc:/system/svc/global:default

# svccfg setnotify -g to-maintenance mailto:[email protected]
# svccfg listnotify -g
    Event: to-maintenance (source: svc:/system/svc/global:default)
        Notification Type: smtp
            Active: true
            to: [email protected]
IPS Actuators

• Signals additional behavior, usually on a live system
• restart_fmri prompts a service restart.
  – Per-file attribute
• reboot-needed indicates that a reboot is required.
• Remember that IPS only updates objects as needed.

dir group=bin mode=0755 owner=root path=opt timestamp=20101109T051058Z
dir group=bin mode=0755 owner=root path=opt/app timestamp=20101109T051110Z
file opt/app/app-bin group=bin mode=0555 owner=root path=opt/app/app-bin pkg.size=48088 reboot-needed=true
file opt/app/app.conf group=bin mode=0644 owner=root path=opt/app/app.conf pkg.size=267
file lib/svc/manifest/application/lianep-app.xml mode=0444 owner=root path=lib/svc/manifest/application/lianep-app.xml restart_fmri=svc:/system/manifest-import:default
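When reviewing a package before it goes to a live system, the questions are which actions carry actuators and whether they will actually fire, since IPS only acts on objects it delivers. The following is an added example, not code from the course, from Oracle or from the pkg(5) client: it parses manifest actions in the layout shown above (action type, an optional payload token for file actions, then key=value attributes, where an attribute such as restart_fmri may repeat) and reports the reboot requirement and the service FMRIs that would be restarted, optionally restricted to the paths being changed. The manifest text is the slide's own; the function names are this example's. Besides restart_fmri and reboot-needed from the slide, the actuator list includes refresh_fmri, suspend_fmri and disable_fmri, which pkg(5) also defines.

```python
import shlex
from collections import defaultdict

# The manifest lines shown on the slide, used as sample input.
MANIFEST = """\
dir group=bin mode=0755 owner=root path=opt timestamp=20101109T051058Z
dir group=bin mode=0755 owner=root path=opt/app timestamp=20101109T051110Z
file opt/app/app-bin group=bin mode=0555 owner=root path=opt/app/app-bin pkg.size=48088 reboot-needed=true
file opt/app/app.conf group=bin mode=0644 owner=root path=opt/app/app.conf pkg.size=267
file lib/svc/manifest/application/lianep-app.xml mode=0444 owner=root path=lib/svc/manifest/application/lianep-app.xml restart_fmri=svc:/system/manifest-import:default
"""

# Service-directed actuators defined in pkg(5); each names an FMRI.
FMRI_ACTUATORS = ("restart_fmri", "refresh_fmri", "suspend_fmri", "disable_fmri")


def parse_actions(text):
    """Return a list of {'type', 'payload', 'attrs'} dicts, one per action.

    Attribute values are kept as lists because an action may carry the
    same attribute more than once (e.g. several restart_fmri values).
    """
    actions = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        kind, rest = tokens[0], tokens[1:]
        attrs = defaultdict(list)
        payload = None
        for tok in rest:
            if "=" in tok:
                key, _, val = tok.partition("=")
                attrs[key].append(val)
            elif payload is None:
                payload = tok  # file actions carry a payload/hash token before attrs
        actions.append({"type": kind, "payload": payload, "attrs": dict(attrs)})
    return actions


def plan_actuators(text, changed_paths=None):
    """Summarize the actuators that would fire for a manifest.

    changed_paths, when given, restricts the view to actions whose path
    is actually being delivered, mirroring the rule that IPS only updates
    objects as needed: an actuator on an unchanged file does nothing.
    """
    result = {
        "reboot_needed": False,
        "reboot_paths": [],
        "fmri": {name: {} for name in FMRI_ACTUATORS},
    }
    for act in parse_actions(text):
        path = act["attrs"].get("path", [None])[0]
        if changed_paths is not None and path not in changed_paths:
            continue
        if act["attrs"].get("reboot-needed", ["false"])[0] == "true":
            result["reboot_needed"] = True
            result["reboot_paths"].append(path)
        for name in FMRI_ACTUATORS:
            for fmri in act["attrs"].get(name, []):
                result["fmri"][name].setdefault(fmri, []).append(path)
    return result


if __name__ == "__main__":
    print(plan_actuators(MANIFEST))
    print(plan_actuators(MANIFEST, changed_paths={"opt/app/app.conf"}))
```

Run over the full manifest, the plan shows one reboot trigger (opt/app/app-bin) and one restart of manifest-import for the service manifest; restricted to a change of opt/app/app.conf alone, neither actuator fires, which is the behaviour the last bullet warns about.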
FMRI Stored in proc_t Structure

#!/usr/sbin/dtrace -s
/* Service FMRI of the process contract the current thread's process belongs to */
inline string fmri = stringof(curthread->t_procp->p_ct_process->conp_svc_fmri->rs_string);

/* Count system calls per service FMRI */
syscall:::entry
{
        @[fmri] = count();
}

dtrace: script '/var/tmp/foo' matched 228 probes
^C
…
  svc:/system/sysevent:default                      10
  svc:/network/smtp:sendmail                        21
  svc:/network/physical:nwam                        40
  svc:/network/ntp:default                          50
  svc:/system/hal:default                           65
  svc:/network/datalink-management:default         428
  svc:/application/graphical-login/gdm:default  274792