

Oracle Solaris 11 Principles and Architecture Sales Training


Lesson 2: Systems Architecture Oracle Solaris 11

Learning Goals
After completing this lesson, you should be able to:
Recognize the type of hardware on which the solution or
product runs.
Outline the system requirements needed to build the solution.
Describe the system architecture model.
List key architectural strengths and advantages.
List any architectural weaknesses (real or perceived).
Describe talking points to address weaknesses.
List and describe the value-add for Reference Architectures
which contain Solaris 11.

Oracle Solaris 11 Integrated Technologies


Boot Environment
ZFS
IPS
Security
Zones
AI
Resource Management
Network Virtualization
Ops Center
Cluster

Ops Center Supports Key Oracle Solaris 11 Technologies

AI / Manifests
Deploy default manifests within the same Ops Center deployment plan interface.

IPS
Leverage Ops Center to control a local IPS MSR and gain insight into changes via reports and agentless IPS management and provisioning. Manage and manipulate the IPS repositories; load in and sync to local customized repositories.

SMF
Obtain insight into service awareness rather than just process awareness. Observe and control the relationship of operating system daemons and connection/utility points. Connect services to PIDs and enter OS Analytics.

ZFS/BE
Take snapshots of boot environments and turn them into active boot environments.

Network V12N
Manage bandwidth and priority control over NICs.

DTrace / FMA
Explore process performance through OS Analytics while subscribing to FMA events.

Oracle Solaris 11 System Requirements

Disk Space
Live Media (x86): 5 GB (7 GB Recommended)
Text Installer (SPARC, x86): 2.5 GB (4.5 GB Recommended)
Automated Installer (SPARC, x86): 2.5 GB (13 GB Recommended)

Memory
1 GB (2 GB Recommended)

Architectures (1)
Oracle SPARC M and T series systems
Oracle x86 systems (64-bit only)
Non-Oracle x86 systems (64-bit only)

Locales and Languages (2)
Oracle Solaris 11 supports over 200 locales.

(1) See Oracle Solaris OS: Hardware Compatibility Lists at
http://my.oracle.com/site/pd/sss/products/solaris/index.htm

(2) See the Oracle Solaris 11 System Requirements documentation for the complete list of locales and
languages at http://my.oracle.com/site/pd/sss/products/solaris/index.htm

Note: Application Availability Tracker (FTR): http://furl.oraclecorp.com/kj76


Oracle Solaris 11 Top Architectural Features and Functionality

Image Packaging System


Automated Installer
Oracle Solaris ZFS
Virtual Networks and Oracle Solaris Zones
Oracle Solaris Security

Image Packaging System Overview

How IPS Works: Software Update Process

[Diagram: the client (CLI: pkg(1); Desktop: Package Manager, Update Manager) retrieves software from the default repository server.]

Oracle IPS default repository: http://pkg.oracle.com/solaris/release/

How IPS Works: Software Update Process

[Diagram: the client (CLI: pkg(1); Desktop: Package Manager, Update Manager) can retrieve software either from the default repository server or from a local repository.]

Local repository: Configured on your local network

10

How IPS Works: Software Update Process

[Diagram: the default repository server is published as publisher "solaris"; the local repository is published under its own publisher name ("xxxxxx"); the client (CLI: pkg(1); Desktop: Package Manager, Update Manager) retrieves software from either.]

Local repository: Configured on your local network

11

How IPS Works: Installing and Managing Packages

1. Administrator requests a package.
2. IPS checks the manifest.
3. IPS downloads the packages.

12

How IPS Works: Updating the Operating System

1. Update request: the client (Update Manager) requests updates from the default repository.
2. OS updates are delivered to the client.
3. A new boot environment is created.

13

How IPS Works: Boot Environments


A boot environment (BE) is a bootable instance of an
Oracle Solaris 11 operating system image.
Multiple boot environments can be maintained on a
system.
BEs make updating software a low-risk operation.
BEs can have different software versions installed.

14

New Boot Environment Creation Example

[Diagram: before an OS update the system has one boot environment; after the OS update it has two.]

15

IPS Interface Options

IPS supports the following interfaces:
Command-line
GUI: Package Manager and Update Manager

You can use IPS CLI and GUI interfaces to:
Find out what packages are currently on the system
Search for packages
Display information about packages, their contents, and publishers
Install, update, and uninstall packages
16

Package Management CLI Commands

Package Management Task                         IPS Command
Display package state and version information   pkg list
Display package information                     pkg info
Display contents of a package                   pkg contents
Install package updates                         pkg update
Install package                                 pkg install
Verify package installation                     pkg verify
Search for a package                            pkg search
Uninstall a package                             pkg uninstall

17

Package Manager GUI Overview

18

Update Manager Overview

To use Package Manager to update the operating system:


Click the Updates button.
or
Select the Package > Updates menu option.

19

Update Manager Overview

20

Boot Environment Administration


In Oracle Solaris 11, system administrators can:
List the boot environments currently on the system
Create a new boot environment
Rename an existing, inactive boot environment
Activate an existing, inactive boot environment
Destroy an existing, inactive boot environment
BE management utilities:
beadm command
Package Manager

21

BE Management beadm Commands

BE Management Task                                    beadm Command
Display a list of the boot environments on the system  beadm list
Create a new boot environment                          beadm create
Rename an existing, inactive boot environment          beadm rename
Activate an existing, inactive boot environment        beadm activate
Destroy an existing, inactive boot environment         beadm destroy

22

BE Management with Package Manager

23

Ops Center Leverages Boot Environments

Minimize Exposure to Change


Fast Downtime
Leverage Modern File Systems
Also Controlled via Policies

24

IPS Strengths
Modernized software management with integrated
patching
Provides automatic dependency tracking
Updates software quickly and efficiently
Ensures safe system upgrades through boot
environments
Easily accessible network-based package repositories
that can be mirrored
Support for legacy SVR4 packages

25

IPS Weaknesses
IPS requires a mindset change.
The syntax of setting up publishers, mirrors, local
repositories, etc., is new for most people.
IPS is not OS-independent.
- Many middleware and application products are not
installable using IPS.
- This restriction impacts non-Solaris publishers
and repositories as well.
Install scripting is hard with IPS.
Analysis is slow with IPS.

26


IPS For More Information


Oracle Solaris 11 Package Management with IPS:
http://www.oracle.com/technetwork/serverstorage/solaris11/technologies/ips-323421.html
Product Documentation:
http://docs.oracle.com/cd/E23824_01/index.html

28

Automated Installer Overview


AI automates the installation of the OS on one or
more SPARC and x86 systems over a network.
AI uses an installation manifest to install systems.
Installations can differ in architecture, software
packages, disk capacity, network configuration, and
other parameters.

29

Automated Installer Components


AI server: Provides the install service that contains
the installation instructions for the client system
Client system to be installed: Accesses the IP
address information from the DHCP server
DHCP server: Provides the initial IP addresses and
boot information
IPS repository: Provides the software packages that
are identified in the AI manifest file to the client system

30

Types of AI Manifests
Default AI manifest: Is an installation manifest that has
no criteria associated with it
Custom AI manifest: Provides installation criteria for a
specific client
Criteria file: Allows client-specific installation instructions
to be associated with AI services

31

Default AI Manifest (default.xml)

<!DOCTYPE auto_install SYSTEM "file:///usr/share/install/ai.dtd.1">
<auto_install>
  <ai_instance>
    <target>
      <logical>
        <zpool name="rpool" is_root="true">
          <filesystem name="export" mountpoint="/export"/>
          <filesystem name="export/home"/>
          <be name="solaris"/>
        </zpool>
      </logical>
    </target>
    <software type="IPS">
      <source>
        <publisher name="solaris">
          <origin name="http://pkg.oracle.com/solaris/release"/>
        </publisher>
      </source>
      <software_data action="install">
        <name>pkg:/entire@latest</name>
        <name>pkg:/group/system/solaris-large-server</name>
      </software_data>
    </software>
  </ai_instance>
</auto_install>

32

AI Installation Server Requirements

Hardware          Requirement
Disk space        Approximately 0.75 GB additional disk space for each AI installation service after the Oracle Solaris 11 OS has been installed
Memory            Recommended minimum: 1 GB

Software          Requirement
Operating system  Oracle Solaris 11 must be installed.
IP address        A static IP address must be used.
Router            The default route must be set.
DHCP              DHCP must be set up.
IPS repository    The repository must be set up locally.

33

Automated Installation Process for a Customized Installation

[Diagram: numbered steps of the automated installation process for a customized installation.]

34

How the Automated Installer Works

35

System Configuration Profile


Specifies client system configuration as a set of
configuration parameters in the form of an SMF profile
Applied during the first boot of the system after
installation
Allows configuration of anything configurable via smf(5)
properties
Allows multiple sets of system configuration instructions
for each install service
Allows for multiple SC profiles to be associated with
each client
Is added to the svcname install service using the
installadm create-profile command

36

System Configuration Profile Example

<?xml version='1.0'?>
<!-- Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -->
<!-- (remaining comments omitted) -->
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="system configuration">
  <service name="system/config-user" version="1">
    <instance name="default" enabled="true">
      <property_group name="user_account">
        <propval name="login" value="jack"/>
        <propval name="password" value="9Nd/cwBcNWFZg"/>
        <propval name="description" value="default_user"/>
        <propval name="shell" value="/usr/bin/bash"/>
        <propval name="gid" value="10"/>
        <propval name="type" value="normal"/>
        <propval name="roles" value="root"/>
        <propval name="profiles" value="System Administrator"/>
      </property_group>
      <property_group name="root_account">
        <propval name="password" value="encrypted_password"/>
        <propval name="type" value="role"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
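The profile above hands the installer two credentials and decides whether root is a role, so it is worth checking before it is attached with installadm create-profile. The Python script below is an added example, not from the deck or from Oracle: it parses a service_bundle profile of this shape and flags root not configured as a role, password fields that are not crypt(3) hashes (such as the literal placeholder left in the root_account above), and a root role that no created user is granted. The hash-shape regexes, the lock-marker handling and the embedded sample profile are my own constructions; the login and hash value are copied from the slide.

```python
"""Audit an Oracle Solaris 11 AI system-configuration (SC) profile.

Added example, not from the training deck: parses the service_bundle XML that
AI applies on first boot and reports account settings a reviewer should catch.
"""
import re
import xml.etree.ElementTree as ET

# Shapes a crypt(3) password field can legitimately take (constructed regexes).
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")              # traditional 13-char DES
MODULAR_CRYPT = re.compile(r"^\$[0-9a-z]+\$[^$]+\$[^$]+$")  # $id$salt$hash ($5$, $6$, $md5$ ...)
LOCK_MARKERS = ("NP", "*LK*")                                # "no password" / locked account

# Constructed sample modelled on the deck's profile. The login and the hash
# value are the slide's; "encrypted_password" is the placeholder left in it.
SAMPLE_PROFILE = """<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="system configuration">
  <service name="system/config-user" version="1">
    <instance name="default" enabled="true">
      <property_group name="user_account">
        <propval name="login" value="jack"/>
        <propval name="password" value="9Nd/cwBcNWFZg"/>
        <propval name="description" value="default_user"/>
        <propval name="shell" value="/usr/bin/bash"/>
        <propval name="gid" value="10"/>
        <propval name="type" value="normal"/>
        <propval name="roles" value="root"/>
        <propval name="profiles" value="System Administrator"/>
      </property_group>
      <property_group name="root_account">
        <propval name="password" value="encrypted_password"/>
        <propval name="type" value="role"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
"""


def property_group(root, service, group):
    """Return {propval name: value} for one property_group of one service."""
    path = (f"./service[@name='{service}']/instance"
            f"/property_group[@name='{group}']/propval")
    return {p.get("name"): p.get("value") for p in root.findall(path)}


def password_field_ok(value):
    """True if the field is a crypt(3) hash or an explicit lock marker.

    Empty strings, clear-text words and leftover template text all fail, so a
    profile that still says "encrypted_password" is caught before first boot.
    """
    if not value:
        return False
    if value in LOCK_MARKERS or value.startswith("*LK*"):
        return True
    return bool(DES_CRYPT.match(value) or MODULAR_CRYPT.match(value))


def audit_profile(xml_text):
    """Return a list of findings (an empty list means the profile passed)."""
    root = ET.fromstring(xml_text)
    findings = []
    root_acct = property_group(root, "system/config-user", "root_account")
    user_acct = property_group(root, "system/config-user", "user_account")

    root_is_role = root_acct.get("type") == "role"
    if not root_is_role:
        findings.append("root_account/type is not 'role': root can log in directly")
    if not password_field_ok(root_acct.get("password")):
        findings.append("root_account/password is not a crypt(3) hash: "
                        f"{root_acct.get('password')!r}")

    login = user_acct.get("login")
    if login:
        if not password_field_ok(user_acct.get("password")):
            findings.append(f"user_account/password for {login!r} is not a crypt(3) hash")
        roles = {r.strip() for r in (user_acct.get("roles") or "").split(",") if r.strip()}
        if root_is_role and "root" not in roles:
            findings.append(f"root is a role but {login!r} is not granted it (roles={sorted(roles)})")
    elif root_is_role:
        findings.append("root is a role but the profile creates no user who can assume it")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["no findings"]:
        print(finding)
```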

37

How AI Installs Non-Global Zones


Non-global zones are installed using the configuration element in the AI manifest:
<configuration type="zone" name="zone1" source="http://server/zone1/config"/>

After global zone installation and reboot, the zones self-assembly SMF service (svc:/system/zones-install:default) configures and installs each non-global zone per the AI manifest.
If the zone is configured with autoboot=true, the system/zones-install service boots the zone after the zone is installed.

38

Automated Installer Strengths


Integrated into the OS
Simplifies complexity of installation and reduces initial and ongoing costs of deploying Oracle Solaris reliably
Can provision Oracle Solaris 11 zones as part of its base functionality
Provides an intuitive installation service management interface to manage different installation services across different architectures
Offers derived manifest functionality to enable dynamic parameter changes in the AI install manifest
Can convert Oracle Solaris 10 Jumpstart rules and profiles to AI manifests

39

Automated Installer Weaknesses


AI is very different from Jumpstart.
AI requires XML knowledge.
Jumpstart rules, profiles, and configuration files
must be converted to AI criteria, AI manifests, and
SMF system configuration profiles.
AI requires a specific DHCP configuration.
For more information, see Transitioning From
Oracle Solaris 10 Jumpstart to Oracle Solaris 11
Automated Installer:
http://docs.oracle.com/cd/E23824_01/index.html

40


Automated Installer For More Information


Simplified Installation and Cloud Provisioning with Oracle Solaris 11:
http://www.oracle.com/technetwork/serverstorage/solaris11/technologies/modernizedinstaller-461041.html
Product Documentation:
http://docs.oracle.com/cd/E23824_01/index.html

42

Oracle Solaris ZFS Overview

Integrated file and volume management
Data protection with replication and migration
Data security with industry standard encryption
Space savings with deduplication and compression

43

ZFS: Integrated File and Volume Management

Eliminates partitions, provisioning, wasted bandwidth, and stranded storage
Enables multiple file systems to draw from a common storage pool

[Diagram: a single storage pool backing the Financial, Marketing, Accounts Receivable, Accounts Payable, Documentation, and Financial Reports (property=compressed) file systems.]

44

ZFS: Data Protection with Redundancy

Mirrored storage pool configuration
RAID-Z storage pool configuration
Self-healing data in a redundant configuration
Dynamic striping in a storage pool

[Diagram: data dynamically striped (Stripe 1, Stripe 2) across two mirror devices, and across two RAID-Z devices.]

45

ZFS: Data Protection with Migration

Shadow migration enables file systems to be migrated from:
A local or remote ZFS file system to a target ZFS file system
A local or remote UFS file system to a target ZFS file system

The shadow migration process is as follows:
1. Administrator creates an empty ZFS file system.
2. Administrator sets the shadow property on the empty ZFS file system to point to the file system to be migrated.
3. Data from the file system to be migrated is copied over to the shadow file system in the background while normal operations occur.
# zfs create -o shadow=file:///rpool/old users/home/shadow

46

ZFS: Data Security with Industry Standard Encryption

ZFS encryption is integrated with the ZFS command set.
An encryption policy can be set when a ZFS file system is created, but the policy cannot be changed.
The encryption policy on a new file system is enabled by setting the encryption property to on: encryption=on
ZFS encryption is inheritable to descendent file systems.
ZFS encryption uses the Oracle Solaris Cryptographic Framework, which gives it automatic access to:
Hardware assisted cryptographic acceleration
Optimized encryption algorithms
# zfs create -o encryption=on hrpool/home/reports
Enter passphrase for 'hrpool/home/reports': xxxxxxx
Enter again: xxxxxxxx

47

ZFS: Space Savings with Deduplication

The ZFS deduplication property (dedup) removes redundant data from ZFS file systems as the data is being written.
When the deduplication property is enabled, duplicate data blocks are removed synchronously as the data is written.
The property is enabled by setting the deduplication property to on: dedup=on
Deduplication is performed across the entire ZFS storage pool but only on the datasets that have deduplication enabled.
Deduplication can be used in combination with ZFS compression and encryption.
# zfs set dedup=on rpool/home

48

ZFS: Space Savings with Compression

The ZFS compression property is used to enable and disable compression for a file system.
The compression property is disabled by default.
The property is enabled by setting the compression property to on: compression=on
The values are on, off, lzjb, gzip, and gzip-N.
Enabling compression on a file system with existing data compresses only new data.
The compression ratio is inherited by child file systems.
# zfs set compression=on datapool/software/solaris
# zfs get -r compression datapool
NAME                          PROPERTY     VALUE  SOURCE
datapool                      compression  off    default
datapool/software             compression  off    default
datapool/software/solaris     compression  on     local
datapool/software/solaris/ar  compression  on     inherited from datapool/software/solaris

49

ZFS Strengths
Unparalleled, end-to-end data integrity
Unlimited data capacity
Built-in modern data services:
Integrated file and volume management
Data protection with replication and migration
Data security with industry standard encryption
Space savings with deduplication and compression
RAID support
ZFS as root file system:
Integrated with zones, IPS, and SMF
BEs for safe system upgrades
Backups with ZFS snapshots and clones

50

ZFS Weaknesses
Customers believe that ZFS is only designed for JBOD, not for enterprise-class storage.
Tuning recommendations: http://www.solarisinternals.com/wiki/index.php/ZFS_Evil_Tuning_Guide#Cache_Flushes

Customers have the impression that ZFS uses a lot of memory.
Memory recommendations: http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide#System.2FMemory.2FSwap_Space

ZFS is hard to tune to use with the Oracle database.
Best practices/considerations: http://www.solarisinternals.com/wiki/index.php/ZFS_for_Databases

ZFS does not offer device removal from a pool.


51


Oracle Solaris ZFS For More Information

Oracle Solaris 11 ZFS Technology:
http://www.oracle.com/technetwork/serverstorage/solaris11/technologies/zfs-338092.html

Product Documentation:
http://docs.oracle.com/cd/E23824_01/index.html

ZFS Best Practices Guide:
http://www.solarisinternals.com/wiki/index.php/ZFS_Best_Practices_Guide

53

Network Virtualization with Oracle Solaris Zones

Network virtualization and virtual networks
Virtual network components
Zone configuration using VNICs
Resource management for both zones and the virtual network
Zone system resource monitoring (zonestat)
Networking highlights

54

Network Virtualization and Virtual Networks


Network virtualization
Is the process of combining hardware network
resources and software network resources
Provides efficient, controlled, and secure sharing of
network resources
Virtual networks
External networks: Several local networks administered
by software as a single entity
Internal networks: One system using virtual machines
or zones that are configured over at least one
pseudonetwork interface

55

Virtual Network Components

[Diagram: inside the system, Zone 1, Zone 2 and Zone 3 connect through VNIC 1, VNIC 2 and VNIC 3 to a virtual switch; the virtual switch reaches the external switch and the Internet through the physical NIC.]

56

Zone Configuration Using VNICs

Step 1: Create the virtual switch or etherstub.
Step 2: Create the VNICs.
Step 3: Configure the zones to use the VNICs.

[Diagram: Zone 1, Zone 2 and Zone 3 attached to VNIC 1, VNIC 2 and VNIC 3 on the virtual switch inside the system.]

57

Zone Configuration Using VNICs Example


# zonecfg -z hrzone
hrzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:hrzone> create
zonecfg:hrzone> set zonepath=/zones/hrzone
zonecfg:hrzone> set autoboot=true
zonecfg:hrzone> set ip-type=exclusive
zonecfg:hrzone> add net
zonecfg:hrzone:net> set physical=vnic1
zonecfg:hrzone:net> end
zonecfg:hrzone> verify
zonecfg:hrzone> commit
zonecfg:hrzone> exit
#

58

System Resource Allocation to a Zone


To allocate system resources to a zone, perform the following steps:
Specify a subset of the system's processors that should be dedicated to a zone while it is running.
Limit the amount of CPU resources that can be consumed by a zone.
Control the allocation of available CPU resources among zones, based on their importance.
Limit the amount of physical memory.

59

System Resource Allocation Management to a Zone

System resource allocation to a zone can be controlled by:
Resource pools: Used primarily to manage CPU usage
Resource capping: Used to regulate physical memory consumption
Process scheduling: Used to control the allocation of available CPU resources to processes

60

Network Resource Control

Set a bandwidth limit on a VNIC (virtual link speed)
QoS integrated in the core stack; no separate component to configure
Constrain the CPUs used by VNICs or data links by CPU ids or pool names
Integrated with Solaris resource management and zones

# dladm create-vnic -l net0 -p maxbw=100M vnic0

61

Controlling and Observing Flows

Bandwidth limits can be applied to traffic flows specified by the administrator; this includes datalinks in non-global zones.
Flows are managed by flowadm(1M) and specified by source and destination IP addresses, protocol, port number, etc.
Flows can be observed in real time with flowstat(1M), or a history can be obtained using extended accounting.
62

Highly Available VNICs

Link aggregation provides transparent failover and increased throughput to VNICs and zones.
Compliant with IEEE 802.3ad
IP Multipathing (IPMP) can also be used but needs to be configured from within zones.

63

Zone System Resource Monitoring

# zonestat -r network 1 1
Collecting data for first interval...
Interval: 1, Duration: 0:00:01
NETWORK-DEVICE   SPEED     STATE  TYPE
aggr1            2000mbps  up     AGGR
e1000g0          1000mbps  up     PHYS
e1000g1          1000mbps  up     PHYS
etherstub1       n/a       n/a    ETHERSTUB

[Per-device zone rows (columns ZONE, TOBYTE, MAXBW, %MAXBW, PRBYTE, %PRBYTE, POBYTE, %POBYTE): aggr1 carries global-zone traffic only; e1000g0 lists [total], global (MAXBW 100m*), zoneB (100m) and zoneA (50m); e1000g1 carries global-zone traffic only; etherstub1 lists [total], global (100M*) and zoneA (50M).]

64

Networking Highlights

Manual and Automatic Networking
Default Names for Datalinks
InfiniBand, Enabled and Optimized
Load Balancing
Link Protection
Bridging and Tunneling
IP Observability
IP Multipathing
IPMP Administration through ipadm(1M)
IPMP Transitive Probing for Less Restrictive Availability

65


Ops Center Network Virtualization

Automatically leverages NIC-level virtualization with zones
Exposes throughput and priority control over pipes
Allows for a virtualized workload that needs a dedicated TCP/IP stack while sharing the same kernel

67

Virtual Networks and Oracle Solaris Zones Strengths

Virtual Networks:
Built-in, low latency
Easy to configure and administer
Network resource controls

Oracle Solaris Zones:
Secure, rapid application deployments
Integrated with IPS, AI, ZFS, and virtual networks
Immutable zones
Delegated administration
Solaris 10 Zones on Oracle Solaris 11
System resource controls

Together: Fully simulate production environments


68

Virtual Networks and Oracle Solaris Zones Weaknesses
A lot has changed on the network side (specifically the
networking commands), which requires customers to
change how they have done things for years.
Customers do not understand the advantages of virtual
networking. They see the technology as disruptive.
Customers can easily overload a server if the amount of
total traffic on all virtual networks exceeds the physical
capabilities of the NICs.
Customers are not clear as to the differences between
each of the virtualization technologies and which
technology is better suited to address their specific issues.

69


Virtual Networks and Oracle Solaris Zones For More Information

Oracle Solaris 11 Networking Virtualization Technology:
http://www.oracle.com/technetwork/serverstorage/solaris11/technologies/networkvirtualization312278.html

Product Documentation:
http://docs.oracle.com/cd/E23824_01/index.html

71

Oracle Solaris Security Overview


Security is managing risk
Security is a very high priority in Oracle Solaris 11.
Oracle Solaris security technologies protect data,
applications, users, and the OS from external and
internal threats.
Oracle Solaris is developed using the Oracle Software
Security Assurance process.

72

Oracle Solaris Security: Data Protection


ZFS protects data with:
Data redundancy with mirrored and RAID-Z
storage pool configurations
Self-healing data in redundant storage pool
configurations
Data encryption
Access control lists (ACLs)

73

Oracle Solaris Security: Application and User Containment

74

Oracle Solaris Security: Immutable Zones Configuration Options

By default, a zone is configured to have a writable root dataset.
Using the zonecfg utility and the file-mac-profile property, a zone can be configured with one of the options presented in the table below.

file-mac-profile  /, /usr, /lib  /etc       /var       other
None              Writeable      Writeable  Writeable  Writeable
Flexible          Read-only      Writeable  Writeable  Read-only
Fixed             Read-only      Read-only  Writeable  Read-only
Strict            Read-only      Read-only  Read-only  Read-only
75

Oracle Solaris Security: Insider Attacks Risk Reduction

RBAC controls user access to tasks based on roles and rights profiles.
Root is a role by default.
Process rights management uses privileges to restrict processes at the command, user, role, or system level.

[Diagram: RBAC elements: Users, Roles, Rights Profiles, Supplementary Rights Profiles, Authorizations, Privileges, and Commands with Security Attributes.]

76

Oracle Solaris Security: Outsider Attacks Risk Reduction

Authentication services
Secure by Default: SSH is the only network-accessible service after installation
Kerberos
PAM local authentication
SSH PKI
LDAP naming service
Active Directory client

Network services protection
Security by Default networking profile
IP Filter firewall
TCP wrappers
Labeled IPsec/IKE
77

Oracle Solaris Security: Compliance Assistance

Logging
Must be set up
Troubleshoot user/application problems

Auditing
Audit on by default
Monitor/record specific, security-related events

78

Oracle Solaris Security: Mandatory Access Control with Trusted Extensions

Mandatory access control creates mandatory security policies outside of user control.
Oracle Solaris 11 introduces these enhancements:
Per-label and per-user credentials
Per-zone encryption key for each label of every user's home directory
New command, tncfg(1M), to create, modify and display configuration of networking properties related to Trusted Extensions
Security labels on ZFS datasets

79

Oracle Solaris Security Strengths and Weaknesses

Strengths
Provides an assured system because security is integrated, not bolted on
Protects data at rest and in motion with discretionary and mandatory access control, data encryption, and integrity protection
Contains applications and users by using zones, privileges, and role-based access control
Reduces risk of insider attacks using role-based access control and process rights management
Reduces risk of outsider attacks with authentication services and network service protection
Assists in compliance with auditing and logging
Provides mandatory access control with Trusted Extensions

Weakness: Security features must be configured locally (or via AI).

80


Oracle Solaris Security For More Information

Oracle Solaris 11 Security:
http://www.oracle.com/technetwork/serverstorage/solaris11/technologies/security-422888.html

Product Documentation:
http://docs.oracle.com/cd/E23824_01/index.html

82

Oracle Solaris Cluster

High Availability and Disaster Recovery Solution for Solaris

[Diagram: local data center cluster; multi-site stretched/campus cluster; multi-site, multiple clusters.]

Enables high availability of mission-critical applications and services
Limits outages with automatic failover procedures
Protects enterprise data integrity and services reliability
From local data center high availability to multi-site, multiple clusters disaster recovery
In physical and virtual IT environments

83

Oracle Solaris Cluster

Robust High Availability Architecture

Monitors health of the cluster components:
Servers, Storage, Network
OS, Virtual Machines
Applications

Tolerates any failure:
Exploits hardware redundancy
Uses robust software algorithms
Heartbeats, Membership
Cluster Configuration
Resource Group Manager

Recovers cluster infrastructure and applications

Protects data integrity:
Quorum
Fencing

84

Oracle Solaris Cluster and Key Oracle Solaris 11 Technologies

Kernel integration: Deep integration with Oracle Solaris 11 for fastest, load resilient fault detection and recovery

IPS: Unified installation experience; error-free software updates; automatic patch dependencies resolution

BE: Instant snapshot and rollback; lower risk updates

AI: Common provisioning tool; easy full stack, multi-node installation

ZFS: High availability for Oracle Solaris's built-in file system

Zones: Outage protection for virtualized applications, native or Solaris 10 zones; policy based management for customized recovery behavior; increased security with zones based delegated administration extended to virtual cluster

85

Oracle Solaris Cluster

Oracle Integration for Mission-Critical Clouds HA (optional)

86

Oracle Solaris Cluster

Additional Resources
Oracle Solaris Cluster web pages
http://www.oracle.com/us/products/servers-storage/solaris/cluster-067314.html
http://www.oracle.com/technetwork/server-storage/solaris-cluster/index.html

Oracle Solaris Cluster Internal web site
http://my.oracle.com/site/pd/sss/products/solaris/cluster/index.htm

Oracle Solaris Cluster Community on MOS
https://communities.oracle.com/portal/server.pt/community/oracle_solaris_cluster/393

Oracle Solaris Cluster Partner web site
http://www.oracle.com/partners/secure/engage-with-oracle/solaris-cluster-product-info076306.html

Download Evaluation and Development
http://www.oracle.com/technetwork/server-storage/solaris-cluster/downloads/index.html

Documentation
http://www.oracle.com/technetwork/server-storage/solariscluster/documentation/index.html

87

Oracle Solaris 11 System Architecture Value Add

[Diagram: a cloud of physical and virtual servers running Oracle Solaris 11; logical domains with virtual NICs (VNICs) on virtual switches provide virtual networking, and storage pools provide virtual storage.]

Oracle Solaris 11 with Oracle Enterprise Manager 12c is the best solution to manage both virtual and physical infrastructures.
88

Built for Clouds

89

Ops Center vDC (Virtual Datacenter)

Leverage SPARC and Solaris
Little exposure to technology in use
Enforce resource allocations: CPU, MEM, Storage, Network

90

Best for Enterprise Applications

91

Engineered for Oracle

92

Additional Resources
Oracle Solaris 11 Product Page (External)
http://www.oracle.com/us/products/serversstorage/solaris/solaris11/overview/index.html

Oracle Solaris on Oracle Technology Network (External)


http://www.oracle.com/technetwork/serverstorage/solaris11/overview/index.html

Oracle Solaris Documentation


http://docs.oracle.com/cd/E23824_01/index.html

Oracle Optimized Solutions


http://www.oracle.com/oos/

93

Additional Resources (Continued)


Oracle Solaris App Availability Checker (FTR)
Internal Only
http://furl.oraclecorp.com/kj76

Oracle Solaris Product Management Internal Page


http://my.oracle.com/site/pd/sss/products/solaris/index.htm

Oracle Solaris Information for Partners


http://www.oracle.com/partners/en/knowledge-zone/serverstorage/solaris-050760.html

Oracle Solaris blogs: blogs.oracle.com


Oracle Solaris on Twitter: @ORCL_Solaris
Oracle Solaris on Facebook: facebook.com/oraclesolaris
Oracle Solaris Insider Group on LinkedIn
94

Conclusion
The following areas were covered in Lesson 2:
System Architecture:
Oracle Solaris 11 System Requirements
Oracle Solaris 11 Top Architectural Characteristics,
Strengths, and Weaknesses
Oracle Solaris 11 System Architecture Value Add

95

Next Steps
Lesson 2: Systems Architecture
Lesson 3: Market Definitions and Trends

Built for clouds


Best for enterprise applications
Engineered for Oracle

96