D74667
Edition 1.0
October 2011
D73819GC10
Student Guide
What's New in Oracle Solaris 11
Gary Riseborough
Marcus Flieri
Bart Smaalders
Dave Miner
Nicolas Droux
Dan Price
Cindy Swearingen
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.
The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not
Contents
Preface
1 Introduction
Oracle Solaris: The Mission Critical OS 1-2
Raising the Bar Set by Solaris 10 1-3
THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED
5 Zones
Changes Since Solaris 10 FCS 5-2
Design and Features 5-7
Storage 5-8
Networking: Exclusive IP Zones 5-9
Networking: Shared IP Zones – IPMP 5-11
Zones Observability 5-12
zonestat Command 5-13
zonestat Interval: Example 5-14
zonestat by Resource: Example 5-15
Resource Management 5-16
Zones Security 5-17
Solaris 10 Containers 5-18
Solaris 10 Container: Expected Migration Path 5-19
References 5-20
6 Network Virtualization 2
Advanced Network Features 6-2
ilbadm: L3/L4 Integrated Load Balancing 6-3
Load Balancing Components 6-4
7 Security
Features 7-2
Root Implemented as a Role 7-3
File system encryption: zfs(1M) 7-4
Configuring ZFS Encryption 7-5
File system encryption: lofiadm 7-6
Network Spoofing Protection 7-7
Zones: Delegated Administration 7-8
SMF: Delegated Administration 7-9
SMF: Method Context 7-10
SMF: Firewall Integration 7-11
Least Privilege Changes 7-12
“In-kernel pfexec” 7-13
Basic Privileges: More is Less 7-14
Role-Based Access Control 7-15
Sandboxing Enhancements 7-16
Kerberos Improvements 7-17
Key Management: pkcs11_kms Provider 7-18
Other Enhancements 7-19
Oracle Solaris 11 Trusted Extensions 7-20
Trusted Extensions Changes 7-21
Trusted Platform Modules (TPM) 7-22
Preface
Profile
Before You Begin This Course
You should be able to configure and manage a system running the Oracle Solaris
Operating system.
An understanding of Oracle Solaris features and working knowledge of the Oracle Solaris 10 Operating System are beneficial, but not required.
How This Course Is Organized
What's New in Oracle Solaris 11 is an instructor-led seminar featuring lecture and
Related Publications
• System release bulletins
• Installation and user’s guides
• read.me files
• Oracle Magazine
Introduction
Oracle Solaris 11
The Only Completely Virtualized OS
• Availability: Greatly improved with new packaging tools, safe online upgrades, faster reboots
SPARC T3-4: World’s First 16-Core Processor
Figure: system throughput, consolidation and virtualization each rated HIGH.
Figure (stack diagram): Engineered Systems; Oracle’s Optimized Solutions; Applications; Fusion Middleware; Database; Compute, VM (Solaris/OEL); Storage, Network, Server; Software, Storage.
Topic Outline
• Morning
– Image Packaging System
– Automated Installer
– Networking (Crossbow)
Module Structure
IPS Implementation
IPS Package
Package Naming
IPS Repository
pkg Subcommands
• /usr/bin/pkg
• pkg list
– List packages installed on the system
pkg Subcommands 2
PHASE ACTIONS
Install Phase 39/39
PHASE ITEMS
Package State Update Phase 1/1
Image State Update Phase 2/2
PHASE ACTIONS
Install Phase 1/10557
...
Install Phase 10557/10557
PHASE ITEMS
Package State Update Phase 1/24
...
Verifying a Package
Fixing a Package
PHASE ACTIONS
Update Phase 2/2
PHASE ITEMS
Package State Update Phase 1/1
Package Cache Update Phase 1/1
Image State Update Phase 2/2
Removing a Package
# pkg uninstall ncftp
Creating Plan
Packages to remove: 1
Create boot environment: No
PHASE ACTIONS
Removal Phase 1/33
Removal Phase 33/33
PHASE ITEMS
Reading Existing Index 1/8
Reading Existing Index 5/8
Reading Existing Index 8/8
Updating a Package
PHASE ACTIONS
Removal Phase 2561/2561
Install Phase 3967/3967
Update Phase 6277/6277
...
A clone of solaris-39 exists and has been updated and activated.
On the next boot the Boot Environment solaris-40 will be mounted on '/'.
Reboot when ready to switch to this updated BE.
Creating a Package
• Or emit a manifest
$ pkgsend generate ~/fu
file gnome_terminal_fu group=bin mode=0644 owner=root path=gnome_terminal_fu pkg.size=326
file netbeans_fu group=bin mode=0644 owner=root path=netbeans_fu pkg.size=283
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
Group Packages
• To make updating/patching:
– Faster
– More reliable
– Easily reversible
Solaris 10 Solaris 11
AI Terminology
Creating an AI Service
Creating an AI Service
Creating AI Clients
JumpStart to AI Mapping
JumpStart                 AI
setup_install_server      installadm create-service
add_install_client        installadm create-client
IPS References
AI References
Network Virtualization 1
Feature: Overview
Virtual Switches
Figure: virtual switch topology with a client, a virtual router, Host 1 and Host 2 connected over Etherstub 1 and Etherstub 3.
• dladm [set,reset,show]-linkprop
• Alternative to ndd(1M) utility
• Single, stable interface for network property consumers
• Changes can be made temporary or persistent
Virtual Bridges
ipadm
• Consolidates management of
– Network interface state
– IP address assignment
– TCP/IP protocol properties
# ipadm up-addr play1/v4static2
# ipadm show-addr play1/v4static2
ADDROBJ TYPE STATE ADDR
play1/v4static2 static ok 10.2.3.5/24
Creating Flows
• Vanity naming
– Set desired name via dladm(1M)
– List device interfaces in /dev/net
• Supports alternative to so-called PPA hack
knickknack@os11e:/dev/net$ ls -l
total 0
crw-rw-rw- 1 root sys 58, 1001 2010-12-19 17:37 beatnic0
crw-rw-rw- 1 root sys 20, 1 2010-12-19 14:22 e1000g0
Resource Pools
dlstat(1M)
• IP-layer observability
– Snoop loopback traffic between zones using shared-IP
— # snoop -I lo0
• Network DTrace providers
Rethinking Zones
Enhancements
Boot Environments
• ZFS is required.
• A BE is a special-purpose ZFS snapshot.
– beadm(1M) replaces lu* commands.
• All BEs reside in the root pool.
• Active flags
– N = Active Now
– R = Active next Reboot
PHASE ACTIONS
Install Phase 39/39
PHASE ITEMS
Package State Update Phase 1/1
Image State Update Phase 2/2
PHASE ITEMS
Reading Existing Index 8/8
Indexing Packages 1/1
# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
S11-BE-1 N / 352.0K static 2010-12-09 04:23
S11-BE-2 - - 12.08M static 2010-12-09 04:53
S11-BE-3 R - 2.85G static 2010-12-09 05:19
Deduplication
Deduplication Example - 1
bayle@os11e:~$ ls -l /usr/java/src.zip
-rw-r--r-- 1 root bin 19160179 2010-12-06 04:44 /usr/java/src.zip
bayle@os11e:~$ zfs set dedup=on rpool1/home/deirdre
bayle@os11e:~$ cp /usr/java/src.zip /home/deirdre/src1.zip
Deduplication Example - 2
Snapshot Differences
RAIDZ/Mirror Performance
Performance Notes
ZFS References
Zones
• Core
– Configurable privileges (limitpriv)
— Supports DTrace inside a zone
– Zone rename and move operations
• Resource management
– Overhauled and simplified (zone.*)
– CPU Caps added
— zone.cpu-cap, zone.cpu-shares
• Networking
– ip-type
– defrouter
• Brands
Changes in Oracle Solaris 11
• lofiadm support
• v2v and p2v migration
• Branded Oracle Solaris 10 containers
• Exclusive-IP network stack enhancements
Storage
Exclusive-IP options
• allowed-address property defines usable address/range.
• defrouter property supports ip-type=exclusive.
Zones Observability
zonestat Command
$ zonestat 5
Collecting data for first interval...
Resource Management
Zones Security
• Delegated administration
• Authorizations can be configured directly in zonecfg
– login, manage, clonefrom
Solaris 10 Containers
Solaris 10
db27-prod
References
Network Virtualization 2
• ilbadm
• IP Filtering, forwarding in a zone
• Hardware Lanes and dynamic polling
• Operational modes
– Stateless Direct Server Return (DSR)
– Half or Full NAT
• Algorithms supported
• pkg://solaris/service/network/load-balancer/ilb@0.5.11,5.11-0.148:…
• To configure:
– Server group: list of host+port addresses
ilbadm: Example
# ilbadm create-servergroup \
> -s servers=apache-zone1:80,apache-zone2:80 \
> apache_group
Hardware Lanes
ipmpstat: Example
Figure: MAC layer with per-lane Rx/Tx rings and DMA channels, an admin interface, CPU cores and NUMA I/O.
• Dynamic polling
• Packet chaining
• Hardware checksumming offload
– Large Send Offload (LSO)
Security
Features
• Root as a role
• On-disk file encryption
• Network spoofing protection
• Delegated administration
• Application-specific attributes
$ svcadm enable ipfilter
$ svccfg -s ipfilter:default setprop firewall_config_default/policy = allow
proc_fork
proc_exec
net_priv_addr
“In-kernel pfexec”
Figure: Software Installation, DTrace Analysis, Developer, Dataset Management, Backup Operator, Sys Admin.
Sandboxing Enhancements
Kerberos Improvements
Other Enhancements
Service Templates
smf_template(5)
Fault Notification
# svccfg listnotify -g
Event: to-maintenance (source: svc:/system/svc/global:default)
Notification Type: smtp
Active: true
to: admin@domain.com
IPS Actuators
#!/usr/sbin/dtrace -s
syscall:::entry
{