Oracle Business Breakfast Oracle Solaris 11.4 Beta Jörg Möllenkamp Oracle Elite Engineering Exchange

V 0.13 21.03.2018 dd/jm

Copyright © 2018, Oracle and/or its affiliates. All rights reserved.

Slide 2: Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Slide 3: Scope
What can you take away from this presentation?
• How we will develop and deliver Oracle Solaris in the future.
• Insight into the new and innovative features of Oracle Solaris 11.4 Beta.
• Practical command line examples you can try for yourself.
• No marketing slides. (unfortunately)

Slide 4: Oracle Solaris Strategy
Best UNIX for Mission Critical Workloads
• Continuous Delivery Model – Innovation and critical fixes through dot releases, quarterly Critical Patch Updates, and monthly Support Repository Updates
• Secure and Stable – Integrated security and availability features to simplify deployments and operations
• Oracle Database Integration – Data/systems management, networking, and performance features to enable optimal Oracle Database results on SPARC/Solaris

Mission Critical Operating System

Slide 5: What Customers told us: Oracle Solaris Priorities
A non-disruptive stream of innovation
• Consistent Operational Model
• Operational Compatibility
• Simple OS Deployment and Patching Methodology
• Continuous Application Compatibility – No ISV Re-Qualification
• Long support lifespan

Slide 6: What we delivered: Continuous Delivery of Security, Stability and Software Enhancements

Legacy Oracle Solaris: fewer major releases, disruptive, high risk, complex, slow and expensive re-qualifications, slow adoption.
Continuous Delivery Model: quicker, simpler, smaller, more frequent.

Seamless upgrades enable agile incorporation of new capabilities with guaranteed compatibility for 1,000's of Oracle, ISV, and customer applications.

Slide 7: Oracle Lifetime Support: Hardware and Operating Systems
http://www.oracle.com/us/support/lifetime-support/lifetime-support-hardware-337183.html
• Premier Support – Provides maintenance for your Oracle hardware and integrated software (for example, firmware). Maintenance and software upgrades are included for Oracle operating systems and Oracle VM for ten years from their general availability date, extended to 20 years for Oracle Solaris 11 (2031). See http://www.oracle.com/us/support/library/lifetime-support-hardware-301321.pdf, p.34 (37).
• Extended Support for Operating Systems – Puts you in control of your operating system upgrade strategy by providing additional maintenance and upgrades for the Oracle Solaris operating system for an additional fee (2034).
• Sustaining Support for Operating Systems – Maximizes your investment protection by further extending support for operating systems and firmware. Features include access to Oracle online support tools, operating system upgrade rights, pre-existing fixes, patches and assistance from technical support experts.

Slide 8: One Support Stream
(timeline graphic: 11.0, 11.1, 11.2, 11.3 on a single support stream)

Slide 9: Monthly Support Repository Updates (SRUs)
(timeline graphic: an 11.Update release followed by SRU 1, SRU 2, ... SRU 11)

Slide 10: Quarterly Critical Patch Updates (CPUs)
(timeline graphic: one CPU per quarter)

Slide 11: Continuous Minor Enhancement Delivery
(timeline graphic: quarterly CPUs with minor enhancements delivered in between)

Slide 12: Critical Patch Updates: Practical Example
• Install: pkg install solaris-11-cpu
– It's higher in the hierarchy than entire. Not installed by default.
– Provides additional CPU detail for the administrator.
– Must be installed for the examples on the next slide to work.
– The commands work with Oracle Solaris 11.3 as well.

Slide 13: Critical Patch Updates: Practical Example

Which CPU packages fixed a given CVE (the search term is the index name, hence the trailing colon):

    # pkg search CVE-2014-7187:
    INDEX          ACTION VALUE                                                   PACKAGE
    CVE-2014-7187  set    pkg://solaris/shell/[email protected],5.11-0.175.2.2.0.8.0  pkg:/support/critical-patch-update/[email protected]
    CVE-2014-7187  set    pkg://solaris/shell/[email protected],5.11-0.175.2.2.0.8.0  pkg:/support/critical-patch-update/[email protected]
    ...
    CVE-2014-7187  set    pkg://solaris/shell/[email protected],5.11-0.175.2.2.0.8.0  pkg:/support/critical-patch-update/[email protected]

All CVEs addressed by the latest CPU package, and which CPU on the local system delivered the fix for one CVE:

    $ pkg contents -rHo value -a name=info.cve solaris-11-cpu@latest
    CVE-1999-0103
    CVE-2002-2443
    CVE-2003-0001
    CVE-2004-0230
    ...
    # pkg search -l CVE-2014-7187
    INDEX     ACTION VALUE          PACKAGE
    info.cve  set    CVE-2014-7187  pkg:/support/critical-patch-update/[email protected]

Slide 14: Critical Patch Updates: A side note
• In a recent CPU (Q4/CY2017) Solaris wasn't mentioned at all.
• Because the restructuring took place not long before that, this led to a multitude of rumors.
• In reality this was great news.
• The simple reason for not being in the CPU:
– In that quarter ZERO security vulnerabilities were fixed in the kernel or in Oracle-owned software shipped inside Oracle Solaris. Thus there was no CPU for Oracle Solaris.
– We fixed security vulnerabilities in software like Samba in that SRU, but that is not Oracle-owned software. (https://blogs.oracle.com/solaris/oracle-solaris-not-in-latest-cpu-like-a-boss)

Slide 15: New features in Oracle Solaris SRUs
• The "minor enhancements by SRU" already started with 11.3.
• We didn't want to wait for a dot release to introduce some minor enhancements, so we released them already with 11.3, by introducing them in 11.3 SRUs.
• Examples:
– One-Time Passwords in SRU17
– libdax for Solaris 11.3 x86 in SRU 29 (a library that emulates DAX in software, so software depending on libdax that was developed on Solaris/SPARC will run on Solaris/x86 as well)
– ... and much more

Slide 16: Oracle Solaris Continuous Delivery: Some new capabilities delivered in recent 11.3 SRUs
• Security
– Two-Factor Authentication
– Packet Filter Firewall
– MIT Kerberos V5 update
• Virtualization
– DAX APIs for SPARC M7, M8
– Fast SR-IOV I/O failover
– DAX Support in Kernel Zones
– VLAN-aware Kernel Zones
• New platform support
– Oracle SPARC M8
– Fujitsu SPARC M10 and M12
– Intel Skylake
– Broadcom 25Gb, Intel 10GbE Ethernet
• Updated FOSS Packages
– 148 components updated in SRUs since the release of Oracle Solaris 11.3

Slide 17: One Time Password for SSH: Configuration
• Frequently asked customer question.
• It was introduced in Oracle Solaris 11.3 SRU17.
• Not very difficult:
– Switch to OpenSSH
– Install the pkg
– Set up OTP
– Set up PAM

Slide 18: One Time Passwords: Practical Example: Convert to OpenSSH (needed in Oracle Solaris 11.3; 11.4 is OpenSSH-only)

    root@nfsclient:~# pkg install network/openssh
    root@nfsclient:~# pkg set-mediator -I openssh ssh
    root@nfsclient:~# echo "AuthenticationMethods password,keyboard-interactive" >> /etc/ssh/sshd_config
    root@nfsclient:~# svcadm disable ssh; svcadm enable ssh; sleep 10; svcs -x ssh
    svc:/network/ssh:default (SSH server)
     State: online since Wed May 03 14:17:58 2017
       See: sshd(1M)
       See: /var/svc/log/network-ssh:default.log
    Impact: None.

The AuthenticationMethods line makes sshd require both methods in sequence: the password first, then keyboard-interactive, which is where the OTP is asked for via PAM.

Slide 19: One Time Passwords: Practical Example: Install the otp pkg

    root@nfsclient:~# pkg install otp
    Packages to install: 1
    [...]
    Updating package cache 1/1
    root@nfsclient:~#

Slide 20: One Time Password for SSH: Practical Example: Setup OTP

    jmoekamp@nfsclient:~$ otpadm set secret
    New TOTP secret=MSQF 4RYZ OXCH 4ZUI FNYX CZEN NBNJ 5HEA
    Enter current code from authenticator: 009538

The secret is entered into the authenticator app; otpadm then asks for the current code from the app as a check. (Slides 21 and 22, "Setup OTP", carry no text.)

Slide 23: One Time Password: Practical Example: Setup PAM

    root@nfsclient:~# cat <<EOT >> /etc/pam.d/sshd-kbdint
    > auth required pam_unix_cred.so.1
    > auth required pam_otp_auth.so.1
    > EOT

Slide 24: One Time Password: Practical Example: Try it out

    glamdring:~ jmoekamp$ ssh -v [email protected]
    [...]
    debug1: Authentications that can continue: password
    debug1: Next authentication method: password
    [email protected]'s password: supersecret
    Authenticated with partial success.
    debug1: Authentications that can continue: keyboard-interactive
    debug1: Next authentication method: keyboard-interactive
    OTP code: 369249
    debug1: Authentication succeeded (keyboard-interactive).
    [...]
    Last login: Wed May  3 14:14:26 2017 from 192.168.1.2
    Oracle Corporation      SunOS 5.11      11.3    March 2017
    jmoekamp@nfsclient:~$

"Authenticated with partial success" is the AuthenticationMethods chain at work: the password alone is not sufficient, the keyboard-interactive stage (the OTP) has to pass as well.

Slide 25: Our commitment to approachable innovation
7+ years and counting of seamless innovation delivery: # pkg update

(timeline graphic, 2011 to 2020)
• SPARC platforms: T4, T5/M5/M6, M7, S7, M8
• Releases: Solaris 11 (2011), Solaris 11.1, Solaris 11.2, Solaris 11.3, Solaris 11.4, ... Solaris 11.Next
• Capabilities delivered along the way: ASLR, Kernel Zones, DAX, SSM, PF, KMIP, Svcbundle, PTP, Compliance reporting, Multi-factor authentication, Per-user authentication, much more to come!

Solaris Binary Compatibility protects your application software investment.

Slide 26: March 2018: https://www.oracle.com/assets/sparc-roadmap-slide-2076743.pdf

Slide 27: Oracle Solaris 11.4 Beta Priorities
Available to the public: 30.01.2018
• Security and Compliance
• System Management
• Data Management
• Install and Software Management
• Networking
• Bundled Software Updates
• Performance and Observability
• Enhancements for Developers
• Virtualization

Slide 28: Oracle Solaris 11.4 Beta: Top New Features
– Security and Compliance
• Application Sandboxing
• More Integration of SPARC SSM
– Virtualization
• Delegated Oracle Solaris Zones Restarter
• Dataset LZR for Oracle Solaris Native Zones
– Data Management
• Raw and Resumable ZFS Send Streams
• ZFS Read and Write Throughput Limits
– System Management
• Oracle Solaris Dashboard with Performance Analysis
• Host Evacuation
– Networking
• Network Configuration in SMF
• IEEE 802.1x Client Support
– Install and Software Management
• x86 WAN Boot for Automated Installer
• Dehydrate and Rehydrate for Unified Archives
– Performance and Observability
• DTrace Providers for SCSI and fileops
• Kstat v2 Framework
– Bundled Software Updates
• GNOME 3.24 Desktop
• OpenSSH 7.6 Standard
– Enhancements for Developers

Slide 29: Let's start with something really simple but useful: uname
• uname -v finally gives some information about the SRU level:

    $ uname -v
    11.4.0.12.0

• The format is 11....
• The output of pkg list now shows something more obviously related to the version number. We report

    $ pkg list -H entire
    entire    11.4-11.4.0.0.0.12.1    i--

instead of

    $ pkg list -H entire
    entire    0.5.11-0.175.3.28.0.4.0    i--

Slide 30: Security and Compliance Features
• File and Process Labeling
• Secure Sandboxes
• Remote Compliance Assessment
• Per File Auditing
• Privileged Command Execution History Reporting
• Silicon Secured Memory Security Exploit Mitigations
• Migration from IPF to PF necessary
• Verified Boot Auditing
• KMIP Client Support
• ftp-proxy
• libsasl2
• libucrypto library
• PKCS #11 v2.40

Slide 31: Migration from IPF to Packet Filter
The new host-based firewall is now mandatory.
• Since Oracle Solaris 11.3 it has been possible to install Packet Filter (PF) as an alternative to IP Filter (IPF).
• In Oracle Solaris 11.4 only PF is available.
• You have to migrate if you run IPF on your system.
– IPF rulesets and PF rulesets look similar, but they are not the same.
– You can and should migrate now, as both IPF and PF are available in Oracle Solaris 11.3. So no surprises when migrating to 11.4.
– In 11.4 there is some help from the svc:/network/ipf2pf service. This is a first-boot service running the ipf2pf tool to migrate the rules. (Beware: it's a simple tool. Don't expect too much. Always check the results!)

Slide 32: Security Labels in Oracle Solaris: Security and Compliance Features
• Label Security is one of the biggest additions in Oracle Solaris 11.4.
• It's based on years of experience with Trusted Solaris and Trusted Extensions.
• It's always activated in any Oracle Solaris 11.4.
• It helps you to protect data in your filesystem.

Slide 33: Security Labels in Oracle Solaris: Security and Compliance Features
• Classification
– Specifies the level of trust.
– Think of "TOP SECRET (TS)", "SECRET (S)", "CONFIDENTIAL (C)" and "RESTRICTED (R)".
– It's a hierarchy:
• When you are trusted on the TS level you are trusted on levels S, C and R as well.
• When you are trusted on S you are trusted on C and R as well.
– Represented in Oracle Solaris by an integer:
• Public (1), Restricted (2), Confidential (3), Secret (4), Top Secret (5)
• A classification with a higher value dominates a classification with a lower value.

Slide 34: Security Labels in Oracle Solaris: Security and Compliance Features
• Compartment
– Specifies where the level of trust applies.
– You may be trusted on a certain level, but just for a subset of all information on this level. E.g. "Ingredients of the sausages in the canteen" or "Ingredients of the soup". If you are only trusted in the first compartment, you are not allowed to read documents specifying what's in the soup, despite being trusted on the necessary level.
– Represented by a bitmap.
– The bits in the bitmap have no hierarchical relation.

Slide 35: Security Labels in Oracle Solaris: Security and Compliance Features
• Label
– Oracle Solaris labels files and processes.
– A label assigned to a process is called clearance.
– A process can lower its clearance. There is no way that it can raise it.
– A label consists of the classification integer and the compartment bitmap.
– There are two unchangeable labels:
• ADMIN_LOW: integer value 0 / no compartment bits set; is dominated by everything.
• ADMIN_HIGH: integer value 255 / all compartment bits set; dominates everything.
• Never try to change the ADMIN_HIGH of root.

Slide 36: Access Control with Security Labels in Oracle Solaris
On an Oracle Solaris 11.4 Beta this is the default label configuration:

    root@server:/export/importantapp# labelcfg info
    title=Sample Information Protection Policy
    classification=Public
    level=1
    classification=Confidential -
    level=2
    compartment=Highly Restricted
    bit=0
    subcompartments="Restricted"
    minclass=Confidential -
    compartment=Restricted
    bit=1
    subcompartments="Internal"
    minclass=Confidential -
    compartment=Internal
    bit=2
    minclass=Confidential -
    min_label=Public
    clearance=ADMIN_HIGH

    root@server:/export/importantapp# labelcfg list
    "Confidential - Highly Restricted"
    "Confidential - Restricted"
    "Confidential - Internal"
    Public

Note the subcompartments: a file labeled "Highly Restricted" carries bits 0, 1 and 2, "Restricted" carries bits 1 and 2, "Internal" only bit 2. That is how a hierarchy is expressed with a flat bitmap.

Slide 37: Security Labels in Oracle Solaris: Security and Compliance Features
• When are you allowed to access a labeled object?
– The clearance of the process must dominate the label of the object.
• When does a clearance dominate the label of an object? If BOTH conditions are fulfilled:
• The classification integer of the clearance is greater than or equal to the one of the label (equal is enough: in the example that follows, a process cleared for "Confidential - Restricted" reads files labeled "Confidential - Restricted").
• Every compartment bit set in the label is also set in the clearance (the clearance may have more bits set).
• Does a clearance override the DAC (rwx) bits of a file?
– No, DAC still applies! You can have the correct clearance to access an object, but still get a "permission denied".

Slide 38: Security Labels in Oracle Solaris: Security and Compliance Features
• There is no Oracle Solaris 11.4 system without labels.
– However, it's transparent.
– By default all processes have the clearance ADMIN_HIGH.
– By default all files have no label or the default label ADMIN_LOW.
– The clearance ADMIN_HIGH dominates the label ADMIN_LOW.
– So by default the labeling just stays out of the way.

Slide 39: Access Control with Security Labels in Oracle Solaris: Defaults

As root, create a dataset with multilevel=on and look at the label of a new file:

    root@server:/export/importantapp# zfs create rpool/export/labeltest
    root@server:/export/importantapp# zfs set multilevel=on rpool/export/labeltest
    root@server:/export/labeltest# touch test
    root@server:/export/labeltest# getlabel test
    test: ADMIN_LOW

As an ordinary user, files on a dataset without multilevel=on are unlabeled and the process clearance is ADMIN_HIGH:

    MacBook-Pro:~ jmoekamp$ ssh [email protected]
    Password:
    Oracle Corporation      SunOS 5.11      11.4.Beta       January 2018
    narf@server:~$ ls
    local.cshrc    local.login    local.profile
    narf@server:~$ getlabel local.cshrc
    local.cshrc: Unlabeled
    narf@server:~$ plabel
    ADMIN_HIGH

Slide 40: Access Control with Security Labels in Oracle Solaris
Sounds interesting, but what's the everyday use case?
• It's an extra layer of protection, enabling further data access restriction.
• Why should a user who is able to log in see more than the config files and binaries, even when the processes of the application, running with the same UID, need a datafile?
• Why should the admin user see the datafile?

Slide 41: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:~# zfs create rpool/export/importantapp
    root@server:~# zfs set multilevel=on rpool/export/importantapp
    root@server:~# useradd -m iappadm1
    80 blocks
    root@server:~# passwd iappadm1
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for iappadm1

Slide 42: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:~# cat /export/importantapp/binary
    #!/bin/bash
    id >> /tmp/narf
    date >> /tmp/narf
    plabel >> /tmp/narf
    ls -l /export/importantapp >> /tmp/narf

    root@server:~# mkfile 10k /export/importantapp/datafile
    root@server:~# mkfile 1k /export/importantapp/configfile
    root@server:~# chown -R iappadm1 /export/importantapp
    root@server:~# usermod -d /export/importantapp iappadm1
    root@server:~# touch /tmp/narf
    root@server:~# chmod 666 /tmp/narf

Slide 43: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:/export/importantapp# ls -l
    total 26
    -rwxr-xr-x   1 iappadm1 root         107 März  2 23:21 binary
    -rw-------   1 iappadm1 root        1024 März  2 22:49 configfile
    -rw-------   1 iappadm1 root       10240 März  2 22:49 datafile

    root@server:/export/importantapp# setlabel "Confidential - Restricted" binary
    root@server:/export/importantapp# setlabel "Confidential - Restricted" configfile
    root@server:/export/importantapp# setlabel "Confidential - Highly Restricted" datafile
    root@server:/export/importantapp# usermod -K clearance="Confidential - Restricted" iappadm1
    root@server:/export/importantapp# getlabel binary
    binary: Confidential - Restricted
    root@server:/export/importantapp# getlabel datafile
    datafile: Confidential - Highly Restricted
    root@server:/export/importantapp# getlabel configfile
    configfile: Confidential - Restricted

Slide 44: Access Control with Security Labels in Oracle Solaris: Practical Example

    MacBook-Pro:~ jmoekamp$ ssh [email protected]
    Password:
    Last login: Fri Mar  2 22:55:35 2018 from 10.0.10.1
    Oracle Corporation      SunOS 5.11      11.4.Beta       January 2018
    $ ./binary
    $ cat /tmp/narf
    […]
    uid=1114(iappadm1) gid=10(staff)
    Freitag, 2. März 2018 um 23:39:54 Uhr UTC
    Confidential - Restricted
    total 5
    -rwxr-xr-x   1 iappadm1 root         107 März  2 23:21 binary
    -rw-------   1 iappadm1 root        1024 März  2 22:49 configfile

The interactive process runs with the clearance "Confidential - Restricted", which does not dominate "Confidential - Highly Restricted": datafile is not merely unreadable, it does not appear in the listing at all, although iappadm1 owns it.
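The dominance rule behind that listing (classification integer plus compartment bitmap, slides 33 to 37) is small enough to model exactly. The following is an added example, not code from the presentation or from Oracle Solaris: it rebuilds the Sample Information Protection Policy from the labelcfg info output (Public=1, Confidential=2; Highly Restricted bit 0 with subcompartment Restricted bit 1 with subcompartment Internal bit 2), applies the same rule to the sandbox encodings shown later (Level1 to Level3 with disjoint Dept1 to Dept3 and DeptAll), and filters the /export/importantapp listing for the three clearances the examples use. The numeric levels for Level1..LevelAll and the bit numbers for DeptN are assumptions chosen here, not values stated on the page.

```python
"""Label dominance in the Oracle Solaris 11.4 model (added example, not Oracle code).

A label is (classification integer, compartment bitmap). A clearance dominates
a label iff classification >= AND every compartment bit of the label is set in
the clearance. Levels and bits for the sandbox encodings are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COMPARTMENT_BITS = 256  # Solaris labels carry 256 compartment bits


@dataclass(frozen=True)
class Label:
    classification: int   # higher integer dominates lower
    compartments: int     # bitmap: bit i set means compartment i is part of the label

    def dominates(self, other: "Label") -> bool:
        return (self.classification >= other.classification
                and (other.compartments & ~self.compartments) == 0)


ADMIN_LOW = Label(0, 0)                                # dominated by everything
ADMIN_HIGH = Label(255, (1 << COMPARTMENT_BITS) - 1)   # dominates everything


class Encodings:
    """classification name -> level; compartment name -> (bit, subcompartments)."""

    def __init__(self, classifications: Dict[str, int],
                 compartments: Dict[str, Tuple[int, List[str]]]):
        self.classifications = classifications
        self.compartments = compartments

    def mask(self, name: str) -> int:
        # A compartment implies all of its subcompartments (labelcfg 'subcompartments=').
        bit, subs = self.compartments[name]
        m = 1 << bit
        for sub in subs:
            m |= self.mask(sub)
        return m

    def label(self, classification: str, *compartments: str) -> Label:
        m = 0
        for c in compartments:
            m |= self.mask(c)
        return Label(self.classifications[classification], m)


# Sample Information Protection Policy, as printed by `labelcfg info` on slide 36.
SAMPLE = Encodings(
    {"Public": 1, "Confidential": 2},
    {"Highly Restricted": (0, ["Restricted"]),
     "Restricted": (1, ["Internal"]),
     "Internal": (2, [])},
)

# Sandbox encodings from `sandboxadm init -c Level -i 3 -s Dept -n 3` (slide 53).
# The levels and bits here are assumptions for illustration.
SANDBOX = Encodings(
    {"Public": 1, "Level1": 2, "Level2": 3, "Level3": 4, "LevelAll": 5},
    {"Dept1": (0, []), "Dept2": (1, []), "Dept3": (2, []),
     "DeptAll": (3, ["Dept1", "Dept2", "Dept3"])},
)

# /export/importantapp after the setlabel commands on slide 43.
IMPORTANTAPP = {
    "binary": SAMPLE.label("Confidential", "Restricted"),
    "configfile": SAMPLE.label("Confidential", "Restricted"),
    "datafile": SAMPLE.label("Confidential", "Highly Restricted"),
}


def visible(clearance: Label, files: Dict[str, Label]) -> List[str]:
    """Names a process with `clearance` can see. MAC only: DAC still applies on top."""
    return sorted(name for name, lbl in files.items() if clearance.dominates(lbl))


if __name__ == "__main__":
    clearances = {
        "ADMIN_HIGH (default / SMF)": ADMIN_HIGH,
        "Confidential - Restricted (iappadm1 login)": SAMPLE.label("Confidential", "Restricted"),
        "Confidential - Highly Restricted (start/clearance)":
            SAMPLE.label("Confidential", "Highly Restricted"),
    }
    for name, clr in clearances.items():
        print(f"{name}: {visible(clr, IMPORTANTAPP)}")
```

Run as a script it prints the three listings the slides show: everything for ADMIN_HIGH, only binary and configfile for the Restricted clearance, and everything again once the clearance is Highly Restricted. The sandbox checks in the test illustrate the other property of the bitmap: Dept1 and Dept2 are disjoint, so neither dominates the other regardless of classification, while DeptAll dominates both.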

Slide 45: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:/export/importantapp# svcbundle -i -s service-name=testing/labeledsvc -s start-method=/export/importantapp/binary
    Waiting for testing/labeledsvc to reach online state. It is safe to interrupt.

This creates an SMF manifest for a transient SMF service, imports the manifest and enables the service afterwards. The service starts as root with the clearance ADMIN_HIGH and therefore sees all three files:

    root@server:/export/importantapp# cat /tmp/narf
    […]
    uid=0(root) gid=0(root)
    Friday, March 2, 2018 at 11:21:51 PM UTC
    ADMIN_HIGH
    total 26
    -rwxr-xr-x   1 iappadm1 root         107 Mar  2 23:21 binary
    -rw-------   1 iappadm1 root        1024 Mar  2 22:49 configfile
    -rw-------   1 iappadm1 root       10240 Mar  2 22:49 datafile

Slide 46: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:/export/importantapp# svccfg -s testing/labeledsvc
    svc:/testing/labeledsvc> setprop start/user = astring: iappadm1
    svc:/testing/labeledsvc> refresh
    svc:/testing/labeledsvc> exit
    root@server:/export/importantapp# svcadm restart testing/labeledsvc
    root@server:/export/importantapp# cat /tmp/narf
    […]
    uid=1114(iappadm1) gid=10(staff)
    Friday, March 2, 2018 at 11:27:07 PM UTC
    ADMIN_HIGH
    total 26
    -rwxr-xr-x   1 iappadm1 root         107 Mar  2 23:21 binary
    -rw-------   1 iappadm1 root        1024 Mar  2 22:49 configfile
    -rw-------   1 iappadm1 root       10240 Mar  2 22:49 datafile

Setting start/user only changes the UID: the clearance assigned to iappadm1 with usermod -K clearance is not picked up, the service still runs at ADMIN_HIGH and still sees datafile. The clearance of a service has to be set explicitly.

Slide 47: Access Control with Security Labels in Oracle Solaris: Practical Example

    root@server:/export/importantapp# atohexlabel "Confidential - Highly Restricted"
    0x0002-08-e0
    root@server:/export/importantapp# svccfg -s testing/labeledsvc
    svc:/testing/labeledsvc> setprop start/clearance = astring: 0x0002-08-e0
    svc:/testing/labeledsvc> refresh
    svc:/testing/labeledsvc> exit
    root@server:/export/importantapp# svcadm restart testing/labeledsvc
    root@server:/export/importantapp# cat /tmp/narf
    […]
    uid=1114(iappadm1) gid=10(staff)
    Saturday, March 3, 2018 at 01:46:42 AM UTC
    Confidential - Highly Restricted
    total 26
    -rwxr-xr-x   1 iappadm1 root         107 Mar  2 23:21 binary
    -rw-------   1 iappadm1 root        1024 Mar  2 22:49 configfile
    -rw-------   1 iappadm1 root       10240 Mar  2 22:49 datafile

Now the service runs with the clearance "Confidential - Highly Restricted", which dominates all three file labels, so datafile is still listed. With the hex form of "Confidential - Restricted" in start/clearance instead, the service would see only binary and configfile, as the interactive login did.

Slide 48: Isolated Execution Environments with Sandboxes: Security and Compliance Features
• Lightweight Application Containment
– For additional separation between running programs
– Only one user can access an isolated sandbox (his own)
• Isolate by restricting process attributes
– Security isolation: files, processes, shared memory, privileges
– Resource isolation: file allocation, memory allocation, CPU
• Temporary sandboxes and named sandboxes

Slide 49: Temporary Sandboxes: Security and Compliance Features
• Created by the user
• Non-persistent
• Can only execute programs from /usr or the current directory
• Optional: restrict network access
• Does not access other processes of the system and the user
• Always gets the lowest clearance, ADMIN_LOW

Slide 50: Temporary Sandboxes: Security and Compliance Features

Preparation by the administrator and the user: install the sandboxing package, make the home dataset multilevel, and label two copies of ls differently:

    # pkg install security/sandboxing
    # zfs set multilevel=on rpool/export/home/demo
    # setlabel "ADMIN_LOW" /export/home/demo/

    demo@s11bk:~$ plabel
    ADMIN_HIGH
    demo@s11bk:~$ cp /usr/bin/ls .
    demo@s11bk:~$ getlabel ls
    ls: ADMIN_LOW
    demo@s11bk:~$ cp /usr/bin/ls ls1

    # setlabel "ADMIN_HIGH" /export/home/demo/ls1

    demo@s11bk:~$ getlabel ls1
    ls1: ADMIN_HIGH

Inside a temporary sandbox (sandbox -n) the clearance drops to ADMIN_LOW, so ls1 is invisible, and a binary outside /usr or the current directory cannot be executed:

    demo@s11bk:~$ mkdir box
    demo@s11bk:~$ cd box
    demo@s11bk:~/box$ sandbox -n
    demo@s11bk:~/box$ plabel                 <- show process clearance
    ADMIN_LOW
    demo@s11bk:~/box$ ls ..
    box  ls                                  <- ls1 is missing in the ls output
    demo@s11bk:~/box$ ../ls
    bash: ../ls: Not owner                   <- cannot execute from another path

Slide 51: Temporary Sandboxes: Security and Compliance Features

Network access is denied, the process only sees itself and its shell, and ppriv shows why: net_access, proc_exec, proc_info and proc_session are removed from all privilege sets, with an extended policy that allows proc_exec only for the sandbox directory and /usr:

    demo@s11bk:~/box$ ssh srv
    socket: Permission denied
    ssh: connect to host srv port 22: Permission denied

    demo@s11bk:~/box$ ps -ef
         UID   PID  PPID   C    STIME TTY         CMD
        demo  4363  4359   0 11:52:52 pts/2       ps -ef
        demo  4359  2356   0 11:52:14 pts/2       /usr/bin/bash --login

    demo@s11bk:~/box$ ppriv self
    23487:  ppriv self
    flags = PRIV_XPOLICY
            Extended policies:
                    {proc_exec}:/export/home/demo/box/*
                    {proc_exec}:/usr/*
            E: basic,!net_access,!proc_exec,!proc_info,!proc_session
            I: basic,!net_access,!proc_exec,!proc_info,!proc_session
            P: basic,!net_access,!proc_exec,!proc_info,!proc_session
            L: basic

Slide 52: Named Sandboxes: Security and Compliance Features
• Characteristics
– UserID, project name, clearance, set of attributes (privileges, resources, ...)
– Created by the admin with sandboxadm(8)
– Assign a rights profile
• Label Classifications
– Hierarchical and disjoint
– Create hierarchical and disjoint sandboxes based on classifications and compartments
• Isolated Processes
– Parent and child sandboxes
– UID, GID, project, home directory, unique labels

Slide 53: Named Sandboxes: Setup Encodings: Security and Compliance Features

Initialize label encodings for sandboxes (three hierarchical levels, three disjoint departments), commit them, and inspect the result:

    # sandboxadm init -f /etc/security/tsol/label_encodings.sandboxes \
        -c Level -i 3 -s Dept -n 3
    # labelcfg -e /etc/security/tsol/label_encodings.sandboxes commit
    # sandboxadm info
    Classifications:
        Public
        Level1 - Level3
        LevelAll
    Compartments:
        Dept1 - Dept3
        DeptAll
    No current sandbox
    # labelcfg list
    "LevelAll DeptAll"
    "Level3 Level1 Level2 DeptAll"
    "Level3 Level1 DeptAll"
    "Level3 Level2 DeptAll"
    "Level3 DeptAll"
    "Level2 Level1 DeptAll"
    "Level2 DeptAll"
    "Level1 DeptAll"
    Public

Slide 54: Named Sandboxes: Setup Sandboxes: Security and Compliance Features

Create the parent sandbox: a role with a labeled home, a project and a security profile, and define the user (demo) who is allowed to enter the role and the sandbox:

    # roleadd -m sbL1; passwd sbL1
    # usermod -R +sbL1 demo
    # sandboxadm create -s sbL1 -u sbL1 -c Level1
    # sandboxadm list -l sbL1
    sbL1
        username(uid): sbL1(104)
        label: Level1 DeptAll
    # zfs set multilevel=on rpool/export/home/sbL1
    # setlabel "Level1 DeptAll" ~sbL1

Create child sandboxes that can be accessed from the parent sandbox:

    # roleadd -m sbL1D1
    # roleadd -m sbL1D2
    # sandboxadm create -s sbL1D1 -u sbL1D1 -p sbL1
    # sandboxadm create -s sbL1D2 -u sbL1D2 -p sbL1
    # sandboxadm list -l sbL1
    sbL1
        username(uid): sbL1(107)
        label: Level1 DeptAll
    sbL1D1
        username(uid): sbL1D1(104)
        label: Level1 Dept1
    sbL1D2
        username(uid): sbL1D2(105)
        label: Level1 Dept2

Slide 55: Rights Profiles for Sandboxes: Security and Compliance Features
• Create a rights profile and assign that profile to the sandbox user: profiles(1)
• Resource definition in a project that is named like the created sandbox: projmod(8)
• Enter the sandbox to execute commands
– Only the allowed user can enter a sandbox
– The child sandboxes can be entered from the parent sandbox

Slide 56: Rights Profiles for Sandboxes: Security and Compliance Features

Create the security profile (no network, no process visibility, execution only from /usr/bin):

    # cat sb.profcfg
    set desc="Sandboxed";
    add cmd=*;
    set privs=basic,!net_access,!proc_exec,!proc_info;
    add privs={proc_exec}:/usr/bin/*;
    end

Load the profile and assign it to the sandbox roles:

    # profiles -p sbL1 -f sb.profcfg
    # rolemod -P +sbL1 sbL1
    # rolemod -P +sbL1 sbL1D1

Slide 57: Rights Profiles for Sandboxes: Security and Compliance Features

First enter the parent sandbox to get access to the child sandboxes with different clearances:

    demo@s11bk:~$ su - sbL1
    Password:
    ...
    sbL1@s11bk:~$ sandbox -s sbL1 "pwd;plabel;ping"
    /export/home/sbL1
    Level1 DeptAll
    /bin/sh: /usr/sbin/ping: cannot execute [Exec format error]
    sbL1@s11bk:~$ sandbox -s sbL1D1 "plabel"
    Level1 Dept1
    sbL1@s11bk:~$ sandbox -s sbL1D2 "plabel;ps -ef"
    Level1 Dept2
         UID   PID  PPID   C    STIME TTY         TIME CMD
      sbL1D2  5960  5910   0 14:46:01 pts/2       0:00 ps -ef

ping fails because the profile grants proc_exec only for /usr/bin/* and ping lives in /usr/sbin; and inside sbL1D2, ps shows nothing but itself because proc_info was removed.

Slide 58: Compliance Assessments: Security and Compliance Features
• Run and store compliance assessments remotely
– Uses the Remote Administration Daemon (RAD)
• Tag compliance assessments for identification and filtering
• Plan assessments with compliance-roster(8)

Slide 59: Scheduled Compliance Assessments: Practical Example

Select the benchmark and let the compliance service run it daily:

    root@solaris:~# compliance get-policy
    Benchmark: solaris
    Profile: Baseline
    Tailoring:
    root@solaris:~# compliance set-policy -b pci-dss
    root@solaris:~# svccfg -s compliance:default
    svc:/application/security/compliance:default> setprop scheduled/interval = astring: day
    svc:/application/security/compliance:default> refresh
    svc:/application/security/compliance:default> exit

Slides 60 and 61: Remote Assessments: Security and Compliance Features
• The example:
– A user cpltester is allowed to run compliance tests.
– A central system called server from which the tests are started and where the assessments are stored.
– Systems to check, called client1 and client2.
• Keep in mind: it's based on RAD over SSH, so
– ... you have to set up passwordless (key-based) authentication,
– ... you have to accept the host keys manually by logging in at least once from client1 and client2 to server and vice versa,
– ... check correct nodenames and a working resolution of the hostnames.

62 Remote Assessments (Practical Example)
On server:

root@server:~# useradd -c "Assessment Admin" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files cpltester
80 blocks
root@server:~# echo "10.0.10.2 server" >> /etc/hosts; echo "10.0.10.3 client1" >> /etc/hosts; echo "10.0.10.4 client2" >> /etc/hosts
root@server:~# passwd cpltester
New Password:
Re-enter new Password:
root@client1:~# ssh cpltester@server
cpltester@server:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/cpltester/.ssh/id_rsa):
Created directory '/export/home/cpltester/.ssh'.
Your identification has been saved in /export/home/cpltester/.ssh/id_rsa.
Your public key has been saved in /export/home/cpltester/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dD1hYrcWkh/e/2gXq69MKq36nibaTyxqtB/rxBMzUlA cpltester@server
[...]
cpltester@server:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'
cpltester@server:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.3 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'

63 Remote Assessments (Practical Example)
On client1:

root@client1:~# useradd -c "Assessment Admin" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files cpltester
80 blocks
root@client1:~# echo "10.0.10.2 server" >> /etc/hosts; echo "10.0.10.3 client1" >> /etc/hosts; echo "10.0.10.4 client2" >> /etc/hosts
root@client1:~# passwd cpltester
New Password:
Re-enter new Password:
root@client1:~# ssh cpltester@client1
cpltester@client1:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/cpltester/.ssh/id_rsa):
Created directory '/export/home/cpltester/.ssh'.
Your identification has been saved in /export/home/cpltester/.ssh/id_rsa.
Your public key has been saved in /export/home/cpltester/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dD1hYrcWkh/e/2gXq69MKq36nibaTyxqtB/rxBMzUlA cpltester@client1
[...]
cpltester@client1:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.4 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'
cpltester@client1:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'

64 Remote Assessments (Practical Example)
On client2:

root@client2:~# useradd -c "Assessment Admin" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files cpltester
80 blocks
root@client2:~# echo "10.0.10.2 server" >> /etc/hosts; echo "10.0.10.3 client1" >> /etc/hosts; echo "10.0.10.4 client2" >> /etc/hosts
root@client2:~# passwd cpltester
New Password:
Re-enter new Password:
root@client2:~# ssh cpltester@client2
cpltester@client2:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/cpltester/.ssh/id_rsa):
Created directory '/export/home/cpltester/.ssh'.
Your identification has been saved in /export/home/cpltester/.ssh/id_rsa.
Your public key has been saved in /export/home/cpltester/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:dD1hYrcWkh/e/2gXq69MKq36nibaTyxqtB/rxBMzUlA cpltester@client2
[...]
cpltester@client2:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.3 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'
cpltester@client2:~$ cd; cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/cpltester/.ssh/authorized_keys && echo "Key copied"'

65 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ pfexec compliance assess -b solaris -N 10.0.10.3
Assessment will be named 'solaris.2018-02-26,17:55'
Remote assessment(s) will be stored via 'ssh://cpltester@server'

Package integrity is verified                 OSC-54005  fail
[...]
Check all default audit properties            OSC-02000  fail

cpltester@server:~/.ssh$

66 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ pfexec compliance roster -r roster-joerg
*** compliance roster: No existing roster: 'roster-joerg', initializing
roster:roster-joerg> add node
roster:roster-joerg/node> node client1
roster:roster-joerg/node:client1> end
roster:roster-joerg> add node
roster:roster-joerg/node> node client2
roster:roster-joerg/node:client2> end
roster:roster-joerg> info;expand
info: roster:roster-joerg, 2 node(s)
node:client1
node:client2
roster:roster-joerg> commit
roster:roster-joerg> list
roster-joerg
roster:roster-joerg> exit

67 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ pfexec compliance roster -r roster-joerg
roster:roster-joerg> select node=client1
roster:roster-joerg/node:client1> policy -b solaris -p Recommended
roster:roster-joerg/node:client1> end
roster:roster-joerg> select node=client2
roster:roster-joerg/node:client2> policy -b solaris -p Recommended
roster:roster-joerg/node:client2> end
roster:roster-joerg> commit
roster:roster-joerg> info
info: roster:roster-joerg, 2 node(s)
roster:roster-joerg> expand
node:client1 profile=Recommended benchmark=solaris
node:client2 profile=Recommended benchmark=solaris
roster:roster-joerg> exit

68 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ pfexec compliance assess -r roster-joerg
Assessment will be named 'roster-joerg.2018-02-26,18:07'
Remote assessment(s) will be stored via 'ssh://cpltester@server'

69 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ compliance list -av 'roster-joerg.2018-02-26,18:07'
roster-joerg.2018-02-26,18:07
  UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
    Benchmark=solaris Profile=Recommended Status=Running Node=client1
    Platform=cpe:/o:oracle:solaris:11 Architecture=i86pc
    Timestamp=2018-02-26T18:07:57 Username=cpltester UserID=1111
  UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
    Benchmark=solaris Profile=Recommended Status=Running Node=client2
    Platform=cpe:/o:oracle:solaris:11 Architecture=i86pc
    Timestamp=2018-02-26T18:07:59 Username=cpltester UserID=1111

70 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ compliance list -av 'roster-joerg.2018-02-26,18:07'
roster-joerg.2018-02-26,18:07
  UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
    Benchmark=solaris Profile=Recommended Status=Complete Node=client1
    Platform=cpe:/o:oracle:solaris:11 Architecture=i86pc
    Timestamp=2018-02-26T18:19:26 Username=cpltester UserID=1111
  UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
    Benchmark=solaris Profile=Recommended Status=Complete Node=client2
    Platform=cpe:/o:oracle:solaris:11 Architecture=i86pc
    Timestamp=2018-02-26T18:19:41 Username=cpltester UserID=1111

71 Remote Assessments (Practical Example)
cpltester@server:~/.ssh$ compliance list
Benchmarks:
pci-dss
solaris
Assessments:
roster-joerg.2018-02-26,18:07
  UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
  UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
solaris.2018-02-26,17:55

72 Per File Auditing (Security and Compliance Features)
• Fine-grained, on-access auditing of specific files and directories
• Local, NFS, SMB
• For any reads or writes, success and denied access
• Also for metadata changes

73 Per File Auditing: Why is this really useful?
• Previously, auditing was activated per process, per user or by default
• This showed ALL file write audit events of a user or a process
• This could be quite overwhelming
• Per-file auditing allows you to focus only on the file or files you care about

74 Per File Auditing (Security and Compliance Features)
# ls -v /etc/shadow
-r--------   1 root     sys         1002 Feb 20 00:00 /etc/shadow
     0:owner@:read_data/read_xattr/write_xattr/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
     1:group@:read_xattr/read_attributes/read_acl/synchronize:allow
     2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
# chmod A+everyone@:read_data:failed_access:audit /etc/shadow

75 Per File Auditing (Security and Compliance Features)
demo ~$ cat /etc/shadow
cat: cannot open /etc/shadow: Permission denied

# auditreduce -o file=/etc/shadow | praudit -s
file,2018-02-20 13:13:06.000+01:00,
header,147,2,AUE_OPEN_R,ace:fp:fe,s11bk,2018-02-20 13:13:06.929+01:00
path,/etc/shadow
attribute,100400,root,sys,65538,176198,18446744073709551615
subject,demo,demo,staff,demo,staff,23367,2367331890,189 1 s11bk
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
file,2018-02-20 13:13:06.000+01:00,
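Reading the praudit -s records by eye works for one denied cat; for a file that is watched permanently you want the records grouped and counted. The following is an added example, not code from the slides or from Oracle: it parses the short-form token stream shown above and reports who was refused access to the audited file, using a constructed sample built from the slide's record.

```python
"""Summarise denied accesses to an audited file from `praudit -s` output.

Added example (not from the slides or from Oracle): it reads the short-form
records that `auditreduce -o file=/etc/shadow | praudit -s` prints, groups the
comma-separated tokens into records and reports who was refused access to the
file and how often.
"""
from collections import defaultdict

# Constructed sample, not captured from a live system: the record from the
# slide, a second denied read by the same user, and one successful read by
# root in a session audited as 'demo' (the audit ID is the first subject
# field and survives su/pfexec, which is why it is the key to report on).
SAMPLE_PRAUDIT = """\
file,2018-02-20 13:13:06.000+01:00,
header,147,2,AUE_OPEN_R,ace:fp:fe,s11bk,2018-02-20 13:13:06.929+01:00
path,/etc/shadow
attribute,100400,root,sys,65538,176198,18446744073709551615
subject,demo,demo,staff,demo,staff,23367,2367331890,189 1 s11bk
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
header,147,2,AUE_OPEN_R,ace:fp:fe,s11bk,2018-02-20 13:14:01.104+01:00
path,/etc/shadow
attribute,100400,root,sys,65538,176198,18446744073709551615
subject,demo,demo,staff,demo,staff,23402,2367331890,189 1 s11bk
use of privilege,failed use of priv,file_dac_read
return,failure: Permission denied,-1
header,131,2,AUE_OPEN_R,ace,s11bk,2018-02-20 13:15:22.510+01:00
path,/etc/shadow
attribute,100400,root,sys,65538,176198,18446744073709551615
subject,demo,root,root,root,root,23455,2367331890,189 1 s11bk
return,success,0
file,2018-02-20 13:15:22.000+01:00,
"""


def parse_praudit(text):
    """Group praudit -s tokens into one dict per audit record.

    A record starts at a 'header' token; 'file' tokens only mark the start
    and end of the audit trail. Fields are split on ',' which is fine for
    the tokens interpreted here (paths containing commas would need the
    XML output of praudit -x instead).
    """
    records, current = [], None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        token, *fields = raw.split(",")
        if token == "file":
            continue
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            current = {"event": fields[2], "host": fields[4], "time": fields[5],
                       "path": None, "audit_user": None, "euid": None,
                       "outcome": None, "failed_priv": None}
            records.append(current)
        elif current is None:
            continue
        elif token == "path":
            current["path"] = fields[0]
        elif token == "subject":
            # subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
            current["audit_user"], current["euid"] = fields[0], fields[1]
        elif token == "use of privilege" and fields[0] == "failed use of priv":
            current["failed_priv"] = fields[1]
        elif token == "return":
            current["outcome"] = "success" if fields[0] == "success" else "failure"
    return records


def denied_access_summary(records, path):
    """Count denied accesses to `path`, keyed by (audit user, event type)."""
    counts = defaultdict(int)
    for rec in records:
        if rec["path"] == path and rec["outcome"] == "failure":
            counts[(rec["audit_user"], rec["event"])] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_PRAUDIT)
    for rec in recs:
        print(f'{rec["time"]} {rec["audit_user"]} (euid={rec["euid"]}) '
              f'{rec["event"]} {rec["path"]} -> {rec["outcome"]}')
    print(denied_access_summary(recs, "/etc/shadow"))
```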

76 Privileged Command Execution History Reporting (Security and Compliance Features)
• Show a summary of system administration related events
• admhist(8) to leverage audit data
• Narrow the results by date, time, zone and audit-tag

77 Privileged Command Execution History Reporting (Security and Compliance Features)
# admhist -d "today" -v
2018-02-21 10:01:20.605+01:00 demo@s11bk cwd=/root /usr/sbin/zpool zpool list
2018-02-21 10:01:24.812+01:00 demo@s11bk cwd=/root /usr/sbin/zfs zfs list
2018-02-21 10:01:34.690+01:00 demo@s11bk cwd=/root /usr/sbin/zfs zfs umount /export/home/sbox1
2018-02-21 10:01:39.874+01:00 demo@s11bk cwd=/root /usr/sbin/zfs zfs mount /export/home/sbox1
2018-02-21 10:01:48.749+01:00 demo@s11bk cwd=/root /usr/sbin/zfs zfs list

78 Silicon Secured Memory: Security Exploit Mitigations (Security and Compliance Features)
• SSM now in standard libc and libumem memory allocator
  – SSM can now be used for applications that absolutely need to use the libc malloc.
• Enabled through use of a tag in the ELF header of the binary
  – Not enabled for all binaries
  – Can be enabled/disabled through use of sxadm
• libadimalloc stays for compatibility

79 Silicon Secured Memory: Security Exploit Mitigations (Security and Compliance Features)
$ sxadm status
EXTENSION  STATUS                  CONFIGURATION
aslr       enabled (tagged-files)  default (default)
nxstack    enabled (all)           default (default)
nxheap     enabled (tagged-files)  default (default)
adiheap    enabled (tagged-files)  default (default)
adistack   enabled (tagged-files)  default (default)

$ sxadm exec -s adistack=enable -s adiheap=enable /path/to/program

# sxadm enable adistack,adiheap

80 Kernel ADI (Silicon Secured Memory for the kernel)
• Protects kernel memory
• Currently undocumented
• Planned to be exposed via sxadm
• Planned for 11.4 release or soon after
• KADI is enabled by default with precise traps with the debugging build of the kernel:
  # pkg change-variant debug.osnet=true

81 Data Management Features
• Deduplication 2.0
• ZFS Meta Devices
• Fast ZFS Based File Copying
• ZFS Raw Send Streams
• Resumable ZFS Send Streams
• SMB 3.0 Support
• Monitor and Manage ZFS Shadow Migration
• Preserving ZFS ACL Inheritance
• NFS V4.1 Server Support
• NFSv3 Mount Using TCP
• Extended Attributes in
• Configurable ZFS Read and Write Throughput Limits

82 ZFS Meta Devices (Data Management Features)
• ZFS in Oracle Solaris 11.4 has a new type of device called Meta Device
• A Meta Device stores copies of critical metadata that need to be accessed in a non-sequential manner
• These devices are currently used in particular for the Deduplication Table (DDT)
• This yields better performance: if the DDT is too large to be kept in memory, ZFS has to read it from disk, and if that is a rotating disk, performance suffers. You don't need Meta Devices on an all-flash pool.
• As the metadata are written to the main pool as well, there is no need to mirror them; I/O errors on the Meta Device can be recovered from the main pool.

83 ZFS Meta Devices (Data Management Features)
root@sol114s1:~# zpool create narfpool /root/test1 meta /root/test2
root@sol114s1:~# zpool status narfpool
  pool: narfpool
 state: ONLINE
  scan: none requested
config:

        NAME           STATE     READ WRITE CKSUM
        narfpool       ONLINE       0     0     0
          /root/test1  ONLINE       0     0     0
        metas
          /root/test2  ONLINE       0     0     0

errors: No known data errors

84 Fast ZFS Based File Copying (Data Management Features)
• Copy files very quickly using ZFS
• The "dedup" for files
• Copy a file without reading or writing the underlying data blocks
• The files must reside in the same zpool
• The first copy does a lot of extra work and so is not considerably faster, but subsequent copies are much faster.

85 Fast ZFS Based File Copying (Data Management Features)
demo@s11bk:~$ zfs list rpool/export/home/demo
NAME                    USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/demo  52.1M 12.5G  52.1M  /export/home/demo
demo@s11bk:~$ time mkfile 1g file1
real    0m3.571s
demo@s11bk:~$ zfs list rpool/export/home/demo
NAME                    USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/demo  1.05G 11.5G  1.05G  /export/home/demo
demo@s11bk:~$ time cp -z file1 file2
real    0m11.511s
demo@s11bk:~$ time cp -z file1 file3
real    0m0.365s
demo@s11bk:~$ zfs list rpool/export/home/demo
NAME                    USED  AVAIL  REFER  MOUNTPOINT
rpool/export/home/demo  3.05G 12.5G  3.05G  /export/home/demo

86 ZFS Raw and Resumable Send Streams, Async Destroy (Data Management Features)
• Send compressed ZFS streams in Raw Format
  – Originally ZFS decompressed compressed datasets before sending the stream
  – In 11.4 Beta it's sent in Raw (compressed) Format
  – zfs send -w compress
• Suspend and resume ZFS send Stream Operations
  – zfs send -C, zfs receive -C
• Asynchronously destroy ZFS Datasets
  – zfs destroy works asynchronously by default (use -s for sync)
  – Watch destroy with zpool monitor -t destroy

87 Configurable ZFS Read and Write Throughput Limits (Data Management Features)
• Optimize ZFS I/O resources in a multitenant environment
• Limit a ZFS file system's reads and writes to disk
  – Related to ZFS Filesystems
  – Set readlimit and writelimit properties, in units of bytes per second

88 Throughput Limit (Practical Example)
# zfs set writelimit=500mb pond/apps/web
# zfs set readlimit=200mb pond/apps/logdata

# zfs get -r writelimit,readlimit pond/apps
NAME                 PROPERTY    VALUE    SOURCE
pond/apps            writelimit  default  default
pond/apps            readlimit   default  default
pond/apps/logdata    writelimit  default  default
pond/apps/logdata    readlimit   200M     local
pond/apps/web        writelimit  500M     local
pond/apps/web        readlimit   default  default
pond/apps/web/tier1  writelimit  default  default
pond/apps/web/tier1  readlimit   default  default

89 Control and Monitor Shadow Migration (Data Management Features)
• Improved handling of Shadow Migration
• Monitoring status of Shadow Migration
• Check for cause of errors
• Control Shadow Migration

90 Control and Monitor Shadow Migration (Practical Example)
# shadowstat
                          EST
                 BYTES  BYTES           ELAPSED
DATASET          XFRD   LEFT    ERRORS  TIME
tank/logarchive  16.4M  195M    1       00:01:20
pond/dbarchive   4.49M  248M    -       00:00:51
tank/logarchive  16.6M  194M    1       00:01:21
pond/dbarchive   4.66M  248M    -       00:00:52
tank/logarchive  16.7M  194M    1       00:01:22
pond/dbarchive   4.80M  248M    -       00:00:53
tank/logarchive  17.1M  194M    1       00:01:23
pond/dbarchive   5.00M  248M    -       00:00:54
tank/logarchive  17.3M  194M    1       00:01:24
pond/dbarchive   5.16M  247M    -       00:00:55

91 Control and Monitor Shadow Migration (Practical Example)
# shadowstat -E
tank/logarchive:
PATH          ERROR
e-dir/socket  Operation not supported
pond/dbarchive:
No errors encountered.

# shadowadm cancel tank/logarchive

92 NFSv3 Mount via TCP (Data Management Features)
• Up to Oracle Solaris 11.3, NFSv3 used UDP for establishing the mount, even when TCP was specified; it used TCP only after the mount was established.
• Oracle Solaris 11.4 uses TCP from the start
• Small change, significant advantage:
  – Simplification of firewall rules
  – NFSv3 is now possible in environments with blocked UDP

93 NFSv3 Mount Using TCP (Practical Example)
root@sol114c1:~# mount -o vers=3,proto=tcp 192.168.1.129:/export/nfsshare /mnt113
root@sol114c1:~# mount -o vers=3,proto=tcp 192.168.1.131:/export/nfsshare /mnt114
root@sol113c1:~# mount -o vers=3,proto=tcp 192.168.1.131:/export/nfsshare /mnt114
root@sol113c1:~# mount -o vers=3,proto=tcp 192.168.1.129:/export/nfsshare /mnt113
sol114c1 → sol113s1  Portmap  126  V2 GETPORT Call MOUNT(100005) V:3 TCP
sol114c1 → sol114s1  Portmap  126  V2 GETPORT Call MOUNT(100005) V:3 TCP
sol113c1 → sol114s1  Portmap   98  V2 GETPORT Call MOUNT(100005) V:3 UDP
sol113c1 → sol113s1  Portmap   98  V2 GETPORT Call MOUNT(100005) V:3 UDP

94 Networking Features
• Deploy complex network configurations through AI with SC Profiles
• Specifying a name for a persistent static route
• IP networking configuration in SMF
• ISC Bind 9.10.3
• Live Migration and HA Failover for SR-IOV enabled anets
• Client Side support for IEEE 802.1x
• Open Fabric Enterprise Distribution 3.18
• Datacenter TCP

95 IP networking configuration in SMF (Practical Example)
# svcprop svc:/network/ip-interface-management:default
[…]
interfaces/net0/address-family astring ipv4 ipv6
interfaces/net0/v4/ipv4-address astring 192.168.1.92
interfaces/net0/v4/prefixlen count 24
interfaces/net0/v4/up astring yes
interfaces/net0/v6/interface-id astring ::
interfaces/net0/v6/prefixlen count 0
interfaces/net0/v6/stateful astring yes
interfaces/net0/v6/stateless astring yes
[…]

96 IP networking configuration in SMF (Practical Example)
# svcprop svc:/network/ip-interface-management:default
[…]
interfaces/net0/address-family astring ipv4 ipv6
interfaces/net0/v4/ipv4-address astring 192.168.1.92
interfaces/net0/v4/prefixlen count 24
interfaces/net0/v4/up astring yes
interfaces/net0/v6/interface-id astring ::
interfaces/net0/v6/prefixlen count 0
interfaces/net0/v6/stateful astring yes
interfaces/net0/v6/stateless astring yes
[…]
But have you seen the property names? Nested property groups!

More about this later …

97 Named Routes (Practical Example)
root@sol114s1:~# route -p add 10.0.20.1/24 192.168.1.1 -name narf
add net -name narf 10.0.20.1/24: gateway 192.168.1.1
root@sol114s1:~# route get -name narf
   route to: 10.0.20.1
       name: narf
destination: 10.0.20.0
       mask: 255.255.255.0
    gateway: 192.168.1.1
  interface: net0
      flags:
 recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount       mtu    expire
        0         0         0         0         0         0      1500         0
root@sol114s1:~# route delete -name narf
delete net -name narf 10.0.20.1/24: gateway 192.168.1.1

98 Performance and Observability
• Dtrace SCSI Provider
• Dtrace fileops Provider
• Dtrace MIB Provider for TCP, UDP and IP statistics
• Kstats v2 Framework
• Pfiles for core files
• Monitor I/O latency via fsstat
• SCSI I/O response time distribution
• FMA core file Diagnostics

99 iostat Latency Distribution (Practical Example)
root@solaris:~# iostat -x -L 1
                    extended device statistics
device     r/s    w/s   kr/s    kw/s  wait  actv  wsvc_t  asvc_t  %w  %b
sd0        0,9   12,4   14,8   182,0   0,0   0,0     0,0     0,2   0   0
latency range   count    density  distribution
<64ns               0      0,00%        0,00%
64-128ns           17      0,00%        0,00%
128-256ns         211      0,05%        0,06%
256-512ns         109      0,03%        0,08%
512-1024ns        157      0,04%        0,12%
1-2us              35      0,01%        0,13%
2-4us              38      0,01%        0,14%
4-8us             112      0,03%        0,17%
8-16us            284      0,07%        0,24%
[...]
64-128us       138242     34,11%       68,47%
128-256us       55524     13,70%       82,17%
256-512us       37997      9,38%       91,54%
512-1024us      18057      4,46%       96,00%
1-2ms            6045      1,49%       97,49%
2-4ms            5616      1,39%       98,88%
4-8ms            2325      0,57%       99,45%
8-16ms           1966      0,49%       99,93%
16-32ms           254      0,06%      100,00%
32-64ms             8      0,00%      100,00%
64-128ms            3      0,00%      100,00%
128-256ms           2      0,00%      100,00%
256-512ms           1      0,00%      100,00%

100 fsstat Latency (Practical Example)
root@solaris:~# fsstat -l /
 read  read  read  read write write write write rddir rddir rddir rddir
  ops bytes  time  actv   ops bytes  time  actv   ops bytes  time  actv
 648K 1,11G 15,0n    35  180K 2,77G    0n     2 50,3K 17,6M 42,0n     0 /

101 Virtualization Features
• Continued Support of Oracle Solaris 10 Branded Zones
• Delegated Oracle Solaris Zones Restarter
• LZR for Datasets on Oracle Solaris native Zones
• Moving Oracle Solaris Zones
• Zone Cold Migration
• SSM support in Oracle Solaris Kernel Zones
• Multipathing for LDOMs Virtual SCSI HBAs
• Oracle Solaris Kernel Zones Support for SPARC M7/M8 DAX
• VLAN Aware Oracle Solaris Kernel Zones
• Configure Immutable Zones by running in the Trusted Path

102 Oracle Solaris 11.4: Built-in Investment Protection
• 20+ years of binary compatibility
  – Applications just work on newer Oracle Solaris releases
• Fast & simple migration:
  – Reduce risk with automated checks before you move
  – Oracle Solaris 10 Tools move you quickly and simply
  – Migrate your S10 environments in minutes
[Diagram: Oracle Solaris 10 systems running Fusion Applications and Database are moved via V2V and P2V into Solaris 10 Zones on Oracle Solaris 11, after running the System Preflight Checker]

103 Delegated Oracle Solaris Zones Restarter (Virtualization Features)
• Enable the control of Zones boot
  – Zones start/restart with SMF Instances
  – Dependencies, Priorities, Boot Order
  – Boot Zones in Parallel
• Add Milestone/Goal to identify when the Zone is "up"
• Automatically start/re-start complex application environments
• See svc.zones(8)

104 Delegated Oracle Solaris Zones Restarter (Virtualization Features)
# zoneadm list -cv | grep zone1
   - zone1   installed  /system/zones/zone1   solaris  excl

# svcs zones
online   Feb_18   svc:/system/zones:default

# svcs -a zones/zone
disabled  18:12:24  svc:/system/zones/zone:zone1

# zoneadm -z zone1 boot
# svcs zone1
online    18:20:52  svc:/system/zones/zone:zone1

105 Delegated Oracle Solaris Zones Restarter (Virtualization Features)
root@s11bk:/root# svcprop -p general/enabled zone1
false

# zonecfg -z zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> commit
zonecfg:zone1> exit

# zoneadm -z zone1 apply
# svcprop -p general/enabled zone1
true

106 LZR for Datasets on Oracle Solaris Native Zones (Virtualization Features)
• Live Zone Reconfiguration (LZR) to push zonecfg changes to a running zone (permanent or temporary)
• No need to reboot the Zone.
• Add/remove ZFS datasets with LZR

107 LZR for Datasets on Oracle Solaris Native Zones (Virtualization Features)
# zfs create rpool/zone1-set
# zonecfg -z zone1 add dataset rpool/zone1-set
# zoneadm -z zone1 apply
zone 'zone1': Checking: Adding dataset name=rpool/zone1-set
zone 'zone1': Applying the changes
# zlogin zone1
zone1 # zfs list zone1-set1
cannot open 'zone1-set1': filesystem does not exist
zone1 # zpool import zone1-set
zone1 # zfs list zone1-set
NAME       USED  AVAIL  REFER  MOUNTPOINT
zone1-set   31K  12.5G    31K  /zone1-set

108 LZR for Datasets on Oracle Solaris Native Zones (Virtualization Features)
zone1 # zpool export zone1-set

# zonecfg -z zone1 remove dataset rpool/zone1-set
# zoneadm -z zone1 apply
zone 'zone1': Checking: Removing dataset name=rpool/zone1-set
zone 'zone1': Applying the changes

109 Moving Oracle Solaris Zones (Virtualization Features)
• Use zoneadm move to move an installed Oracle Solaris zone across different storage URIs
  – Move from a local file system to shared storage
  – Move from shared storage to a local file system
  – Move from one shared storage location to another
  – Change the zonepath without moving the Oracle Solaris zone installation

110 Zone Cold Migration (Virtualization Features)
• Migrate Native Zones in installed state using shared storage (SAS, SAN, iSCSI)
• Migrate to another node, using zoneadm migrate
• Migration is also used from sysadm evacuate
[Diagram: two Oracle Solaris hosts, each with a Solaris 11 Zone, attached to shared storage (SAN, iSCSI, SAS); zoneadm migrate moves the zone from one host to the other]

111 sysadm Utility (System Management Features)
• Put System into maintain State
  – Prevent Zone Boot or inward Migration
• Initiate One step Host Evacuation
  – Live Migrate Kernel Zones, Cold Migrate Native Zones
  – To predefined evacuation/target of each SMF Instance
• After ending maintain State, single step Zone repopulation
[Diagram: hosts s11bk and s11bk2, both Oracle Solaris 11.4 Beta, attached to shared storage; zoneadm migrate moves a Solaris 11.4 Beta Zone between them]

112 sysadm Utility (Practical Example)
root:nacaozumbi:~# sysadm maintain -s -m "updating to new build"
root:nacaozumbi:~# sysadm maintain -l
TYPE   USER  DATE              MESSAGE
admin  root  2018-02-02 01:10  updating to new build

113 sysadm Utility (Practical Example)
root:nacaozumbi:~# zoneadm -z on-fixes attach
zoneadm: zone 'on-fixes': attach prevented due to system maintenance: see sysadm(8)
root:nacaozumbi:~# svccfg -s svc:/system/zones/zone:on-fixes \
    setprop evacuation/target = astring: "ssh://nacaozumbi/"
root:nacaozumbi:~# svcadm refresh zone:on-fixes
root:bjork:~# zoneadm -z on-fixes migrate ssh://root@nacaozumbi
zoneadm: zone 'on-fixes': Using existing zone configuration on destination.
zoneadm: zone 'on-fixes': Attaching zone.
zoneadm: zone 'on-fixes': attach failed:
zoneadm: zone 'on-fixes': attach prevented due to system maintenance: see sysadm(8)

114 sysadm Utility (Practical Example)
Set default evacuation target for the node
root:nacaozumbi:~# svccfg -s svc:/system/zones/zone \
    setprop evacuation/target = astring: "ssh://bjork/"
root:nacaozumbi:~# svcadm refresh zone

root:nacaozumbi:~# sysadm evacuate -va
sysadm: preparing 5 zone(s) for evacuation ...
sysadm: initializing migration of evac1 to bjork ...
[...]
sysadm: evacuating 5 zone(s) ...
sysadm: migrating tzone1 to bjork ...
[...]
sysadm: evacuation completed successfully.
sysadm: evac1: evacuated to ssh://root@bjork
[...]

115 sysadm Utility (Practical Example)
root:nacaozumbi:~# sysadm evacuate -l
sysadm: evacuation in progress
root:nacaozumbi:~# zoneadm list -cv
  ID NAME      STATUS      PATH                  BRAND       IP
   0 global    running     /                     solaris     shared
   - tzone1    configured  /system/zones/tzone1  solaris     excl
   - evac1     configured  -                     solaris-kz  excl
   - on-fixes  configured  -                     solaris-kz  excl
   - evac4     configured  -                     solaris-kz  excl
   - zts       configured  -                     solaris-kz  excl
   - evac3     configured  -                     solaris-kz  excl

116 sysadm Utility (Practical Example)
jpechane:bjork::~$ zoneadm list -cv
  ID NAME      STATUS     PATH                  BRAND       IP
   0 global    running    /                     solaris     shared
  57 evac3     running    -                     solaris-kz  excl
  58 evac1     running    -                     solaris-kz  excl
  59 evac2     running    -                     solaris-kz  excl
   - on-fixes  installed  -                     solaris-kz  excl
   - tzone1    installed  /system/zones/tzone1  solaris     excl
   - zts       installed  -                     solaris-kz  excl
   - evac4     installed  -                     solaris-kz  excl

117 sysadm Utility (Practical Example)
root:nacaozumbi:~# sysadm maintain -l
TYPE   USER  DATE              MESSAGE
admin  root  2018-02-02 01:10  updating to new build
root:nacaozumbi:~# sysadm maintain -e
root:nacaozumbi:~# sysadm evacuate -ra
sysadm: preparing zones for return ... 5/5
sysadm: returning zones ... 5/5
sysadm: return completed successfully.

118 System Management Features 1/2
• System Data Visualization and Performance Analysis with Oracle Solaris Web Dashboard
• sysadm Utility
• useradm Tool
• fcinfo Utility
• IPS HA Client
• Displaying DAX Utilization and Performance

119 System Management Features 2/2
• SMF Nested Property Groups
• New SMF Profile Layers
• Goal Services
• Diagnosing Device Hotplugging Failures
• Default User Attributes for LDAP Accounts
• FMA Output Identifies Bugs
• Automating OpenLDAP and OUD Server Configuration
• Puppet Configuration Management Software
• Mcollective
• Augeas

120 Nested Property Groups: Remember this one?
# svcprop svc:/network/ip-interface-management:default
[…]
interfaces/net0/address-family astring ipv4 ipv6
interfaces/net0/v4/ipv4-address astring 192.168.1.92
interfaces/net0/v4/prefixlen count 24
interfaces/net0/v4/up astring yes
interfaces/net0/v6/interface-id astring ::
interfaces/net0/v6/prefixlen count 0
interfaces/net0/v6/stateful astring yes
interfaces/net0/v6/stateless astring yes
[…]

121 Nested Property Groups: Why?
• Allows a finer separation of properties
• Properties are arranged much more clearly
  – without emulating structure with underscore-separated property names
  – Meaningful subsets without grep
root@sol114s1:~# svcprop -p interfaces/net0/v4 svc:/network/ip-interface-management:default
interfaces/net0/v4/ipv4-address astring 192.168.1.92
interfaces/net0/v4/prefixlen count 24
interfaces/net0/v4/up astring yes
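The property names on slides 95/96 and 120/121 are a path: each slash is a nested property group and the last component is the property. As an added example (not from the slides or from Oracle), the following parses svcprop output into that tree and selects a sub-group the way svcprop -p interfaces/net0/v4 does, on a constructed sample that extends the slide's net0 properties with a second interface.

```python
"""Turn `svcprop` output with nested property groups into a tree.

Added example (not from the slides or from Oracle). It parses the line format
shown on the slides (property name, SMF type, zero or more whitespace-separated
values) and lets you pick a sub-tree such as interfaces/net0/v4 the way
`svcprop -p interfaces/net0/v4 <fmri>` does, without grep.
"""

# Constructed sample, not captured from a live system: the net0 properties
# from the slide plus a second interface (net1, IPv4 only) so the tree has
# more than one branch.
SAMPLE_SVCPROP = """\
interfaces/net0/address-family astring ipv4 ipv6
interfaces/net0/v4/ipv4-address astring 192.168.1.92
interfaces/net0/v4/prefixlen count 24
interfaces/net0/v4/up astring yes
interfaces/net0/v6/interface-id astring ::
interfaces/net0/v6/prefixlen count 0
interfaces/net0/v6/stateful astring yes
interfaces/net0/v6/stateless astring yes
interfaces/net1/address-family astring ipv4
interfaces/net1/v4/ipv4-address astring 10.0.10.2
interfaces/net1/v4/prefixlen count 24
interfaces/net1/v4/up astring no
"""


def _convert(smf_type, values):
    """Map an SMF type to a Python value; multi-valued properties become lists."""
    if not values:                      # property present but empty
        return None
    if smf_type in ("count", "integer"):
        vals = [int(v) for v in values]
    elif smf_type == "boolean":
        vals = [v == "true" for v in values]
    else:                               # astring, ustring, fmri, ... kept as text
        vals = list(values)
    return vals[0] if len(vals) == 1 else vals


def parse_svcprop(text):
    """Build nested dicts from 'group/.../group/property type values' lines."""
    tree = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue                    # blank line or the [...] marker
        name, smf_type, values = parts[0], parts[1], parts[2:]
        *groups, leaf = name.split("/")
        node = tree
        for group in groups:
            node = node.setdefault(group, {})
        node[leaf] = _convert(smf_type, values)
    return tree


def select(tree, path):
    """Return the sub-tree or value at 'interfaces/net0/v4' style paths, None if absent."""
    node = tree
    for part in path.split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def flatten(tree, prefix=""):
    """Inverse of parse_svcprop: yield (name, value) pairs in slash notation."""
    for key, val in tree.items():
        name = f"{prefix}/{key}" if prefix else key
        if isinstance(val, dict):
            yield from flatten(val, name)
        else:
            yield name, val


if __name__ == "__main__":
    tree = parse_svcprop(SAMPLE_SVCPROP)
    print(select(tree, "interfaces/net0/v4"))
    for name, value in flatten(select(tree, "interfaces/net1"), "interfaces/net1"):
        print(name, value)
```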

122 Goal Services: Why?
• The problem: a disabled service does nothing. That's the reason why it's disabled.
• There are no notifications of the state of disabled services
• Goal services allow you to create a service that monitors the state (enabled, disabled, running etc.) of specified SMF services
• When a required service is disabled for some reason, the goal service will notify you about this

123 Goal Services (Practical Example)
root@solaris:~# svcadm goals svc:/network/http:apache24 svc:/network/smb:default svc:/milestone/multi-user-server:default
root@solaris:~# svcs -d milestone/goals
STATE    STIME     FMRI
online   12:22:15  svc:/network/smb:default
online   12:23:52  svc:/milestone/multi-user-server:default
online   22:49:40  svc:/network/http:apache24
root@solaris:~# svcadm disable svc:/network/http:apache24

124 Goal Services
Practical Example

  # svcadm disable apache24
  # fmdump -v
  Feb. 25 22:54:15.6830 7aade7be-3983-4f52-be4e-d49f830597a4 SMF-8000-YX Diagnosed
    100% defect.sunos.smf.svc.maintenance
         Problem in: svc:///milestone/goals:default
            Affects: svc:///milestone/goals:default
                FRU: -
       FRU Location: -
  Feb. 25 22:54:15.6983 7aade7be-3983-4f52-be4e-d49f830597a4 FMD-8000-9L Isolated
    100% defect.sunos.smf.svc.maintenance
         Problem in: svc:///milestone/goals:default
            Affects: svc:///milestone/goals:default
                FRU: -
       FRU Location: -

125 Goal Services
Practical Example

  # svcadm enable apache24
  # fmdump -v
  Feb. 25 22:55:35.7377 7aade7be-3983-4f52-be4e-d49f830597a4 FMD-8000-4M Repaired
    100% defect.sunos.smf.svc.maintenance   Repair Attempted
         Problem in: svc:///milestone/goals:default
            Affects: svc:///milestone/goals:default
                FRU: -
       FRU Location: -
  Feb. 25 22:55:35.7392 7aade7be-3983-4f52-be4e-d49f830597a4 FMD-8000-6U Resolved
    100% defect.sunos.smf.svc.maintenance   Repair Attempted
         Problem in: svc:///milestone/goals:default
            Affects: svc:///milestone/goals:default
                FRU: -
       FRU Location: -

126 FMA output contains BugID
• There is a correlation between a raw stack trace and an existing bug.
• This knowledge was put into a database:
  – It's in pkg:/system/diagnostic/stackdb
  – It's an unincorporated package containing just the DB. You always get the newest version, independent of the SRU.
  – No need to update the whole system or to reboot the system.

127 FMA output contains BugID
• When there is a stack in an FMA event and it looks like a software defect:
  – FMA will start a lookup in the StackDB
  – If possible, it will add a message with a potential Bug ID:

  Description : A diagnostic core file was dumped in /var/diag/e83476f7-104d-4c85-9de4-bf7e45f261d1 for RESOURCE /usr/bin/pstack whose ASRU is . The ASRU is the Service FMRI for the resource and will be NULL if the resource is not part of a service. The following are potential bugs. stack[0] - 24522117

  – You can search for it in MOS or in the package repository.
  – So FMA will tell you that this is a known and fixed bug before Oracle Support tells you the same …

128 Oracle Solaris 11.4: Stats Store
Near Zero-Overhead Diagnosis (System Management Features)
• Always-available real-time and historical data
  – Essential statistics collected by default
  – Additional performance data acquired instantly
  – Extensible to any application
• For any VM, on premises or in the cloud
  – Accessible and customizable by any authorized user
  – Near-zero overhead
• Zero administrative overhead
  – No extra software to manage
  – No configuration necessary

129 Oracle Solaris 11.4 Beta: Admin Web Dashboard
System Management Features
• Real-time and historical data
  – Essential statistics collected continuously
  – More health and performance data acquired instantly
  – Compliance and security statistics for authorized users
• Lightweight, intuitive web-based UI
  – Designed for minimal overhead
  – No agents to install

130 Oracle Solaris 11.4: Web Dashboard
System Management Features
[Screenshot of the Web Dashboard; callouts on the slide:]
• Specialized diagnostics sheets
• Select resource (system resources, applications, …)
• Drill-down
• Navigate in time
• Dashboard: system status at a glance
• Basic system configuration
• Explore specific data sets
• Historical system data
• System faults and activities
• Correlate different time periods and statistics

131 Installation and Software Management Features
• Tool to create First Boot Service and Package: svc-create-first-boot(1)
• x86 WAN Boot for Automated Installer
• Automated Installer Support for HMAC-SHA256
• Dehydrate and Rehydration for Unified Archives
• Support for cloudbase-init
• Boot Oracle Solaris through Boot Pools over iSCSI-iSER
• UEFI Secure Boot
• RAD API for Automated Installer

132 x86 WAN Boot for Automated Installer
Installation and Software Management Features
• Enable x86 AI Installation via WAN
• Secure from early Boot through Install
• Requires
  – UEFI-enabled x86 System
  – WANboot-enabled x86 System
• Optional: use HMAC-256 protocol
  – Benefits
    • AI server can verify identity of client
    • Data encryption on network
    • Only authenticated clients can access data
• ToDo:
  – Configure AI Service
    • Optionally for HMAC-256 usage
      – Set HMAC policy to hmac-sha256 for AI
      – Set credential for AI server and service
      – Set service authentication policy
      – Generate Keys
  – Configure WANBoot Client in UEFI BIOS
    • Optionally
      – Set SHA256 HMAC Key
      – Set AES Encryption Key

133 Dehydrate and Rehydration for Unified Archives
Installation and Software Management Features
• Dehydrate a uar during creation
  – Removes all non-editable package files
• Rehydrate reinstalls the removed files
• Save deployment time by rehydrating before using the uar
• Use Case: deliver "shrunk" archives to customers without delivering the "real OS bits"
  – See OS distribution rights ...

134 Dehydrate and Rehydration for Unified Archives
Installation and Software Management Features

  # archiveadm create zone1.uar -z zone1
  # ls -l zone1.uar
  -rw-r--r--   1 root     root     858071040 Feb 11 12:15 zone1.uar

  # archiveadm create zone1.dhuar -z zone1 --dehydrate
  # ls -l zone1.dhuar
  -rw-r--r--   1 root     root     447897600 Feb 11 12:36 zone1.dhuar

  # archiveadm rehydrate zone1.dhuar zone1.rhuar
  # ls -l zone1.rhuar
  -rw-r--r--   1 root     root     855715840 Feb 21 22:50 zone1.rhuar

135 Small, but Useful Changes
• kldd
• No need to link with -lsocket, -lnsl, -lsendfile, or -lxnet. They were folded into libc; filter libraries remain under the old names for compatibility.
• prtconf -v shows the PIDs of processes using devices.
• Lite-mode pargs to get the initial environment without the need to "stop-grab" the process.
• pfiles has a "lite mode" as well.
• mkfile -p to define a fill pattern instead of just zeros

136 Small, but Useful Stuff
kldd

  jmoekamp@server:~$ kldd /kernel/fs/amd64/zfs
          fs/specfs =>         /kernel/fs/amd64/specfs
          misc/kcf =>          /kernel/misc/amd64/kcf
          misc/idmap =>        /kernel/misc/amd64/idmap
          misc/sha2 =>         /kernel/misc/amd64/sha2
          fs/fifofs =>         /kernel/fs/amd64/fifofs
          sys/doorfs =>        /kernel/sys/amd64/doorfs
          strmod/rpcmod =>     /kernel/strmod/amd64/rpcmod
          misc/tlimod =>       /kernel/misc/amd64/tlimod
          unix (parent) =>     /platform/i86pc/kernel/amd64/unix
          genunix (parent dependency) => /kernel/amd64/genunix

137 Small, but Useful Stuff
mkfile -p

  root@server:~# mkfile -p narf 512 test1
  root@server:~# tail ./test1
  narfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfn
  arfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfna
  rfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnar
  fnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarf
  narfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfn
  arfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfnarfna
  rfnarfnarfnarfnarfnarfnarf
  root@server:~#

138 Small, but Useful Stuff
prtconf -v

  # prtconf -v
  xsvc, instance #0
      Device Hold:
          mod='specfs' id=3 value='Device opened.'
  [...]
      Device Minor Nodes:
          dev=(232,0)
              dev_path=/xsvc@0,0:xsvc
                  spectype=chr type=minor nodetype=ddi_pseudo
                  dev_link=/dev/xsvc
              Device Minor Opened By:
                  proc='vbiosd' pid=246
                      cmd='/usr/sbin/vbiosd'
                      user='root[0]'

139 Additional Misc
• Improved Locale Support
• User-Mode Watchpoints
• GNOME 3.24
  – No more multi-level labeled Trusted Extensions desktop
  – No more SunRay Support
• man command Enhancements
• Various bundled Software Updates

140 Additional
You will not be able to run Oracle Solaris 11.4 on a number of older systems
• Oracle Solaris 11.4 doesn't run on a number of older systems:
  – SPARC Enterprise M3000, M4000, M5000, M8000, and M9000 systems that use SPARC64 VI, VII, or VII+ CPUs
  – Platforms based on UltraSPARC T1 CPUs: Sun Fire T1000 and T2000, Sun SPARC Enterprise T1000 and T2000, Netra CP3060, Netra T2000, and Sun Blade T6300
  – Platforms based on UltraSPARC T2 CPUs: Sun SPARC Enterprise T5120 and T5220, Sun Blade T6230, Netra CP3260, and Netra T5220
  – Platforms based on UltraSPARC T2+ CPUs: Sun SPARC Enterprise T5140, T5240 and T5440, Sun Blade T6340, Sun Netra T6340, and Netra T5440
  – Platforms based on SPARC T3 CPUs: SPARC T3-1, T3-1B, T3-2 and T3-4, Netra SPARC T3-1, and Netra SPARC T3-1BA
  – Sun Java Workstation models: W1100z, W2100z
  – Sun Ultra Workstation models: 20, 20 M2, 40, 40 M2
  – Sun Fire server models: V20z, V40z, X2100, X2100 M2, X2200 M2, X4100, X4100 M2, X4140, X4200, X4200 M2, X4240, X4440, X4540, X4600, X4600 M2, X4640
  – Sun Blade server modules: X6220, X6240, X6440, X8400, X8420, X8440
  – Netra X4200 M2

141 Summary: Oracle Solaris
• Continuous Delivery Model
  – Innovation through dot releases
  – Regularly updated widely used open source packages
  – Quarterly Critical Patch Updates
  – Monthly Support Repository Updates
• Secure, Stable, Virtualized
  – Integrated security and Virtualization
  – Availability Features
  – Simplify Deployments and Operations
• Best for Oracle Database and Java
  – Data/Systems Management
  – Networking Features
  – Performance Features
• Long Term Investment Protection
  – Oracle Solaris 11 Support through at least 2034
  – Lifetime Support for Oracle Solaris Legacy environments
  – Application Binary Compatibility

Mission Critical Operating System

142 References
• Oracle Solaris 11.4 Beta Blog Index: https://blogs.oracle.com/solarium/public-oracle-solaris-114-beta
• Oracle Solaris 11.4 Beta Doc Library (What's New, Release Notes, ...): https://docs.oracle.com/cd/E37838_01/
• EOF Announcement Link: http://www.oracle.com/technetwork/systems/end-of-notices/index.html
• Critical Patch Updates, Security Alerts and Bulletins: https://www.oracle.com/technetwork/topics/security/alerts-086861.html
• Reference Index of CVE IDs and Oracle Solaris Patches (Doc ID 1448883.1)
