
Copyright 2011, Oracle and/or its affiliates. All rights reserved.

Authors
Michael Ernest
Gary Riseborough
Marcus Flieri
Bart Smaalders
Dave Miner
Nicolas Droux
Dan Price
Cindy Swearingen
Glenn Fadden
Liane Praza

Technical Contributors and Reviewers
Mike Tracey
Mike Carew

Editor
Malavika Jinka

Publishers
Nita Brozowski
Sumesh Koshy

Disclaimer
This document contains proprietary information and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except where your use constitutes "fair use" under copyright law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Restricted Rights Notice
If this documentation is delivered to the United States Government or anyone using the documentation on behalf of the United States Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Oracle University and ORACLE CORPORATION use only

THESE eKIT MATERIALS ARE FOR YOUR USE IN THIS CLASSROOM ONLY. COPYING eKIT MATERIALS FROM THIS COMPUTER IS STRICTLY PROHIBITED

Contents

Preface

1 Introduction
Oracle Solaris: The Mission Critical OS
Raising the Bar Set by Solaris 10
SPARC Enterprise Servers
SPARC T3 Servers: Scaling to New Heights
Oracle Solaris: Platform Choice and Flexibility
Serious About Oracle Solaris
Oracle Addresses Range of Customer Needs
Topic Outline
Module Structure

2 Image Packaging System (IPS) and Automated Installer (AI)
IPS Design Goals
IPS Implementation
IPS Package
Package Naming
IPS Repository
Starting the packagemanager GUI
Starting the packagemanager GUI - 2
pkg Subcommands
pkg Subcommands 2
Example: Search, List, and Install
Installing a Package with Dependencies
Verifying a Package
Fixing a Package
Listing Package Contents
Removing a Package
Updating a Package
Creating a Package
Group Packages
Other Commands and Utilities
AI: Why Replace JumpStart?
Rosetta Stone for Solaris 10 Users
AI Components and Features
AI Terminology
Flow of Automated Installation
Creating an AI Service
Creating an IPS Repository
Creating AI Clients
JumpStart to AI Mapping
IPS References
AI References

3 Network Virtualization 1
Feature: Overview
Virtual NICs (VNICs)
Virtual NICs (VNICs) 2
Virtual Switches
Physical Wire, Physical Machines
Virtual Network: Example
Creating VNICs and Etherstubs
Unified Data Link Properties
Virtual Bridges
ipadm
Managing Interfaces and IP Addresses
Managing Interface Properties
Creating Flows
Data Link Vanity Naming
Resource Pools
dlstat(1M)
Other Network Observability Enhancements
Rethinking Zones
Other Solaris 11 Enhancements

4 ZFS Features in Solaris 11
Enhancements
Boot Environments
Boot Environments (BE)
Creating a Boot Environment
Activating a Boot Environment
Destroying a Boot Environment
Mounting and Unmounting a Boot Environment
Creating New Boot Environments
Creating New Boot Environments - 2
BE Upgrade with pkg-update
Deduplication
Deduplication Example - 1
Deduplication Example - 2
Root Pool Mirroring
Snapshot Differences
zfs diff Output
Send Stream Enhancements
Send Stream: Override Example
Send Stream: Enforce Example
Send Stream: Ignore Example
Pool Import: Log Device Recovery
Pool Import Recovery: Example
Pool Import: Read-Only Mode
Synchronous Write Behavior Property
Values for sync Property
ZFS Synchronous Behavior: Tuning Caveats
RAIDZ/Mirror Performance
Integrating ZFS into Deployment
Performance Notes
Other ZFS Features
ZFS References

5 Zones
Changes Since Solaris 10 FCS
Design and Features
Storage
Networking: Exclusive IP Zones
Networking: Shared IP Zones
IPMP
Zones Observability
zonestat Command
zonestat Interval: Example
zonestat by Resource: Example
Resource Management
Zones Security
Solaris 10 Containers
Solaris 10 Container: Expected Migration Path
References

6 Network Virtualization 2
Advanced Network Features
ilbadm: L3/L4 Integrated Load Balancing
Load Balancing Components
ilbadm: Example
IP Filter, Forwarding in a Zone
Hardware Lanes and Dynamic Polling
Hardware Lanes
ipmpstat: Observability for IPMP Groups
ipmpstat: Example
Fiber Channel over Ethernet (FCoE)
Virtual Router Redundancy Protocol (VRRP)
IP over Infiniband (IPoIB)
Non-Uniform Memory Architecture (NUMA) I/O
NUMA I/O Architecture: Overview
GLDv3 Public Driver APIs
Network Performance Highlights

7 Security
Features
Root Implemented as a Role
File system encryption: zfs(1M)
Configuring ZFS Encryption
File system encryption: lofiadm
Network Spoofing Protection
Zones: Delegated Administration
SMF: Delegated Administration
SMF: Method Context
SMF: Firewall Integration
Least Privilege Changes
In kernel pfexec
Basic Privileges: More is Less
Role-Based Access Control
Sandboxing Enhancements
Kerberos Improvements
Key Management: pkcs11_kms Provider
Other Enhancements
Oracle Solaris 11 Trusted Extensions
Trusted Extensions Changes
Trusted Platform Modules (TPM)

8 Services Management Facility (SMF)
SMF Design Goals
SMF Is the Glue in Solaris 11
Service Templates
Early Manifest Imports
SMF Enhanced Profiles
Fault Notification
IPS Actuators
FMRI Stored in proc_t Structure

Preface


Profile

Before You Begin This Course
You should be able to configure and manage a system running the Oracle Solaris Operating System.
An understanding of Oracle Solaris features and working knowledge of the Oracle Solaris 10 Operating System is beneficial, but not required.

How This Course Is Organized
What's New in Oracle Solaris 11 is an instructor-led seminar featuring lecture and demonstrations. Online demonstrations and written practice sessions reinforce the concepts and skills introduced.

Related Publications
System release bulletins
Installation and user's guides
read.me files
International Oracle User's Group (IOUG) articles
Oracle Magazine

Introduction


Oracle Solaris: The Mission Critical OS

If It Must Work, It Runs on Solaris
The #1 deployment platform for the #1 mission critical Oracle Database
Extreme data integrity: ZFS
Hardened security: Secure by Default, Cryptographic Framework, Least Privilege model
Predictive Self Healing: FMA, SMF
Complete Virtualization with application isolation and resource management: Containers
Production Safe Observability: DTrace
Scalable to thousands of threads, terabytes of memory

Raising the Bar Set by Solaris 10

Oracle Solaris 11
The Only Completely Virtualized OS
Availability: Greatly improved with new packaging tools, safe online upgrades, faster reboots
Scalability and Performance: Thousands of threads, terabytes of RAM, hundreds of Gbps network bandwidth
Efficiency: Virtualized network, storage and server resources; binary compatibility; advanced power management
Security: On-disk data encryption, secure process execution, HW certification of the OS at boot time

SPARC Enterprise Servers

The Leader in System Scalability

5 Year Trajectory
Cores: 4x
Threads: 32x
Memory Capacity: 16x
Database TPM: 40x
Java Ops Per Second: 10x

[Figure: SPARC roadmap timeline, 2010 to 2015, pairing M-Series and T-Series generations (socket counts, throughput and single-strand gains) with Solaris 11 Express, Solaris 11 and Solaris 11 Update releases.]

SPARC T3 Servers: Scaling to New Heights

Integrated, High Throughput SPARC Systems for Massive Scale
World's First 16 Core Processor
SPARC T3-4: 64 cores, 512 threads
SPARC T3-2: 32 cores, 256 threads
SPARC T3-1: 16 cores, 128 threads
SPARC T3-1B Blade for Blade 6000: 16 cores, 128 threads

[Figure: the four systems plotted by system throughput, consolidation and virtualization (each axis running to HIGH), with callouts: Best scale, Most security, Medium scale, Enterprise-ready, Middleware consolidation, Entry-level, Price/performance, Best density, Best RAS.]

Oracle Solaris: Platform Choice and Flexibility

[Figure: Solaris, Solaris 10 and Solaris 8 or 9 zones running on Oracle SPARC, x86 and Oracle x86.]
Built-in scalable, platform-independent virtualization
Consolidation path for older Solaris versions
Native, bare metal performance
Leverages server virtualization technology
Binary Compatibility Guaranteed

Serious About Oracle Solaris


Investments in Oracle Solaris 11
SPARC, x86 support
Exadata and Exalogic
Compute, Storage, Network
Over 2,700 projects, over 400 inventions

Over 20 million hours of development


Over 60 million hours of testing
Over 56 million tests
Over 11,000 applications
Solaris 11: Coming in 2011


Oracle Addresses Range of Customer Needs

High Performing Application-to-Disk Solutions from a Single Vendor

[Figure: offerings plotted by Efficiency against Manageability and Simplicity (both axes running to HIGH): Compute, Storage, Network, Software; Oracle's Optimized Solutions; Engineered Systems. Stack layers shown: Applications, Fusion Middleware, Database, VM, Solaris/OEL, Server, Storage.]

The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions.

The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.

Topic Outline

Morning
Image Packaging System
Automated Installer
Networking (Crossbow)
Afternoon
Solaris Containers
ZFS
Security
SMF (Application Deployment)


Module Structure

Focus on enhancements since Oracle Solaris 10 9/10 release
Command-line examples included with slides
Feature demonstrations at instructor's discretion
Use cases blogged daily
Demo environment is generic
VirtualBox instance
Unless special arrangements are made
Text install, slim_profile added
Demo scripts available to those interested

Image Packaging System (IPS) and Automated Installer (AI)

IPS Design Goals

Use one process for installing, patching, and upgrading


Minimize system downtime
Reverse install operations easily


IPS Implementation

Relies on ZFS for safety
Makes fast, safe copies with snapshots and clones
Can apply changes to cloned BEs when desired
Avoids conditions imposed by patches that overwrite files
Single-user mode to prevent untimely access
Deferred activation to prevent uncoordinated access
Problem: A file that has been patched is available immediately for use. A program that depends on it, however, will not work until the system is rebooted.

http://blogs.oracle.com/patch/entry/deferred_activation_patching

IPS Package

New model incorporates all software change types
Includes dependencies automatically
Installs only what is required to complete a package
Each package is associated with a publisher
Replaces metacluster model with profiles that can overlap
Supports signed packages
Uses a fat package model
All variations in one: SPARC/x86/debug/nondebug
Available from a repository

Package Naming

Packages use a Fault Management Resource Identifier (FMRI)
pkg://solaris/library/libc@5.11,5.11-0.75:20071001T163427Z
Package categories establish a namespace
Similar to SMF service names
Each version has its own tuple
libc@5.11,5.11-0.75:20071001T163427Z
<component>,<build>-<branch>:<timestamp>
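Added example (not from the course material or from the pkg source): a Python parser for the FMRI layout on the Package Naming slide, used to gate an update on publisher and version. The function names, the trusted-publisher set and the 3.2.10 candidate version are constructed for illustration, and ordering by component, then branch, then timestamp is an assumption of this example.

```python
import re
from datetime import datetime, timezone

# pkg://<publisher>/<name>@<component>,<build>-<branch>:<timestamp>
# Publisher, build, branch and timestamp are optional, as in the shortened
# FMRIs that pkg search and pkg list print elsewhere in this module.
_FMRI_RE = re.compile(
    r"""^(?:pkg:)?
        (?://(?P<publisher>[^/@]+)/|/)?
        (?P<name>[A-Za-z0-9][A-Za-z0-9_.+/-]*?)
        (?:@(?P<component>\d+(?:\.\d+)*)
           (?:,(?P<build>\d+(?:\.\d+)*))?
           (?:-(?P<branch>\d+(?:\.\d+)*))?
           (?::(?P<timestamp>\d{8}T\d{6}Z))?
        )?$""",
    re.VERBOSE,
)

_EPOCH = datetime.min.replace(tzinfo=timezone.utc)


def _dotted(text):
    """'0.151.0.1' -> (0, 151, 0, 1) so segments compare numerically."""
    return tuple(int(part) for part in text.split(".")) if text else None


def parse_fmri(fmri):
    """Split an FMRI into its fields; raise ValueError if it is malformed."""
    m = _FMRI_RE.match(fmri.strip())
    if not m:
        raise ValueError(f"not a package FMRI: {fmri!r}")
    ts = m["timestamp"]
    return {
        "publisher": m["publisher"],
        "name": m["name"],
        "component": _dotted(m["component"]),
        "build": _dotted(m["build"]),
        "branch": _dotted(m["branch"]),
        "timestamp": datetime.strptime(ts, "%Y%m%dT%H%M%SZ").replace(
            tzinfo=timezone.utc) if ts else None,
    }


def version_key(parsed):
    """Sort key (assumed ordering: component, branch, timestamp)."""
    return (parsed["component"] or (), parsed["branch"] or (),
            parsed["timestamp"] or _EPOCH)


def check_update(installed, candidate, trusted_publishers):
    """Accept a candidate only from a trusted publisher, for the same
    package name, and with a strictly newer version."""
    old, new = parse_fmri(installed), parse_fmri(candidate)
    if new["publisher"] not in trusted_publishers:
        return "reject: untrusted publisher"  # also hits publisher-less FMRIs
    if old["name"] != new["name"]:
        return "reject: different package"
    if version_key(new) <= version_key(old):
        return "reject: not newer"
    return "accept"


if __name__ == "__main__":
    print(parse_fmri("pkg://solaris/library/libc@5.11,5.11-0.75:20071001T163427Z"))
    print(check_update(
        "pkg://solaris/network/ftp/ncftp@3.2.3-0.151.0.1",
        "pkg://solaris/network/ftp/ncftp@3.2.10-0.151.0.1",  # constructed
        {"solaris"}))
```

Comparing the dotted fields as integer tuples is what makes 3.2.10 sort after 3.2.3; a plain string comparison would get that wrong.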

IPS Repository

Networked software catalog service


Incremental or monolithic downloads
Built-in software release versioning
Avoids media size as a delivery constraint
Publishes catalog of available software
Automates retrieval of new dependencies, updates
Download/unzip/install steps unnecessary
Default publisher
http://pkg.oracle.com/solaris/release/


Starting the packagemanager GUI

pkg Subcommands

/usr/bin/pkg
Install packages and configure repositories
pkg list
List packages installed on the system
pkg search <pkg_name|pattern>
Identify the package that a file (or pattern) belongs to
Limit search to local packages with -l option
pkg info <pkg_name>
Lists package details

pkg Subcommands 2

pkg install <pkg_name>
pkg uninstall <pkg_name>
pkg verify <pkg_name>
Validate a package's installation
pkg fix <pkg_name>
Fix errors reported by pkg verify
pkg contents <pkg_name>
Display the objects making up a package

Example: Search, List, and Install

# pkg search /usr/bin/ncftp
INDEX  ACTION  VALUE          PACKAGE
path   file    usr/bin/ncftp  pkg:/network/ftp/ncftp@3.2.3-0.151.0.1
# pkg list pkg:/network/ftp/ncftp
pkg list: no packages matching 'pkg:/network/ftp/ncftp' installed
# pkg install ncftp
Packages to install:      1
Create boot environment:  No
DOWNLOAD                    PKGS   FILES  XFER (MB)
Completed                   1/1    13/13  0.5/0.5

PHASE                       ACTIONS
Install Phase               39/39
PHASE                       ITEMS
Package State Update Phase  1/1
Image State Update Phase    2/2

Installing a Package with Dependencies

# pkg install gimp
Refreshing catalog 1/1 solaris
Caching catalogs ...
Creating Plan
Packages to install:      24
Create boot environment:  No
Services to restart:      6
DOWNLOAD                     PKGS   FILES      XFER (MB)
library/desktop/libgweather  0/24   0/8732     0.0/68.0
...
image/library/gegl           23/24  8714/8732  68.0/68.0
Completed                    24/24  8732/8732  68.0/68.0

PHASE                        ACTIONS
Install Phase                1/10557
...
Install Phase                10557/10557
PHASE                        ITEMS
Package State Update Phase   /24
...

Verifying a Package

# pkg verify ncftp
# ls -l /usr/bin/ncftp
-r-xr-xr-x 1 root bin 276012 Dec 7 20:39 /usr/bin/ncftp
# chmod 775 /usr/bin/ncftp
# pkg verify ncftp
Verifying: PACKAGE                 STATUS
pkg://solaris/network/ftp/ncftp    ERROR
file: usr/bin/ncftp
Mode: 0775 should be 0555

Fixing a Package

# pkg fix ncftp
Verifying: pkg://solaris/network/ftp/ncftp    ERROR
file: usr/bin/ncftp
Mode: 0775 should be 0555
Created ZFS snapshot: 2010-12-07-23:29:09
Repairing: pkg://solaris/network/ftp/ncftp
DOWNLOAD                    PKGS  FILES  XFER (MB)
Completed                   1/1   2/2    0.1/0.1

PHASE                       ACTIONS
Update Phase                2/2
PHASE                       ITEMS
Package State Update Phase  1/1
Package Cache Update Phase  1/1
Image State Update Phase    2/2
# pkg verify ncftp

Listing Package Contents

# pkg contents ncftp


PATH
usr
usr/bin
usr/bin/ncftp
usr/bin/ncftpbatch
usr/bin/ncftpbookmarks
usr/bin/ncftpget
usr/bin/ncftpls
usr/bin/ncftpput
usr/bin/ncftpspooler
usr/sfw
usr/sfw/bin
usr/sfw/bin/ncftp
...


Removing a Package

# pkg uninstall ncftp
Creating Plan
Packages to remove:       1
Create boot environment:  No
PHASE                       ACTIONS
Removal Phase               /33
Removal Phase               33/33
PHASE                       ITEMS
Package State Update Phase  1/1
Package State Update Phase  1/1
Package Cache Update Phase  1/1
Image State Update Phase    1/2
Image State Update Phase    2/2
Image State Update Phase    2/2
PHASE                       ITEMS
Reading Existing Index      1/8
Reading Existing Index      5/8
Reading Existing Index      8/8
Indexing Packages           1/1

Updating a Package

Updating all installed packages to the latest version

# pkg update
Packages to install:      1
Packages to update:       795
Create boot environment:  Yes
DOWNLOAD       PKGS     FILES      XFER (MB)
Completed      796/796  4754/4754  205.2/205.2
PHASE          ACTIONS
Removal Phase  2561/2561
Install Phase  3967/3967
Update Phase   6277/6277
...

A clone of solaris-39 exists and has been updated and activated.
On the next boot the Boot Environment solaris-40 will be mounted on '/'.
Reboot when ready to switch to this updated BE.

Creating a Package

Easy to package existing software

$ pkgrepo -s file:/tmp/test-repo create
$ pkgrepo -s file:/tmp/test-repo set publisher/prefix=michael.oow.com
$ eval `pkgsend -s file:/tmp/test-repo open ilb_demo@1.0`
< exports a PKG_TRANS_ID value into shell environment >
$ pkgsend -s file:/tmp/test-repo import ~/ilb_demo
$ pkgsend -s file:/tmp/test-repo close
pkg://michael.oow.com/ilb_demo@1.0,5.11:20110912T012101Z
PUBLISHED

Or emit a manifest
$ pkgsend generate ~/fu
file gnome_terminal_fu group=bin mode=0644 owner=root path=gnome_terminal_fu pkg.size=326
file netbeans_fu group=bin mode=0644 owner=root path=netbeans_fu pkg.size=283
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
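Added example (not from the course material and not Oracle's pkg code): a small Python re-creation of the check behind the "Mode: 0775 should be 0555" report on the Verifying a Package slide, driven by file actions in the pkgsend generate format shown on the Creating a Package slide. The manifest text, the helper names and the temporary image directory are constructed for illustration; only mode and size are compared.

```python
import os
import shlex
import stat
import tempfile

# Constructed manifest in the `pkgsend generate` style; the ncftp entry
# carries the mode that the slide's `pkg verify` output expects (0555).
SAMPLE_MANIFEST = """\
file awk_fu group=bin mode=0644 owner=root path=awk_fu pkg.size=110
file ncftp group=bin mode=0555 owner=root path=usr/bin/ncftp pkg.size=16
"""


def parse_file_actions(manifest_text):
    """Return one attribute dict per `file` action line."""
    actions = []
    for line in manifest_text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] != "file":
            continue  # other action types are out of scope here
        attrs = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if "path" not in attrs or "mode" not in attrs:
            raise ValueError(f"file action missing path/mode: {line!r}")
        actions.append(attrs)
    return actions


def verify_image(root, actions):
    """Compare files under `root` with the manifest.

    Returns a list of (path, problem) tuples; an empty list means clean.
    """
    root = os.path.realpath(root)
    findings = []
    for a in actions:
        target = os.path.normpath(os.path.join(root, a["path"]))
        # A manifest path must never resolve outside the image root.
        if not target.startswith(root + os.sep):
            findings.append((a["path"], "path escapes image root"))
            continue
        try:
            st = os.lstat(target)
        except FileNotFoundError:
            findings.append((a["path"], "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((a["path"], "not a regular file"))
            continue
        # S_IMODE keeps set-uid/set-gid/sticky bits, so an added set-uid
        # bit shows up as a mode mismatch as well.
        actual, expected = stat.S_IMODE(st.st_mode), int(a["mode"], 8)
        if actual != expected:
            findings.append(
                (a["path"], f"Mode: {actual:04o} should be {expected:04o}"))
        if "pkg.size" in a and st.st_size != int(a["pkg.size"]):
            findings.append(
                (a["path"], f"Size: {st.st_size} should be {a['pkg.size']}"))
    return findings


def demo():
    """Build a throwaway image, drift one mode as the slide does, verify."""
    actions = parse_file_actions(SAMPLE_MANIFEST)
    with tempfile.TemporaryDirectory() as root:
        for a in actions:
            full = os.path.join(root, a["path"])
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"\0" * int(a["pkg.size"]))
            os.chmod(full, int(a["mode"], 8))
        clean = verify_image(root, actions)
        os.chmod(os.path.join(root, "usr/bin/ncftp"), 0o775)  # chmod 775
        drifted = verify_image(root, actions)
    return clean, drifted


if __name__ == "__main__":
    for label, result in zip(("clean", "drifted"), demo()):
        print(label, result)
```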

Group Packages

Part of manual or automated install process
Controls other installed packages (or package groups)
babel_install installs slim_install
slim_install is LiveCD content
Must uninstall group packages to customize what they control
Remove babel_install to manage slim_install
Remove slim_install to manage individual packages
The automated installer will do this for you

Other Commands and Utilities

Other pkg(5) utilities
pkg publisher
pkg set-publisher
pkgrepo(1)
pkgsend(1)
pkgrecv(1)
pkgdepend(1)
pkg.depotd(1M)
pkgmogrify(1M)

AI: Why Replace JumpStart?

To make updating/patching:
Faster
More reliable
Easily reversible
To leverage current technology
Integrate with ZFS
Leverage the IPS repository
Apply SMF naming scheme
To separate client and server dependencies
Make the installer platform-neutral
Let clients select their software repository


Rosetta Stone for Solaris 10 Users

Solaris 10                    Solaris 11
SVR4 Packages                 IPS (SVR4 still supported)
Install media                 Starter image + IPS repository
Live Upgrade                  beadm(1M)
Upgrade option                pkg update, Update Manager
JumpStart                     Automated Installer (AI)
JumpStart Profiles            AI Manifests
Flash Install replication     No equivalent yet
Blueprints for custom DVDs    Distribution Constructor

AI Components and Features

Three service components
DHCP server (requires mDNS)
SMF-based installer
IPS repository
Tools for managing and observing process
Configure with installadm(1M)
Observe clients using livessh install parameter
Manage image with beadm(1M)
AI is WAN Boot-ready

AI Terminology

Client (installation target)
Can be physical or virtual (not zones, yet)
SMF Services
svc:/network/dhcp-server:default
svc:/system/install/server:default
svc:/application/pkg/server
Manifest
SMF-named install configuration
Criteria
Properties that match client details to an appropriate manifest

Flow of Automated Installation


Creating an AI Service

Use Oracle Solaris DHCP or ISC DHCP
installadm(1M) will manage DHCP if:
svc:/network/physical:default (Not nwam)
svc:/network/dns/multicast:default
/etc/netmasks entry exists
Default route is set
Use AI-specific image
sol-11-exp-201011-ai-{x86|sparc}.iso
Server and client platforms do not have to match
Cannot super-size the AI image from Text or LiveCD

Creating an AI Service

# pkg verify installadm
# installadm create-service -a sparc -n solaris_11 \
> -i 192.168.1.10 -c 3 -s ai_sparc_image.iso \
> /export/ai/sparc/solaris_11
# installadm list

-n <name>           Install service name
-i <IP>             DHCP start address
-c <count>          DHCP range
-s <file.iso>       AI source image
<target_directory>

Creating an IPS Repository

Download Repository Image (two files)
  http://www.oracle.com/technetwork/serverstorage/solaris11/downloads/index.html
Combine the files and:
  Burn it to media
  Or, mount it by using lofiadm(1M)
  Or, copy it to a ZFS file system with rsync(1)
Enable repository service
  svc:/application/pkg/server:default
For more details, see How to Copy An Oracle Solaris 11 Software Package Repository.


Creating AI Clients

The client will get AI service location from DHCP.
The client will get boot image, configuration, and repository location from AI service.
AI service identifies clients by MAC address.
x86 clients can add other boot parameters.
AI service binds clients to a named install service.
# installadm create-client -b "console=ttya,livessh=enable" \
> -e 0:e0:81:5d:bf:e0 -n s11-x86
# installadm create-client -e 00:14:4f:a7:65:70 -n s11-sparc


JumpStart to AI Mapping

JumpStart               AI
setup_install_server    installadm create-service
add_install_client      installadm create-client
begin script            Manifests, driver updates, custom image
                        from Distribution Constructor
Client profiles, rules  Manifests with client criteria
finish script           pkg actuators (before reboot)
                        First-boot SMF services
sysidcfg file           SMF profile


IPS References

Adding and Updating Oracle Solaris 11 Software Packages


http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=AUOSS


AI References

Creating a Custom Oracle Solaris Installation Image
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=CCOSI
Transitioning From Oracle Solaris 10 JumpStart to Oracle Solaris 11 Automated Installer
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=MFJAI
Creating and Administering Oracle Solaris 11 Boot Environments
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=CMBEA
Installing Oracle Solaris 11 Systems
  http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=IOSUI


Network Virtualization 1


Feature: Overview

Virtualized NICs, switches, and bridges
Dynamic IP address management
Quality of Service (QoS)
  Control bandwidth by transport, service, protocol, or connection
Vanity naming for devices
Fencing compute resources
  Assign NICs/VNICs to processor sets or pools
Real time usage and history


Virtual NICs (VNICs)

Same control as a physical NIC
  Private TCP/IP stack
  Managed with ifconfig, dladm, and so on
Dedicated MAC address
  May be random, chosen, or device-assigned
Can be bound to hardware and kernel resources


Virtual NICs (VNICs) 2

Private TCP/IP stack
  Data path is separate, does not rely on modules added to a global stack
A complete, standards-based virtualization solution
  VLAN tags supported
  Priority Flow Control (PFC)
  With supporting hardware, can be fully encapsulated to the switch


Virtual Switches

VNICs sharing a VLAN id on one data link need a switch
  MAC layer provides built-in switching semantics
  Data path among VNICs sits on top of the data link
  Connects VNIC to physical network
  Isolates broadcast domains
Want an explicit virtual switch? Use an etherstub:
  Makes any virtual network topology possible
  Can reduce or eliminate trips to physical NIC
  Can also manage resource controls


Physical Wire, Physical Machines

[Figure: Client, Router, Host 1 and Host 2 connected through numbered ports on Switch 1 and Switch 3, over 1 Gbps and 100 Mbps links.]

Virtual Wire, Virtual Machines

[Figure: the same topology virtualized: Client, Virtual Router, Host 1 and Host 2 connected through VNICs on Etherstub 1 and Etherstub 3, over 1 Gbps and 100 Mbps links.]


Virtual Network: Example


Creating VNICs and Etherstubs

# dladm create-vnic -l bge1 vnic1
# dladm create-vnic -l bge1 -m random -p maxbw=100M -p cpus=4,5,6 vnic2
# dladm create-etherstub vswitch1
# dladm show-etherstub
LINK

vnic2  bge1      random  2:5:6:7:8:9  max=100M   4,5,6
vnic3  vswitch1  random  4:3:4:7:0:1  max=1000M
# dladm create-vnic -l ixgbe0 -v 1055 -p maxbw=500M -p cpus=1,2 vnic9


Unified Data Link Properties

dladm [set,reset,show]-linkprop
Alternative to ndd(1M) utility
Single, stable interface for network property consumers
Changes can be made temporary or persistent
$ dladm show-linkprop e1000g0
LINK     PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
e1000g0  speed       r-    1000   1000     --
e1000g0  duplex      r-    full   full     half,full
e1000g0  state       r-    up     up       up,down
e1000g0  flowctrl    rw    no     bi       no,tx,rx,bi
e1000g0  maxbw       rw    --     --       --
e1000g0  priority    rw    high   high     low,medium,high
e1000g0  protection  rw    --     --       mac-nospoof,restricted,ip-nospoof,dhcp-nospoof
e1000g0  rxrings     rw    --     --       --
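
As an added example (not part of the course material), this script reports which links lack the anti-spoofing modes listed as POSSIBLE values of the protection property above. It assumes the parseable form `dladm show-linkprop -c -o link,property,value -p protection`; the sample lines, the required baseline and the exempted uplink are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the "protection" link property across data links.
# Assumed input: colon-separated lines as printed by
#   dladm show-linkprop -c -o link,property,value -p protection
# An unset value is accepted both as an empty field and as "--" (assumption).

# Baseline that every guest-facing link should carry (chosen for this example).
REQUIRED_PROTECTION="mac-nospoof ip-nospoof"

# Constructed sample output; not captured from a real system.
sample_linkprop_output() {
cat <<'EOF'
e1000g0:protection:
vnic1:protection:mac-nospoof,ip-nospoof,dhcp-nospoof
vnic2:protection:mac-nospoof
vnic9:protection:--
play1:protection:restricted,ip-nospoof,mac-nospoof
EOF
}

# audit_link_protection "<required modes>" [exempt-link ...]
# Reads show-linkprop lines on stdin and prints one line per non-compliant
# link in the form "<link> missing=<mode>[,<mode>...]".
audit_link_protection() {
    required=$1
    shift
    exempt=" $* "
    awk -F: -v required="$required" -v exempt="$exempt" '
        $2 != "protection" { next }
        index(exempt, " " $1 " ") { next }   # links excluded on purpose
        {
            n = split(required, need, " ")
            value = ($3 == "--") ? "" : $3
            m = split(value, have, ",")
            missing = ""
            for (i = 1; i <= n; i++) {
                found = 0
                for (j = 1; j <= m; j++)
                    if (have[j] == need[i]) found = 1
                if (!found)
                    missing = missing (missing == "" ? "" : ",") need[i]
            }
            if (missing != "") print $1 " missing=" missing
        }'
}

# Stand-alone run over the constructed sample, exempting the physical uplink.
sample_linkprop_output | audit_link_protection "$REQUIRED_PROTECTION" e1000g0
```

On a live system the sample function would be replaced by the dladm command itself, piped into audit_link_protection.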


Virtual Bridges

Data Link (Layer 2), 802.1D
Detects MAC addresses
Connects NICs, etherstubs, link aggregations
Lets you move a VNIC without changing IP address
Supports RBridges (TRILL: Transparent Interconnect of Lots of Links)
Managed with dladm

[Figure: a Bridge connecting NICs, VNICs and an etherstub.]


ipadm

Consolidates management of
  Network interface state
  IP address assignment
  TCP/IP protocol properties
Uses action-object subcommands like dladm
  create-if, show-if, disable-addr, and so on
Supersedes various commands and files
  ifconfig
  /etc/hostname.<interface>
  ndd


Managing Interfaces and IP Addresses

# dladm create-vnic -l bge0 play1
# ipadm create-addr -T static -d -a 10.2.3.5/24 play1/v4static2
# ipadm show-if
IFNAME  STATE  CURRENT       PERSISTENT
lo0     ok     -m-v------46  ---
bge0    ok     bm--------46  ---
play1   down   bm--------46  -46
# ipadm show-addr
ADDROBJ          TYPE    STATE  ADDR
play1/v4static2  static  down   10.2.3.5/24
#
# ipadm up-addr play1/v4static2
# ipadm show-addr play1/v4static2
ADDROBJ          TYPE    STATE  ADDR
play1/v4static2  static  ok     10.2.3.5/24


Managing Interface Properties

# ipadm show-ifprop play1
IFNAME  PROPERTY         PROTO  PERM  CURRENT  PERSISTENT  DEFAULT  POSSIBLE
play1   arp              ipv4   rw    on       --          on       on,off
play1   forwarding       ipv4   rw    off      --          off      on,off
play1   metric           ipv4   rw    0        --          0        --
play1   mtu              ipv4   rw    1500     --          1500     68-1500
play1   exchange_routes  ipv4   rw    on       --          on       on,off
play1   usesrc           ipv4   rw    none     --          none     --
play1   forwarding       ipv6   rw    off      --          off      on,off
play1   metric           ipv6   rw    0        --          0        --
play1   mtu              ipv6   rw    1500     --          1500     1280-1500
play1   nud              ipv6   rw    on       --          on       on,off
play1   exchange_routes  ipv6   rw    on       --          on       on,off
play1   usesrc           ipv6   rw    none     --          none     --


Creating Flows

Define a flow by:
  Service (protocol + port address)
  Transport type (TCP, UDP, SCTP, iSCSI, and so on)
  IP address/subnet
  Differentiated Service Code Point (DSCP) label
Flows can assign bandwidth caps (maxbw)
Flows maintain their own kstat counters
  Use flowstat(1M)
  Use extended accounting for historical reference
# flowadm create-flow -l bge0 protocol=tcp,local_port=443 -p maxbw=50M http-1
# flowadm set-flowprop -l bge0 -p maxbw=100M http-1


Data Link Vanity Naming

Vanity naming
  Set desired name via dladm(1M)
  List device interfaces in /dev/net
Supports alternative to so-called PPA hack
  PPA: Physical Point of Attachment
  Name calculated with (VID*1000 + instance)
  Example: bge + (487 * 1000 + 1) = bge487001
knickknack@os11e:/dev/net$ ls -l
total 0
crw-rw-rw- 1 root sys 58, 1001 2010-12-19 17:37 beatnic0
crw-rw-rw- 1 root sys 20,    1 2010-12-19 14:22 e1000g0


Resource Pools

Assigned CPUs process network traffic for a data link
  Both kernel threads and network interrupts
Configured through pools data link property
  # dladm show-linkprop -p pool <datalink>
  Alternative to manual setting (cpus property)
Pool configuration determines the CPUs selected
  svc:/system/pools:default
  Automatically updated if CPUs migrate to other pools
Some zones use dynamic pools
  svc:/system/pools/dynamic:default
  Assigns CPUs on zone bootup, releases on shutdown


dlstat(1M)

Observability for data link and flow statistics
Measured per hardware/software ring
  For VirtualBox instance:
  # kstat -n mac_rx_ring0
Includes network traffic spread to other CPUs (aka fanout)
Hardware lane counters (if NIC supports them)
# dlstat -i 30
LINK   IPKTS   RBYTES  OPKTS   OBYTES
bge0   25.89K  16.90M  18.23K  4.42M
play0  5.64K   1.51M   226     15.61K
play1  5.55K   1.49M   131     .63K
bge0   81      13.29K  19      7.13K
play0  62      9.37K   0
play1  62      9.37K   0


Other Network Observability Enhancements

IP-layer observability
  Snoop loopback traffic between zones using shared-IP
  # snoop -I lo0
Network DTrace providers
  udp: send, receive probes
  ip: send, receive, drop-in, drop-out probes
  tcp: send, receive, state-change, connect[request|refused|established], accept[refused|established] probes
tcpdump and wireshark are IPS packages
Observe flows with flowstat
Observe IPMP groups with ipmpstat


Rethinking Zones

Consider using the global zone (GZ) as a system service processor
NGZs isolate processes, software stacks
Resource controls cap NGZ consumption
  CPU binding, psets, or pools
  Virtual, resident set size (RSS), or paging memory
  Shared memory, semaphores
An exclusive TCP/IP stack completes the picture.
  L2/L3 boundary: Data links (exclusive-IP property)
  Per-NIC in Solaris 10, per-VNIC in Solaris 11
One example: the Immutable Service Container
  http://blogs.sun.com/video/entry/immutable_service_containers


Other Solaris 11 Enhancements

Still more stuff in dladm(1M)
  VLAN, WiFi, IP tunnel management
Network Auto-Magic (NWAM) service
  svc:/network/physical:nwam
  Automagic setup
  User can modify security, name services
  Manual control (CLI or GUI)
  Location-specific configurations


ZFS Features in Solaris 11


Enhancements

Key enhancements discussed in this module:


Root pool boot environments (BE)
Deduplication
Root pool mirroring
Snapshot diff capability

Synchronous write behavior property


Send stream enhancements
Improved pool recovery


Boot Environments

Makes updates safe, reliable, and recoverable
Similar to Solaris 10 Live Upgrade
ZFS only
Managed by beadm(1M)
Subcommands provide means to:
  List


Boot Environments (BE)

ZFS is required.
A BE is a special-purpose ZFS snapshot.
beadm(1M) replaces lu* commands.
All BEs reside in the root pool.
  No need to maintain partitions
Integrated with IPS
  New BEs with package actuators
  Make new BE with pkg image-update or pkg update


Creating a Boot Environment

Initial boot environment after installation
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
solaris   NR                2.81G   static 2010-12-06 03:48
Create a new boot environment by using beadm create
# beadm create S11-BE-1 && beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  -                 110.0K  static 2010-12-09 04:23
solaris   NR                2.81G   static 2010-12-06 03:48
Active flags
  N = Active now
  R = Active next reboot


Activating a Boot Environment

Activating a boot environment
# beadm activate S11-BE-1
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  R                 2.81G   static 2010-12-09 04:23
solaris                     120.5K  static 2010-12-06 03:48
After reboot
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR     /          2.82G   static 2010-12-09 04:23
solaris   -                 7.37M   static 2010-12-06 03:48


Destroying a Boot Environment

Destroying a boot environment
# beadm destroy solaris
Are you sure you want to destroy solaris? This action cannot be
undone(y/[n]):
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR     /          2.83G   static 2010-12-09 04:2


Mounting and Unmounting a Boot Environment

Mounting and unmounting a boot environment
# beadm create S11-BE-2 && beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR     /          2.83G   static 2010-12-09 04:23
S11-BE-2                    45.0K   static 2010-12-09 04:53
# beadm mount S11-BE-2 /mnt && beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR                2.83G   static 2010-12-09 04:23
S11-BE-2  -      /mnt       11.67M  static 2010-12-09 04:53
# beadm unmount S11-BE-2 && beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR                2.83G   static 2010-12-09 04:23
S11-BE-2  -                 12.08M  static 2010-12-09 04:53


Creating New Boot Environments

Create a new BE with an IPS package change
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  NR                2.84G   static 2010-12-09 04:23
S11-BE-2  -                 12.08M  static 2010-12-09 04:53
# pkg install --require-new-be --be-name=S11-BE-3 ncftp
Packages to install:      1
Create boot environment:  Yes
DOWNLOAD   PKGS  FILES  XFER (MB)
Completed  1/1   13/13  0.5/0.5
PHASE          ACTIONS
Install Phase  39/39
PHASE                       ITEMS
Package State Update Phase  1/1
Image State Update Phase    2/2


Creating New Boot Environments - 2

PHASE                   ITEMS
Reading Existing Index  8/8
Indexing Packages       1/1
A clone of S11-BE-1 exists and has been updated and activated.
On the next boot the Boot Environment S11-BE-3 will be mounted on '/'.
Reboot when ready to switch to this updated BE.
# beadm list
BE        Active Mountpoint Space   Policy Created
--        ------ ---------- -----   ------ -------
S11-BE-1  N                 352.0K  static 2010-12-09 04:23
S11-BE-2  -                 12.08M  static 2010-12-09 04:53
S11-BE-3  R                 2.85G   static 2010-12-09 05:19


BE Upgrade with pkg-update

New BE names are incremented by default
# pkg update
A clone of zfsBE exists and has been updated and activated.
On the next boot the Boot Environment zfsBE-1 will be mounted on '/'.
Reboot when ready to switch to this updated BE.
# init 6
# beadm list
BE       Active Mountpoint Space   Policy Created
--       ------ ---------- -----   ------ -------
zfsBE                      9.38M   static 2010-10-15 09:18
zfsBE-1  NR                10.76G  static 2010-11-05 09:57


Deduplication

Drops redundant data blocks
Enabled per-file system: dedup property
To determine benefit on the existing ZFS storage:
  # zdb -S <pool>
  http://hub.opensolaris.org/bin/view/Community+Group+zfs/dedup
Benefit is expressed similarly to compressratio
Observable via zpool status
Dedup operations have pool scope.


Deduplication Example - 1

bayle@os11e:~$ ls -l /usr/java/src.zip
-rw-r--r-- 1 root bin 19160179 2010-12-06 04:44 /usr/java/src.zip
bayle@os11e:~$ zfs set dedup=on rpool1/home/deirdre
bayle@os11e:~$ cp /usr/java/src.zip /home/deirdre/src1.zip
<copy in src[23456].zip>
bayle@os11e:~$ zfs list rpool1/home/deirdre
NAME                 USED  AVAIL  REFER  MOUNTPOINT
rpool1/home/deirdre  110M  8.10   110M   /home/deirdre


Deduplication Example - 2

bayle@os11e:~$ zpool list
NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool1  15.9G  6.61G  9.27G  41%  6.00x  ONLINE
bayle@os11e:~$ rm /home/deirdre/*zip
bayle@os11e:~$ zpool list
NAME    SIZE   ALLOC  FREE   CAP  DEDUP  HEALTH  ALTROOT
rpool1  15.9G  6.61G  9.27G  41%  1.00x  ONLINE
bayle@os11e:~$ zfs list rpool1/home/deirdre
NAME                 USED  AVAIL  REFER  MOUNTPOINT
rpool1/home/deirdre  31K   8.12G  31K    /home/deirdre


Root Pool Mirroring

Root pools can be mirrored after installation
  # zpool attach rpool <root_disk> <new_disk>
Allow resilvering to complete
  zpool status rpool
Boot blocks are installed automatically
Verify bootability


Snapshot Differences

The zfs diff command lists differences between two snapshots.
# ls /home/timh
fileA
# zfs snapshot tank/home/timh@old
<Create fileB>
# ls /home/timh
fileA fileB
# zfs snapshot tank/home/timh@new
# zfs diff tank/home/timh@old tank/home/timh@new
M       /tank/home/timh/
+       /tank/home/timh/fileB


zfs diff Output

Differences listed for files and directories:
M : Modification or link count change
- : Object is present in the first snapshot only
+ : Object is present in the second snapshot only
R : Object has been renamed
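
As an added example (not from the course material), the script below turns the four change codes into a review of changes under one watched directory between two snapshots, treating a rename as touching both its old and its new path. The watched prefix and the sample lines are constructed; real input would come from `zfs diff <older-snapshot> <newer-snapshot>`, whose fields are tab-separated.

```shell
#!/bin/sh
# Added example: report snapshot-to-snapshot changes under a watched path.
# Assumed input: zfs diff lines, "<code><TAB><path>", with renames written
# as "R<TAB><old path> -> <new path>".

# Constructed sample; dataset names follow the slide, file names are made up.
sample_zfs_diff() {
    printf '%s\t%s\n' \
        'M' '/tank/home/timh/' \
        '+' '/tank/home/timh/fileB' \
        '-' '/tank/home/timh/.ssh/known_hosts' \
        'R' '/tank/home/timh/notes.txt -> /tank/home/timh/.ssh/authorized_keys' \
        'M' '/tank/home/timh/fileA'
}

# watch_zfs_diff <path-prefix>
# Prints "<KIND> <path>" for every change whose path starts with the prefix.
watch_zfs_diff() {
    awk -F'\t' -v prefix="$1" '
        function under(p) { return index(p, prefix) == 1 }
        $1 == "R" {
            arrow = index($2, " -> ")
            src = substr($2, 1, arrow - 1)
            dst = substr($2, arrow + 4)
            # A rename matters if it moves something out of or into the
            # watched area, so both ends are checked.
            if (under(src) || under(dst)) print "RENAMED " src " => " dst
            next
        }
        under($2) {
            kind = ($1 == "+") ? "ADDED" : ($1 == "-") ? "REMOVED" : "MODIFIED"
            print kind " " $2
        }'
}

# Stand-alone run over the constructed sample.
sample_zfs_diff | watch_zfs_diff /tank/home/timh/.ssh/
```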


Send Stream Enhancements

Modify property values in a received dataset


Enforce property value(s) in a sent dataset
Disable property settings in a received dataset


Send Stream: Override Example

File compression is off for the tank/data file system. You want to enable compression for the bpool/data file system.
# zfs get compression tank/data
NAME       PROPERTY     VALUE  SOURCE
tank/data  compression  off    default
# zfs send -p tank/data@snap1 | zfs recv -o compression=on -d bpool
# zfs get -o all compression bpool/data
NAME        PROPERTY     VALUE  RECEIVED  SOURCE
bpool/data  compression  on     off       local


Send Stream: Enforce Example

The -b option declares the file system as a property source.
# zfs send -b bpool/data@snap1 | zfs recv -d restorepool
# zfs get -o all compression restorepool/data
NAME              PROPERTY     VALUE  RECEIVED  SOURCE
restorepool/data  compression  off    off       received


Send Stream: Ignore Example

The receive -x option ignores property settings.
  Applies recursively to contained file systems
For example: Ignore quota property setting:
# zfs send -R tank/home@1020 | zfs recv -x quota bpool/home
# zfs get -r quota bpool/home
NAME
PROPERTY VALUE SOURCE
bpool/home

quota

none

bpool/home@1020

quota

default

bpool/home/cindys

quota

local
bpool/home/cindys@1020 quota
-

none

bpool/home/tom
bpool/home/tom@1020

quota
quota

none
-

local


Pool Import: Log Device Recovery

Importing a pool with a missing log causes an error.
# zpool import dozer
The devices below are missing, use '-m' to import the pool anyway:
    c3t3d0 [log]
cannot import 'dozer': one or more devices is currently unavailable
Now, you can import the pool as-is (-m).
  Attach the missing log device.
  Use zpool clear to resolve errors.
Works for mirrored log devices


Pool Import Recovery: Example

Example: Import Pool With Missing Log Device
# zpool import -m dozer
# zpool status dozer
  pool: dozer
 state: DEGRADED
status: One or more devices could not be opened. Sufficient replicas
        exist for the pool to continue functioning in a degraded state.
action: Attach the missing device and online it using 'zpool online'.
   see: http://www.sun.com/msg/ZFS-8000-2Q
config:
        NAME                    STATE     READ WRITE CKSUM
        dozer                   DEGRADED     0     0
          mirror-0              ONLINE       0
            c3t1d0              ONLINE
            c3t2d0              ONLINE
        logs
          14685044587769991702  UNAVAIL      0     0  was c3t3d0


Pool Import: Read-Only Mode

May help in recovering a damaged pool
All datasets are mounted in the read-only mode.
Disables pool transaction processing
  No pending synchronous writes in the intent log are played.
  Attempts to set a pool property are ignored
# zpool import -o readonly=on tank
# zpool scrub tank
cannot scrub tank: pool is read-only
To revert to read-write, export and import the pool


Synchronous Write Behavior Property

The sync property defines per-file system write behavior
Replaces the zil_disable tunable parameter
The default setting is standard
  Write synchronous transactions to the intent log, flush devices
# zfs set sync=always tank/home/perrin


Possible Values for sync Property

sync property values include:

standard
Synchronous-write transactions: all fsync(3C) calls, open(2) calls flagged with O_DSYNC, O_SYNC

always
Write and flush all transactions to stable storage. The system call returns upon completion.

disabled
Commit transactions to stable storage with the next flush, regardless of delay. Fast performance, no risk of pool corruption. Data corruption is another matter.


ZFS Synchronous Behavior: Tuning Caveats

A sync property value of disabled on the active BE or /var may produce undefined behavior.
Increases vulnerability to replay attacks
Understand all the risks before using this value
Processes that rely on synchronous behavior can lose data with the disabled value.
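The caveats above can be checked across a whole system. The following is an added example, not part of the course material: it reads the tab-separated output of `zfs get -H -o name,property,value,source sync,mountpoint` and reports every dataset with sync=disabled, rating those mounted at / or under /var as high. The sample data, the severity labels and the use of mountpoint / as a stand-in for the active BE are assumptions.

```python
from collections import defaultdict

# Constructed sample of `zfs get -H -o name,property,value,source sync,mountpoint`
# output (-H prints tab-separated fields without a header). Not from a real system.
SAMPLE = "\n".join([
    "rpool/ROOT/solaris\tsync\tstandard\tdefault",
    "rpool/ROOT/solaris\tmountpoint\t/\tlocal",
    "rpool/ROOT/solaris/var\tsync\tdisabled\tlocal",
    "rpool/ROOT/solaris/var\tmountpoint\t/var\tlocal",
    "tank/scratch\tsync\tdisabled\tlocal",
    "tank/scratch\tmountpoint\t/scratch\tdefault",
    "tank/scratch/build\tsync\tdisabled\tinherited from tank/scratch",
    "tank/scratch/build\tmountpoint\t/scratch/build\tinherited from tank/scratch",
    "tank/home/perrin\tsync\talways\tlocal",
    "tank/home/perrin\tmountpoint\t/tank/home/perrin\tdefault",
    "tank/vol1\tsync\tdisabled\tlocal",
    "tank/vol1\tmountpoint\t-\t-",
])

INHERITED = "inherited from "


def parse_zfs_get(text):
    """Return {dataset: {property: (value, source)}} from tab-separated -H output."""
    props = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:  # skip blank or damaged lines
            continue
        name, prop, value, source = fields
        props[name][prop] = (value, source)
    return dict(props)


def on_system_path(mountpoint):
    """Heuristic (assumption): '/' stands for the active BE, plus /var and below."""
    return mountpoint in ("/", "/var") or mountpoint.startswith("/var/")


def audit_sync(text):
    """List datasets with sync=disabled, where the value was set, and a severity."""
    findings = []
    for name, props in sorted(parse_zfs_get(text).items()):
        value, source = props.get("sync", ("", ""))
        if value != "disabled":
            continue
        # Volumes report '-' as their mountpoint; they can never be "high" here.
        mountpoint = props.get("mountpoint", ("-", "-"))[0]
        # An inherited value has to be corrected on the ancestor that set it.
        set_on = source[len(INHERITED):] if source.startswith(INHERITED) else name
        findings.append({
            "dataset": name,
            "mountpoint": mountpoint,
            "set_on": set_on,
            "severity": "high" if on_system_path(mountpoint) else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_sync(SAMPLE):
        print("{severity:6} {dataset} (mounted at {mountpoint}, set on {set_on})".format(**finding))
```
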


RAIDZ/Mirror Performance

Latest-and-greatest RAIDZ pools automatically mirror latency-sensitive metadata.
Pools created with b148 or later
Pool version 29 or later
Boosts I/O throughput
Applies to all newly-written data
Trades off space for time
Does not improve resilience to failure


Integrating ZFS into Deployment

Consider a separate file system per significant application.
Monitor with fsstat(1M)
Use snapshots for easy rollbacks.
Use zfs diff to monitor changes.
Apply encryption if appropriate.
Use zfs send/receive for replication or backup.


Performance Notes

On-disk encryption costs ~7% on random I/O and ~3% on sequential I/O.
RAID-Z mirror allocation: Some workloads show 2-4x speedup on directory searches.
Scrub/resilver ops now prefetch their metadata.
System duty cycle (SDC) scheduler balances thread priorities for CPU time.
Slim ZIL reduces metadata I/O if data blocks are not full.
Explicit ZIL behavior is controlled via sync property.


Other ZFS Features

Dynamic LUN expansion
autoexpand property
Splittable mirrored pools (zpool split)
Triple-parity RAID-Z (raidz3)
Improved ACL compatibility with CIFS
Automatic snapshots/Time Slider
auto-snapshot SMF service
User/group quotas
Via userspace and groupspace subcommands


ZFS References

Oracle Solaris Administration: ZFS File Systems


http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=ZFSADMIN


Zones


Changes Since Solaris 10 FCS

Core
Configurable privileges (limitpriv)
Supports DTrace inside a zone
Zone rename and move operations
Zone migration (attach, detach)
Software update on attach
Default update is conservative
Option -U will update all
Boot arguments (bootargs)
Packaging
Parallel patching, turbo SVR4 packaging
Live Upgrade support


Changes Since Solaris 10 FCS

Resource management
Overhauled and simplified (zone.*)
CPU Caps added
zone.cpu-cap, zone.cpu-shares
See resource_controls(5)
Enhanced observability
Supported by getvmusage(2)
Integration with ZFS
Assign datasets to zones
Faster provisioning with clones and snapshots


Changes Since Solaris 10 FCS

Networking
ip-type
defrouter
Brands
Oracle Solaris 8 Containers
Oracle Solaris 9 Containers
Trusted extensions

Sun Cluster integration


Oracle Enterprise Manager Ops Center 2.5 Integration


Changes Since Solaris 10 FCS

Physical to virtual (p2v) migration
Consolidate legacy instances as zones onto new hardware
Available for Oracle Solaris 8, 9, and (other) 10 instances
Process
Create a system image
Transfer to zonepath location
Install the zone
Image automatically updated during installation
User-land/kernel need to be in sync
Need to emulate Host ID


Changes in Oracle Solaris 11


Design and Features

lofiadm support
v2v and p2v migration
Branded Oracle Solaris 10 containers
Exclusive-IP network stack enhancements
zonestat
IPMP support for ip-type


Storage

lofiadm(1M) lofi(7D) supported
New resource control to limit lofi devices
zone.max-lofi

zonecfg:zone1> add rctl
zonecfg:zone1:rctl> set name=zone.max-lofi
zonecfg:zone1:rctl> add value (priv=privileged, limit=10, action=none)
zonecfg:zone1:rctl> end
zonecfg:zone1>


Networking: Exclusive IP Zones

Exclusive-IP options
allowed-address property defines usable address/range.
defrouter property supports ip-type=exclusive.

# zonecfg -z zone1
zonecfg:zone1> set ip-type=exclusive
zonecfg:zone1> add net
zonecfg:zone1:net> set allowed-address=192.168.1.10/32
zonecfg:zone1:net> set physical=vnic1
zonecfg:zone1:net> set defrouter=192.168.1.1
zonecfg:zone1:net> end


Networking: Exclusive IP Zones

Administration/tools available inside a zone
dladm, flowadm, ipadm
IP Tunnels
IPMP
Zones are ideal for virtual networking
Configurable with multiple vnics
Internal namespace for flows
Layers 2 and 3 network protection
Prohibit mischievous traffic from exclusive-IP zones
(Try dladm show-linkprop -p protection)


Networking: Shared IP Zones

IPMP
Solaris 10 IPMP: interface name changes on failover, creating issues for some users
For example: Using interface ce0:2 one moment, ce1:1 the next
Zone admin has no control
Solaris 11 IPMP
Zone retains same interface
ipmp0:2 remains ipmp0:2 for the zone session
Zone admin can test interface for IPMP flag
If set, the address is highly available.


Zones Observability

Improved utilization monitoring
CLI and Oracle Enterprise Manager integration
zonestat(1M)
Uses extended accounting (see acctadm)
Also vcs extended-accounting
Reports on both shared and dedicated resources
Measures utilization against configured limits


zonestat Command

zonestatd daemon performs monitoring
Nonroot users and nonglobal zone users can see (some of) the information
zonestat can monitor:
Virtual, physical, and locked memory
Pools, psets, LWPs, and processes
Shared-memory, semaphore, and message resources
Can report specific zones, resource types
Supports sorting by column
Machine-parseable output is also available


zonestat Interval: Example

End-of-run reporting for average, high, and total usage

$ zonestat 5
Collecting data for first interval...
Interval: 1, Duration: 0:00:05
SUMMARY                   Cpus/Online: 32/32   Physical: 32.0G    Virtual: 47.9G
                ----------CPU---------- ----PHYSICAL----- -----VIRTUAL-----
           ZONE  USED %PART  %CAP %SHRU  USED   PCT  %CAP  USED   PCT  %CAP
        [total]  1.57 4.92%     -     - 5660M 17.2%     -  9.9G 20.6%     -
       [system]  0.09 0.28%     -     - 5086M 15.5%     - 9275M 18.8%     -
      kodiak-dp  1.00  100%  100%       46.0M 0.14% 4.49% 36.2M 0.07% 1.17%
         global  0.48 1.56%     - 1.56%  419M 1.27%     -  673M 1.37%     -
      kodiak-ab  0.00 0.00%     - 0.01% 67.0M 0.20%     -  115M 0.23%     -
     kodiak-rie  0.00 0.00%     - 0.02% 41.6M 0.12%     - 62.4M 0.12%     -


zonestat by Resource: Example

Example: Monitor lwps and processes

$ zonestat -r processes,lwps 5

PROCESSES                  SYSTEM LIMIT
system-limit                       292K
           ZONE  USED   PCT   CAP  %CAP
        [total]   191 0.63%     -     -
       [system]     0 0.00%     -     -
         global   167 0.55%     -     -
            foo    24 0.08%   300 8.00%
LWPS                       SYSTEM LIMIT
system-limit                      2047M
           ZONE  USED   PCT   CAP  %CAP
        [total]   713 0.00%     -     -
       [system]     0 0.00%     -     -
         global   618 0.00%     -     -
            foo    95 0.00%  1000 9.50%


Resource Management

New max-processes resource control

# zonecfg -z zone1
zonecfg:zone1> set max-processes=300

prctl now reports resource utilization

# prctl -i zone foo
zone: 4: foo
NAME    PRIVILEGE       VALUE    FLAG   ACTION
zone.max-lofi
        usage
        system          18.4E     max   deny
zone.max-swap
        usage          28.3MB
        privileged     3.00GB           deny
        system         16.0EB     max   deny


Zones Security

Delegated administration
Authorizations can be configured directly in zonecfg
login, manage, clonefrom

# zonecfg -z zone1
zonecfg:zone1> add admin
zonecfg:zone1:admin> set user=jack
zonecfg:zone1:admin> set auths=login,manage
zonecfg:zone1:admin> end
zonecfg:zone1> commit

Authorizations are added to user/role entry in /etc/user_attr by zonecfg


Solaris 10 Containers

Solaris 10 branded zone
Similar to the existing solaris8 and solaris brand settings on Solaris 10
Promote adoption and compatibility of Oracle Solaris 11
Leverage existing investment in Solaris 10
Infrastructure, training, support
Allow new technology to support Oracle Solaris 10 context
Virtualized networking among Solaris 10 instances
Application recertification for Solaris 11 unnecessary
Use p2v installation process
Or v2v for moving the existing Solaris 10 zones
Support instances on Solaris 10 10/09 or later


Solaris 10 Container: Expected Migration Path

[Figure: migration path diagram. Labels: db27-prod on Solaris 10; p2v; zone: db27-prod (Solaris10 Brand) on Solaris 11; redeploy; zone: db27-prod on Solaris 11]


References

Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management
http://www.oracle.com/pls/topic/lookup?ctx=E23824&id=SYSADRM


Network Virtualization 2


Advanced Network Features

ilbadm
IP Filtering, forwarding in a zone
Hardware Lanes and dynamic polling
ipmpstat

Fiber Channel over Ethernet (FCoE)


VRRP support
NUMA I/O
Public GLDv3 APIs


ilbadm: L3/L4 Integrated Load Balancing

Operational modes
Stateless Direct Server Return (DSR)
Half or Full NAT
Algorithms supported
Round robin
IP hashing: Source address or source address + port
Health-checking built-ins
TCP, UDP, ICMP probes
Apply as parameters to user-scripted tests
Performance comparable to IP forwarding


Load Balancing Components

pkg://solaris/service/network/loadbalancer/ilb@0.5.11,5.11-0.148:
To configure:
Server group: list of host+port addresses
Virtual IP (aka logical host)
Algorithm, operational type
Healthcheck program and parameters (optional)
The configured elements form a rule.
ilbadm subcommands follow dladm model.


ilbadm: Example

# ilbadm create-servergroup \
> -s servers=apache-zone1:80,apache-zone2:80 \
> apache_group
# ilbadm create-rule -e -p -i vip=10.1.2.3,port=80 \
> -m lbalg=rr,type=HALF-NAT \
> -h hc-name=/var/hc/apache_check \
> -o servergroup=apache_group \
> apacheload_rrobin


IP Filter, Forwarding in a Zone

Same operational semantics as the GZ
For IP Filter in a zone
# pkg install ipfilter; pkg contents ipfilter
Filter/NAT configuration files in the /etc/ipf directory
See /usr/share/ipfilter/examples
# svcadm enable ipfilter
Or just forwarding
# svcadm enable ipv4-forwarding


Hardware Lanes and Dynamic Polling

A Hardware Lane is defined by
NIC-supported partitions (Receive/Transmit Rings, DMA)
Kernel queues/threads bound to CPU, pset, or pool
Same CPUs assigned to a VNIC or a flow
Dynamic polling
Switches from interrupt handling to polling rate in low traffic
Reduces context switching and lock contention

mpstat output with NIC and legacy driver:
 intr  ithr   csw  icsw  migr  smtx   srw  syscl  usr  sys   wt  idl
10818  8607  4558  1547   161  1797   289  19112   17   69    0   12

mpstat with NIC and GLDv3-based driver:
 intr  ithr   csw  icsw  migr  smtx   srw  syscl  usr  sys   wt  idl
 2823  1489   875   151    93   261     1  19825   15   57    0   27


Hardware Lanes

Intended for multicore platforms with multi-10gigE NICs
Hardware Lanes + dedicated resources = linear scaling
Integrated with virtualization and QoS controls
Dynamic polling, packet chaining boost efficiency

[Figure: hardware lanes diagram. Labels: Physical Machine; Physical NIC; Classifier; Hardware Rings/DMA; Kernel Threads and Queues; Hardware Lane; VNIC; Virtual Machine/Zone; Application; Flow; Switch; VLAN Separated]


ipmpstat: Observability for IPMP Groups

Reads sockets opened by in.mpathd
Five output modes
Address (-a)
Group (-g)
Interface (-i)
Probe (-p)
Target (-t)
VNICs are valid IPMP group members.
Useful for testing


ipmpstat: Example

# ifconfig blut0 ipmp
# ifconfig play0 group blut0
# ifconfig play1 group blut0
# ipmpstat -a
ADDRESS                   STATE  GROUP       INBOUND     OUTBOUND
fe80::897f:b644:ae41:e0b  up     blut0       --          --
10.2.3.5                  up     blut0       play        play1 play0
10.9.8.7                  up     blut0       play        play1 play0
# ifconfig play0 group ""
# ipmpstat -a
ADDRESS                   STATE  GROUP       INBOUND     OUTBOUND
fe80::897f:b644:ae41:e0b  up     blut0       --          --
10.2.3.5                  up     blut0       play        play1
10.9.8.7                  up     blut0       play        play1


Fiber Channel over Ethernet (FCoE)

MAC Layer APIs To Create VNICs, Dedicate Resources, Bandwidth for both Network Stack and FCoE
Pseudo FC instance presented to storage

[Figure: FCoE stack diagram. Labels: App; Network Stack; Leadville Fiber Channel Stack; Virtual NIC; FCoE Glue; Virtualized Data Link Layer; MAC Client (x2); MAC Layer; Rx/Tx Ring DMA Channel (x2); H/W Flow Classifier; 10g Ethernet Port; FCoE Port]


Virtual Router Redundancy Protocol (VRRP)

HA support for routers and load balancers


Treats active server as a primary
Other servers are passive
Solaris framework monitors control messages
Upon primary failure, framework elects a new primary
Moves the Virtual IP address (VIP)

Each VRRP router associates a VNIC with the VRRP id


VNIC attributes are set via dladm(1M).


IP over Infiniband (IPoIB)

Used in Exalogic systems (BOND0 interface)
Runs on top of IB's verb layer
Control over IB partitions in dladm(1M) *-part subcommands
IB data links show up as Host Channel Adapter (HCA) ports
Create partition data links over IB data links
Plumb them with IP addresses, assign them to zones
All dladm(1M) link properties apply


Non-Uniform Memory Architecture (NUMA) I/O

On NUMA platforms, I/O performance factors include:


Kernel resource location (memory placement)
Hardware topology
Device location (backplane attachment)
NUMA I/O Framework
Defines affinity for all I/O subsystems
I/O subsystems register affinity to needed resources
Framework uses affinity to determine memory placement
Consumer-transparent process


NUMA I/O Architecture: Overview

[Figure: NUMA I/O architecture diagram. Labels: I/O topology; Kernel Affinity APIs; I/O Subsystem; Constructor; Admin Interface; Core NUMA I/O Framework; constraints; NUMA topology; Bind interrupt; NUMA lgrp sub-system; Interrupt; Device Driver; PCI/DDI Framework; Handles]


GLDv3 Public Driver APIs

Dynamic polling
Packet chaining
Hardware checksumming offload
Large Send Offload (LSO)
Revamped driver property interface
Simplify driver development
Extensibility for future releases
First supported in Solaris 10 U9 (09/10 release)
See Chapter 19, Document #816-4854


Network Performance Highlights

Dynamic polling on receive rings boosts efficiency


Aggregation, flow control on transmit rings
Binding available to psets or pools
Supports Message Signaled Interrupts (MSI)
Used in PCI Express (PCIe) hardware
Alternative to traditional Pin-Based Interrupt
Hardware Lanes
Improve cache locality, isolate traffic


Security


Features

Root as a role
On-disk file encryption
Network spoofing protection

Delegated administration
Zones, SMF services
In-kernel pfexec
Forced Privilege and Stop Profile


Root Implemented as a Role

User defined during installation receives the root role
sudo is enabled with 5-minute grace

installer@os11e:~$ roles
root
installer@os11e:~$ profiles
Console User
Suspend To RAM
Suspend To Disk
Brightness
CPU Power Management
Network Autoconf User
Network Wifi Info
Desktop Removable Media User
Basic Solaris User
All


File system encryption: zfs(1M)

Applicable to datasets or volumes
Need a wrapper key to mount file system
Passphrase or file-based, delegatable key control
See man page examples 22-27 for zfs(1M)

$ zfs create -o encryption=on rpool1/home/fng
Enter passphrase for 'rpool1/home/fng':
Enter again:
$ zfs list rpool1/home/fng
NAME              USED  AVAIL  REFER  MOUNTPOINT
rpool1/home/fng    31K  8.29G    31K  /export/home/fng
fir@os11e:/$ zfs get all rpool1/home/fng | grep key
rpool1/home/fng  keysource  passphrase,prompt      local
rpool1/home/fng  keystatus  available
rpool1/home/fng  rekeydate  Fri Dec 10 10:35 2010  local


Configuring ZFS Encryption

You can also write a key to a file
keysource attribute specifies format and file path
Encryption policy is inherited and read-only

# pktool genkey keystore=file outkey=/dmkey.file \
  keytype=aes keylen=256
# zfs create -o encryption=aes-256-ccm -o \
  keysource=raw,file:///dmkey.file rpool1/home/fng
# zfs clone rpool1/home/fng@final rpool1/home/delivered
Enter passphrase for 'rpool1/home/delivered':
Enter again:
# zfs set encryption=off rpool1/home/delivered
cannot set property for 'rpool1/home/delivered': 'encryption' is readonly


File system encryption: lofiadm(1M)

Full scenario: Example 6, lofiadm man page

marty@os11e:/$ mkfile 64m /var/tmp/setec
marty@os11e:/$ lofiadm -c aes-256-cbc -a /var/tmp/setec
Enter passphrase:
Re-enter passphrase:
/dev/lofi/1
marty@os11e:/$ newfs /dev/rlofi/1
newfs: construct a new file system /dev/rlofi/1: (y/n)? y
...
marty@os11e:/$ lofiadm
Block Device    File              Options
/dev/lofi/1     /var/tmp/setec    Encrypted


Network Spoofing Protection

mac-nospoof: Cannot change MAC address
restricted: Outbound ipv4, ipv6, and ARP packets only
ip-nospoof: Checks outbound packets against allowed-ips property
dhcp-nospoof: Multiple conditions apply. See dladm(1M).

# dladm show-linkprop -p protection play0
LINK   PROPERTY    PERM  VALUE  DEFAULT  POSSIBLE
play0  protection  rw    --     --       mac-nospoof,
                                         restricted,
                                         ip-nospoof,
                                         dhcp-nospoof
# dladm set-linkprop -p protection=mac-nospoof play0
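Checking the protection property link by link does not scale to a host with many VNICs. The following is an added example, not part of the course material: it audits the parseable output of `dladm show-linkprop -c -o link,property,value -p protection,allowed-ips`, including the backslash-escaped colons that IPv6 values carry in that format. The sample data, the link names and the policy that every link needs mac-nospoof and ip-nospoof are assumptions.

```python
# Constructed sample of
#   dladm show-linkprop -c -o link,property,value -p protection,allowed-ips
# Fields are colon-separated; a literal colon inside a value is written as "\:".
SAMPLE = r"""vnic1:protection:mac-nospoof,ip-nospoof
vnic1:allowed-ips:192.168.1.10
vnic2:protection:mac-nospoof
vnic2:allowed-ips:
vnic3:protection:
vnic3:allowed-ips:
vnic4:protection:mac-nospoof,restricted,ip-nospoof
vnic4:allowed-ips:
vnic5:protection:mac-nospoof,ip-nospoof
vnic5:allowed-ips:fe80\:\:8\:20ff\:fe01\:1,192.168.1.12
"""

# Site policy (assumption): every audited link must carry these protection modes.
REQUIRED = ("mac-nospoof", "ip-nospoof")


def split_parseable(line):
    """Split one parseable line on unescaped colons and drop the escapes."""
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_linkprops(text):
    """Return {link: {property: [values]}}; an unset property gives an empty list."""
    links = {}
    for line in text.splitlines():
        fields = split_parseable(line)
        if len(fields) != 3:
            continue
        link, prop, value = fields
        # "--" is how the tabular form shows an unset value; accept it as empty too.
        values = [] if value in ("", "--") else value.split(",")
        links.setdefault(link, {})[prop] = values
    return links


def audit_protection(text, required=REQUIRED):
    """Return {link: [issues]}; an empty list means the link meets the policy."""
    report = {}
    for link, props in parse_linkprops(text).items():
        protection = props.get("protection", [])
        issues = [mode + " not set" for mode in required if mode not in protection]
        # ip-nospoof is checked against allowed-ips, so an empty list deserves review.
        if "ip-nospoof" in protection and not props.get("allowed-ips"):
            issues.append("ip-nospoof set but allowed-ips is empty")
        report[link] = issues
    return report


if __name__ == "__main__":
    for link, issues in sorted(audit_protection(SAMPLE).items()):
        print(link, "OK" if not issues else "; ".join(issues))
```
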


Zones: Delegated Administration

Per-user, per-zone authorizations
Limits NGZ access from the GZ
zonecfg(1) syncs with GZ /etc/user_attr file.

zonecfg:webber> info
zonename: webber
zonepath: /home/webber/zone
...
admin:
user: hen3ry
auths: login,manage
zonecfg:webber> verify; exit
UX: /usr/sbin/usermod: hen3ry is currently logged in, some changes may not take effect until next login.
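Because zonecfg writes the delegated authorizations into /etc/user_attr, that file can be compared with the admin resources in the zone configurations. The following is an added example, not part of the course material, covering this slide and the earlier Zones Security slide: it lists per-zone delegations, grants that are not limited to one zone, and drift from an expected set. The sample entries, the expected set and the entry form `solaris.zone.<auth>/<zonename>` are assumptions.

```python
# Constructed /etc/user_attr content. Assumption: zonecfg records a delegated
# authorization as solaris.zone.<auth>/<zonename> in the user's auths attribute.
SAMPLE = """\
# user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*;profiles=All
jack::::auths=solaris.zone.login/zone1,solaris.zone.manage/zone1
hen3ry::::type=normal;auths=solaris.zone.login/webber,solaris.zone.manage/webber,solaris.zone.clonefrom/webber
ops::::auths=solaris.zone.manage,solaris.smf.manage.myservice
"""

ZONE_PREFIX = "solaris.zone."


def parse_user_attr(text):
    """Return {user: {key: value}} from user:qualifier:res1:res2:attr lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = value.strip()
        entries[fields[0]] = attrs
    return entries


def zone_delegations(text):
    """Return (scoped, unscoped): {zone: {user: [auths]}} and {user: [raw auths]}."""
    scoped, unscoped = {}, {}
    for user, attrs in parse_user_attr(text).items():
        for auth in (a.strip() for a in attrs.get("auths", "").split(",")):
            if not auth:
                continue
            if auth.endswith("*"):
                # A wildcard such as solaris.* also covers every zone authorization.
                if ZONE_PREFIX.startswith(auth[:-1]):
                    unscoped.setdefault(user, []).append(auth)
                continue
            if not auth.startswith(ZONE_PREFIX):
                continue
            right, slash, zone = auth[len(ZONE_PREFIX):].partition("/")
            if slash and zone:
                scoped.setdefault(zone, {}).setdefault(user, []).append(right)
            else:
                unscoped.setdefault(user, []).append(auth)  # not tied to one zone
    return scoped, unscoped


def drift(text, expected):
    """Compare user_attr with expected {zone: {user: set(auths)}}.

    Returns (zone, user, extra, missing) tuples for every mismatch.
    """
    scoped, _ = zone_delegations(text)
    diffs = []
    for zone in sorted(set(scoped) | set(expected)):
        have_users, want_users = scoped.get(zone, {}), expected.get(zone, {})
        for user in sorted(set(have_users) | set(want_users)):
            have = set(have_users.get(user, []))
            want = set(want_users.get(user, ()))
            if have != want:
                diffs.append((zone, user, sorted(have - want), sorted(want - have)))
    return diffs


if __name__ == "__main__":
    # Expected delegations, as the two zonecfg admin resources on the slides show them.
    expected = {"zone1": {"jack": {"login", "manage"}},
                "webber": {"hen3ry": {"login", "manage"}}}
    print(zone_delegations(SAMPLE))
    print(drift(SAMPLE, expected))
```
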


SMF: Delegated Administration

Set authorizations in manifest
Enable/disable (value_authorization)
Restart/refresh (action_authorization)
Modify values in all or select property groups
Assign auths to profiles/users via rbac(5)
Complete list in smf_security(5)

<property_group name='general' type='framework'>
  <!-- Allow restart, refresh. -->
  <propval name='action_authorization' type='astring'
    value='solaris.smf.manage.myservice' />
  <!-- Allow enable, disable. -->
  <propval name='value_authorization' type='astring'
    value='solaris.smf.manage.myservice' />
</property_group>


SMF: Method Context

Execution attributes include:
Security
User, group, privileges
Also resource management and environment

<exec_method type='method' name='start'
    exec='/lib/svc/method/foobar start'
    timeout_seconds='60' >
    <method_context>
        <method_credential
            user='foo'
            group='bar'
            privileges='basic,sys_net_config,net_rawaccess' />
    </method_context>
</exec_method>
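
As an added example (not part of the course material), the Python code below audits an SMF manifest for the delegation properties from the previous slide and for the method_credential shown above. The wrapping <service> element, the stop method, and the name audit_manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two slide fragments wrapped in a hypothetical
# <service> element, plus a stop method that declares no credential.
SAMPLE = """<service name='application/myservice' type='service' version='1'>
  <exec_method type='method' name='start'
      exec='/lib/svc/method/foobar start' timeout_seconds='60'>
    <method_context>
      <method_credential user='foo' group='bar'
          privileges='basic,sys_net_config,net_rawaccess' />
    </method_context>
  </exec_method>
  <exec_method type='method' name='stop' exec=':kill' timeout_seconds='60' />
  <property_group name='general' type='framework'>
    <propval name='action_authorization' type='astring'
        value='solaris.smf.manage.myservice' />
    <propval name='value_authorization' type='astring'
        value='solaris.smf.manage.myservice' />
  </property_group>
</service>"""

def audit_manifest(xml_text):
    """Summarize who may administer a service and what its methods run as."""
    root = ET.fromstring(xml_text)
    # Collect every *_authorization property (action, value, ...).
    auths = {pv.get("name"): pv.get("value") for pv in root.iter("propval")
             if pv.get("name", "").endswith("_authorization")}
    methods, findings = {}, []
    for method in root.iter("exec_method"):
        name = method.get("name")
        cred = method.find("method_context/method_credential")
        if cred is None:
            methods[name] = None
            findings.append(f"{name}: no method_credential declared")
            continue
        privs = [p.strip() for p in cred.get("privileges", "").split(",") if p.strip()]
        methods[name] = {"user": cred.get("user"), "group": cred.get("group"),
                         "privileges": privs}
        # Anything other than 'basic' or a '!removal' widens the method's rights.
        extra = [p for p in privs if p != "basic" and not p.startswith("!")]
        if extra:
            findings.append(f"{name}: privileges beyond basic: {', '.join(extra)}")
    for prop in ("action_authorization", "value_authorization"):
        if prop not in auths:
            findings.append(f"{prop} not set")
    return {"authorizations": auths, "methods": methods, "findings": findings}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE)["findings"]:
        print(finding)
```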


SMF: Firewall Integration

Application-specific attributes
$ svcadm enable ipfilter
$ svccfg -s ipfilter:default setprop firewall_config_default/policy = allow
$ svcadm refresh network/ipfilter
$ svcadm enable ftp
$ svccfg -s ftp setprop firewall_config/policy = allow
$ svccfg -s ftp setprop firewall_config/apply_to = network:192.168.1.0/24

Applications can participate in automatic firewall policy
Define firewall_context/name for RPC services.
Implement firewall_context/ipf_method for other services.
See svc.ipfd(1M) for more information.


Least Privilege Changes

net_priv_addr

proc_fork

proc_exec


In-kernel pfexec

New PRIV_PFEXEC process flag
Set by any profile shell, inherited across exec(2)
Applies RBAC attributes transparently
No need for pfexec
Other profile shells now available:
pfbash(1)
pftcsh(1)
pfzsh(1)


Basic Privileges: More is Less

basic privilege set expanded
file_read, file_write, file_link_any
proc_exec, proc_fork
proc_info, proc_session
net_access

Easier to disable certain privileges:
Read-only process: !file_write
Host-only process: !net_access


Role-Based Access Control

[Diagram labels: Software Installation, DTrace Analysis, Developer; Audit Review, File Integrity Verification, Internal Auditor; Dataset Management, Backup Operator, Sys Admin]


Sandboxing Enhancements

User profiles are cumulative, processed in list order
/etc/user_attr, /etc/security/policy.conf
Ignores any profiles assigned after Stop is read
Either by file (policy.conf) or by command
Provides an explicit limit to a user's authorizations


Kerberos Improvements

Zero-configuration client via DNS


Authentication via Active Directory available
Enhancements to PAM configurations
Better interoperability for Windows clients
Initial authentication possible with public keys
RFC 4556 (PKINIT) implemented
New kdcmgr(1M) tool
Sets up Kerberos Key Distribution Center


Key Management: pkcs11_kms Provider

Consumer for Key Management Server (KMS)
Configured with kmscfg(1M)
pkg:/system/library/security/crypto/pkcs11_kms@...
KMS configuration required for each consumer
See KMS 2.2 Administration Guide for details
http://docs.sun.com/app/docs/doc/316195103AA


Other Enhancements

NSA Suite B algorithms support


Internet Key Exchange
Accepts Elliptic Curve Cryptography (ECC)
Also RSA and DSA
AES Cipher Feedback (CFB) mode
Available on SPARC T3 processor
Used by Oracle Database Advanced Security Option
Supports acceleration of table-level encryption


Oracle Solaris 11 Trusted Extensions

Mandatory Access Control (MAC)
Zones are classified (labeled)
Processes need proper clearance to access labeled assets
Networks, printers also labeled
Runs all Solaris applications
Designed for defense and intelligence industry requirements
Meets Common Criteria Certifications at EAL 4+ levels

[Diagram labels: Need-to-know, Internal Use, Public, Multilevel Desktop Services (Global Zone), Solaris Kernel, net (x4)]


Trusted Extensions Changes

GNOME replaces CDE as Desktop


GNOME login manager asserts labeling
X server uses same X Access Control Extension (XACE) policy hooks as SELinux
New ZFS attribute: mlslabel
Prevents remounting on the wrong label
Labeled IPsec
Multilevel IKE daemon negotiates Security Associations
Maintains the label's confidentiality and integrity
CIPSO data does not need to be sent in the clear
Allows the use of single physical network


Trusted Platform Modules (TPM)

Support for Trusted Platform Modules (TPM)

TSS 1.2 API
tpmadm(1M) CLI
pkcs11_tpm(5) Crypto module


Services Management Facility (SMF)


SMF Design Goals

Increase application availability


Monitor services in run time
Restart failed processes
Graph-dependent services
Start independent service paths concurrently
Common naming for all services
Not just daemon processes
It is either disabled or some variation of enabled


SMF Is the Glue in Solaris 11

Services are first-class objects


Health monitoring
FMRI-based naming
Universal lifecycle
Tools to observe services, not just processes
Automated restarts after errors and faults
Integrated refresh upon reconfiguration
Control for many service attributes
Privileges
User/group delegation
Resource controls


Service Templates

Service properties include:


Decorations
Descriptions
Simple constraints
Online help
Store property descriptions with the service
Catch errors during configuration:
Validate constraints in APIs and commands

smf_template(5)


Early Manifest Imports

Two import services


svc:/system/early-manifest-import:default
svc:/system/manifest-import:default
Solves potential race condition with manifest upgrades
Reads new manifest location /lib/svc/manifest
/var/svc/manifest remains for compatibility
manifest-import service reads /lib/svc/manifest, and then /var/svc/manifest.


SMF Enhanced Profiles

Customize configuration for multiple services
Example: enabling/disabling services in one action
# netservices limited | open
Easy deployment of services configurations
Drop-in during system deployment
Installer support for SMF profiles in the works
Use the site/ subdirectory of /etc/svc/profile for local customization


Fault Notification

Set and list notification types for SMF/FMA faults.
Default parameters kept as a service
svc:/system/svc/global:default

# svccfg setnotify -g to-maintenance mailto:admin@domain.com
# svccfg listnotify -g
Event: to-maintenance (source: svc:/system/svc/global:default)
        Notification Type: smtp
                Active: true
                to: admin@domain.com


IPS Actuators

Signals additional behavior, usually on a live system
restart_fmri prompts a service restart.
Per-file attribute
Remember that IPS only updates objects as needed.
reboot-needed indicates that a reboot is required.

dir group=bin mode=0755 owner=root path=opt timestamp=20101109T051058Z
dir group=bin mode=0755 owner=root path=opt/app timestamp=20101109T051110Z
file opt/app/app-bin group=bin mode=0555 owner=root path=opt/app/app-bin pkg.size=48088 reboot-needed=true
file opt/app/app.conf group=bin mode=0644 owner=root path=opt/app/app.conf pkg.size=267
file lib/svc/manifest/application/lianep-app.xml mode=0444 owner=root path=lib/svc/manifest/application/lianep-app.xml restart_fmri=svc:/system/manifest-import:default
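
As an added example (not part of the course material), the Python code below parses the manifest actions shown above and reports which files carry the two actuators, so a package can be reviewed for reboots and service restarts before it is installed on a live system. The function names are hypothetical, and treating a trailing backslash as a line continuation is an assumption about the manifest text being read.

```python
import shlex

# The manifest actions from the slide; the last one is split with
# backslash continuations to exercise the joining logic (assumption).
MANIFEST = """\
dir group=bin mode=0755 owner=root path=opt timestamp=20101109T051058Z
dir group=bin mode=0755 owner=root path=opt/app timestamp=20101109T051110Z
file opt/app/app-bin group=bin mode=0555 owner=root path=opt/app/app-bin pkg.size=48088 reboot-needed=true
file opt/app/app.conf group=bin mode=0644 owner=root path=opt/app/app.conf pkg.size=267
file lib/svc/manifest/application/lianep-app.xml mode=0444 owner=root \\
    path=lib/svc/manifest/application/lianep-app.xml \\
    restart_fmri=svc:/system/manifest-import:default
"""

def parse_action(line):
    """Split one action into its type, positional payload and key=value attributes."""
    tokens = shlex.split(line)
    action = {"type": tokens[0], "payload": None, "attrs": {}}
    for token in tokens[1:]:
        key, sep, value = token.partition("=")
        if sep:
            action["attrs"].setdefault(key, []).append(value)  # keys may repeat
        else:
            action["payload"] = token  # e.g. the file action's positional field
    return action

def actuator_summary(manifest_text):
    """Return the paths that require a reboot and the FMRIs that get restarted."""
    joined = manifest_text.replace("\\\n", " ")  # fold continuation lines
    reboot, restart = [], {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        attrs = parse_action(line)["attrs"]
        path = attrs.get("path", [None])[0]
        if any(v.lower() == "true" for v in attrs.get("reboot-needed", [])):
            reboot.append(path)
        for fmri in attrs.get("restart_fmri", []):
            restart.setdefault(fmri, []).append(path)
    return {"reboot_needed": reboot, "restart_fmri": restart}

if __name__ == "__main__":
    print(actuator_summary(MANIFEST))
```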


FMRI Stored in proc_t Structure

#!/usr/sbin/dtrace -s

/* Service FMRI recorded in the process contract of the current process. */
inline string fmri =
    stringof(curthread->t_procp->p_ct_process->conp_svc_fmri->rs_string);

/* Count system calls per SMF service. */
syscall:::entry
{
        @[fmri] = count();
}

dtrace: script '/var/tmp/foo' matched 228 probes
^C
  svc:/system/sysevent:default                          10
  svc:/network/smtp:sendmail                            21
  svc:/network/physical:nwam                            40
  svc:/network/ntp:default                              50
  svc:/system/hal:default                               65
  svc:/network/datalink-management:default             428
  svc:/application/graphical-login/gdm:default      274792
