1. [Admins] Device Removal From a ZFS Storage Pool

   In addition to removing hot spares, cache and log devices, Solaris 11.4 has support for removal of top-level virtual data devices (vdev) from a zpool with the exception of a RAID-Z pool. It is possible to cancel a remove operation that's in progress too.

   This enhancement will come in handy especially when dealing with overprovisioned and/or misconfigured pools.

   Ref: ZFS: Removing Devices From a Storage Pool for examples.

2. [Developers & Admins] Bundled Software

   Bundled software packages include Python 3.5, Oracle instant client 12.2, MySQL 5.7, Cython (C-Extensions for Python), cx_Oracle Python module, Go compiler, clang (C language family frontend for LLVM) and so on.

   cx_Oracle is a Python module that enables accessing Oracle Database 12c and 11g from Python applications. The Solaris packaged version 5.2 can be used with Python 2.7 and 3.4.

   Depending on the type of Solaris installation, not every software package may get installed by default but the above mentioned packages can be installed from the package repository on demand.

   eg.,

   # pkg install pkg:/developer/golang-17
   
   # go version
   go version devel a30c3bd1a7fcc6a48acfb74936a19b4c Fri Dec 22 01:41:25 GMT 2017 solaris/sparc64
   

3. [Security] Isolating Applications with Sandboxes

   Sandboxes are isolated environments where users can run applications to protect them from other processes on the system while not giving full access to the rest of the system. Put another way, application sandboxing is one way to protect users, applications and systems by limiting the privileges of an application to its intended functionality there by reducing the risk of system compromise.

   Sandboxing joins Logical Domains (LDoms) and Zones in extending the isolation mechanisms available on Solaris.

   Sandboxes are suitable for constraining both privileged and unprivileged applications. Temporary sandboxes can be created to execute untrusted processes. Only administrators with the Sandbox Management rights profile (privileged users) can create persistent, uniquely named sandboxes with specific security attributes.

   The unprivileged command sandbox can be used to create temporary or named sandboxes to execute applications in a restricted environment. The privileged command sandbox can be used to create and manage named sandboxes.

   To install security/sandboxing package, run:

   # pkg install sandboxing
   
   -OR-
   
   # pkg install pkg:/security/sandboxing
   

   Ref: Configuring Sandboxes for Project Isolation for details.

4. New Way to Find SRU Level

   uname -v was enhanced to include SRU level. Starting with the release of Solaris 11.4, uname -v reports Solaris patch version in the format "11.<update>.<sru>.<build>.<patch>".

   # uname -v
   11.4.0.12.0
   

   Above output translates to Solaris 11 Update 4 SRU 0 Build 12 Patch 0.

5. [Cloud] Service to Perform Initial Configuration of Guest Operating Systems

   cloudbase-init service on Solaris will help speed up the guest VM deployment in a cloud infrastructure by performing initial configuration of the guest OS. Initial configuration tasks typically include user creation, password generation, networking configuration, SSH keys and so on.

   cloudbase-init package is not installed by default on Solaris 11.4. Install the package only into VM images that will be deployed in cloud environments by running:

   # pkg install cloudbase-init
   

6. Device Usage Information

   The release of Solaris 11.4 makes it easy to identify the consumers of busy devices. Busy devices are those devices that are opened or held by a process or kernel module.

   Having access to the device usage information helps with certain hotplug or fault management tasks. For example, if a device is busy, it cannot be hotplugged. If users are provided with the knowledge of how a device is currently being used, it helps them in resolving related issue(s).

   On Solaris 11.4, prtconf -v shows pids of processes using different devices.

   eg.,

   # prtconf -v
    ...
       Device Minor Nodes:
           dev=(214,72)
               dev_path=/pci@300/pci@2/usb@0/hub@4/storage@2/disk@0,0:a
                   spectype=blk type=minor nodetype=ddi_block:channel
                   dev_link=/dev/dsk/c2t0d0s0
               dev_path=/pci@300/pci@2/usb@0/hub@4/storage@2/disk@0,0:a,raw
                   spectype=chr type=minor nodetype=ddi_block:channel
                   dev_link=/dev/rdsk/c2t0d0s0
               Device Minor Opened By:
                   proc='fmd' pid=1516
                       cmd='/usr/lib/fm/fmd/fmd'
                       user='root[0]'
    ...
   

7. [Developers] Support for C11 (C standard revision)

   Solaris 11.4 includes support for the C11 programming language standard: ISO/IEC 9899:2011 Information technology - Programming languages - C.

   Note that C11 standard is not part of the Single UNIX Specification yet. Solaris 11.4 has support for C11 in addition to C99 to provide customers with C11 support ahead of its inclusion in a future UNIX specification. That means developers can write C programs using the newest available C programming language standard on Solaris 11.4 (and later).

8. pfiles on a coredump

   pfiles, a /proc debugging utility, has been enhanced in Solaris 11.4 to provide details about the file descriptors opened by a crashed process in addition to the files opened by a live process.

   In other words, "pfiles core" now works.

9. Privileged Command Execution History

   A new command, admhist, was included in Solaris 11.4 to show successful system administration related commands which are likely to have modified the system state, in human readable form. This is similar to the shell builtin "history".

   eg.,

   The following command displays the system administration events that occurred on the system today.

   # admhist -d "today" -v
   ...
   2018-05-31 17:43:21.957-07:00 root@pitcher.dom.com cwd=/ /usr/bin/sparcv9/python2.7 /usr/bin/64/python2.7 /usr/bin/pkg -R /zonepool/p6128-z1/root/ --runid=12891 remote --ctlfd=8 --progfd=13
   2018-05-31 17:43:21.959-07:00 root@pitcher.dom.com cwd=/ /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
   2018-05-31 17:43:22.413-07:00 root@pitcher.dom.com cwd=/ /usr/bin/sparcv9/pkg /usr/bin/64/python2.7 /usr/bin/pkg install sandboxing
   2018-05-31 17:43:22.415-07:00 root@pitcher.dom.com cwd=/ /usr/lib/rad/rad -m /usr/lib/rad/transport -m /usr/lib/rad/protocol -m /usr/lib/rad/module -m /usr/lib/rad/site-modules -t pipe:fd=3,exit -e 180 -i 1
   2018-05-31 18:59:52.821-07:00 root@pitcher.dom.com cwd=/root /usr/bin/sparcv9/pkg /usr/bin/64/python2.7 /usr/bin/pkg search cloudbase-init
   ..
   

   It is possible to narrow the results by date, time, zone and audit-tag

   Ref: man page of admhist(8)

10. [Developers] Process Control Library

    Solaris 11.4 includes a new process control library, libproc, which provides high-level interface to features of the /proc interface. This library also provides access to information such as symbol tables which are useful while examining and control of processes and threads.

    A controlling process using libproc can typically:

    • Grab another process by suspending its execution
    • Examine the state of that process
    • Examine or modify the address space of the grabbed process
    • Make that process execute system calls on behalf of the controlling process, and
    • Release the grabbed process to continue execution

    Ref: man page of libproc(3LIB) for an example and details.

Labels: oracle solaris 11.4 beta operating+system features security developers administrators cloud

Posted by: Giri Mandalika.    # 10:41 PM 0 comments.     Tweet