Random mumblings of an SSE Scott Howard's Weblog

Wednesday Feb 14, 2007

The final patches for the Solaris 10 in.telnetd vulnerability are now available on SunSolve.

The patch numbers are:

120068-02  :  Solaris 10 SPARC

120069-02  :  Solaris 10 x86/x64.

Both patches are available from http://sunsolve.sun.com/

Tuesday Feb 13, 2007

ISR (Interim Security Relief) patches are now available for the Solaris 10 in.telnetd vulnerability from http://sunsolve.sun.com/tpatches

The descriptions and readme links are currently empty, but they should be there shortly.

The ISRs are:

IDR125456-01.zip  -  Solaris 10 SPARC
IDR125457-01.zip  -  Solaris 10 x86

Patch 120068-01 (SPARC) or 120069-01 (x86) is required; however, none of these patches/ISRs require a reboot, and they will take effect immediately.

Friday Jan 26, 2007

The idea of using Solaris Flash Archives as a means of backing up a server is something that comes up fairly frequently - and is generally going to be a bad idea. That's not to say that you can't make it work, it's just to say that it's normally going to be the wrong answer to the problem.


Flash archives are designed for quick deployment of like servers, where like is defined in terms of the software installed, and not (necessarily) the hardware involved.  By design what is "restored" from a flash archive is deliberately different to what was flashed, with many of the OS configuration files being deliberately deleted and/or re-created during the flash process. This includes things like /etc/hosts, /etc/hostname.*, /etc/netmasks, /etc/path_to_inst, the entire /dev and /devices trees and some others.

So in effect, what you put in is NOT what you get back out.

But the very definition of a backup/restore is that you get back exactly what you started with. ufsdump (or any commercial backup software) will give you a restored machine which looks exactly like what you started with.


Why does this matter?

Sure, it's possible to fix some of the files which are deliberately deleted/changed (such as /etc/hosts) using post-install scripts, but to do this reliably means you need to actually take copies of these files whenever you do a flash archive, which begins to get messy.
Others like /dev and path_to_inst are a little more difficult.  If you've added storage to the machine post-install (such as if you didn't have any external storage installed during the initial install) then there's a very good chance that your controller numbers will be different after the flash "restore" than they were before.
Add in network interfaces and it gets very messy (the on-board NET0 on a V440 is ce0 if you build the machine without any extra CE cards in it, but will be something like ce4 or ce8 if you've installed some extra cards afterwards).

The whole concept of backup/restore is about getting your machine back exactly as it was when the backup was taken - Flash simply doesn't give you this (and wasn't designed to).
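The bookkeeping described above, as an added example that is not part of the original post: a pair of shell functions that keep copies of the configuration files Flash re-creates and then report which of them came back missing or different. The function names and the save-directory layout are assumptions; the file list is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep copies of the config
# files a Flash install re-creates, then report drift after the "restore".
# Function names and the save-directory layout are assumptions.

# Files, relative to the root, that the post lists as deleted/re-created.
# /dev and /devices are device trees rather than files, so they are skipped.
VOLATILE="etc/hosts etc/netmasks etc/path_to_inst"

# list_volatile ROOT: print the listed files that exist under ROOT.
list_volatile() {
    root=$1
    for f in $VOLATILE; do
        [ -f "$root/$f" ] && echo "$f"
    done
    for f in "$root"/etc/hostname.*; do
        [ -f "$f" ] && echo "etc/${f##*/}"
    done
    return 0
}

# save_volatile ROOT SAVEDIR: copy each file, keeping its relative path.
save_volatile() {
    root=$1 save=$2
    list_volatile "$root" | while read -r f; do
        mkdir -p "$save/${f%/*}" && cp -p "$root/$f" "$save/$f" || exit 1
    done
}

# diff_volatile ROOT SAVEDIR: print MISSING:/CHANGED: for every saved file
# that differs under ROOT; returns 1 if anything differs, 0 otherwise.
diff_volatile() {
    root=$1 save=$2 changed=""
    for f in $(list_volatile "$save"); do
        if [ ! -f "$root/$f" ]; then
            changed="$changed MISSING:$f"
        elif ! cmp -s "$root/$f" "$save/$f"; then
            changed="$changed CHANGED:$f"
        fi
    done
    [ -z "$changed" ] && return 0
    printf '%s\n' $changed
    return 1
}
```

Run save_volatile against the live root before creating the archive and diff_volatile against the restored root afterwards; controller and interface renumbering in /dev and /devices is not covered by a file comparison like this.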

There are a few cases where Flash can replace backups, but it's pretty much the same cases where JumpStart alone can replace backups - such as where you've got a pool of similar machines where details like controller numbers aren't important and network config can be easily re-created. Desktop workstations and pools of compute servers/web servers/etc spring to mind. General purpose servers normally do not fit into this category.

Keep in mind that you can do ufsdump over a network in much the same way as you can do a flarcreate. The restore side is a little more difficult to automate, but only if you don't take into account all the "extra" stuff you need to do for flash to get things back how you started.

ufsdump 0f backuphost:/backups/myhost-root.ufs /

Or even better, add in fssnap to make sure things are consistent:

ufsdump 0f backuphost:/backups/myhost-root.ufs `fssnap -o raw,bs=/export/home,unlink /`; fssnap -d /

Tuesday Dec 12, 2006

I haven't seen it announced anywhere yet, but Solaris 10 11/06 (Update 3) appears to be out!

The list of new features from the "What's New" guide is impressive:

System Administration Features

  • Storage Networking Industry Association Multipath Management API Support
  • Sun Java Web Console Changes
  • File-System Monitoring Tool
  • ZFS Command Improvements and Changes
  • Recursive ZFS snapshots
  • Double Parity RAID-Z
  • Hot-spares for ZFS storage pool devices
  • Replacing a ZFS file system with a ZFS clone

System Resource Features

  • Resource Pools Facility Service FMRIs


Solaris Zones Features

  • Solaris Zones Renaming Feature
  • Zones Move and Clone Features
  • Migrating a Non-Global Zone From One Machine to Another
  • Configurable Privileges for Non-Global Zones


Logical Domains Features

  • Logical Domains (LDoms) 1.0 Software


Security Features

  • Solaris Trusted Extensions
  • Solaris Trusted Extensions for Printing
  • Solaris Trusted Extensions File-System Labeling

Device Management Features

  • Support for PCI Express (PCIe)
  • x86: Sun Fire X4500 SATA Disk FMA
  • SPARC: Transitioning SPARC-Based Systems From Ipge to E1000g Network Drivers
  • Solaris Fibre Channel Host-Based Logical Unit Number Masking
  • SPARC: Extended Message Signaled Interrupt Support for Fire-Based Platforms
  • Improved Device in Use Error Checking


Desktop Features

  • Default Desktop Session in dtlogin
  • Adobe Flash Player Plugin for Solaris
  • GNOME-VFS and Nautilus ACL Support
  • Solaris Trusted Extensions Desktops


Installation Enhancements

  • Secure By Default Network Profile
  • Installing Solaris Trusted Extensions


System Performance Enhancements

  • SPARC: Watchdog Timer for Sun4V

Networking Enhancements

  • Sun Java System Message Queue 3.7 Update 1


New and Updated Drivers

  • ST Driver Support for Quantum LTO-2 and LTO-3 Tape Drives
  • CDB Length Capability


Language Support

  • IIIMF and Language Engines


Of course, it's all available for free - just jump over to the Solaris Website and download it!

Tuesday Nov 28, 2006

This Wednesday at 10am PST/1pm EST Sun will be running the latest in its Expert Exchange series, this time on using Live Upgrade to Upgrade and Patch your Solaris systems.

Keeping systems running is critical to your business. How can you maximize system availability - and minimize risk - while keeping your systems up to date with the latest patches and upgrades? Simple - put Solaris Live Upgrade to work - and this Sun Expert Exchange Q&A forum is a great way to get started.

So that's the official blurb, but what can Live Upgrade really do for you? One of the main complaints I hear from sysadmins is that patching is too difficult - primarily that it takes too long (often at 2am), and is too hard (and/or slow) to back out if there are any problems. If you're one of those admins, then Live Upgrade is the answer.

What most people seem to miss is that Live Upgrade isn't just for upgrading between Solaris versions - it can also be used for patching. So instead of spending hours at 2am applying patches and rebooting your system - all during a multi-hour outage of course - you can carry out the patching to an "Alternate Boot Environment" (ABE) anytime through the middle of the day, and then simply reboot the system to use the ABE during your outage window. If there are any problems with the patching, then it's simply another reboot to revert to the previous boot environment.

Yes, Live Upgrade does require a bit of planning beforehand, but the time it takes to configure a worthwhile Live Upgrade setup is generally far less than the time LU will save you in the long run.

So join us on Wednesday to find out how Live Upgrade can help you reduce your patching and upgrade outage windows. And don't let the marketing people on the panel fool you - the techies will be there as well to answer all of the hard questions!  To register, go to http://sun.com/expertexchange and enter your details.