Jim Laurent's Weblog

Recently a customer in the Federal Government asked some fairly straightforward security questions about Logical Domains.  In doing my research, I found it wasn't that straight forward to get the answers from the standard Logical Domains (LDOMs) documentation.  Luckily, our engineering and marketing team stepped up to provide clear, concise answers so that this customer (who prefers to remain anonymous) can move forward and implement their virtualization strategy on Sun's T2 class of processors.

Logical Domains (LDoms) provide built-in and no-cost virtualization capabilities for Sun Chip Multithreading (CMT) Servers. Unlike proprietary virtualization technologies, LDoms can save you up to $10,000 per server. It allows you to create virtual machines that take advantage of the massive thread scale offered by these platforms. Create up to 128 virtual servers on one system... for free!  Customers have used Logical Domains to reduce their costs and consolidate their server farms for significant returns in operations and energy savings. For example, using LDOMs and Solaris containers, the United States Air Force was able to reduce rack space to achieve a 13:1 consolidation ratio, decreased server deployment time by more than 90% and cut datacenter power consumption by more than 25%. Download the software for Solaris 10 or OpenSolaris today.

Logical Domains allow the primary Solaris domain (sometimes known as the control domain) to create virtual disks and assign CPU thread, network, memory and I/O resources to other virtual Solaris machines to run on a single system.  The control domain uses the Logical Domains Manager (LDM) to control, monitor and manage the running domains.  Live migration of domains is supported.

LDoms 1.2 adds a number of new features, including:

• Improved Network performance with the introduction of support for jumbo frames
• Reduced power footprint with CPU power management, powering off cores that aren't in use automatically
• Easier adoption with support for physical-to-virtual migration tool
• Quick start with support for configuration assistant tools
• Faster agility with enhancements to Domain Mobility
• Increased control and response to guest availability with Domain dependencies
• In-built protection from corruption with Auto-recovery of configurations

And now on to the Q and A:

CPU

Q: Can the Control domain access/utilize the CPU threads of a guest without shutting down the guest?

Answer: A Control domain cannot access the CPU threads assigned to a guest domain unless the threads are removed from the guest, and then added to the control domain, such as with CPU Dynamic Reconfiguration, or by rebooting both the guest and control domain after a Static Reconfiguration. LDoms fundamentally partitions CPU resources and there is no sharing of CPU thread resources. Enforcement of this partitioning and separation is done at the Hypervisor level, so it cannot be circumvented by the Control domain.

Virtualization solutions for x86 and IBM Power systems typically time-slice access to threads across multiple guests. This is because IBM and Intel CPU's have very few threads per socket. With SPARC CMT, we have up to 128 threads per socket, and we take advantage of the hardware by using a much safer and simpler partitioning approach in the SPARC Hypervisor and LDoms.

Q: Can a guest domain access the CPU threads of another guest?

Answer: No. LDoms partitions threads and does not share them across logical domain boundaries. See detailed explanation above.

Q: Can a guest domain access the CPU threads of the control domain?

Answer: No. See answers above.

Memory

Q: Can the Control domain alter the active memory space of a running guest?

Answer: There are two types of memory “alteration” in a system, first is modifying the contents of existing memory in a guest, and second, is the reconfiguration of memory size within a guest. For LDoms, guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

As of LDoms 1.2, Any request to change the memory configuration (i.e. How much memory a guest has allocated to it), through the LDM command line interface on the Control Domain would queue a “Delayed Reconfiguration” operation, which would take effect upon the next reboot of the guest. Beginning in LDoms 2.0, we will support the dynamic reconfiguration of a guest domain's memory configuration.

There are some memory transfer or shared memory access between domains done in order to implement virtual device and domain services. These transfers and sharing are strictly controlled by each domain and by the SPARC hypervisor: a domain will define, with the hypervisor, the memory data it is going to transfer or share with another domain

Q: Can a guest domain access the memory of another guest?

Answer: No. Guests have no knowledge of one another, nor are there any interfaces to allow one guest to gain access to or modify the memory of another guest. Memory separation and partitioning is enforced by the SPARC Hypervisor.

Q: Can a guest domain access the memory of the control domain?

Answer: No. There are no interfaces which allow for a guest to modify the configuration of or gain access to any part of the control domain's memory.

Virtual Network

Q: Can the control domain alter the network traffic of guest domains? The concern is about a compromised Control Domain becoming a man-in-the-middle. How can this condition be identified/reported?

Answer: Yes. The network switching of the packets is done in a software driver(vsw), its harder to alter the network traffic to Guest domains, but a compromised control(or service) domain *can* alter the traffic. Our Security model assumes that the domain(s) that host services such as vsw, are trusted, so they need to be secured as per the local security guidelines. Compromising or accessing the network traffic of guest domains from the control domain requires root access on the control domain.

Q: Can a guest domain access the network traffic for another guest? The assumption is yes, since an IP network is being shared. A scenario of interest - or pre condition - is if the physical NIC is disconnected, other than via the physical IP network. The key concern is a guest domain accessing the IP traffic of another guest domain via the virtual switch.

Answer: No. The traffic between the virtual switch(vsw) and the virtual network device(vnet) uses Logical Domain Channels(LDCs) that are a point-to-point type of connection. As a result, the traffic between the virtual switch and a guest domain is not visible to other guest domains. Note, switching is based on mac-addresses and LDoms doesn't allow the change of mac-address of a vnet device in a guest domain, so guest domains cannot spoof by changing their mac-addresses.

Q: Can a guest domain access the network traffic of the control domain?

Answer: No. Guest domains will only see the traffic that fits the following:

• Unicast traffic that matches the virtual network device's mac-address in the guest domain.

• Broadcast traffic.

• Multicast traffic for which the guest domain registered to receive.
  
  

No other packets will be seen by the Guest domains.

Virtual Disks

Q: Can a guest domain access virtual disk devices that it has not been allocated, e.g., other guests, Control Domains?

Answer: No. A guest domain can only access virtual disk devices that have been explicitly assigned to it. It will not see, nor can the guest access any other disk.

Virtual Console

Q: Can a guest domain access the virtual console of another guest domain?

Q: Can a guest domain access the console for the control domain?

Answers: A guest domain cannot access the console interface for a different guest domain, nor can a guest domain access the console for the control domain. The only console access is via a privileged user on the control domain itself. There are no interfaces available in any other scenario for access a guest console, including over the general network interface.

Special Interest

Once the LDoms are running in our environment, there is very little need to log into the Control Domain (CD) and this is preferred behavior.

Q: Can a Control Domain be shut down and the LDOMS continue to run? If not, are there other options for maximally restricting access to, e.g., "locking" a CD once the LDoms are configured? An acceptable instance of "locking"is restricting access to the CD from Virtual Console only. Ideally, access via SSH would also be highly restricted. Limited access for maintenance and configuration are also acceptable.

In summary, the primary objective of these features is to secure the CD from a malicious user gaining access and changing LDom configuration without detection.

Answer: one of the architectural principles of LDoms has been that a guest domain can operate independently of the control domain. For example, If a control domain were to fail and reboot, the guests will continue to operate. Extending this logic, yes, you can currently shutdown the control domain and the guest environment will continue to operate. However, this holds only if the guests are using virtual I/O (assuming that I/O is being served from an I/O service domain that's not the control domain) or have been granted direct ownership of one or more PCI-E busses. But with the advent of upcoming projects like direct I/O (the ability to assign individual PCI-E slots to a guest) and SR-IOV (the ability to assign individual PCI-E virtual functions to a guest), it will not be possible to shut down the control domain without impacting guest domains that have been allocated individual PCI-E slots or functions.

In addition, other caveats, or things to consider are:

• Without a control domain, there is no console access to the guests unless the console service is hosted elsewhere.

• With no control domain, there's no LDoms Manager, which precludes any monitoring or reconfiguration of the guests. It also precludes capabilities such as domain mobility (i.e. migration) and power management.

• All IO used by the guest must continue to be available – i.e. If the control domain is also operating as an IO service domain, those IO devices being served by the control domain will cease to be available for the duration that the control domain is down.

• FMA (the Solaris Fault Management Architecture) will be unavailable

• Certain Sun as well as third party management tools require access to the control domain, if the control domain goes down, those tools will have degraded capability

In terms of "locking" or severely limiting access to the control domain, that is certainly possible, but would be subject to its own set of constraints:

• Without control domain access, there is no console access to the guests unless the console service is hosted elsewhere.

• There's no way to interact with the LDoms Manager directly, which limits the ability to monitor, manage, or reconfigure the guests. The current lack of a suitable standalone LDoms management capability exacerbates this issue.

• The inability to login to the control domain makes it extremely difficult to discover or manage any I/O (e.g. disks & network interfaces) bound to that domain.

• Certain Sun as well as third party management tools require access to the control domain, if the control domain is locked down, those tools will have degraded capability

The control domain is usually configured as a service domain. In that case,the control domain needs to be up and running in order to provide service for virtual devices used by guest domains. If the control domain is down then access to virtual devices is suspended until the control domain comes back up.

On appropriate platforms, I/O domains can be created and used as service domains instead of using the control domain as a service domain. That way, guest domains will not depend on the control domain to access their virtual devices.

Forbes magazine published a great article on why Oracle wants Solaris.

Some of the highlights include:

• Virtualization
• Scalability
• Security 
• Reliability
• Management
• Flexibility

 

Update:  See the screencast on how to update at the CommunityOne website.

For What's New in OpenSolaris 2009.06, see this PDF presentation... 

If you have OpenSolaris 2008.11 installed, the repositories have now been updated to include the 2009.06 packages. You do NOT have to do a clean install. Simply update your packages.  The complete download image will be available on Monday June 1st.

However, the Update manager GUI tools will tell you that no new packages are available. You must use the command line tools to update SUNWipkg first. Attempting to run the "pfexec pkg image-update" command will give you a message indicating that you need to run:

pfexec pkg install SUNWipkg

in order to update the package tools. Once this process is complete, you can use the command line or the GUI Update Manager to move to 2009.06. Update manager will create a new boot environment (using ZFS) and make it the default BE. OpenSolaris will be featured prominently during Community One/JavaOne this week.

One more bit of information.  If you have created zones on your opensolaris installation, you may need to uninstall the zones before updating. Otherwise, the update manager will give you an error (for which there is a bugID 8313 )

"Unable to clone current boot environment"

To remove the zones:

pfexec zoneadm -z zonename uninstall

If you are a part of the US DoD you may remember my earlier blog entry (July 2007) in which I posted customizations to the Solaris Security Toolkit designed to help secure a computer in compliance with DISA Security Guidelines.  Although I haven't done any additional work since that time, Aaron Lippold of DISA took my work and extended it to increase compliance and updated it to more recent versions of DISA STIGs.

Aaron recently notified me that his modifications have now been posted on Forge.mil.

Forge.mil is a family of services provided to support the DoD's technology development community. The system currently enables the collaborative development and use of open source and DoD community source software. These initial software development capabilities are growing to support the full system life-cycle and enable continuous collaboration among all stakeholders including developers, testers, certifiers, operators, and users.

This is great news because it provides a way for the DoD community to collaborate together to make the tool better for everyone. If you are a DoD employee or contractor with a Common Access Card (CAC) you can access this project at https://software.forge.mil/sf/projects/dodsst/.

Join the community, download the tools, contribute changes and make your life generally better by using the Toolkit and DoDSST project to secure your Solaris 10 environment quicker, in an automated and more reproducible fashion.

 I'd like to thank Aaron for the hard work he has done and for his iniative in creating this project for the good of the US Government.

One of the new features of the recently posted VirtualBox 2.2 beta1 is that you are finally allowed to share folders from an OpenSolaris guest to a MacOS host.  This increases the usability of VBox substantially for me because I've been using a workaround for a while.

It's easy to setup the sharing capability in the Virtualbox GUI. With your VM running:

Devices > Shared Folders

Enter the path of a folder on our Mac and the "Share" name that you will be using to reference it on your OpenSolaris system.  The folder name does not need to be related to the actual folder path.

On the OpenSolaris side, you need to mount the file system to make it visible to the user.

bash-3.2$ id
uid=101(jlaurent) gid=10(staff) groups=10(staff)
bash-3.2$ mkdir mac
bash-3.2$ pfexec mount  -F vboxfs -o uid=101,gid=10 jlaurent /export/home/jlaurent/mac

This, however, is annoying to do each time you reboot so it would be nice to have the file system mount on boot up.  Adding a line to /etc/vfstab should help.

 jlaurent    -    /export/home/jlaurent/mac    vboxfs    -    yes    uid=101,gid=10

Unfortunately, in my testing, this prevented the system from booting.  Thanks to Michael, I learned that this is because Solaris process vfstab BEFORE it completes the ZFS mount of my home directory in /export/home.  Changing the line to:

jlaurent    -    /mac    vboxfs    -    yes    uid=101,gid=10

Fixed the problem.  

However, it's not very convenient at /mac.  There are a few other options.

You can also add the line you your .bashrc file but that only takes effect when you start a new terminal window.  The best option for me was to place the line in the Gnome session startup scripts.

System > Preferences > Sessions > Add

There's a little trick, however, that was non-intuitive to me the first time I did this.  My file system was NOT mounting on login and I didn't know why.  I checked into my .xsession-errors file and found the message: mount: command not found.

As you can see in the screen shot above, the absolute pathname is required for commands executed during login.

Issues:

StarOffice and Gedit do NOT want to save data back into this folder even though cp and vi have no problem with it.  I'm still researching this issue.

If you happen to be attending the Federal Office Systems Exhibition (FOSE) this week at the convention center in Washington D. C. drop in on my OpenSolaris session.  It will be held Thursday at 11:30 in room 158A. Come and see the benefits of ZFS, Dtrace, Zones and other new features in OpenSolaris.

Come visit Sun's booth #2309 to learn more about all of our systems, storage, software and services. 

• See Sun Ray thin clients in action
• Learn more about open source software such as MySQL, OpenSSO, OpenSolaris and VirtualBox
• See our X64 based servers running Windows, Red Hat or Solaris.
• Learn more about our Openstorage System 7000
• and more
  

I also provided a 5 minute "lightning talk" and panel discussion on Cloud Computing on Tuesday. About 120 people attended. Read more about Sun's cloud initiatives at our web site. Stay alert for upcoming announcement about Sun's cloud offerings.

Catch me if you can at Sun's table in the Cloud area of the exhibit hall and play "stump the geek."

 You can download OpenSolaris or Solaris 10 for free usage.  Do it today and get started learning.

 In a resounding endorsement for the Solaris 10 enterprise grade operating system.  Today, Sun and Hewlett-Packard announced an expanded multi-year partnership agreement for HP to distribute and support Sun's Solaris 10 OS. The top five x86/x64 based system vendors (Sun, HP, IBM, Fujitus/Siemens, Dell) now all ship Solaris with their systems.

If you don't happen to have an HP system, feel free to check out Sun's servers based on the Intel, AMD or Sparc processors or download Solaris 10 or OpenSolaris for free and try it out on your laptop or PC.  If you don't like the ugly mess of muti-booting using GRUB, try it in Sun's free and open-source VirtualBox environment.  VBOX allows you to run Solaris 10, OpenSolaris, Red Hat or Windows on top of a variety of hosts such as Windows, Linux, Solaris or Mac OS.

Sun's VirtualBox type II hypervisor is a great free tool for running multiple guest OSes on your desktop.  I use VBOX on my Mac to run Solaris 10 and OpenSolaris.

One of the weaknesses of VBOX at this time is that the "guest additions" don't yet support file sharing from a Solaris guest OS.  There are ways around this, however, using SMB protocols.  Here's how....

• Configure SMB sharing on your Mac
• Apple Menu > System Preferences > File Sharing pref pane
• Enable File sharing
• Click Options
• Enable Share files and folders using SMB
• Enable your username account for file sharing. Doing this exposes your home folder on the network as a Windows shared folder. Make sure you have a good password!
• Install Solaris or OpenSolaris in VirtualBox
• Configure NAT networking
• Open a Nautilus file browser
• Go > Location
• Enter: smb://10.0.2.2/<usernameonmac>
• Enter your password
• A new file browser should open with your mounted files.
• Bookmarks > Add Bookmark
  

This works because when NAT networking is configured the Solaris guest gets an IP address of 10.0.2.xx.  The VBOX hypervisor acts not only as DHCP server but also as gateway and host at IP address 10.0.2.2.

In OpenSolaris, you can also do this using the Places > Connect to server menu item.  Choose Custom Location from the pull-down menu and enter the SMB address.

For more on accessing Windows Sharing check out Brian Leonard's blog entry.

Meanwhile, make sure to get the free downloads of Solaris 10, OpenSolaris or VirtualBox.

Many of you have previously seen my comparison chart for Solaris 10, Red Hat Enterprise Linux 5 and MS Windows 2003, all of which can be purchased from Sun running on Sun hardware.  All of the current open source development effort for Solaris is going on in the OpenSolaris community and Sun has produced a binary distribution of OpenSolaris which is available (along with support contracts) at OpenSolaris.com.  

Development from Sun's engineers and outside contributors continues at a fast pace on OpenSolaris and there are hundreds of projects and thousands of community members.  Occasionally, features from OpenSolaris get back ported to Solaris 10 when there is sufficient business case, customer demand and engineering determines that the new feature will not reduce the stability of Solaris 10.  Past examples includes Trusted Extensions, ZFS CPU Caps and more.  Eventually, OpenSolaris with form the basis for the next major version of Solaris with long term support.  In the mean time, you can put OpenSolaris binary distrbution into production today and get support for it from Sun.

With that in mind, I have updated my comparison chart to included OpenSolaris in addition to the other OSes.

Why should you care?

OpenSolaris provides significant new features for Sun users for developers as well as infrastructure operators. Examples include:

• ZFS automatic snapshot
• Network auto configuration
• Image Packaging system and update GUI
• CIFS server in kernel
• Improved Gnome user interface and accessibility
• More GNU utilities.
  

Download it today for Intel and AMD based laptops, workstations or servers.

Try it out with Sun Studio Developer tools, optimized AMP Stack or other open source software in our repository.

 

My previous blog entry attempted to establish the fact that Solaris 10 (including Containers/Zones) is used through the US DoD.  On a related note, I received this direct quote from one of my customers in the US DoD.

Just as a reminder, I'm the DNS guy for all of <Deleted> We're running
zones for our DNS servers (authoritative and recursive) world-wide from
Hawaii to Stuttgart and places in between and they are functioning
beautifully.  Sol 10 is the most versatile OS ever!

Keep the good new coming!

As an OS Ambassador for Sun Federal, I'm frequently asked the questions:

Are Solaris containers "certified" for use by the US Government or DoD?

• Short answer: Yes!  Read on for the long answer.
  
• Solaris 10 has received the highest commercial level of Common Criteria Certification.  This is known as EAL4+ and we did this using 3 protection profiles:
• Controlled Access Protection profile
• Role Based Access Control Protection Profile
• Labeled Security Protection Profile
• If you review our documentation and security target, you'll find that the "Trusted Extensions" component of Solaris 10 which implements the LSPP is based upon Solaris containers.  We use Solaris containers in a unique manner by providing each container with a security label which cannot be violated by a user inside the container.
• In addition, you should note that Sun includes the GUI, Multi-level desktop (Gnome and CDE), LDAP server and management tools in our evaluation.  Red Hat's CC evaluation is for a command line installation only.
  
• I'm unaware of any other government "certification" which would apply to Solaris containers.  If you know of any, please let me know.
  

Who is using Solaris containers in the US Government?

• My customer, DISA, is using containers in their Defense Enterprise Computing Centers as part of the Capacity Computing contract that they awarded to Sun in 2006 to provide Solaris computing on demand.  They have used containers and Sun's capacity computer service to experience significant consolidation and cost savings for the taxpayer.  This is being done on classified and unclassified networks.
• DISA's mission critical Global Command and Control System is also using Solaris containers to support the warfighter.
  
• The US Air Force used Solaris containers and Logical Domains to provide significant savings in floor space and improved system utilization for their Global Combat Support System.
• The US Army is using Solaris 10 and Sun Cluster Software
  
• I'm certain that the are many other examples of which I'm not aware because of the fact that Solaris 10 containers are:
• Built into Solaris 10 since 2005
• Free to use and deploy
• Lower overhead, easy to use virtualization tools
  

Is Solaris 10 (or MySQL or JCAPs other other Sun product) on my federal agency's "approved products list?" 

• Whenever I get this question I ask my own questions:
• For which agency?
• Please show me a public web site that hosts the "approved products list."
• Whom should I contact to have my product added to the "approved products list?"
• What are the specific requirements to be on the "approved products list?"
  
• In many cases I'm met with blank stares and the person who asked me the question doesn't know where to find the APL. Sometimes it doesn't actually exist.  In other cases there are waiver procedures available to bypass the APL. While I'm not saying that there are no APLs in federal agencies, I believe that a lot of people believe that there is when there isn't.  There most certainly is NOT one big APL for the federal government or DoD.
  
• One example of an APL is the DoD's Joint Interoperbility Test Command's IPv6 APL.  There you will find Solaris 10, and we are in the process of adding additional products.

Summary

Solaris 10 is in use today in a wide variety of government and DoD applications including many of its advanced features such as containers, ZFS, SMF and much more.

Download Solaris 10 today and try it or look into the future with OpenSolaris.

Why is Solaris 10 so successful in the market?  It's all about platforms, developers, OEM providers and application availability.

Platforms

Solaris 10 runs on the major volume platforms in the industry: Sparc, Intel and AMD.  Contrary to popular opinion (and competitive FUD), the Sparc architecture is NOT a proprietary architecture.  It is an industry standard and open source architecture that anyone can replicate (and have already).  On the other hand, the Intel X86 architecture (while a defacto standard) is propriety and can only be replicated using an expensive and legally difficult clean room reverse engineering process.

Developers

Solaris 10 supports developers by being available for free download, being able to run on low-cost x86 laptop and desktop systems and providing a vibrant open source community for developing new enhancements.  Don't forget our great development toolkit.

OEM Vendors

Solaris 10 can be purchased from the major hardware vendors in the industry through OEM agreements: Sun, Dell, IBM, Fujitsu/Siemens and Intel.

Applications

Solaris 10 has a larger application catalog than any other Unix or Linux product in the market place.

All Results	6620 Apps
SPARC	5653 Apps
X64	3527 Apps

Why should you care?

You don't buy hardware or operating systems because they're cool or keep your data center warm.  You buy for applications.  Choosing a platform that is available from major vendors, runs on a variety of platforms (large and small), supports your developers and has a larger application catalog should be high on your list.

One of the nicest features of OpenSolaris is the new package management feature.  Using the pkg command you can quickly update your system to the latest bits available in the repository.  It turns out, however, that with OpenSolaris 2008.05 there is a workaround that you must use in order for this to work properly.  It caught me by surprise recently (not reading those forums thoroughly enough).

Like the rest of the world, I downloaded the OpenSolaris 2008.05 ISO image to my MacBook Pro and installed it into (Sun's free and open source hypervisor) VirtualBox 2.0.  The 2008.05 edition is based upon build 86. To get the complete update to the latest build 97, I simply:

time pfexec pkg image-update -v

About 35 minutes later the system has been updated, a ZFS snapshot of my original system has been made and the grub menu automatically updated to add a new boot image.  All I need to do now is reboot.  This is where the pain started.  After the initial Solaris banner, the system simply reset itself repeatedly.

Luckily, thanks to the snapshot, I can still choose the original boot environment from the GRUB menu.

Thanks to the great community of OS Ambassadors within Sun, I had my solution within hours as posted at this forum.

• beadm list
• pfexec beadm mount <my boot env> /mnt
• pfexec /mnt/boot/solaris/bin/update_grub -R /mnt

Final step was getting my favorite Gnome theme to help my Solaris box look more like a Mac and place the close widget in the upper left corner where God and Steve Jobs intended it to be.

Finally, if you are a Linux user and unfamiliar with the "pfexec" command, see Glenn Brunette's blog about the benefits of pfexec vs. sudo.

I added some additional YouTube video links to my blog on enhancements for Intel in Solaris 10 and OpenSolaris. 

Many of you have heard that Solaris 10 and open-source OpenSolaris runs on both SPARC and X86/X64 architectures.  You probably even know Solaris is available on both AMD and Intel processors in Sun servers as well as non-Sun platforms. In fact, Dell, IBM and Fujitsu/Siemens are Solaris OEMs on their platforms. You may even know that Solaris has set a number of world record benchmarks for scalability and performance on the Intel processor.  But do you really know how we did it? 

Sun and Intel work together on a number of areas in the Solaris OS and development tools including:

• I/O optimizations
• Scalability and performance
  
• Power Management
  
• Compiler optimizations
• Virtualization enhancements
• Fault Management
  

There are a number of resources available where you can learn why Solaris is a great choice on Intel XEON processors.

• Sun and Intel webcast
• Intel projects at OpenSolaris.org
  
• Solaris on Xeon whitepaper
• Solaris 10 05/08 and Intel enhancements video 
• OpenSolaris and Intel YouTube video produced by Intel 
• CPU Power management
• Episode #1 – Why Intel and OpenSolaris?
  
• Episode #2 – Power Management
• Episode #3 - Getting instant performance boosts
  
• Episode #4 – Predicitive Self-Healing
  
• Episode #5 – Virtualization
  
• Episode #6 – I/O Acceleration Technology
  

These are just a few of the projects that make Solaris run better than any other OS on Intel Xeon based processors.  Many more have been completed or are planned in the future including enhancement specifically for the Intel Nehalem microarchitecture

Download Solaris 10 or OpenSolaris today and try it out on your favorite Intel based PC, Server or Virtual Machine.

Like most System Engineers at Sun, I'm often called upon to demonstrate Sun's technology especially Solaris 10 and Sun Ray thin clients.  In the past, demonstrating Sun Rays meant bringing a customer into our Sun office OR setting up a network server and device at the customer's location. 

To make this much easier, I decided to follow the example of others and turn my Sun issued MacBook Pro into a Sun Ray server.  As a result of this configuration, I can set two devices on my customer's desk with only one ethernet cord and no power cords (have to keep those batteries charged) to display the power of the Sun Ray thin client.  I also have a configuration (thanks to Matt) the provides a multi-level Solaris environment via Solaris 10 Trusted Extensions along with the ability to display an MS Windows desktop using Win2003 running in a separate virtual machine on the same Mac.  Very Cool!

To do this I needed:

• A MacBook Pro (mine is running 10.5.4)
• VMware Fusion 1.1.3 (unfortunately Virtual Box does not yet support bridged networing on MacOS X)
  
• Solaris 10 05/08 (free download available)
  
• Sun Ray Server Software 4.0
• Patch 127554-02
• A General Dynamics Tadpole Comet 15 mobile thin client (or other Sun Ray compatible device)
  

Here's how I did it:

• Install Solaris 10 using VMware Fusion and these settings.
  
• 1024 MB of RAM
• Bridged networking
• Install the Solaris 10 Entire Distribution
• Configur the Solaris IP address as 192.168.1.3
  
• Download the Sun Ray Server Software (it's free)
• unpack the downloaded tar image, this creates a directory srss_4.0
• install the apache tomcat server.  In my case:
• su
• cd /opt
• tar xvf /Documents/srss_4.0/Supplemental/Apache_Tomcat/apache-tomcat-5.5.20.tar
• mv apache-tomcat-5.5.20 apache-tomcat
  

• install Sun Ray Server Software

• cd ~jlaurent/Dcouments/srss_4.0
• ./utinstall  (installs the Sun Ray server tools in /opt/SUNWut)
  
• patchadd 127554-02
• reboot
• PATH=$PATH:/opt/SUNWut/sbin
• Use utadm to add the 192.168.1.0 subnet as a shared Sun Ray network.  Make sure to choose the option to offer IP addresses.
  

 # utadm -A 192.168.1.0
### Configuring /etc/nsswitch.conf
### Configuring Service information for Sun Ray
### Disabling Routing
  Selected values for subnetwork "192.168.1.0"
    net mask:           255.255.255.0
    no IP addresses offered
    auth server list:   192.168.1.3
    firmware server:    192.168.1.3
  Accept as is? ([Y]/N): n
  new netmask: [255.255.255.0]
  Do you want to offer IP addresses for this subnet? (Y/[N]): y
  new first Sun Ray address: [192.168.1.245]
  number of Sun Ray addresses to allocate: [10]
  auth server list:     192.168.1.3
To read auth server list from file, enter file name:
Auth server IP address (enter <CR> to end list):
If no server in the auth server list responds,
should an auth server be located by broadcasting on the network? ([Y]/N):
  new firmware server: [192.168.1.3]
  new router: [192.168.1.1]
  Selected values for subnetwork "192.168.1.0"
    net mask:           255.255.255.0
    first unit address: 192.168.1.245
    last unit address:  192.168.1.254
    auth server list:   192.168.1.3
    firmware server:    192.168.1.3
    router:             192.168.1.1
  Accept as is? ([Y]/N): y
### Configuring firmware version for Sun Ray
### Successfully enabled tftp for firmware downloads
        All the units served by "sunray" on the 192.168.1.0
        network interface, running firmware other than version
        "4.0_127553-02_2008.03.06.15.04" will be upgraded at their next power-on.

### Configuring Sun Ray Logging Functions
### Turning on Sun Ray LAN connection

NOTE: utrestart must be run before LAN connections will be allowed

DHCP is not currently running, should I start it? ([Y]/N): y

• utrestart -c
• utconfig
  

Configuration of Sun Ray Core Services Software

This script automates the configuration of the Sun Ray Core Services
software and related software products.  Before proceeding, you should
have read the Sun Ray Core Services 4.0 Installation Guide and filled
out the Configuration Worksheet.  This script will prompt you for the
values you filled out on the Worksheet.  For your convenience, default
values (where applicable) are shown in brackets.

Continue ([y]/n)? y
Enter Sun Ray admin password:
Re-enter Sun Ray admin password:

Configure Sun Ray Web Administration? ([y]/n)?
Enter Apache Tomcat installation directory [/opt/apache-tomcat]:
Enter HTTP port number [1660]:
Enable secure connections? ([y]/n)?
Enter HTTPS port number [1661]:
Enter Tomcat process username [utwww]:
Enable remote server administration? (y/[n])?

Configure Sun Ray Kiosk Mode? (y/[n])? y

Enter user prefix [utku]:

Enter group [utkiosk]:

Enter userID range start [150000]:

Enter number of users [25]:
Configure this server for a failover group? (y/[n])?
About to configure the following software products:

Sun Ray Data Store 3.0
    Hostname: sunray
    Sun Ray root entry: o=utdata
    Sun Ray root name: utdata
    Sun Ray utdata admin password: (not shown)
    SRDS 'rootdn': cn=admin,o=utdata

Sun Ray Web Administration hosted at Apache Tomcat/5.5.20
    Apache Tomcat installation directory: /opt/apache-tomcat
    HTTP port number: 1660
    HTTPS port number: 1661
    Tomcat process username: utwww
    Remote server administration: Disabled

Sun Ray Core Services 4.0
    Failover group: no
    Sun Ray Kiosk Mode: yes

Sun Ray Kiosk Mode 4.0
  User name prefix:   utku
  Base user ID:       150000
  Number of accounts: 25
  Kiosk group name:   utkiosk
  Kiosk group ID:     auto

Continue ([y]/n)? y
Updating Sun Ray Data Store schema ...
Updating Sun Ray Data Store ACL's ...
Creating Sun Ray Data Store ...
Restarting Sun Ray Data Store ...
Starting Sun Ray Data Store daemon .
Wed Jul  2 11:02 : utdsd starting

Loading Sun Ray Data Store ...
Executing '/usr/bin/ldapadd -p 7012 -D cn=admin,o=utdata' ...
adding new entry o=utdata
adding new entry o=v1,o=utdata
adding new entry utname=sunray,o=v1,o=utdata
adding new entry utname=desktops,utname=sunray,o=v1,o=utdata
adding new entry utname=users,utname=sunray,o=v1,o=utdata
adding new entry utname=logicalTokens,utname=sunray,o=v1,o=utdata
adding new entry utname=rawTokens,utname=sunray,o=v1,o=utdata
adding new entry utname=multihead,utname=sunray,o=v1,o=utdata
adding new entry utname=container,utname=sunray,o=v1,o=utdata
adding new entry utname=properties,utname=sunray,o=v1,o=utdata
adding new entry cn=utadmin,utname=sunray,o=v1,o=utdata
adding new entry utname=smartCards,utname=sunray,o=v1,o=utdata
adding new entry utordername=probeorder,utname=smartCards,utname=sunray,o=v1,o=utdata
adding new entry utname=policy,utname=sunray,o=v1,o=utdata
adding new entry utname=resDefs,utname=sunray,o=v1,o=utdata
adding new entry utname=prefs,utname=sunray,o=v1,o=utdata
adding new entry utPrefType=resolution,utname=prefs,utname=sunray,o=v1,o=utdata
adding new entry utPrefClass=advisory,utPrefType=resolution,utname=prefs,utname=sunray,o=v1,o=utdata

Added 18 new LDAP entries.

Creating Sun Ray Core Services Configuration ...
Adding user account for 'utwww' (ut admin web server user) ...done
Sun Ray Web Administration enabled to start at system boot.
Starting Sun Ray Web Administration...
See /var/opt/SUNWut/log/utwebadmin.log for server logging information.

Unique "/etc/opt/SUNWut/gmSignature" has been generated.

Restarting Sun Ray Data Store ...
Stopping Sun Ray Data Store daemon
Sun Ray Data Store daemon stopped
Starting Sun Ray Data Store daemon .
Wed Jul  2 11:02 : utdsd starting
Adding user admin ...
User(s) added successfully!

Creating new Sun Ray Kiosk Mode configuration ...

Validating new user ids.
Validating new user accounts.
Creating kiosk group utkiosk
Configuring new kiosk user accounts:
.........................
25 users configured

***********************************************************
The current policy has been modified.  You must restart the
authentication manager to activate the changes.
***********************************************************
Configuration of Sun Ray Core Services has completed.  Please check
the log file, /var/adm/log/utconfig.2008_07_02_11:01:42.log, for errors.

In MacOS

• Apple Menu > System Preferences > Network
• Location > Edit Locations
• Click the '+' Sign to create a new location and name it.
• Click on Ethernet
• Configure Manually
• IP address 192.168.1.1
• Netmask 255.255.255.0
• Click Apply
• Turn your Airport Wireless connection OFF. (This appears to interfere with the networking path to Solaris)
  

Connect the Sun Ray device directly to the Mac with a single ethernet cord.  No hub required.

If you have done this correctly, when you power on the Sun Ray device it will get an IP address from Solaris and display a login screen.

Access the Sun Ray web based management tool by pointing your browser to http://localhost:1660

Virtual Box 1.6 has been released and is no longer in beta for MacOS X.  One of the advertised features is the ability to import VMDK image files from VMware into Virtual Box.  Being the eternal optimist, I decided to try it.  How long could it take?  A few minutes maybe?  I have quite a few different VMs in Fusion and did this with Solaris 10 08/07.

Virtual Box is:

• a type 2 hypervisor
• Free
• Open Source
• supported on a variety of host OSes (Windows, Linux, Macintosh and OpenSolaris)
• capable of running a variety of guest OSes
• now owned and being developed by Sun Microsystems as part of the open source xVM family of virtualization products

The first part was easy. Extract the VMDK file and import it into Virtual Box

• Right click on your chosen VM.  Choose "Show Package Contents"
• Find a file with a .vmdk suffix.  Click once to select
• Command-D (duplicate it) Wait a few minutes while Mac OS copies the multi-GB file
• Drag the copied file to another location
• Start Virtual Box
• File > Virtual Disk Manager
• Click Add.  Locate and select the copied .vmdk file. Click OK.
• Create a New VM as usual using the added vmdk file
• Boot the VM
  

That should have been it, right?  Unfortunately, after seeing the grub screen and attempting to boot Solaris, I entered an infinite loop of rebooting OS.  Obviously, it's mostly working but something is still wrong.  Luckily, inside of Sun, we archive our mail aliases and Rudolf Kutina had already posted a solution to the problem.

The rebooting sequence resulted from the fact that VMware Fusion emulates SCSI disks (c0t0d0s0) while VBox emulates IDE disks (c0d0s0).  Because of this, the Solaris device trees and vfstab mount entries are not correct.  Rudolf's solution is not for the weak of heart but DOES work.  After all, it's all just a virtual machine and if I screw it up, I just make another copy.  What have you got to lose?

1. Boot into Solaris Safeboot mode. You can get access at the Grub menu, usually is the 2nd or 3rd option.
2. Mount the found Solaris partition on /a , Safeboot will usually find the slice on the disk with Solaris and ask if you want it to mount on /a. Select Yes.
3. Move /a/dev, /a/devices, and /a/etc/path_to_inst to another name (I just append .orig) and then create new directories, (mkdir) /a/dev and /a/devices, and touch file /a/etc/path_to_inst.
4. Run "devfsadm -r /a" to rebuild the device tree
5. set TERM so we can use 'vi', TERM=vt100; export TERM
   
6. Now we need to fix boot disk patch changes Edit /a/boot/solaris/bootenv.rc and fix the line with "setprop bootpath '/pci@0,0....' to match the path you'll find mounted for /a (i.e. run a 'df -k' command, and you should see /a mounted from /dev/dsk/c1d0s0 or something, then run 'ls -l /dev/dsk/c1d0s0' or whatever your device listed was, and you should see the actual link point to ../../devices/pci@0,0/...ide..)
7. Fix also disk naming in /a/etc/vfstab to match IDE "c0d0sx" scheme. Change each instance of c1t0d0s0 to c0d0s0 etc.
8. Recreate archive "bootadm update-archive -v -R /a" to rebuild the boot-archive on /a
9. Force to reconfigure on next boot with 'touch /a/reconfigure'
10. Delete /etc/dhcp.e1000g0 /etc/hostname.e1000g0 create /etc/dhcp.pcn0.
11. Run "cd /; sync; sync; sync; umount /a"
12. reboot with 'init 6'
    

Enjoy your new Virtual Box machine.

Instructions are also available for importing a Windows XP .vmdk file to Virtual Box.

You may have seen my earlier blog entry on myths and facts about swap space in which I mentioned that ZFS file systems cannot be used for swap files.

# cd /zpool1
# mkfile 10g swapfile
# swap -a /zpool1/swapfile
"/zpool1/swapfile" may contain holes - can't swap on it.

You can, however, use zvols to add swap space onto a ZFS pool:

#
# Add swap partition in the /export/home zfs partition
#
echo "adding zfs swap"
if [ ! -L /dev/zvol/dsk/export/swap ]
then
       echo "creating swap area"
       zfs create -V 1gb export/swap
fi
echo "/dev/zvol/dsk/export/swap -  -  swap  -  no   -" >> /etc/vfstab
/usr/sbin/swap -a /dev/zvol/dsk/export/swap
 

 Thanks to Jim Litchfield for pulling this info from the documentation for zpool

 

Solaris 10 5/08 is now available on the Sun Download center.  It's free for commercial use and based on an open source development project. Watch this video by Larry Wake of Solaris Marketing team to learn what's new.

 

Solaris 10 has become the first Unix or Linux Operating System to receive IPv6 Certification from the DoD Joint Interoperability and Test Command (JITC).  JITC is the DoD organization responsible for validating products for use in the US DoD.  This most recent certifcation of Solaris for IPv6 standards extends our earlier IPv6 logo certification performed at the University of New Hampshire Interoperabity Lab.

Solaris is the ONLY product currently listed in the "Advanced Server" Category.  Testing was completed on SPARC as well as x86/x64 platforms.

Why should you care?

Sun's continuing commitment to standards in support of the Federal Government means that our customers will be able to move quickly into their transition to the next generation of the internet.

If you'd like to try out Solaris 10 or our next generation of Solaris, known as Solaris Express, they are both available via free downloads and include free right-to-use license.  If you are not sure of the difference between the various Solaris editions, please see my earlier blog entry.

 

I'm often asked the relationship between the various Solaris named products that Sun provides.  Here is my view on them:

OpenSolaris is a SOURCE code project at opensolaris.org from which a number of actual products may be derived including:

• Portions of Solaris 10
• Solaris Express and SX Dev. Edition
• xVM Server
• Project Indiana

Solaris Nevada is the portion of Open Solaris community code that includes only the kernel (OS and Networking consolidations). Running uname on this build indicates SunOS 5.11.

Solaris Express Community Edition is Sun's binary release for OpenSolaris developers (code named "Nevada"). It is built from the latest OpenSolaris source and additional technology that has not been published in the OpenSolaris source base. This release is unsupported. Developers can build the OpenSolaris source by using this release as the base system. It is updated every other Friday.

Solaris Express Developers Edition, includes Solaris Express Community Edition along with the development tools (Netbeans, Studio etc) in a single installation to simplify life for developers. The Developer Edition is released every three to four months and replaces the Solaris Express monthly release.

Project Indiana is currently in preview edition two.  The OpenSolaris Developer Preview is the first milestone of Project Indiana. It is a single CD combined live/install image: a core operating system, kernel, system libraries, a desktop environment and a package management system. It is not a final release and is intended for developers to try, test, and provide feedback.

Solaris 10 is our enterprise ready, supported version of Solaris.  It is updated less frequently and provdes a stable platform for deployment of long term applications.
 

They are ALL free to download use in a production environment.  If you need support for Solaris 10 you can choose from a variety of Solaris 10 subscriptions on Sun or non-Sun hardware (Sparc, Intel or AMD based).

Update:  Our own architect of Solaris 10 Trusted Extensions corrected me on my statements about MLS capability and Type Enforcement.  I've corrected my table.  Glenn writes in a comment:

It isn't accurate to state that Type Enforcement enables multilevel security. Although you could define relationships between various types that have similar semantics to Bell & Lepadula rules, this is not practical in general. Types, unlike sensitivity labels, don't have implicit hierarchical relationships. Instead the flexibility of the relationships between types is seen as an advantage over the more rigid MLS rules.

One reason this is confusing is that FLASK in SELinux supports both Types and MLS labels, whereas the Solaris implementation of FLASK will just focus on Types since MLS labels are already associated with zones.

 -----

Great News! 

One of the benefits of open sourcing Solaris is the ability to take advantage when "Innovation Happens Elsewhere" (to quote Sun co-founder Bill Joy).  One of the innovative projects that originated elsewhere is an implementation of Type Enforcement (aka "Flask") for OpenSolaris.  Type Enforcement is a form of Mandatory Access Control that has already appeared in the Security Enhanced Linux project first developed at NSA.  SELinux has worked its way from a science project into major Linux distributions today.

What does this mean for Open Solaris?

• First, it means that we have active development and external contributions to the OpenSolaris community.
  
• Secondly, it means that (when completed), customers and governments who prefer the Type Enforcement to Sun's own Solaris 10 Trusted Extensions model, will have that choice without having to give up the other advanced features of Solaris.

Who is doing this work?

• Stephen Smalley is a researcher at the NSA who has published a number of papers on Type Enforcement and the Security Enhanced Linux project
• John Weeks is an engineer in Sun Federal who has worked for years in the government and security realms. 

When can I get it?

The project has only recently been created at in the OpenSolaris security community.  The source code has yet to be written and posted.   Nothing has been integrated in to the next version (Nevada) of the Solaris kernel yet and there are no plans yet for it to be in Solaris 10.  As the project progresses it may be fully integrated into the Nevada kernel and eventually find its way into a commercial release of Solaris.  Join the community to keep up to date on the latest information.

How will Type Enforcement complement the current Solaris security model?

Read Glenn Faden's most recent blog entry.

Why should I care?

If you have been looking at using SELinux in your project, you should join the community and contribute your comments, feedback, testing and even code to the project creating a better Solaris.

 

 I received this question from a customer today:

We are looking into Solaris or Unix conferences that are held yearly (such as the MS tech net conference) that you feel are worthwhile for learning or finding out cutting edge news. 

Are there any you would recommend or is there a schedule with prices you could direct me to?

I have a number of suggestions but I'm certain that others out there have their own favorites.  Here's my list. 

• JavaOne 
  
• Sun Tech Days 
  
• Locally run OpenSolaris user's groups
  
• OSCON: Open Source Convention (Sun is a platinum sponsor)
  
• Usenix sponsored conferences
  
• LISA 
  

Have your own favorite conference?  Jump into the comments section and let us all know about it.

Why should you care? 

To quote Sy Sims, "An educated consumer is our best customer."

Go out and get educate.  Some of the brightest and most enthusiastic Sun Engineers speak and attend many of these conferences.

As an OS Ambassador at Sun, I have spoken hundreds of times around the country about the Dynamic Tracing facility built in (no extra charge) to Solaris 10 since 2005 and part of the Open Solaris community.  I've described it as a "CAT Scan" into the system when we previously only used X-Ray.  I've said that this allows us to be good doctors (healing the sick) rather than coroners (diagnosing the dead).

Many customers, however, are put off by the programming language or 400 page manual that describes DTrace, however and therefore never really get started.  They don't always realize that we have enhanced PostgreSQL, Ruby, Java, PHP and other higher level languages to make good use of DTrace.  They haven't felt the power of being able to root cause any problem in their system.

While DTrace will never be an "Easy" or "Go Fast" button for your system, there are a number of tools that make it more palatable to the casual user.

Dtrace Toolkit

This collection of pre-written scripts provide some easy tools for collecting the type of data that  system administrators are starving for.

DExplorer

DExplorer automatically runs a collection of DTrace scripts to examine many areas of the system, and places the output in a meaningful directory structure that is tar'd and gzip'd.

Chime Visualization tool

Chime is a graphical tool for visualizing DTrace aggregations. It provides an alternative to similar CLI-based tools (such as intrstat) that is more visually appealing and potentially more useful. In particular, its ability to display data over time adds a missing dimension to system observability. Among its recent new features is the ability to display moving averages.

DTrace NetBeans GUI Plugin

Graphical User Interface (GUI) for running DTrace scripts that can be installed into the Sun Studio 12 IDE, NetBeans IDE 5.5, NetBeans IDE 5.5.1, and NetBeans IDE 6.0.

DTrace BidAdmin community

Includes a collection of tips, tricks, documentation and discussions on DTrace

Why should you care?

Want to be a hero?  Use DTrace to determine why your system isn't working properly.  Save you boss money.  Get more transaction through your systems.  We've done this at a number of customers on live, production systems and you can to.  Download the free DTrace Toolkit today and get started.

PS.  For those who think that System Tap in the Linux community is "just like DTrace," see Adam's rebuttal.

 

Update 2/28: Made some minor corrections.  Provided an English and high quality version of the German video.  Added a ZFS GUI screenshot and instructions.  Added a link to Constantin's ZFS and Virtual Box blog entry.

---

This week I am at "Immersion Week" in suburban Chicago.  Immersion Week is an annual training event for Sun Technical staff in the field sales and professional services organizations.  Included in our "goodie bags" was a USB hub and three USB memory sticks along with the suggestion that we use them to demonstrate the open source ZFS file system included with Solaris 10.

Being a Solaris (and Mac) propeller head and fueled by a few Coronas, I found it hard to refuse this challenge. For an advanced version of this, check out this YouTube video (high quality MP4 version) from my colleagues across the pond.  Here are the steps that I followed.

System under test:  MacBook Pro running MacOS 10.5.2, VMware Fusion 1.1.1 and Solaris 10 08/07.

 1. Enable USB device access per the VMware Fusion instructions: 

1	Open the virtual machine without powering it on. You cannot configure the USB controller while the virtual machine is powered on.

2	Choose Virtual Machine > Settings or click the Settings button in the toolbar to open the virtual machine Settings sheet.

3	Select + and Add USB controller.

4	Select one or both of the options:

•	Enable USB 2.0 Support

•	Automatically Connect USB Device

5	Click Apply.

2. Boot the Solaris VM. Login. Open a Solaris terminal window.  Assume root privileges.  Disable the Volume Management service volfs.  This prevents Solaris from automounting the removable disks. This stays in effect across reboots until you "enable" it.

    svcadm disable volfs 

3. Insert the USB hub with 3 sticks into the Mac's USB port

4. Fusion menus: Virtual Machine > USB > Connect ....  for each of the 3 USB devices.  This "grabs" them away from MacOS into Solaris control.

5. Find out the device names for the three USB disks:

# rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c0t0d0p0
        Physical Node: /pci@0,0/pci-ide@7,1/ide@1/sd@0,0
        Connected Device: NECVMWar VMware IDE CDR10 1.00
        Device Type: DVD Reader/Writer
     2. Logical Node: /dev/rdsk/c2t0d0p0
        Physical Node: /pci@0,0/pci15ad,790@11/pci15ad,770@2/storage@1/disk@0,0
        Connected Device: CBM      Flash Disk       5.00
        Device Type: Removable
     3. Logical Node: /dev/rdsk/c3t0d0p0
        Physical Node: /pci@0,0/pci15ad,790@11/pci15ad,770@2/storage@2/disk@0,0
        Connected Device: USB      Flash Disk       1100
        Device Type: Removable
     4. Logical Node: /dev/rdsk/c4t0d0p0
        Physical Node: /pci@0,0/pci15ad,790@11/pci15ad,770@2/storage@3/disk@0,0
        Connected Device: CBM      Flash Disk       5.00
        Device Type: Removable

6.  Create a zpool using RAID Z on the three devices.

# zpool create usbdisk raidz c2t0d0p0 c3t0d0p0 c4t0d0p0
invalid vdev specification
use '-f' to override the following errors:
raidz contains devices of different sizes

Wasn't that nice of ZFS to warn us!

# zpool create -f usbdisk raidz c2t0d0p0 c3t0d0p0 c4t0d0p0
# # zpool status

  pool: usbdisk
 state: ONLINE
 scrub: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        usbdisk       ONLINE       0     0     0
          raidz1      ONLINE       0     0     0
            c3t0d0p0  ONLINE       0     0     0
            c2t0d0p0  ONLINE       0     0     0
            c4t0d0p0  ONLINE       0     0     0

errors: No known data errors

# zpool list
NAME                    SIZE    USED   AVAIL    CAP  HEALTH     ALTROOT
usbdisk                 360M     91K    360M     0%  ONLINE     -

7.  Now lets have some fun......

8. Create a 5 MB file

cd /usbdisk
mkfile 5m test
# ls -l
total 10245
-rw------T   1 root     root     5242880 Feb 27 23:43 test
# du -ak
5122    ./test
5124    .

Notice how du and ls agree on sizes.

9. Enable compresssion

zfs set compression=on usbdisk
# pwd
/usbdisk
# mkfile 5m testcompression
# ls -l
total 10246
-rw------T   1 root     root     5242880 Feb 27 23:43 test
-rw------T   1 root     root     5242880 Feb 27 23:48 testcompression
# du -ak
5122    ./test
0       ./testcompression
5124    .

 Notice that ls shows a 5 MB file but du -ak shows a zero size file because zero filled files compress so well.

10.  Now remove one of the USB memory sticks from the hub and attempt to create file.

# mkfile 5m test2
# zpool status

  pool: usbdisk
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-9P
 scrub: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        usbdisk       ONLINE       0     0     0
          raidz1      ONLINE       0     0     0
            c2t0d0p0  ONLINE       0     0     0
            c3t0d0p0  ONLINE       0   156     0
            c4t0d0p0  ONLINE       0     0     0

errors: No known data errors

zpool status reports that although a device is missing, data is intact.

Re-insert the removed memory stick and...

# zpool scrub usbdisk
# zpool status

  pool: usbdisk
 state: ONLINE
status: One or more devices has experienced an unrecoverable error.  An
        attempt was made to correct the error.  Applications are unaffected.
action: Determine if the device needs to be replaced, and clear the errors
        using 'zpool clear' or replace the device with 'zpool replace'.
   see: http://www.sun.com/msg/ZFS-8000-9P
 scrub: resilver completed with 0 errors on Thu Feb 28 00:37:03 2008
config:

        NAME          STATE     READ WRITE CKSUM
        usbdisk       ONLINE       0     0     0
          raidz1      ONLINE       0     0     0
            c2t0d0p0  ONLINE       0     0     0
            c3t0d0p0  ONLINE       0   254     0
            c4t0d0p0  ONLINE       0     0     0

errors: No known data errors
# zpool clear usbdisk
# zpool status

  pool: usbdisk
 state: ONLINE
 scrub: resilver completed with 0 errors on Thu Feb 28 00:37:03 2008
config:

        NAME          STATE     READ WRITE CKSUM
        usbdisk       ONLINE       0     0     0
          raidz1      ONLINE       0     0     0
            c2t0d0p0  ONLINE       0     0     0
            c3t0d0p0  ONLINE       0     0     0
            c4t0d0p0  ONLINE       0     0     0

errors: No known data errors

zpool scrub examines all data in the specified pools to verify that it checksums correctly. For  replicated  (mirror  or raidz)  devices,  ZFS  automatically  repairs any damage discovered during the scrub.

11.  Now for some real fun with export and import.

# cd /
# zpool export usbdisk
# zpool list

Note that the pool usbdisk is no longer listed.  Remove all three memory sticks.  Mix them up.  Re-insert them.

# zpool import
  pool: usbdisk
    id: 13155150575270542445
 state: ONLINE
action: The pool can be imported using its name or numeric identifier.
config:

        usbdisk       ONLINE
          raidz1      ONLINE
            c2t0d0p0  ONLINE
            c4t0d0p0  ONLINE
            c3t0d0p0  ONLINE
# zpool import usbdisk
# zpool status
 
  pool: usbdisk
 state: ONLINE
 scrub: none requested
config:

        NAME          STATE     READ WRITE CKSUM
        usbdisk       ONLINE       0     0     0
          raidz1      ONLINE       0     0     0
            c2t0d0p0  ONLINE       0     0     0
            c4t0d0p0  ONLINE       0     0     0
            c3t0d0p0  ONLINE       0     0     0

errors: No known data errors

Notice how politely, ZFS tells you the name of the pool (even if you forgot it) and asks you to import it by name.  It doesn't matter that the actual "disks" have changed location.

12.  Transfer the disks to another systems (in this case a MacOS system). First note the files that exist and then export the file system. 

 On the Solaris system....

# ls -l
total 20473
-rw------T   1 root     root     5242880 Feb 28 00:32 test
-rw------T   1 root     root     5242880 Feb 28 00:49 testcompression
# du -a
10236   ./test
1       ./testcompression
20477   .
# cd /
# zpool export usbdisk

Shutdown the virtual machine and exit VMware to avoid confusion. Remove the USB hub from the Mac.

Now on Mac OS X 10.5 Re-insert the USB hub. MacOS X Finder produces an error: "Disk inserted was not readable by this computer."

Click "Ignore." Open the MacOS X terminal applications.

$ sudo -s
Password:
bash-3.2# zpool import
  pool: usbdisk
    id: 13155150575270542445
 state: ONLINE
status: The pool is formatted using an older on-disk version.
action: The pool can be imported using its name or numeric identifier, though
    some features will not be available without an explicit 'zpool upgrade'.
config:

    usbdisk     ONLINE
      raidz1    ONLINE
        disk4   ONLINE
        disk3   ONLINE
        disk5   ONLINE
bash-3.2# zpool import usbdisk
bash-3.2# cd /Volumes/usbdisk
bash-3.2# ls
test        testcompression
bash-3.2# du -a
10236    ./test
1    ./testcompression
10241    .
# zfs get all usbdisk
NAME     PROPERTY       VALUE                  SOURCE
usbdisk  type           filesystem             -
usbdisk  creation       Thu Feb 28  0:32 2008  -
usbdisk  used           5.14M                  -
usbdisk  available      200M                   -
usbdisk  referenced     5.03M                  -
usbdisk  compressratio  1.00x                  -
usbdisk  mounted        yes                    -
usbdisk  quota          none                   default
usbdisk  reservation    none                   default
usbdisk  recordsize     128K                   default
usbdisk  mountpoint     /Volumes/usbdisk       default
usbdisk  sharenfs       off                    default
usbdisk  checksum       on                     default
usbdisk  compression    on                     local
usbdisk  atime          on                     default
usbdisk  devices        on                     default
usbdisk  exec           on                     default
usbdisk  setuid         on                     default
usbdisk  readonly       off                    default
usbdisk  zoned          off                    default
usbdisk  snapdir        hidden                 default
usbdisk  aclmode        groupmask              default
usbdisk  aclinherit     secure                 default
usbdisk  canmount       on                     default
usbdisk  shareiscsi     off                    default
usbdisk  xattr          on                     default
usbdisk  copies         1                      default

Like magic, the USB-based ZFS array is now accessible (read-only) to MacOS X 10.5.  A future update is expected to support R/W access. The compression property is still turned on as it was in Solaris.

PS.  I tried mounting the devices in Solaris using Virtual Box by Innotek (recently acquired by Sun).  This software for MacOS X is currently in Beta test.  I received some rather nasty messages about: Failing to create proxy device for USB device.  Virtual Box also runs on Linux, Windows and OpenSolaris hosts.

 See here what Constantin has done with Virtual Box on Open Solaris with ZFS.

Using the ZFS GUI.

I used the command line but ZFS also has a fully capable browser interface.  To use it the webconsole service must be enabled:

 

# svcadm enable webconsole

Point your browser to:  https://localhost:6789.  Login with the root username and password.

For those who think Solaris is dead and "Linux" will take over the world, a recent survey by Forrester Research (NOT paid for by Sun) points out that Solaris is one of the top three "strategic" OS platforms. This shows the value of communities and openness in the software space.  More about this at Jonathan Schwartz blog.

Some interesting quotes include:

Solaris is back on the winner's podium. Sun Solaris has regained its "historical significance" in European financial services.

Linux has lost traction.

Pure J2EE is still strategically very important.
 

Want to get Solaris for free?  Download Solaris 10 today or participate in the OpenSolaris community. 

Sun invites you to read the independent Forrester report titled "European Financial Services Architecture Shows Clear Strategic Direction"(January 2008) in which Forrester reports Solaris as one of the top 3 most strategically positioned operating systems in European Financial Services Firms.

The internet is a wonderful egalitarian place where everyone can have their say.  Who am I to complain?  I get to put my information up here on blogs.sun.com and actually asked for corrections and comments regarding my comparison chart between Solaris 10 and RHEL 5.  Naturally, I got some comments and corrections.  Information week picked it up on Jan 2nd (must have been a slow holiday in the old newsroom.)  Today, while googling a totally unrelated topic (I wasn't googling myself, I promise) I ran across an entry titled: So Mr. Laurent, Solaris is all that *and* a bag of chips?

Written by "Spencer Shimko, Real Genius" who describes himself as "the source of this dribble." Spencer is currently working with technologies related to security and SELinux for Tresys Technology, LLC. We always like to thank and credit those who comment an help improve our information.

While I fully admitted my Solaris bias in creating the chart, I did try to be as complete and factual as I could.  I hardly think that I fit his description of Sun Guys who are (expletives deleted.)

I do have to take issue with some of his counterpoints however:

Platform support.  Mr. Shimko seems to be implying that I'm playing fast and loose with HW and SW support numbers.  I try to deal in facts and tried only to quote numbers that I could verify. Both Sun and RHAT have issues here because ISVs are so darn "Independent!"  They don't always tell vendors when they port a product to a platform and the information that they provide us changes rapidly and is not always accurate. I had to work with numbers at Sun's and RHATs ISV pages because for me to make up any other number for would truly be lying.  As far as his reference to 3000 RHEL applications, my comparison is only with RHEL 5.  Because they don't guarantee binary compatibility and vendors don't always support the latest OS version, I refuse to extrapolate all available RHEL apps to be available for RHEL 5.

Life cycle support.  While we might argue about what "support" and updates" consist of, I can provide a number of examples of our actual timelines for the last 4 EOL versions. It's true that our Solaris lifecycle page quotes 10 years, but as you can see, support lifespans range from 10-12 years.  This varies based upon customer "acceptance" of OS versions.  Solaris 8 was heavily adopted and Solaris 10 even more so and may end up with a lifespan longer than 12 years.  You can see from this that Sun has a long history of extended life cycle support for our OS.

OS Version	First shipped	End of phase one support	End of phase two support
Solaris 8	Feb 2000	March 2009	March 2012
Solaris 7	November 1998	August 2005	August 2008
Solaris 2.6	July 1997	July 2003	July 2006
Solaris 2.5.1	May 1996	Sept 2002	Sept. 2005

Commercial license costs.  Apparently there was no argument here.  Solaris just costs less than RHEL 5 and is available free for download and production use to all of our customers.

Subscription costs.  I was NOT attempting to compare the cheapest Solaris subscription to the cheapest RHEL subscription but the most comparable subscription level.  Solaris is cheaper at the enterprise level.

Unique OS Advanced technologies.  Mr. Shimko would like to remove certain items from the Solaris list such as binary compatibility guarantee, massive scalability, memory placement optimizations etc.  I could find no references to proof of these items in  RHEL 5.  Solaris, however, is proven in all these areas.  Even Linus Torvads admits that he would like to have ZFS in the Linux codebase.

Virtualization.  He calls Solaris zones "stupid, pointless," but I can assure you that a wide variety of enterprise customers including the US DoD find containers useful, easy and cost effective in their data center environments for consolidation of applications.

Application containment.  He predicts the death of Solaris Trusted Extensions and again disrespects containers.  Solaris TX, however, provide capabilities that SElinux cannot, that is a true multi-level Gnome (or CDE) desktop environment that can be displayed on an ulta-thin client.  This technology is currently going through a Protection Level 5 (highest) accreditation at a government customer.  I'll add here that because Solaris is developed using an open source process, the ability to add Type Enforcement is certainly there.  A little bird tells me that there may already be an effort underway to do just that.

Meanwhile, look forward to an updated version of the chart coming to a blog near you.  This time, we will be adding Windows 2003 server to the list since it is one of the OS platforms that Sun can sell and support now.

Thanks for listening and keep those cards and letters coming.

 

Glenn Brunette just published an excellent blog listing his 5 favorite Solaris security features.  Among the valuable quotes are:

• Solaris has had its auditing facility in place since Solaris 2.3, but I can't even begin to count how often I talk with people who do not know that it exists.  (I frequently get this question)
• Zones are IMHO one of the most significant security features in the Solaris 10 OS. Kernel and most user-land forms of root kits are essentially rendered non-effective when running your applications in a sparse-root non-global zone. (I even recommend to customer when only running one application on a box to run it in a local zone for enhanced security.)
• For those wanting something a little more advanced, you can use RBAC to implement a two-person (or four-eyes) access control scenario.  (An excellent recommendation for security conscious DoD customers

He also points you to a number of learning resources on Solaris:

• Solaris 10 Security Home Page
• Solaris 10 Security Learning Center
• Solaris 10 Security Best Practices
• Solaris Security Library
• Solaris Security Presentations
• OpenSolaris Security Community
• Sun Blogs (tagged Solaris + Security)

Why should you care?

You chose Solaris because of its stellar reputation for security.  Don't be "living in the 90s."  Take the time to learn the new features of Solaris 10 so that you can build and maintain a more robust and secure infrastructure for your organization.

If security is your main area of interest, join the OpenSolaris security community and participate.  Don't forget to get your free download of Solaris 10 or OpenSolaris for Sparc or X64 platforms.

I always get a little concerned when I walk into the office and my boss tells me, "Congratulations on being quoted in Information Week."  Although I admit my mind is still fuzzy from a week and a half away from work, I am positive that I never sat for an interview with an InfoWeek reporter.  Nonetheless, there is the article in black and white electrons under the title: Sun Shines In Solaris 10, Linux Comparison.  I guess I can't complain about the title can I?

This serves as a good reminder to us all what risks and potential problems can result from blog entries that are poorly written, researched or misrepresented.  Thankfully, although I admit that my original entry and the chart are not perfect, I haven't yet been accused of outright lies or propaganda.

As a Sun stockholder, I can't complain when the company gets more good publicity and attention driven to our products and services.

Read my original blog entry and see the Solaris vs. RHEL 5 comparison document.  Feel free to comment.

Bill Vass (SunFederal President and COO) also makes reference to this in his blog entry.

Thanks to Information Week for picking this up.

As an employee of Sun Microsystems Federal, my big boss is Bill Vass.  Bill recently posted a blog entry which references a comparison chart between Solaris 10 and Red Hat EL 5.  As the primary author of the comparison chart I felt that I should come out from behind the veil of my COO.  Admittedly, the list is composed from the point of view of a long time (12 years) Sun employee and Solaris ambassador.  Although I tried to be as complete as possible in collecting the relevant RHEL 5 information, there may be items that I missed.

Feel free to let me know where I made mistakes and provide your input and comments so that the list can continue to be as complete as possible.  It's somewhat like using the "open source" methodology to put many eyes on the code to ensure correctness.  Go ahead!  I can take it!

The general point of the chart should lead you to the conclusion that I've stated before, namely:

• Solaris costs less than Red Hat
• Solaris does more than Red Hat
• Solaris runs on more SPARC and X86/X64 platforms than Red Hat
• Solaris is developed as an open source project 

Download Solaris today or check out the OpenSolaris source code.  While you're at it, you might want to join the xVM community for open virtualization server and management development.

Why should you care?

There are a wide variety of products on which you can base you computing infrastructure.  Having the most complete and correct information can help you to make decisions based upon facts rather than religious factors.