Feature FAQs

Solaris Process Rights Management, introduced in the Oracle Solaris 10 Operating System, gives system administrators the ability to limit and selectively enable applications to gain access to just enough system resources to perform their functions. This capability dramatically reduces the possibility of attack from a poorly written application, by eliminating inappropriate access to the system. Even if hackers gain access to an application's server, they are unable to increase operating privileges, thus limiting the opportunity to inject malicious code or otherwise damage data.

Because Process Rights Management puts limits on the rights of any process, regardless of the user associated with the running process, a hacker who gains control over an application is similarly restricted.

A good example of this is a Web server. Normally on a UNIX system, Web servers must run as the “root” user (the system superuser) because of their usual requirement to connect to TCP port 80 (the privileged Web port). This means that the Web server is a great target for attacks; hackers can often gain full access to a server as the “root” user through a buffer stack overflow or other attack. With Process Rights Management, the Web server can be granted just one privilege other than that of a normal user—the ability to open a privileged port; a hacker will find they do not have additional privileges and thus cannot modify the security on the system or bypass it to access critical or private system resources.

Another good example is the Solaris Containers model. The groundbreaking Solaris Containers technology enables users to create dozens or even hundreds of secure, fault-isolated containers within a single Solaris instance. Solaris Containers are isolated from each other so that users or applications in one container cannot see or access contents in another container or in the global system environment. Process Rights Management helps ensure that applications—even those run with privileges—are constrained to access resources only in their own Solaris Containers.

Enhancements to the Solaris Role Based Access Control (RBAC) software, referred to in the Oracle Solaris 10 OS as the Solaris User Rights Management software, enable administrators to assign specific access rights to programs and commands for each user. This reduces the chance of administrative errors or accidental or malicious use of IT resources. User Rights Management is centrally managed to reduce costs and increase flexibility.

Thus, the Solaris RBAC software constrains a user's actions, and Process Rights Management constrains a process' capabilities.

Existing Solaris applications will continue to work unmodified, since they are typically unaware of the constraints placed on them by Process Rights Management. Developers may write applications to explicitly use privileges granted by Process Rights Management but this is not required.

Administrators can add Process Rights Management's functionality to existing applications by using the ppriv utility included in the Oracle Solaris 10 OS. With the ppriv utility, administrators can determine the privileges required by a process and can set those privileges without modifying the applications.

For maximum compatibility with customer applications, the system is designed to let applications behave as they have in the past although they are now additionally subject to privilege policies.

Process Rights Management is a feature of the Oracle Solaris 10 OS, included at no extra cost and enabled by default, always on and always working.

The Solaris OS development team looked closely at the experimental Linux privilege patches and other UNIX models. These existing solutions failed to offer the flexibility to work with existing customer file systems, required application recompiling, or were fixed in size, limiting, for example, the number of allowed privileges. Solaris Process Rights Management's privilege model also has the advantage of growing out of the proven, extensive capabilities of the Trusted Solaris Operating System.

Solaris Secure Execution prevents modified or unsigned code from running by verifying the integrity of the executable portion of almost all applications, drivers, and modules on a Solaris system.

Sun provides customers with the tools to sign their own or third-party applications with no additional changes needed. Manual signature verification is available today in the Oracle Solaris 10 OS, with automatic runtime verification planned for a future release.

The Solaris Basic Audit and Reporting Tool (BART) helps system administrators validate the integrity of data files and associated meta information such as file ownership and size. BART complements the Solaris Secure Execution technology by providing tools to monitor the integrity of all files on the system at any point in time. System administrators, using simple scripts, can automate integrity checks using BART.

The Solaris IP Filter firewall is firewall software that allows for stateful packet filtering. It can also be used to deliver network address translation (NAT) capabilities. IP Filter provides protection to a single server or a network of servers and clients. The IP Filter technology included in the Oracle Solaris 10 OS is based on the next-generation Version 4.x open source IP Filter. Enhancements made during the Solaris software development process have been placed back into the open source version of IP Filter.

The most popular packet filtering solution in use today is the open source IP Filter. Customers who deploy Linux or other UNIX operating systems don't want to deploy multiple solutions to obtain the same functionality. Sun has included IP Filter in the Solaris OS to meet the needs of these customers.

The Solaris IP Filter firewall offers these key benefits:

• Strengthens security in Solaris by preventing unauthorized access to private computers or networks
• Enhances the integrity of networks that contain Solaris systems
• Engineered to use stable interfaces to ensure high performance and easy manageability for Solaris software customers

It also provides the following capabilities:

• Network address translation (NAT): I/O packets going through NAT can have their source or destination IP address changed to mask the real address, based on configurable rules.
• Filtering: Packets can be allowed or not allowed into a network, based on configurable rules.
• Accounting: Rules can be set up to record the number of bytes and packets entering and leaving the network, allowing for statistical analysis.

Sun's IP Filter technology is different in a number of ways:

• Sun will fully support IP Filter deployed on Solaris servers, regardless of whether or not those servers are hosting Internet applications, protecting a network of internal servers, or protecting a single desktop client.
• Sun has incorporated performance enhancements and stability enhancements into IP Filter to ensure a high-quality customer experience.
• Sun is investigating continued improvements in both the IP Filter firewall and in the management of stateful packet filtering in general in the Solaris OS.

Labeling data based on its sensitivity and controlling access to that data based on the label is known as labeled security and is a capability introduced with the Solaris Trusted Extensions feature of the Oracle Solaris 10 Operating System. Because access to data, users, process, files, network packets, windows on the desktop and devices is enforced by the kernel and is based on the relationships of labels to each other, it is also known as a Mandatory Access Control (MAC) policy. Users and most privileged applications cannot override the Mandatory Access Control policy, ensuring a high degree of security to the system.

Trusted Extensions provides labeled security as a configuration of Oracle Solaris 10. Separation of data, processes, memory, network traffic, windowing elements, device allocation and more is enforced by a Mandatory Access Control Policy that defines the relationship and flow of data based on a security classification (called a label). This technology includes two multi-level desktops (Trusted CDE and Trusted Java Desktop System), multi-level printing, multi-level device allocation, multi-level networking, LDAP client naming services, multi-level file system use and a full multi-level API.

No. There is no extra cost or fee for use of Trusted Extension for either end-users or OEMs. Solaris Trusted Extensions is a feature introduced in the Oracle Solaris 10 11/06 Operating System update; it delivers labeled security to all users who wish to activate it. Trusted Extensions is installed as part of the Solaris OS and is enabled with the command "svcadm enable labeld".

During installation, customers can now set the default behavior for network services to run in a much more secure manner. Many non-essential network services are disabled and many more are set to listen for network connections only from the local system ("localhost"), thus reducing the exposure to attack. Users can still access their graphical interface, use Web browsers or Email clients and other services. Solaris Secure Shell remains available for secure remote administrative access to the system.

Oracle Solaris 10 has many Common Criteria certifications and generally is tested against the Controlled Access Protection Profile (CAPP), Role Based Access Control Protection Profile (RBACPP) and Labeled Security Protection Profile (LSPP).

Oracle Solaris 10 3/05 and Oracle Solaris 10 11/06 have both achieved CAPP and RBACPP certification at Evaluation Assurance Level 4+ (EAL 4+). Oracle Solaris 10 5/08 has achieved CAPP, RBACPP and LSPP certification at EAL4+; evaluation for Oracle Solaris 10 5/09 at the same levels is underway as of June 2009.

The Oracle Solaris 10 Operating System delivers a number of networking enhancements designed to improve performance for most applications. Oracle Solaris 10 also includes a number of key protocols that meet the diverse needs of the Sun customer base. This release enables more efficient routing and improved network availability, and includes protocols to support telecommunications applications such as Voice over IP (VoIP). The Oracle Solaris 10 release also supports the most current IPv6 specifications critical to the Asia Pacific market and the U.S. Department of Defense (DoD).

The Oracle Solaris 10 OS supports the following:

• Berkeley Internet Name Domain (BIND9)
• Solaris Stream Control Transmission Protocol software
• Session Initiation Protocol (SIP)
• Open Shortest Path First (OSPFv2) and Border Gateway Protocol 4 (BGP-4) routing protocols
• Virtual IP source address selection (VIPA)

Sun has enhanced the TCP/IP stack in the Oracle Solaris 10 Operating System to deliver very high performance for single-CPU systems while simultaneously improving scalability across multiple CPUs. The synchronization and cross-communication overhead between CPUs (necessary when scaling across a very large number of CPUs) is reduced by vertically partitioning the workload using an IP classifier-based lockless design. The Oracle Solaris 10 TCP/IP stack is also designed to seamlessly accommodate future technologies such as offload, 10 Gigabit Ethernet, Remote Direct Memory Access (RDMA), and others into Solaris.

The Oracle Solaris 10 Operating System adds network layer 3 redundancy, providing the ability to implement high-availability network solutions for services that are more resilient and for innovative new applications. Layer 3 multipathing enables end-to-end redundancy from system to system and provides greater protection from network failures—even out through the Internet. This standards-based multipathing feature is implemented using a combination of virtual IP address selection and Open Shortest Path First-Multipathing (OSPF-MP). Virtual IP address selection enables system administrators to specify IP source addresses for packets on a per-network basis; OSPF-MP uses the routing protocol to route traffic around failed network interfaces. In addition, the Oracle Solaris 10 OS also includes the OSPFv2 and BGP-4 routing protocols, making it easier to administer complex routing policies.

The Oracle Solaris 10 Operating System currently integrates key data management technologies such as the ground-breaking ZFS filesystem, as well as NFS, UNIX file system (UFS), and the Solaris Volume Manager software. With Oracle Solaris ZFS, file systems are significantly easier to configure and deploy. ZFS is designed from the ground up to automate common administrative tasks, protect data from corruption, and provide virtually unlimited scalability. ZFS uses virtual storage pools to make it easy to expand or contract file systems simply by adding more drives.

• Network File System (NFS), developed and introduced by Sun, is the industry standard for file sharing between computers. NFS v4 software in Oracle Solaris 10 provides traditional file access with the addition of strong security features, improved access and performance on the Internet, and enhanced cross-platform interoperability.
• UNIX File System (UFS) is integrated with Solaris and provides a general-purpose file system. It is suitable for a wide variety of applications and is tailored for handling small, cacheable files accessed randomly by individual processes. UFS most commonly handles workloads such as software development and network services.
• The Solaris Volume Manager software is a robust disk and storage management solution suitable for enterprise-class deployment. This Solaris technology can be used to pool storage elements into volumes and allocate them to applications, with redundancy and failover capabilities that can help provide continuous data access even in the event of a device failure. With an easy-to-use interface, the software greatly simplifies storage administration and allows many operations–such as recovering volumes or expanding the size of a file system–to occur online, minimizing the need for costly downtime.
• Oracle Solaris ZFS, a general purpose file system with integrated volume management, provides a data management solution that's simple to deploy and protects your critical data from corruption. ZFS provides Integrated volume management that is ideal for managing Sun's industry standard storage servers and is key to our leadership and innovation in Open Storage.

Oracle Solaris ZFS is a next generation general purpose file system available in Oracle Solaris 10. It is designed to meet the modern needs of a general-purpose, host-based file system.

Oracle Solaris ZFS is a next generation file system that is designed, over time, to replace UFS along with the need for separate volume management software. Oracle Solaris ZFS is available in Oracle Solaris 10 release along with the default UNIX file system, UFS, and complements these special purpose Solaris file systems and storage archive software products offered: Sun StorageTek QFS shared SAN file system and the Sun StorageTek Storage Archive Manager software.

• Easy Manageability: The administrative model is extremely easy and automated to a large extent.
• Security and integrity: Consistency of data is maintained at all times. Data is protected by 256-bit checksums.
• Scalability: Oracle Solaris ZFS provides a 128-bit storage pool, designed to provide 16 billion, billion times greater capacity than currently available 32-bit and 64-bit file systems.

No. Most file systems today require a volume manager because they are only able to deal with a single disk or volume. The interface between the file system and the volume manager makes it difficult to grow and shrink file systems, share space, or migrate live data. Oracle Solaris ZFS has been designed such that a separate volume manager is not needed. Instead, many disks can be put into a single storage pool, which is shared by multiple file systems. This allows for efficient use of the storage pool. For example, space is shared dynamically between the file systems in the pool without the need to grow or shrink them, and all file systems can utilize the maximum throughput of the pool. Oracle Solaris ZFS and Sun's industry standard storage servers make it possible to offer a compelling Open Storage storage solution over proprietary storage offerings.

Ease of administration is one of the design objectives of ZFS. The design of Oracle Solaris ZFS eliminates many complicated storage administration concepts entirely. For example, space within the storage pool is dynamically allocated to file systems in the pool, so there's no need to statically partition storage into slices, volumes, and file systems. Since the on-disk structure of Oracle Solaris ZFS is always consistent, a file system check is not needed upon an unclean shutdown (nor must a log be played to make the file system consistent). The command-line interface to Oracle Solaris ZFS allows administrators to express their intent straightforwardly; they need not memorize or look up cryptic commands.

Oracle Solaris ZFS is a copy-on-write file system, and thus the on-disk structure of Oracle Solaris ZFS is always consistent. If the system is shut down in an unclean way, upon reboot there is no recovery needed to make Oracle Solaris ZFS consistent (for example, by running fsck). All operations are transactional, so related changes succeed or fail as a whole and all data is protected by 256-bit checksums. When any data is read, the checksum is verified to ensure that the data that the application wrote is what it gets back. If a checksum error is detected in a mirrored pool, the correct data will be read from the other side of the mirror, and the corrupt data will be repaired.

Because Oracle Solaris ZFS supports the Portable Operating System Interface (POSIX) file system interfaces, there is no need to make changes to applications.

Solaris Cluster supports Oracle Solaris ZFS as a failover file system. Oracle Solaris ZFS and Solaris Cluster offer a best-in-class file system solution combining high availability, data integrity, performance and scalability covering the needs of the most demanding environments.

Visit the Solaris Cluster product site to learn more.

Yes, DTrace and Oracle Solaris ZFS are fully compatible. Solaris developers can use DTrace both as a debugging tool and as an aid to improving performance.

There are no plans to port Solaris ZFS to earlier versions of Solaris

Oracle Solaris 10 offers a number of Linux interoperability features including:

• Seamless interoperability between Solaris and Linux-based systems
• Built-in binary and source code compatibility
• Easy portability with Java technology
• Sun Java Enterprise System software for standardized Java technology-based network services
• Integration of key open source applications
• Free, high-quality porting tools
• Common desktop environment with Sun Java Desktop System desktops
• Designed for compliance with the Linux Standard Base (LSB) specification

DTrace is a comprehensive dynamic tracing framework for Oracle Solaris 10 designed for real time application debugging and performance troubleshooting. DTrace provides a powerful infrastructure to permit administrators, developers, and service personnel to concisely answer arbitrary questions about the behavior of the operating system and user programs. It is a powerful tool that can be used by both entry-level and experienced system administrators to troubleshoot both system and application performance problems in hours or minutes that might have previously taken days. DTrace is safe to use on development, test, and production systems.

With DTrace, system administrators can identify the root cause of transient performance bottlenecks safely and quickly on production systems. Developers can also use the DTrace feature to identify performance bottlenecks in their code during product development and testing. By using the information from DTrace to optimize performance, more users or more transactions can be supported on existing systems.

• Provides a fully instrumented operating system, with more than 30,000 instrumentation points in the kernel alone
• Provides a unified view of both the application and the kernel
• No changes to applications are required
• No need to reboot or even restart applications before, during, or after a DTrace session
• Safe to use on production systems as user cannot accidentally 'panic' the system
• Gives precise and accurate response to queries
• Easy to get started using DTrace through prewritten scripts of DTrace routines

When not in use, DTrace has no impact on system performance or on other behavior. When being used, DTrace overhead is dependent on the number of probe points being observed but in most situations is very low, and DTrace requests that place an excessive load on the system will be automatically terminated by default.

DTrace allows the system administrator to dynamically turn on probes. Probes are essentially programmable sensors scattered throughout the Solaris software. Once a probe is turned on, DTrace gathers the data, aggregates it, and reports back to the system administrator in real time.

Yes, DTrace is integrated into the Oracle Solaris 10 Operating System and does not require a separate license.

Unlike competitive offerings, DTrace is the only dynamic tracing tool available that eliminates the need for collecting and processing event data. With DTrace, a system administrator can query the system experiencing the problem— in real time, while in production—and get accurate and precise information regarding the source of the problem. No log files are generated, and there is no data to analyze later. The answer to the first query guides the user to the next query and so on until the root cause of the problem is identified. Getting to the root cause using DTrace reduces the time it takes to identify problems by orders of magnitude, literally from days to hours.

No. DTrace instruments applications dynamically with no changes required.

Predictive Self Healing automatically detects, manages, and compensates for hardware or software faults as they occur, thereby proactively preventing system failures. It is designed for automatic self-correction of errors as they occur and makes a wealth of diagnostic information relating to system faults available to the system administrator. Predictive Self Healing is designed to keep systems and applications running, that is, to increase availability, in the event of hardware and software faults, and it does not require manual intervention. DTrace is used as needed for understanding system and application behavior. With this information, system administrators and developers can tune the system and application for best performance. DTrace does not manage faults; it tells the user what is happening in the system, and the user must then take action in order to realize performance improvements.

DTrace will run on any system that supports the Oracle Solaris 10 Operating System, as it is not dependent on any platform-specific features. It runs on SPARC and x86 hardware.

Certainly. You can use scripts developed by others, such as those available on the Sun BigAdmin portal. However, it is not difficult to learn D, which is very similar to the ANSI C programming language, with a special set of functions and variables to make tracing easy.

Historically, transient failures have been debugged using process-centric tools like truss. However, these tools were not designed for systemic problems. The tools for systemic problems are designed for postmortem analysis. DTrace is designed to understand system behavior in real time on production systems.

DTrace is well integrated with the Solaris Process Rights Management facility. By default, only the superuser can use DTrace, but a set of privileges is defined that may be assigned to any given user. These privileges allow successively greater visibility into the system, ranging from processes owned by the user to full system observability and interaction.

No. DTrace itself can be used to list available probe points, and the Solaris Dynamic Tracing Guide gives excellent examples of how to make use of them. For those interested, the DTrace source code is available from the OpenSolaris Web site.

You can get started with the " How to use DTrace from a Oracle Solaris 10 System" guide. This guide takes you step-by-step through some basic commands that help you become familiar with the technology. Also, with the D programming language included in DTrace, you can use scripts that others have written making it easy to get started using DTrace. Additionally, there is a growing repository of scripts in the Sun BigAdmin system administrator portal that users can freely leverage. You may also join the DTrace community on opensolaris.org to get the latest information on DTrace and to participate in group discussions.

Simply stated, Sun's operating system strategy is to provide customers with a choice of systems solutions to meet their immediate and long-term needs. To do this, Sun has tightly integrated its operating system, software, hardware, and added service offerings that deliver superior benefits across chosen markets. By taking this "systems" approach, Sun provides a more integrated, cost-effective alternative to its competitors. To achieve the broad range of solutions needed, Sun offers the same Solaris software on both the SPARC architecture and x86-based systems, and offers standard Linux distributions on x86-based systems only. The common integrated values of Java technology, the Sun Java Enterprise System, and Sun Services on all platforms help customers to easily deploy applications across a comprehensive range of hardware based on the SPARC and x64/x86 architectures with excellent software and services to support them.

To provide the greatest value to Solaris users as well as provide an even greater range of opportunities to Solaris developers, Sun and its partners also support the Solaris OS on x86 systems from all major systems vendors. Oracle Solaris 10 is supported on hundreds of systems based on the latest AMD, Intel, and SPARC CPUs.

The Solaris OS has supported both x86 and SPARC systems since the mid 1990s, but support for x86 systems has shown major advances starting in the early 2000s, fueled by Sun acquisitions, the introduction of x86 systems into its own hardware product line, and alliances with AMD and Intel. Oracle Solaris 10 introduced support for 64-bit x86 systems ("x64" systems) and the Solaris Hardware Compatibility List Solaris Hardware Compatibility List (HCL) , available on the BigAdmin site, now lists hundreds of 32-bit and 64-bit x86 systems from a large number of vendors such as Dell, Hewlett-Packard, IBM and of course Sun itself. Solaris support for peripheral hardware devices has also grown phenomenally; supported components are also listed in the HCL.

A complete list of third-party applications for Solaris on both x86 and SPARC systems is being continuously updated; as of June 2009, there are over 7,700 x86 applications available for Oracle Solaris 10.

The Solaris Operating System is developed and built from a single code base for all systems; there is no separate roadmap for different hardware platforms; the same features and functionality are found on platforms, other than those specific to certain hardware features. There are also no separate release or support life cycles for different supported platforms.

Oracle Solaris 10 is designed for high performance. The enhanced TCP/IP stack alone delivers a 20 percent to 40 percent performance improvement over the Solaris 9 release for most applications out of the box. Solaris software engineers have focused on performance throughout the development process, resulting in faster execution of typical system functions.

Sun has also announced world records (over 170 as of August 2007) on a number of industry-standard benchmarks. More information on these world-record benchmarks can be found on the Oracle Solaris 10 Benchmarks page.

Yes, for those open source products that are integrated into the Solaris OS; examples include BIND, Sendmail, Apache, PostgreSQL, Tomcat, and Samba. In addition, the Solaris Software Companion CD includes many popular open source packages, for example, GNU tools and squid; this category of open source software is not currently supported by Sun Services. Visit sun.com/solaris/freeware for additional information on support.

More information can be found on the AMD Web site and on the Sun Web site.

More information can be found on the Intel Web site and on the Sun Web site.

More information can be found at Oracle Solaris 10 on the Inside.

Yes, existing 32-bit applications and Java programs are fully supported on the 64-bit Solaris kernel.

Having Oracle Solaris 10 highly optimized for use on 64-bit AMD Opteron and Intel Xeon architectures opens up the possibility to build new applications exploiting the linear 64-bit address space—something that had previously not been feasible on 32-bit x86 systems. In addition, the 64-bit kernel has guaranteed compatibility with existing x86 32-bit binaries.

There is no direct support for executing one binary architecture on another processor. However, source code developed on one platform, can be easily recompiled to run on another; for example, an application developed on the SPARC platform can be recompiled for x64/x86-based systems. Sun has worked and continues to work with a large number of ISVs to ensure broad x86 application support for Solaris, including bringing 64-bit applications into the x64 world, with the result being that thousands of applications that were previously only available on SPARC systems are now available on x86 systems as well. See sun.com/solaris/apps for a list of available applications and the platforms they support.

Sun Studio 12 software can be downloaded from http://developers.sun.com/devtools/index.html

No. On a 64-bit kernel, you need 64-bit drivers because the driver is running in the kernel's address space. Similarly, if you boot a 32-bit kernel on an x64-based system, 32-bit drivers are required.

As an integral part of the Oracle Solaris 10 Operating System, Solaris Containers isolate software applications and services using flexible, software-defined boundaries. A breakthrough approach to virtualization and workload management, Solaris Containers let many private execution environments be created within a single instance of the Solaris OS. Each environment has its own identity, separate from the underlying hardware, yet behaves as if it is running on its own system, making consolidation simple, safe, and secure.

A key thing to note is that in Oracle Solaris 10, Solaris Containers focus on application/workload management. They deliver tools to “shrink wrap” your application in its own environment that has the right attributes such as CPU and memory quantity, IP address, and users. This way it's easier to deploy an application on a shared system.

The benefits of Solaris Containers include the following:

• Higher system utilization through ease of consolidation
• Multiple applications can share a single system but still remain completely isolated from one another
• Restarting a container is much quicker because you are not rebooting the entire operating system
• Allows a system administrator to create an environment that the Container Administrator can customize for the application

A Solaris Zone is a virtual environment that has security and application fault containment, and its own name space that can be tailored to the application that will run in it. It is possible to give a Solaris Zone its own node name, IP address(es), users, groups, disk space, network ports, name server, and so on. The security and fault containment mean that users working inside the Solaris Zone have no way to compromise or even look out of their own environment other than what would be the case with separate systems—through the network or shared disk.

Solaris Zones are part of a Solaris Container, delivering security, application fault, and namespace isolation. The addition of Solaris Zone functionality to Solaris Containers allows the creation of a Solaris Container that is fully customized for an application.

The other components are the resource management tools in the Solaris OS. They control the amount of resources an application receives, such as CPU cycles, physical memory, and network bandwidth. Resource management tools also help with measuring the usage of an application. This could be used for health monitoring and capacity planning, as well as billing and charge back.

Solaris Zones is already available as part of Oracle Solaris 10.

Generally very low, at less than 1 percent per Solaris Container.

No, Solaris Containers cannot span across Solaris instances.

The Solaris Cluster software does support Solaris Containers, both the resource management parts as well as Solaris Zones. In a Solaris Cluster configuration applications can run inside zones which are considered as virtual nodes. With Solaris Cluster Geographic Edition, Solaris Containers can be failed-over across unlimited distances providing a Disaster Recovery set-up. For more info, visit the Solaris Cluster site.

Yes. You can change the settings at any time directly through the command line interface or by using scripts or cron.

They interact as if they are on different systems, through the network or shared disk. For example, if they interact through the network, the system knows that one Solaris Container is talking to another, so communications will go through the network stack. Communication between Solaris Containers is very fast because it never leaves the system or even hits the network interface card.

There is no difference. N1 Grid Container was the name previously used to describe the container functionality in Oracle Solaris 10. The “N1 Grid Container” name has been replaced by the name “Solaris Containers.”

The term "Trusted Solaris" refers to earlier, specially developed versions of the Solaris Operating System that were modified to include labels and mandatory access control technology. The last release of a separate Trusted Solaris OS was Trusted Solaris 8.

As of Oracle Solaris 10 11/06, Sun has included labels and mandatory access controls as a standard part of the Solaris OS. The collective features providing this functionality are known as Solaris(TM) Trusted Extensions. Thus, there is no separate "Trusted Oracle Solaris 10" release as the functionality of this kind required by customers is now integrated into Oracle Solaris 10.

Solaris Trusted Extensions extends the existing security features of Oracle Solaris 10 to include labeling and mandatory access controls. It is not a separate operating system, it does not require a separate support contract and all applications that run with Oracle Solaris 10 and Solaris Containers will work when Solaris Trusted Extensions is enabled. Since it is an integrated feature of Oracle Solaris 10, it is supported on all systems that Oracle Solaris 10 runs on, x86 or SPARC.

Solaris Containers provide virtualized environments to host multiple applications and is great for performing server consolidation. The Solaris Trusted Extensions feature utilizes Solaris Containers extensively to provide security boundaries and to enforce Mandatory Access Control by labeling a Container. Solaris Containers behave slightly differently when running with Trusted Extensions enabled, providing a single system view of services such as authentication databases, security configuration, file system and network interfaces. Communication between Solaris Containers is generally dissallowed by default when Trusted Extensions is enabled, and permitted only by explicit specification.

In summary, customers running with Trusted Extensions enabled use labeled Solaris Containers to provide a security boundary for their file systems, data, applications and users.

Yes, a white paper is available from Sun.

Yes. Solaris Zones and the Solaris resource management feature are both part of Solaris Containers and are designed to work together.

Solaris Containers provide security, application fault, and name space isolation. This means that once working in Solaris Containers, users cannot compromise or even see outside of their Solaris Containers other than the regular ways, such as through the network or shared file systems. The name space isolation allows Solaris Containers to have their own users, and even their own root user, who only has authority inside the root user's own Solaris Container.

Yes, and the Solaris Container root user only has authority to change/configure things inside its own Solaris Container.

Yes. You can even have different Solaris Containers listening to different name server types. One Solaris Container could be listening to an NIS server, while another could be listening to an LDAP server.

Through standard protocols such as ssh, telnet, or rlogin. There is also a specific way to log in to a Solaris Container called zlogin if the user is in the base operating system (called the global zone). With zlogin, a user can log directly in to a Solaris Container.

There is no change in the installation process. The same tools and the same process apply in a Solaris Container. However, you now have a choice to install in a particular Solaris Container or to install system-wide.

There is no change in the patch process.

Yes, however, this is not the default behavior, as access to a raw device can compromise the security isolation. The global administrator can choose to separately add the raw device to the Solaris Container.

Dynamic System Domains are based on hardware. They offer electrical separation with different versions of the operating system possible per domain. The number of domains is limited per system. Solaris Containers are based on software. They offer logical separation with the same operating system in each Solaris Container. The Solaris Containers offer enormous scalability: while there is no hard-coded limit, up to 8000 per OS image are available, well exceeding today's normal requirements.

Dynamic System Domain features include the ability to hot-plug hardware and run different versions of the Solaris Operating System per domain. Solaris Containers provide very fine-grained control over what an application can do and see. If your applications require the type of separation that separate operating systems can give you, then you should use a Dynamic System Domain; otherwise, you can use Solaris Containers. The real benefit comes when you use Solaris Containers within a Dynamic System Domain.

Oracle Solaris 10 now new tools to more easily manage Containers. You can clone them, rename them, and move them on the same system. You can also migrate them from one system to another.

Additionally you can now customize the security level which the Container boots to better suit application requirements.

Starting in Oracle Solaris 10 10/08, when a container is detached and then reattached to a new system, it is automatically upgraded to the latest patches and packages associated with the new system. This allows for flexibility when performing rolling upgrades of systems and ensures consistency of systems when moving workloads. Also new in Oracle Solaris 10 10/08 is the ability for Solaris Containers to officially utilize a ZFS file system as their root. Upgrading a Oracle Solaris 10 system that has Containers with ZFS-based roots is also supported.

If you plan to have several developers on the same system, you could, for example, create a Container with all the right applications and developer tools as a golden master. You can then use the new cloning feature to replicate this golden master and quickly create an identical Container with the same set of applications and tools for every new developer.

It's really useful for moving your application from your testing and staging systems to your production systems. This allows you to prepare the application and its environment in testing and then move over as is, greatly decreasing the installation and deployment time for the production systems. You can also pre-harden the Container by turning off all the network services you don't need.

Yes, with Oracle Solaris 10 8/07 you can use Solaris Live Upgrade for patching and upgrading systems with Solaris Containers. This offers two important operational advantages, particularly around patching.

1. You can patch without taking the system offline because you patch a copy of the system. Patching Containers is a serial operation, so patching without taking the system off-line is a major advantage.
2. After patching the copy, you then can boot from that copy. Should you experience a problem, you can easily revert back to the original environment.

With Solaris 8 Containers and Solaris 9 Containers you can run Solaris 8 and Solaris 9 applications on the latest SPARC systems and Oracle Solaris 10 today. The entire environment of the original source system, either Solaris 8 or Solaris 9, is automatically captured and transferred to a Container running on the target Oracle Solaris 10 system. For more information, please visit the Solaris 8 Containers and Solaris 9 Containers FAQs.

The Predictive Self Healing facility of the Solaris Operating System helps Solaris systems and services maximize availability in the face of software and hardware faults, and facilitates a simpler and more effective end-to-end experience for system administrators. The major self healing features—the Solaris Fault Manager and the Solaris Service Manager—are part of the Oracle Solaris 10 OS and are supported on x86 and SPARC systems.

Predictive Self Healing is designed in conjunction with Sun's server engineering teams and third-party hardware partners to ensure that Sun's customers receive the following benefits:

• Improved system and service availability through predictive diagnosis and isolation of faulty components
• Automated diagnosis and restart of components that happens automatically and in milliseconds
• Simplified administration model for managing services
• Fast and easy repair of problems with links to knowledge articles
• Scalable architecture that can be rapidly upgraded and adapted to new problems without requiring downtime

If you are running mission-critical systems and want to reduce the risk of system outages, Predictive Self Healing can help you achieve it at no additional cost. For customers with complex systems or mission-critical applications, Predictive Self Healing reduces risks and has the potential to significantly increase the uptime of such systems.

The key highlights of Predictive Self Healing are:

• Proactive prevention and management of faults
• Consistent, first-time fault diagnosis
• Fast recovery and restoration from failures
• Automatic restart of software services

Predictive Self Healing can manage failures that are caused by hardware (CPU, memory, and I/O) and software. This technology is tightly integrated with the hardware, the Solaris Operating System, and any software that is written to the Solaris Fault Manager interfaces to ensure rapid and efficient fault diagnosis and recovery. Our tests showed a 42% reduction in annual interruption rate and a 46% reduction in annual downtime for a 6 CPU system with 12 cores and 192 GB of memory. Testing also showed a 44% reduction in annual interruption rate and 32% reduction in annual downtime for a 4 CPU system with 16 GB of memory.

Predictive Self Healing has negligible performance overhead.

Yes, Predictive Self Healing is integrated into the Oracle Solaris 10 Operating System and does not require a separate license.

With Predictive Self Healing, Sun offers these specific advantages over its competition:

• Unlike HP-UX, Red Hat Linux, and Microsoft Windows, Solaris has the capability to monitor historical data to predict faults and take proactive preventive action to avoid future failures.
• Solaris has the ability to track historical errors, perform root-cause analysis, and shut down any components dependent on the failed service or component. This capability is unmatched by HP-UX, Red Hat Linux, and Microsoft Windows.
• Solaris helps system administrators by providing quick and valuable information on the impact of any failed or failing component in an easy-to-understand format. This information assists system administrators in making decisions about their future action plans. Unlike competing products, Solaris provides additional information references about the fault that occurred.

Predictive Self Healing works in conjunction with your existing systems and applications to reduce the risk of an outage occurring and to improve the availability of your system. Predictive Self Healing can also be extended to monitor and, when possible, automatically restart software applications that may have been affected.

DTrace allows system administrators and developers to understand how applications and the system interact and is initiated when needed. Predictive Self Healing manages hardware and software failures, and is automatically available on all systems.

Key features of Predictive Self Healing in Oracle Solaris 10 include the following:

• Component health status: Automatically removes faulty components from a system, reducing unplanned downtime
• Auto diagnosis with messaging: Provides detailed error messages for faster problem resolution and faster time to service
• CPU offlining: Detects potential CPU failures and offline affected CPUs, keeping systems up and applications available
• Auto restoration: Automatically restores Dynamic System Domains, reducing the impact faulty components have on system availability
• Memory page retirement: Detects potential memory chip failures and automatically migrates data from a suspect memory address range, keeping systems up and applications available

Please visit the availability features page for more information.

A comprehensive set of Support and Service offerings are available during the entire life cycle of a Solaris Operating System milestone version.

Visit the Oracle Solaris 10 Support and Services page to learn more about Sun support and service offerings. You can also take advantage of self-help resources and additional Sun Services.

The OpenSolaris Operating System is a leading-edge open source release that is free to acquire and run, but that also offers the range of support options that enterprises value. The latest enhancements to Solaris features such as ZFS, Solaris Containers, and Predictive Self Healing, will be found in OpenSolaris first. In addition, the OpenSolaris OS contains features that are not planned to be included in the Solaris OS until the release following Oracle Solaris 10, such as the new Solaris installer, the latest GNOME desktop enhancements, and support for the latest wireless networking technologies.

To learn more, visit OpenSolaris.com.