Differences between Oracle Solaris 10 and 11 for System Administrators

The following tables summarize differences between Oracle Solaris 10 and 11 with emphasis on the benefits of Oracle Solaris 11. The content is drawn from Transitioning from Oracle Solaris 10 to Oracle Solaris 11 and other sources in the Oracle Solaris documentation.

Image Packaging System (IPS)

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

SVR4 packages (dating from the late 1980's)

Image Packaging System (IPS) a state of the art, network repository–based  packaging system.

Installing and maintaining Oracle Solaris is greately simplified because of the new packaging architecture. This simplification is particularly noticeable in reducing the effort to keep systems updated.

For Oracle Solaris 10 and earlier, it was not uncommon to spend time dealing with patch dependency issues. An administrator had no idea of the amount of work that would be required for applying a single patch, i.e. resolving situations where one patch had been superseded by another or become dependent on another patch being applied. 

For Oracle Solaris 11 all system changes are made by updating packages and because of the automatic dependency checking, before actually updating packages, the administrator will see the entire set of packages impacted by updating.

System software maintenance via packages and patches

System software maintenance via updates to packages

IPS greatly simplifies the process of updating a system because there is only one way to upgrade or patch a system - by updating the packages.

Live Upgrade is a risk management feature mainly used for patching and upgrading by providing roll-back capabilities. It works on both UFS and ZFS root.

The same feature on Oracle Solaris 11 is now called called “Boot Environments”. It is now called simply Boot Environments.

Oracle Solaris 11 Boot Environments are a risk management feature suitable for any situation involving system software changes, and fully integrated into package updates, Zones, and ZFS.

Patch a system by applying the appropriate patch bundle either directly to the system in single user mode (after downloading the appropriate patchset)
# ./installbundle

or via Live Upgrade to an alternate Boot Environment

Update a system by connecting to the Support Repository and
 
# pkg update

The changes will be made to an automatically created Boot Environment and changes will not impact running environment.

Updates will automatically create an alternate Boot Environment to which changes will be made. On Oracle Solaris 10, Live Upgrade must be manually invoked and of, in addition, running on UFS, significant planning including potentially disk reformatting may be required to achieve Live Upgrade storage requirements.


Other advantages are similar to Oracle Solaris 10’s when the latter is running on ZFS:

-   If upgrade is not what was expected, rollback to pre-upgrade environment.

-   ZFS snapshots are almost instantaneous.

-   This can have a positive impact on decreasing maintenance windows, particularly if it is possible to start the update operation during production time. Downtime is then a reboot, verify that the applications are running correctly, and then enable system to production mode.

-   Organizations wanting to use Live Upgrade on UFS were often constrained by disk requirements, which sometimes required breaking a mirror so that one half would be the ‘before patching’ state, and the other ‘after patching’ state. On Oracle Solaris 11 customers are not forced to give up mirroring in order to build a safety net for updating a system.

Upgrade a system to a later release via traditional upgrade process (a one-way process), or via Live Upgrade

Upgrade a system by connecting to the repository as above.

Same note as above as there is no distinction on Oracle Solaris 11 between upgrading a system to a later release and updating a system with the latest packages changes.

Live Upgrade managed through commands like the following-


Create a boot environment:
# lucreate -n newBE

Status:
# lustatus

Activate:
# luactive newBE

Delete:
# ludelete BE

Boot Environments managed through the beadm(1M) command.


Create a boot environment
# beadm create newBE

Status:
# beadm list

Activate:
# beadm activate newBE

Delete:
# beadm delete BE

Management centralized in one command for all boot environments administration.

SVR4 packaging system supports SVR4 packages.

IPS supports IPS packages and SVR4 packages. SVR4 package commands are included. SVR4 patch commands only available with an Solaris 10 Zone on Oracle Solaris 11.

IPS supports SVR4 packages where it is not practical or possible to repackage in IPS format.

Packages have names like SUNWxxxx

Packages have hierarchical names like

driver/storage/<driver name>
system/management/<name>

and so forth.

Packages were re-factored to consolidate similar components or break up large packages to facilitate updating. Finer grain packages generally means less to update since changes to a large package tend not to be spread evenly across all contents of a package. Packages were then renamed to be much more understandable and to give an indication of where a specific package fits in the overall system hierarchy.

Download full SVR4 package from customer’s SVR4 package location. There is no centralized Oracle repository for Oracle Solaris 10 packages.

IPS retrieves packages from Oracle or organization repository. IPS calculates package deltas between what is currently installed and latest version from repository and downloads differences.
 

IPS minimizes what must be transferred to update a package.

Set of commands like pkgadd, patchadd, pkgrm, pkgadm, pkginfo, pkgchk.

Package maintenance capabilities accessed through pkg(1) command although SVR4 package commands continue to work on IPS packages.
 

Single pkg command interface for all actions. Oracle Solaris 10 commands can be invoked and will do the right thing for IPS, e.g. pkginfo, pkgadd, pkgrm.

Updating zones, see Zones section.

Zones and Boot Environments, see Virtualization section.

Installation from Jumpstart vs. IPS Repository, see Installation section.

Key Links:
Oracle Solaris 11 Package Changes
Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11
Creating and Administering Oracle Solaris 11.2 Boot Environments
Updating the Software on an Oracle Solaris System
Oracle Solaris 11 Cheat Sheet for Image Packaging System. (PDF)

 

Virtualization

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Supports Solaris 8 Branded Zones and Solaris 9 Branded Zones but does require purchasing an additional license. Solaris 10 Zones are part of the base offering and fully supported as a part of Oracle’s Premier Support for Operating Systems.

Oracle Solaris 10 and 11 Zones are supported with no addition licensing requirements. Solaris 8 and 9 Branded Zones are not supported.
In addition, Oracle Solaris 11 also supports independent kernels through a new feature in Oracle Solaris 11.2 called Oracle Solaris Kernel Zones meaning the administrators can run different OS versions in parallel.

Support for Oracle Solaris 10 Zones is included in Oracle Solaris 11 support programs. The primary advantage is that it will be possible to run Oracle Solaris 10 applications in an Oracle Solaris 11 environment on new hardware platforms long after Oracle Solaris 10 is no longer supported to run natively on new platforms.

Support life for Oracle Solaris 8 and 9 is documented in Lifetime Support Policy: Oracle Hardware and Operating Systems Support.

No boot environments for zones

Zone boot environments supported

Boot environments provide the same benefits for zones as they do for the entire system, i.e. a way to snapshot the zone's environment before making any software changes, and thus providing a simple rollback capability should there be a reason to revert to the state before the changes to the zone's environment.

Monitor zones through a variety of tools - vmstat, mpstat, prstat

New zonestat(1) command provides variety of zone-specific information. Commands as mentioned for Oracle Solaris 10 are also useful.

Consolidating cpu, memory, networking and resource control utilization into one command simplifies monitoring.

Two options for file system organization - sparse root (when minimizing size was most important) and whole root (when customizing zone contents is important).

Single solution - a minimized whole root that allows customizing zone contents.

“Hybrid” solution minimizes storage requirements to less than 400MB per zone while maintaining the ability to customize zone content.

Not possible to create zones during system installation.

Possible to define contents and create zones during initial system install.

The ability to directly provision zones from the AI server, creates additional flexibility in deployment.

Networking interfaces in zones can either use shared or exclusive IP stacks. Shared stacks are the default.

Networking in zones can use either shared or exclusive IP stacks. Exclusive IP stacks are the default.

The advantages of shared stacks are offered through new capabilities for administering exclusive IP stacks, see below.  Moreover the IP and data link layers in Oracle Solaris 11 were re-engineered to integrate network virtualization and network resource management capabilities and to use those with zones on Oracle Solaris 11, you must select exclusive IP stacks.

If you run Oracle Solaris 10 zones on Oracle Solaris 11, it is possible to make use of both virtual networking and network resource capabilities, as long as those are created and assigned from the global zone (i.e. running Oracle Solaris 11).

Exclusive IP stack zones can be assigned any IP address from within the zone.

A range of allowable IP addresses can be assigned externally from the global zone to a non-global zone using exclusive IP stack.

Provides IP address controls for Exclusive IP stack zones.

Shared IP stack provides datalink protection against MAC and IP spoofing. Exclusive zones not protected.

Protection against MAC and IP spoofing whether using Shared IP stack or Exclusive IP stack.

With the default of zones to Exclusive IP stack, this symmetry ensures no loss of security capabilities.

Exclusive IP stack zone usage implied a dedicated external physical interface for each zone.

Introduction of Virtual NICs removed constraint of one physical interface for each zone.

VNICs and virtual switches provide much more flexibility in creating network-in-a-box topologies as well as getting better utilization from high speed NICs. See networking section for more details.

User must have root privileges on global zone to administer a zone.

Zone administration is assigned on a per zone basis.

zonecfg:my-zone> add admin zonecfg:my-zone:admin> set user=zadmin-username zonecfg:my-zone:admin> set auths=login,manage zonecfg:my-zone:admin> end

This is simply a role added to the zone administrators profile, and that profile does not have to contain any other global-zone administrator capabilities so zone administrator can only administer assigned zones.

zonep2vchk tool for migrating a physical system to an Oracle Solaris 10 zone.

# <dir>/zonep2vchk

zonep2vchk tool for migrating a physical Oracle Solaris 10 system to an Oracle Solaris 10 or 11 Zone.

# /usr/sbin/zonep2vchk

The tool offers similar capabilities whether migrating to Oracle Solaris 10 or Oracle Solaris 11 zones.

Zones whose contents can't be modified can be created via sparse root zones but this capability was not designed as a security feature. There is little flexibility in configurations, and not applicable to whole root zones.

Immutable zones were designed as a security feature. They can be created with a range of capabilities. The security policy can be:

strict - read only

fixed-configuration - permits /var updates

flexible-configuration - permits /var, /etc, and root home directory changes. Other attributes are associated with these settings.

The ability to insulate zones from change is a very powerful security feature.

Hung zone may not be able to be restarted.

Hung zone more likely able to be restarted.

On Oracle Solaris 10, if a zone hung, it would typically be due to a problem in some other subsystem.  In some situations a zone could not be halted to restart.  On Oracle Solaris 11, a zone that is hung has a better chance of being able to be halted and restarted.  It still may hang again if the underlying problem (for example unavailability of a file system resource) has not been addressed.

To gracefully shut down a zone (not summarily halt it) log into each zone and

# init -5

All zones can be gracefully shutdown, one by one from the global zone via

# zoneadm -z my-zone shutdown

Ability to gracefully shutdown all zones from global zones, simplifies administration.

Zone creation does not automatically create a network interface

Zone creation automatically creates a VNIC associated with each zone.

Automatic VNIC creation simplifies creating zones.

Key Links:
Oracle Solaris Zone Features
Creating and Using Oracle Solaris Zones
Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones
About Zone Migrations and the zonep2vchk Tool
zonecfg(1M) Reference Manual
Exclusive-IP Non-Global Zones
Managing Network Virtualization and Network Resources in Oracle Solaris 11.2
Configuring and Administering Immutable Zones
 

 

ZFS, SMB and COMSTAR

Oracle Solaris 10 8/11 Oracle Solaris 11 11/11 Oracle Solaris 11 Benefits

No file system encryption functionality

File system encryption is a property that can be assigned to a ZFS file system when the file system is created.

Encryption offers very high security value with minimal performance impact.  In particular, the T4 SPU (crypto graphics unit), achieves wire-speed encryption and decryption on the processor’s 10 GbE ports.

ZFS deduplication is not supported in Oracle Solaris 10 releases, but you can migrate a pool from an Oracle Solaris 11 system to an Oracle Solaris 10 system with deduped data, but no further deduplication takes place when the pool is imported on the Solaris 10 system.

Deduplication is a property that can be assigned to a ZFS dataset.

Deduplication plus ZFS compression can substantially reduce storage requirements.

ZFS capabilities are managed through the ZFS commands and properties. These features are described in zfs(1M) and zpool(1M) manual pages

Core capabilities are managed through the ZFS commands and properties. Delegated administration, encryption, and share syntax are covered in the separate zfs_allow(1M), zfs_encrypt(1M), and zfs_share(1M) manual pages.

By distributing ZFS capabilities into separate commands and properties, it is possible to delegate administration based on the specific administrative task.

For UFS, backups are often accomplished by using the ufsdump and ufsrestore commands. You can migrate a UFS file system to a ZFS file system by using these commands on an Oracle Solaris 10 system or migrate UFS data to a ZFS file system between two Oracle Solaris 10 systems.

Oracle Solaris 11 includes a new system clone and disaster recovery capability called Unified Archives. Administrators can use the archiveadm(1M) command to quickly capture an archive and either deploy it through the existing Oracle Solaris Zone administration tools or Automated Installer.

Create ZFS snapshots of important file systems and then send/receive them to backup system. An automatic snapshot service (service/storage/zfs-auto-snapshot) is provided to create file system snapshots automatically. Or, you can archive ZFS data with the traditional UNIX tar/cpio/pax archivers or use more sophisticated enterprise backup products.

A UFS file system can be migrated to a ZFS file system on an Oracle Solaris 11 system by using the shadow migration feature.

In addition, the ufsdump and ufsrestore commands can be used to migrate a a UFS file system to a ZFS file system.

ZFS provides comprehensive set of capabilities to archive and retrieve file system snapshots and migrate data between systems running different Oracle Solaris versions. Unified Archives provide the ability to quickly capture a clone or disaster recovery archive and deploy it to a bare metal or virtualized system. This provides extremely flexible golden image deployment when required.

Oracle Solaris 10 release uses the iSCSI target, the iscsitadm command, and the ZFS shareiscsi property to configure iSCSI LUNs.

Administration is through the itadm(1M) command for managing SCSI targets, the srptadm(1M) command for managing SCSI RDMA Protocol (SRP), and the stmfadm(1M) command for managing SCSI LUNs.

COMSTAR in Oracle Solaris 11 provides a more flexible environment for iSCSI support.

Key Links:

 

Installation

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Root file system can be UFS-based or ZFS based.

Root file system is ZFS. Other UFS file systems can still be mountable.

ZFS for the root file system offers superior reliability and expandability compared to UFS.  Also ease of management of ZFS makes 3rd party volume managers unnecessary.

JumpStart for unattended installations.

Automated Installer (AI) for unattended installations.

AI (unlike JumpStart) integrates with other Oracle Solaris technologies like System Management Framework (SMF), IPS and ZFS to provide consistency, scalability, and performance in provisioning systems, including systems with Oracle Solaris Zones.

Oracle VM Manager Ops Center can provision both Oracle Solaris 10 and 11 systems as well as manage virtualization environments and makes an attractive option for customers that don’t want to manage their own AI and or Jumpstart servers.  Oracle VM Manager Ops Center is a no cost download.

 

Hands-on install from media is accomplished by installing from Oracle Solaris installation DVDs (x86 and SPARC).

Unattended installations are possible by placing the contents of the installation media (or ISO image contents from a download) on a JumpStart server.

Hands-on install from media can be accomplished through a variety of mechanisms.

For SPARC systems:
- Text Installer CD
- Text Installer USB
For x86 systems

- Text Installer CD
- Text Installer USB
- Live Media (formerly LiveCD) DVD
- Live Media (formerly LiveCD) USB

Unattended installations are possible by placing the contents of the AI Image media (or ISO image contents from a download) on an AI server.
 

Also, a DVD set of the package repository for both SPARC and x86 is available.

New installation architecture provides a consistent mechanism for deploying systems, via a single, feature rich automated installer or through two types of interactive installations.

Install over the network via JumpStart or from the installer

Install over the network via the Automated Installer (AI).

Similar results but the superiority of IPS design means IPS packages install faster on Oracle Solaris 11 than SVr4 packages on Oracle Solaris 10.

JumpStart server and client creation commands:


# setup-install_server
# add_install_client

Automated Installer server and client creation commands

# installadm create-service
# installadm create-client

All AI actions managed through the new installadm command centralizes administration

JumpStart installs Oracle Solaris 10 and earlier

AI installs Oracle Solaris 11.

Additionally it is possible to set up an Oracle Solaris 11 system as a JumpStart server for Oracle Solaris 10.

This allows centralizing all install servers on Oracle Solaris 11.

JumpStart did not support the concept of what services should run on a system, only what should be installed on a system.

With AI it is possible to provision both for services and content. For example it is possible to specific the same package content for 2 AI instances, but have different services enabled on each. Or it is possible to have different package content on each

This is a good example of how deeper integration with SMF provides additional flexibility in deployments

JumpStart Profile and Rules

AI Manifest and Criteria.

The migration utility js2ai can be used to migrate some aspects of Solaris 10 JumpStart Profiles and Rules to AI Manifests and Criteria.

Creating customized installation media is a manual process involving a significant amount of work

Creating customized text installer images, AI images, and Live Media images is handled by a special tool the Distribution Constructor.

Distribution Constructor offers the ability to easily customize an installation, via media or through the AI server.

Creating system archives either for back up or for fast golden image deployment using Flash Archive support and the flar command.

System clones and full disaster recovery archives can be created using Unified Archives and deployed using the existing Oracle Solaris Zones or Automated Installer capabilities. Archives can be flexibly deployed either to bare metal or virtualized environments with powerful transforms.

Unified Archives is a feature that's deeply integrated into the system allowing administrators to quickly capture live running systems and deploy across the cloud.

Key Links:

 

System Configuration

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Configuration information in files, typically in /etc

Configuration information in the SMF repository.

Centralizing management simplifies configuration and replication, particularly in a cloud environment where a unified programmatic access is a necessity to support dynamic creation of Oracle Solaris environments.

Flat files are easy to administer, but their editing simplicity masks other problems. Patching and upgrading on Oracle Solaris 10 occasionally brought out the problem of handling conflicts with configuration files that had been modified since installation. With Oracle Solaris 11, configuration information is generally accessed and set through SMF commands. There is now a layered concept of configuration data management and so a distinction between, for example, the underlying set of configuration defaults, and administrator changes. This makes for a much more orderly update process, as administrator changes made prior to an upgrade - and that correspond to valid configuration parameters after the upgrade - can be preserved.

sysidtool, sysidconfig and sys-unconfig are tools used to provide or clear system configuration information

sysconfig or the SCI tool create the underlying sc_profile.xml file.

System configuration is now integrated as part of the SMF repository. This greatly simplifies the process to configure and unconfigure systems in a reliable and repeatable way.

Edit /etc/nsswitch.conf to specify how a system will get information on hosts, users etc.

Managed through

# svccfg -s svc:/system/name-service/switch

See the benefits of SMF detailed in first row of this section

Edit /etc/nodename to set the identity of the host.

Managed through

# svccfg -s svc:/system/identity:node

See the benefits of SMF detailed in first row of this section

Edit /etc/defaultdomain to set NIS domain

Managed through

# svccfg -s svc:/network/nis/domain

Property is config/domainname

See the benefits of SMF detailed in first row of this section

Edit /etc/default/init

Locale managed through

# svccfg -s svc:/system/environment:init

Timezone managed through

# svccfg -s svc:/system/environment:init

See the benefits of SMF detailed in first row of this section

Name service servers and domains set through /etc/resolv.conf

Managed through

# svccfg -s svc:/network/dns/client

See the benefits of SMF detailed in first row of this section

In addition, errors in Oracle Solaris 10 resolv.conf were not flagged leading to behavior where the results did not match in intentions of the administrator. In Oracle Solaris 11 basic error checking is performed through the use of SMF templates and reported through SMF.

Manage serial ports through getty, pmadm, ttyadm, ttymon

Managed through

# svccfg -s svc:/system/console-login:terma
and

# svccfg -s svc:/system/console-login:terma

See the benefits of SMF detailed in first row of this section

Power management by editing /etc/power.conf file and using pmconfig command.

Power management through poweradm command.

See the benefits of SMF detailed in first row of this section

System registration is handled by the feature, Auto Registration.  Oracle Configuration Manager is available in Oracle Solaris 10 8/11 but not enabled by default.

System registration is handled by Oracle Configuration Manager.

System registration involved collecting and uploading configuration information to an Oracle repository.  The ability to collect information about customer systems is a core element in the ability to offer customers a superior support experience.

Other networking configuration topics can be found in the Networking section.

Key Links:

 

Networking

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Use ifconfig to change current configuration

If in manual configuration mode use new ipadm and dladm commands

If in Automatic Configuration Mode, use netcfg.

Network virtualization adds many new capabilities and continuing to overload ifconfig is the wrong management approach.

Limited virtualization: VLAN support link and IPMP aggregation

Full network virtualization is now a fundamental part of the Oracle Solaris networking subsystem.  Virtual NICs (VNICs), virtual switches, VLAN support, are all available.

Network virtualization allows sharing a high bandwidth connection with multiple applications, and expands the opportunity for server consolidations to encompass consolidating entire network topologies on a single system.

Quality of Service controls for networking provided by IPQoS. No way to control network bandwidth.

Network quality of service through new network resource management capabilities includes:

Assignment of bandwidth limits to physical and virtual NICs by port, IP address, protocol

Assignment of CPU resources designated to handle network traffic.

In addition if a VNIC is assigned to an Oracle Solaris Zone already under resource management
constraints, that VNIC will automatically be associated with those resource constraints.
IPQoS in Oracle Solaris 10 was an add-on to the networking stack to provide quality of service capabilities but at the cost of network performance.  In Oracle Solaris 11, network bandwidth management was integrated into the data link layer to minimize any performance impact. The new network resource management provides a framework for setting maximum bandwidth limits for both physical and virtual NICs with ability to fine tune to specific traffic characteristics.

For zones, bandwidth and CPU assignment controls prevent resource usage within one zone from negatively impact resource usage in others.

An Oracle Solaris 10 Zone can take advantage of bandwidth management and CPU assignment, as long as administration is from the global zone running on Oracle Solaris 11.

Networking observablility principally through ifconfig and netstat.

Oracle Solaris 11 adds two new commands for network observability, dlstat(1M) for data link layer statistics, and flowstat(1M) (see below) in addition the network can also be observed via zonestat(1M).

 

Enhanced statistics gathering capability, and in the case of dlstat, ability to gather statistics over a defined time period for historical analysis purposes make it possible to use for capacity planning, debugging, and reporting purposes.

VLAN compatibility while supported is convoluted to set up

Integrated support for VLANs over Virtual NICs. To support VLANs in a VNIC infrastructure a VNIC can be given a VLAN tag.

This simplies VLAN administration. There is no more configuration needed and VLAN tags are automatically added to packets leaving that VNIC. Oracle Solaris virtual switches also understand VLAN tags and make sure that traffic remains segregated.

No load balancer

The Integrated Load Balancer (ILB) is now a feature of Oracle Solaris. It is managed via the ilbadm(1M) command.

In integrated load balancer provides opportunities to address load balancer needs without necessarily purchasing separate equipment.

The load balancer is one of the building blocks for network consolidation projects enabled by the networking virtualization capabilities in Oracle Solaris 11.

Network packet reception is always interrupt driven.

Adaptive polling allows the handling of network packets to switch between interrupt and polling modes dependent on the volume of traffic being received.

With this behavior the most efficient method of handling incoming network packets is always in operation. On very busy networks where the receiver is also very busy, the high demand for CPU resources as system becomes overwhelmed with interrupts is avoided.

No way to automatically co-ordinate the creation of VLANs dynamically with the switch infrastructure

Dynamic creation of VLANs on the system and switch infrastructure is supported via the GARP VLAN Registration Protocol(GVRP) .

GVRP allows the host to dynamically inform the physical switches of VLANs configured on a physical link. When that feature is enabled on the switch and the host, messages are sent from the host to the switch at a regular interval, containing the VLANs which are enabled on the physical link. The switch uses the content of these messages to enable the correct VLANs on the switch ports.

This improves security because only the necessary VLANs will be enabled on a switch port, and it also improves performance by reducing the number of multicast packets that will be duplicated by the switches.

Key Links:

Security

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Secure by default is selectable during installation, but is not the default security setting.

Secure by default is the default security setting at install. SSH is the only service enabled.

By default Oracle Solaris 11 is less vulnerable at install time.

root user is typically used for administrative purposes.

root is now a role that can be assigned to users. It is possible to turn the role back into a user
# rolemod -K type=normal root

The root user can not log into a system. Instead the root role is assigned to a user, and that user can log into the system. This provides superior accountability. An audit of logins would, for example, show user names that have accessed a system, not simply that someone logged in as root.

Auditing not on by default, and some performance impact in certain situations.

Auditing is a service and enabled by default. auditconfig is used to view and change audit policy. SMF controls the audit service, svc:/system/auditd:default

On by default, and greater attention to minimize performance impact of auditing.

IPFilter managed through ipf rule file

IP Filter management is integrated into SMF.
The svc.ipfd daemon monitors actions on services that use firewall configuration.
Compatibility is maintained with ipf rule files.

Part of the overall shift to SMF managed services as detailed in the Configuration section.

su is standard command for assuming the capabilities of the root user.

sudo command now included to augment su.

Popular open source utility now included with Oracle Solaris.

aset(1M) is used to monitor or restrict accesses to system files and directories

The ASET functionality is replaced by a combination of IP Filter, which includes svc.ipfd, BART, SMF, Immutable Zones, and other security features that are supported in Oracle Solaris 11.

Administrative rights can be assigned to individual users and roles created to implement separation of duty

Many additions to roles and rights.

  • -Distinction between assigning and delegating
  • -Media Restore rights profile
  • -Profile-based execution is inherited by all processes, so pfexec is no longer needed
  • -Ability to enforce role based access control (RBAC) without the requirement to modify every script to turn on RBAC.
  • Stop rights profile allows administrators to create restricted accounts

While the concept of roles was introduced in Oracle Solaris 8 and responsibilities was introduced in Oracle Solaris 9, there has been a concerted effort to fine tune in Oracle Solaris 11 to promote usage.

Supports a broad range of security standards

Expands/replaces security standards supported.

Internet Key Exchange (IKE) and IPsec – IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions)
Kerberos is now capable of mutual authentication of clients and servers. Also, support for initial authentication by using X.509 certificates with the PKINIT protocol has been introduced.
BART default hash is SHA256

SSH - Support for host and user authentication by using X.509 certificates

Staying current with changes in security standards is a core design goal for Oracle Solaris releases.

See ZFS section for Encrypting ZFS File Systems.

Key Links:

 

Localization and Internationalization

Oracle Solaris 10 8/11 Oracle Solaris 11 Oracle Solaris 11 Benefits

Core localizations are:

Chinese- Simplified
Chinese-Traditional
English
French
German
Italian
Japanese
Korean
Spanish
Swedish
Portuguese - Brazilian

Supports 200 Locales. The core set of localizations is:

Chinese- Simplified
Chinese-Traditional
English
French
German
Italian
Japanese
Korean
Spanish
Portuguese – Brazilian

Much broader support for localizations outside the core group. 

Key Links:

Internationalization and Localization Changes