Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
SVR4 packages (dating from the late 1980's) |
Image Packaging System (IPS), a state-of-the-art, network repository–based packaging system. |
Installing and maintaining Oracle Solaris is greatly simplified because of the new packaging architecture. This simplification is particularly noticeable in reducing the effort to keep systems updated. |
System software maintenance via packages and patches |
System software maintenance via updates to packages |
IPS greatly simplifies the process of updating a system because there is only one way to upgrade or patch a system - by updating the packages. |
Live Upgrade is a risk management feature mainly used for patching and upgrading by providing roll-back capabilities. It works on both UFS and ZFS root. |
The same feature on Oracle Solaris 11 is now called simply “Boot Environments”. |
Oracle Solaris 11 Boot Environments are a risk management feature suitable for any situation involving system software changes, and fully integrated into package updates, Zones, and ZFS. |
Patch a system by applying the appropriate patch bundle either directly to the system in single user mode (after downloading the appropriate patchset) or via Live Upgrade to an alternate Boot Environment |
Update a system by connecting to the Support Repository and The changes will be made to an automatically created Boot Environment and changes will not impact running environment. |
Updates will automatically create an alternate Boot Environment to which changes will be made. On Oracle Solaris 10, Live Upgrade must be manually invoked and if, in addition, running on UFS, significant planning, potentially including disk reformatting, may be required to meet Live Upgrade storage requirements.
- If the upgrade is not what was expected, roll back to the pre-upgrade environment.
- ZFS snapshots are almost instantaneous.
- This can have a positive impact on decreasing maintenance windows, particularly if it is possible to start the update operation during production time. Downtime is then a reboot, verifying that the applications are running correctly, and then enabling the system to production mode.
- Organizations wanting to use Live Upgrade on UFS were often constrained by disk requirements, which sometimes required breaking a mirror so that one half would be the ‘before patching’ state, and the other the ‘after patching’ state. On Oracle Solaris 11 customers are not forced to give up mirroring in order to build a safety net for updating a system. |
Upgrade a system to a later release via traditional upgrade process (a one-way process), or via Live Upgrade |
Upgrade a system by connecting to the repository as above. |
Same note as above, as there is no distinction on Oracle Solaris 11 between upgrading a system to a later release and updating a system with the latest package changes. |
Live Upgrade managed through commands like the following-
Status: Activate: Delete: |
Boot Environments managed through the
Status: Activate: Delete: |
Management centralized in one command for all boot environments administration. |
SVR4 packaging system supports SVR4 packages. |
IPS supports IPS packages and SVR4 packages. SVR4 package commands are included. SVR4 patch commands are only available with a Solaris 10 Zone on Oracle Solaris 11. |
IPS supports SVR4 packages where it is not practical or possible to repackage in IPS format. |
Packages have names like |
Packages have hierarchical names like |
Packages were re-factored to consolidate similar components or break up large packages to facilitate updating. Finer-grained packages generally mean less to update, since changes to a large package tend not to be spread evenly across all contents of a package. Packages were then renamed to be much more understandable and to give an indication of where a specific package fits in the overall system hierarchy. |
Download full SVR4 package from customer’s SVR4 package location. There is no centralized Oracle repository for Oracle Solaris 10 packages. |
IPS retrieves packages from Oracle or organization repository. IPS calculates package deltas between what is currently installed and latest version from repository and downloads differences. |
IPS minimizes what must be transferred to update a package. |
Set of commands like |
Package maintenance capabilities accessed through |
Single pkg command interface for all actions. Oracle Solaris 10 commands can be invoked and will do the right thing for IPS, e.g. |
Updating zones, see Zones section. |
||
Zones and Boot Environments, see Virtualization section. |
||
Installation from Jumpstart vs. IPS Repository, see Installation section. |
Key Links:
Oracle Solaris 11 Package Changes
Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11
Creating and Administering Oracle Solaris 11.2 Boot Environments
Updating the Software on an Oracle Solaris System
Oracle Solaris 11 Cheat Sheet for Image Packaging System. (PDF)
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Supports Solaris 8 Branded Zones and Solaris 9 Branded Zones but does require purchasing an additional license. Solaris 10 Zones are part of the base offering and fully supported as a part of Oracle’s Premier Support for Operating Systems. |
Oracle Solaris 10 and 11 Zones are supported with no additional licensing requirements. Solaris 8 and 9 Branded Zones are not supported. |
Support for Oracle Solaris 10 Zones is included in Oracle Solaris 11 support programs. The primary advantage is that it will be possible to run Oracle Solaris 10 applications in an Oracle Solaris 11 environment on new hardware platforms long after Oracle Solaris 10 is no longer supported to run natively on new platforms. Support life for Oracle Solaris 8 and 9 is documented in Lifetime Support Policy: Oracle Hardware and Operating Systems Support. |
No boot environments for zones |
Zone boot environments supported |
Boot environments provide the same benefits for zones as they do for the entire system, i.e. a way to snapshot the zone's environment before making any software changes, and thus providing a simple rollback capability should there be a reason to revert to the state before the changes to the zone's environment. |
Monitor zones through a variety of tools - |
New |
Consolidating CPU, memory, networking and resource control utilization into one command simplifies monitoring. |
Two options for file system organization - sparse root (when minimizing size was most important) and whole root (when customizing zone contents is important). |
Single solution - a minimized whole root that allows customizing zone contents. |
“Hybrid” solution minimizes storage requirements to less than 400MB per zone while maintaining the ability to customize zone content. |
Not possible to create zones during system installation. |
Possible to define contents and create zones during initial system install. |
The ability to directly provision zones from the AI server creates additional flexibility in deployment. |
Networking interfaces in zones can either use shared or exclusive IP stacks. Shared stacks are the default. |
Networking in zones can use either shared or exclusive IP stacks. Exclusive IP stacks are the default. |
The advantages of shared stacks are offered through new capabilities for administering exclusive IP stacks, see below. Moreover, the IP and data link layers in Oracle Solaris 11 were re-engineered to integrate network virtualization and network resource management capabilities; to use those with zones on Oracle Solaris 11, you must select exclusive IP stacks. If you run Oracle Solaris 10 zones on Oracle Solaris 11, it is possible to make use of both virtual networking and network resource capabilities, as long as those are created and assigned from the global zone (i.e. running Oracle Solaris 11). |
Exclusive IP stack zones can be assigned any IP address from within the zone. |
A range of allowable IP addresses can be assigned externally from the global zone to a non-global zone using exclusive IP stack. |
Provides IP address controls for Exclusive IP stack zones. |
Shared IP stack provides datalink protection against MAC and IP spoofing. Exclusive zones not protected. |
Protection against MAC and IP spoofing whether using Shared IP stack or Exclusive IP stack. |
With zones defaulting to the Exclusive IP stack, this symmetry ensures no loss of security capabilities. |
Exclusive IP stack zone usage implied a dedicated external physical interface for each zone. |
Introduction of Virtual NICs removed constraint of one physical interface for each zone. |
VNICs and virtual switches provide much more flexibility in creating network-in-a-box topologies as well as getting better utilization from high speed NICs. See networking section for more details. |
User must have root privileges on global zone to administer a zone. |
Zone administration is assigned on a per zone basis.
|
This is simply a role added to the zone administrator's profile, and that profile does not have to contain any other global-zone administrator capabilities, so a zone administrator can only administer assigned zones. |
|
|
The tool offers similar capabilities whether migrating to Oracle Solaris 10 or Oracle Solaris 11 zones. |
Zones whose contents can't be modified can be created via sparse root zones, but this capability was not designed as a security feature. There is little flexibility in configurations, and it is not applicable to whole root zones. |
Immutable zones were designed as a security feature. They can be created with a range of capabilities. The security policy can be: flexible-configuration - permits /var, /etc, and root home directory changes.
Other attributes are associated with these settings. |
The ability to insulate zones from change is a very powerful security feature. |
Hung zone may not be able to be restarted. |
Hung zone more likely able to be restarted. |
On Oracle Solaris 10, if a zone hung, it would typically be due to a problem in some other subsystem. In some situations a zone could not be halted to restart. On Oracle Solaris 11, a zone that is hung has a better chance of being able to be halted and restarted. It still may hang again if the underlying problem (for example unavailability of a file system resource) has not been addressed. |
To gracefully shut down a zone (not summarily halt it) log into each zone and # init -5 |
All zones can be gracefully shut down, one by one, from the global zone via
|
The ability to gracefully shut down all zones from the global zone simplifies administration. |
Zone creation does not automatically create a network interface |
Zone creation automatically creates a VNIC associated with each zone. |
Automatic VNIC creation simplifies creating zones. |
Key Links:
Oracle Solaris Zone Features
Creating and Using Oracle Solaris Zones
Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones
About Zone Migrations and the zonep2vchk Tool
zonecfg(1M) Reference Manual
Exclusive-IP Non-Global Zones
Managing Network Virtualization and Network Resources in Oracle Solaris 11.2
Configuring and Administering Immutable Zones
Oracle Solaris 10 8/11 | Oracle Solaris 11 11/11 | Oracle Solaris 11 Benefits |
---|---|---|
No file system encryption functionality |
File system encryption is a property that can be assigned to a ZFS file system when the file system is created. |
Encryption offers very high security value with minimal performance impact. In particular, the T4 SPU (cryptographic unit) achieves wire-speed encryption and decryption on the processor’s 10 GbE ports. |
ZFS deduplication is not supported in Oracle Solaris 10 releases. You can migrate a pool with deduplicated data from an Oracle Solaris 11 system to an Oracle Solaris 10 system, but no further deduplication takes place when the pool is imported on the Solaris 10 system. |
Deduplication is a property that can be assigned to a ZFS dataset. |
Deduplication plus ZFS compression can substantially reduce storage requirements. |
ZFS capabilities are managed through the ZFS commands and properties. These features are described in zfs(1M) and zpool(1M) manual pages |
Core capabilities are managed through the ZFS commands and properties. Delegated administration, encryption, and share syntax are covered in the separate |
By distributing ZFS capabilities into separate commands and properties, it is possible to delegate administration based on the specific administrative task. |
For UFS, backups are often accomplished by using the |
Oracle Solaris 11 includes a new system clone and disaster recovery capability called Unified Archives. Administrators can use the Create ZFS snapshots of important file systems and then send/receive them to a backup system. An automatic snapshot service ( A UFS file system can be migrated to a ZFS file system on an Oracle Solaris 11 system by using the shadow migration feature. In addition, the ufsdump and ufsrestore commands can be used to migrate a UFS file system to a ZFS file system. |
ZFS provides a comprehensive set of capabilities to archive and retrieve file system snapshots and migrate data between systems running different Oracle Solaris versions. Unified Archives provide the ability to quickly capture a clone or disaster recovery archive and deploy it to a bare metal or virtualized system. This provides extremely flexible golden image deployment when required. |
Oracle Solaris 10 release uses the iSCSI target, the iscsitadm command, and the ZFS shareiscsi property to configure iSCSI LUNs. |
Administration is through the |
COMSTAR in Oracle Solaris 11 provides a more flexible environment for iSCSI support. |
Key Links:
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Root file system can be UFS-based or ZFS based. |
Root file system is ZFS. Other UFS file systems can still be mountable. |
ZFS for the root file system offers superior reliability and expandability compared to UFS. Also, the ease of managing ZFS makes third-party volume managers unnecessary. |
JumpStart for unattended installations. |
Automated Installer (AI) for unattended installations. |
AI (unlike JumpStart) integrates with other Oracle Solaris technologies like System Management Framework (SMF), IPS and ZFS to provide consistency, scalability, and performance in provisioning systems, including systems with Oracle Solaris Zones. |
Hands-on install from media is accomplished by installing from Oracle Solaris installation DVDs (x86 and SPARC). Unattended installations are possible by placing the contents of the installation media (or ISO image contents from a download) on a JumpStart server. |
Hands-on install from media can be accomplished through a variety of mechanisms. |
New installation architecture provides a consistent mechanism for deploying systems, via a single, feature rich automated installer or through two types of interactive installations. |
Install over the network via JumpStart or from the installer |
Install over the network via the Automated Installer (AI). |
Similar results but the superiority of IPS design means IPS packages install faster on Oracle Solaris 11 than SVr4 packages on Oracle Solaris 10. |
JumpStart server and client creation commands: # setup_install_server # add_install_client
|
Automated Installer server and client creation commands |
All AI actions managed through the new |
JumpStart installs Oracle Solaris 10 and earlier |
AI installs Oracle Solaris 11. Additionally it is possible to set up an Oracle Solaris 11 system as a JumpStart server for Oracle Solaris 10. |
This allows centralizing all install servers on Oracle Solaris 11. |
JumpStart did not support the concept of what services should run on a system, only what should be installed on a system. |
With AI it is possible to provision both for services and content. For example, it is possible to specify the same package content for 2 AI instances, but have different services enabled on each. Or it is possible to have different package content on each. |
This is a good example of how deeper integration with SMF provides additional flexibility in deployments |
JumpStart Profile and Rules |
AI Manifest and Criteria. |
The migration utility |
Creating customized installation media is a manual process involving a significant amount of work |
Creating customized text installer images, AI images, and Live Media images is handled by a special tool, the Distribution Constructor. |
Distribution Constructor offers the ability to easily customize an installation, via media or through the AI server. |
Creating system archives either for back up or for fast golden image deployment using Flash Archive support and the |
System clones and full disaster recovery archives can be created using Unified Archives and deployed using the existing Oracle Solaris Zones or Automated Installer capabilities. Archives can be flexibly deployed either to bare metal or virtualized environments with powerful transforms. |
Unified Archives is a feature that's deeply integrated into the system allowing administrators to quickly capture live running systems and deploy across the cloud. |
Key Links:
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Configuration information in files, typically in |
Configuration information in the SMF repository. |
Centralizing management simplifies configuration and replication, particularly in a cloud environment where a unified programmatic access is a necessity to support dynamic creation of Oracle Solaris environments. Flat files are easy to administer, but their editing simplicity masks other problems. Patching and upgrading on Oracle Solaris 10 occasionally brought out the problem of handling conflicts with configuration files that had been modified since installation. With Oracle Solaris 11, configuration information is generally accessed and set through SMF commands. There is now a layered concept of configuration data management and so a distinction between, for example, the underlying set of configuration defaults, and administrator changes. This makes for a much more orderly update process, as administrator changes made prior to an upgrade - and that correspond to valid configuration parameters after the upgrade - can be preserved. |
|
|
System configuration is now integrated as part of the SMF repository. This greatly simplifies the process to configure and unconfigure systems in a reliable and repeatable way. |
Edit |
Managed through |
See the benefits of SMF detailed in first row of this section |
Edit |
Managed through |
See the benefits of SMF detailed in first row of this section |
Edit |
Managed through |
See the benefits of SMF detailed in first row of this section |
Edit |
Locale managed through Timezone managed through |
See the benefits of SMF detailed in first row of this section |
Name service servers and domains set through |
Managed through |
See the benefits of SMF detailed in first row of this section. In addition, errors in Oracle Solaris 10 resolv.conf were not flagged, leading to behavior where the results did not match the intentions of the administrator. In Oracle Solaris 11 basic error checking is performed through the use of SMF templates and reported through SMF. |
Manage serial ports through |
Managed through |
See the benefits of SMF detailed in first row of this section |
Power management by editing |
Power management through |
See the benefits of SMF detailed in first row of this section |
System registration is handled by the feature, Auto Registration. Oracle Configuration Manager is available in Oracle Solaris 10 8/11 but not enabled by default. |
System registration is handled by Oracle Configuration Manager. |
System registration involved collecting and uploading configuration information to an Oracle repository. The ability to collect information about customer systems is a core element in the ability to offer customers a superior support experience. |
Other networking configuration topics can be found in the Networking section. |
Key Links:
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Use |
If in manual configuration mode use new netcfg.
|
Network virtualization adds many new capabilities and continuing to overload |
Limited virtualization: VLAN support link and IPMP aggregation |
Full network virtualization is now a fundamental part of the Oracle Solaris networking subsystem. Virtual NICs (VNICs), virtual switches, and VLAN support are all available. |
Network virtualization allows sharing a high bandwidth connection with multiple applications, and expands the opportunity for server consolidations to encompass consolidating entire network topologies on a single system. |
Quality of Service controls for networking provided by IPQoS. No way to control network bandwidth. |
Network quality of service through new network resource management capabilities includes: assignment of bandwidth limits to physical and virtual NICs by port, IP address, protocol; assignment of CPU resources designated to handle network traffic. In addition, if a VNIC is assigned to an Oracle Solaris Zone already under resource management constraints, that VNIC will automatically be associated with those resource constraints. |
IPQoS in Oracle Solaris 10 was an add-on to the networking stack to provide quality of service capabilities but at the cost of network performance. In Oracle Solaris 11, network bandwidth management was integrated into the data link layer to minimize any performance impact. The new network resource management provides a framework for setting maximum bandwidth limits for both physical and virtual NICs with the ability to fine tune to specific traffic characteristics. For zones, bandwidth and CPU assignment controls prevent resource usage within one zone from negatively impacting resource usage in others. An Oracle Solaris 10 Zone can take advantage of bandwidth management and CPU assignment, as long as administration is from the global zone running on Oracle Solaris 11. |
Networking observability principally through |
Oracle Solaris 11 adds two new commands for network observability, |
Enhanced statistics gathering capability, and in the case of dlstat, ability to gather statistics over a defined time period for historical analysis purposes make it possible to use for capacity planning, debugging, and reporting purposes. |
VLAN compatibility, while supported, is convoluted to set up |
Integrated support for VLANs over Virtual NICs. To support VLANs in a VNIC infrastructure a VNIC can be given a VLAN tag. |
This simplifies VLAN administration. There is no more configuration needed and VLAN tags are automatically added to packets leaving that VNIC. Oracle Solaris virtual switches also understand VLAN tags and make sure that traffic remains segregated. |
No load balancer |
The Integrated Load Balancer (ILB) is now a feature of Oracle Solaris. It is managed via the |
An integrated load balancer provides opportunities to address load balancer needs without necessarily purchasing separate equipment. |
Network packet reception is always interrupt driven. |
Adaptive polling allows the handling of network packets to switch between interrupt and polling modes dependent on the volume of traffic being received. |
With this behavior the most efficient method of handling incoming network packets is always in operation. On very busy networks where the receiver is also very busy, the high demand for CPU resources as the system becomes overwhelmed with interrupts is avoided. |
No way to automatically co-ordinate the creation of VLANs dynamically with the switch infrastructure |
Dynamic creation of VLANs on the system and switch infrastructure is supported via the GARP VLAN Registration Protocol (GVRP). GVRP allows the host to dynamically inform the physical switches of VLANs configured on a physical link. When that feature is enabled on the switch and the host, messages are sent from the host to the switch at a regular interval, containing the VLANs which are enabled on the physical link. The switch uses the content of these messages to enable the correct VLANs on the switch ports. |
This improves security because only the necessary VLANs will be enabled on a switch port, and it also improves performance by reducing the number of multicast packets that will be duplicated by the switches. |
Key Links:
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Secure by default is selectable during installation, but is not the default security setting. |
Secure by default is the default security setting at install. SSH is the only service enabled. |
By default Oracle Solaris 11 is less vulnerable at install time. |
|
|
The |
Auditing not on by default, and some performance impact in certain situations. |
Auditing is a service and enabled by default. |
On by default, and greater attention to minimize performance impact of auditing. |
IPFilter managed through |
IP Filter management is integrated into SMF. |
Part of the overall shift to SMF managed services as detailed in the Configuration section. |
|
|
Popular open source utility now included with Oracle Solaris. |
|
The ASET functionality is replaced by a combination of IP Filter, which includes |
|
Administrative rights can be assigned to individual users and roles created to implement separation of duty |
Many additions to roles and rights.
|
While the concept of roles was introduced in Oracle Solaris 8 and responsibilities was introduced in Oracle Solaris 9, there has been a concerted effort to fine tune in Oracle Solaris 11 to promote usage. |
Supports a broad range of security standards |
Expands/replaces security standards supported. Internet Key Exchange (IKE) and IPsec – IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions) |
Staying current with changes in security standards is a core design goal for Oracle Solaris releases. |
See ZFS section for Encrypting ZFS File Systems. |
Key Links:
Oracle Solaris 10 8/11 | Oracle Solaris 11 | Oracle Solaris 11 Benefits |
---|---|---|
Core localizations are: Chinese- Simplified |
Supports 200 Locales. The core set of localizations is: Chinese- Simplified |
Much broader support for localizations outside the core group. |
Key Links: