LISA’11: Oracle Solaris 11 Summit

These are my notes from the Solaris 11 Summit at LISA'11. Warning: they are in note format, not blog style, so may not read so well. They are mostly here for me to refer back to, but you might find them interesting.

Topics to be covered

  • strategy
  • life cycle mgt
  • zfs
  • virtualisation
  • oracle apps
  • ha
  • kernel

strategy

enterprise ops centre free if you buy the OS

some features: dynamic threads, crypto accel, latency-aware kernel, optimised memory, parallel networking, dtrace, zfs 128-bit block addressing. 10x net, cpu, mem, data…

one example is that solaris 11 can handle 64 TB of memory.

simplified admin of cloud operations. zfs as the default root allows for rapid os updates (4x RH), provisioning (3x vmware), reboots (2.5x RH) and 48% fewer hardware outages. lower latency on virtualised hardware, 4x lower than kvm. scalable data, storage savings and speed. security enhancements such as immutable filesystems, faster ssl and crypto i/o.

updating environments made easier using zfs, like opensolaris using snapshots to enable easy rollback etc.

package updates are now like apt: network repos, crypto verified, complete tools, best practice is the default. the only difference is you need to reboot to apply the patch, due to the need to switch into the new zfs snapshot!
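
A quick sketch of that flow as I understand it (the boot environment name below is made up):

pkg update                   # updates packages; creates a new boot environment when needed
beadm list                   # show boot environments, including the newly created one
beadm activate solaris-1     # roll forward (or back) by activating a BE…
init 6                       # …then reboot into it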

networking in zones is now through dedicated IP stacks ending at the MAC level. this allows for better network virtualisation through specially designed virtual devices.

the whole stack is now considered best of breed: considering the whole stack and solving problems at the right layer of the architecture.

This does make me think that we need to start thinking about the integration between the different systems. We need to think of the whole stack and treat all hardware, OS and apps as one machine regardless of the flavour.

works well with oracle db (obviously!). I don't think, and never have, that we should move oracle db to linux. sparc engineered to have smarter threads, crypto, big pipes and power management. IOMMU on both sparc and intel is improving I/O massively.

Solaris 11 = mission critical cloud. future: next gen is network virtualisation, security, end-to-end analytics, built-in capacity planning, hw scaling to PBs of RAM…

Life cycle management

Package management was the number one complaint with solaris! You don’t say!! ;-)

os installers are getting bigger and no longer fit on install media. solaris 10 showed that the old SVR4 packaging was a dead end.

how do we want it to work? Like apt! ;-) the recommended practice was a manual process which wasn't being followed, so they wanted it to be automated.

wanted to lessen the downtime to apply critical patches to core os or kernel

wanted to make use of the tools (smf, zfs, etc) to automate the process.

make use of the computer to calculate the deps and to obtain the patches automatically.

there was also no way to verify that a package had been installed correctly or as intended.
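
IPS builds verification in; a minimal sketch (the package name in the fix is just an example):

pkg verify                 # check all installed packages against their manifests
pkg fix system/zones       # repair anything that has drifted from the manifest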

IPS contains all the tools to build the install images, and devs should be able to use the same tools.

all the metadata is contained in the package

zfs boot envs – shortened boot time due to reduced hardware detection process.

key ips features:

  • all oriented towards network installs; sources can be different vendor repos
  • packaging and patching is the same operation
  • manifests contain info for all architectures
  • same method for package verification in non-global zones as in the global zone
  • dependencies calculated according to the various pkg variants to suit the env
  • crypto signing by both upstream signers and local ones; you can require that a package is locally signed before being deployed

Capable of doing partial transfer “meta-patch” transitioning, like rpm delta, only download the differences. Capable of creating groups or bulk operations (e.g. language sets).

commands for building packages: pkgsend (push to repo), pkgmogrify (to modify package metadata), pkglint (check the validity of the build).
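
Roughly how these fit together when publishing a package (the file names, proto dir and repo URL are all made up):

pkgmogrify mypkg.p5m transforms.mog > mypkg.final.p5m   # apply metadata transforms to the manifest
pkglint mypkg.final.p5m                                 # sanity-check the manifest before publishing
pkgsend publish -s http://repo.example.com -d ./proto mypkg.final.p5m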

yearly rotation of features, patch batching on a monthly basis.

can do the equivalent of pinning, to hold certain packages back from new releases.

resources: the "IPS Developer Guide", and maintaining pkgs: http://docs.oracle.com/cd/E23824_01/html/E21803/index.html

Asked how multiple developers work on separate build environments and what tools are available for automating this.

A: for each development and build environment, have a unique repo for that system, and merge the different repos into one as part of a release management process.

Big ideas for simplified deployments

zfs – beadm, live cd has text and gui installers, and there are generic groups (like tasksel) for installing server and desktop base packages.

AI = automated installer, installadm provides a one-stop mgt interface. WAN capable design, uses zfs, smf, ips to simplify process.

client = machine to be installed (phys/virt), manifest = XML spec for packages, profile = smf properties for configuration, service = server infrastructure needed to boot, criteria = rules to associate the above and essentially create classes of machines.

uses standard PXE/DHCP to boot off the AI server's install service: download the boot image, os and installer, then pull packages from the IPS repo. with sparc you can use the WAN boot feature.
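
A rough sketch of setting up a service on the AI server (the service name, image path and manifest/profile files are all made up; check installadm(1m) for exact flags):

installadm create-service -n s11-x86 -s /path/to/ai-image.iso   # create an install service from an AI image
installadm create-manifest -n s11-x86 -f webservers.xml         # associate an AI manifest with the service
installadm create-profile -n s11-x86 -f base-config.xml         # add a system configuration profile
installadm list -m -p                                           # list manifests and profiles per service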

system configuration framework in smf, sysconfig(1m) interactive UI, profiles can configure any smf properties. Common changes are users, passwords, dns, hostname, nsswitch, rbac…

sysconfig create-profile -o myprofile.xml

then edit to taste. (Q: can you split operations across several profiles and just update certain things, instead of the whole config in one file?)
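
The generated profile is a standard SMF profile; a minimal hand-edited example might look like this (the hostname value is made up):

<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service name="system/identity" version="1" type="service">
    <instance name="node" enabled="true">
      <property_group name="config" type="application">
        <propval name="nodename" type="astring" value="web01"/>
      </property_group>
    </instance>
  </service>
</service_bundle>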

a default manifest is applied at first boot (interactive config). can specify the package repos, target disk and layout, and locales.

question of how to write manifests, and how often and how many are needed in large environments. there's some dynamic behaviour: "derived manifests", driven by the aimanifest command.
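
A derived manifest is a script run at install time that builds the manifest via aimanifest; a minimal sketch (the base manifest path and name value are assumptions):

#!/bin/ksh93
# load a base manifest, then tweak it for this class of machine
/usr/bin/aimanifest load /usr/share/auto_install/manifest/default.xml
/usr/bin/aimanifest set /auto_install/ai_instance@name webserver_ai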

Zones can be defined in the ai manifest:

<configuration type="zone" name="zone1" source="http://server/zone1/config"/>

auto installed on first boot of the global zone to create the zones

ai used in non-global zone installs:

zoneadm -z zone1 install -m manifest -c profile

there's a js2ai tool (converts jumpstart configs to AI) but we probably won't be much interested in that?

development of the deployment system and IPS is still part of the OpenSolaris project


After lunch

zone management

zoneadm -z z1 install -m /path/to/manifest

zoneadm -z z2 install -c /path/to/profile

p2v options in 11: run the zonep2vchk command on the source to verify, and solaris 10 can run as a branded zone on 11.
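
Roughly the flow for bringing a solaris 10 host in as a branded zone (the archive path and zone name are made up):

# on the solaris 10 source: check for p2v blockers, then take a flash archive
zonep2vchk
flarcreate -n s10host /net/archive/s10host.flar
# on the solaris 11 target: install a solaris10-branded zone from the archive
zoneadm -z s10zone install -u -a /net/archive/s10host.flar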

install zones on zfs. boot envs use "linked images". not much need for sparse root zones now.

zones are installed with pkg:/group/solaris-small-server, minimising the install and saving patching complexity later. can be compressed with zfs, and locales can be removed to reduce size further.
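
For example, something along these lines (the dataset and zone root path are assumptions):

zfs set compression=on rpool/zones/zone1                        # compress the zone's dataset
pkg -R /zones/zone1/root change-facet 'facet.locale.*=false'    # strip locale files from the zone image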

Also can apply some of this to global zones.

immutable zones can be set to control write access to parts of the root fs via profiles, e.g. strict = all of root read-only, fixed-configuration = /etc protected, plus a third profile (missed the name, the slides moved on; likely flexible-configuration). /usr/lib/brand/solaris/platform.xml describes what files and config are affected and enforced.
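
Setting one of these is a one-liner in zonecfg (the zone name is made up):

zonecfg -z zone1 set file-mac-profile=fixed-configuration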

better handling of zones that hang on shutdown

networking – exclusive stack. can use protocols that live at the link/internet layer (ipfilter, snoop, ipsec).

zonestat improved to report and inspect state. a bit like openvz in what it can do, e.g. process limits.
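
e.g. a quick look at per-zone utilisation (the interval is arbitrary):

zonestat 5     # report zone cpu/memory/network utilisation every 5 seconds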

security managed via zonecfg, to allow for delegated administration.
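
Delegation is configured per zone; a sketch (the user and auths are made up):

zonecfg -z zone1 "add admin; set user=alice; set auths=login,manage; end"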

zones-discuss@opensolaris.org & zones forums

next session on Crossbow – network virtualisation and resource control

design based on data lanes – vnic (behaves just like a real nic). one of the main objectives is to control the way that the vnic processes interrupts; this is controlled at the physical nic in "hardware rings" via polling. so you can set bandwidth limits, QoS (done in the nic, no extra components), constrain the cpus used by a vnic, and integrate with the resource manager. e.g.

dladm create-vnic -l net0 -p maxbw=100M vnic0

although manual config might not be necessary…

types of traffic can be controlled and given QoS adjustments via flows, with the flowadm command.
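
Something like this, going by flowadm(1m) (the flow name, port and limit are made up):

flowadm add-flow -l vnic0 -a transport=tcp,local_port=443 -p maxbw=50M httpsflow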

HA and vnics: transparent failover and increased throughput via IEEE 802.3ad. link aggregation occurs below the virtual stack so that physical failure is transparent to the virtual one.
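
i.e. build the aggregation first and hang the vnics off it (link names assumed):

dladm create-aggr -l net0 -l net1 aggr0    # 802.3ad aggregation over two physical nics
dladm create-vnic -l aggr0 vnic0           # vnics ride on the aggregation, so a nic failure is transparent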

can do firewalling, routing, bridging, LB, VRRP all in software virtually.

still reserves the capability to send all traffic to the physical switch if needed, even if it's destined for another vnic that lives on the same virtual vlan stack. if a vnic is joined to a vlan shared on a physical switch, dynamic vlan provisioning will send an update to the switch to let it know, so it can configure the port to accept traffic for it.

all IP configuration (link protocol) is exclusive to the zone, which allows for dynamic configuration of zone networking, such as naming nics with the same name across multiple zones.
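
this is what the zonecfg anet resource gives you; e.g. every zone can see its nic as net0 (zone and link names assumed):

zonecfg -z zone1 "add anet; set linkname=net0; set lower-link=net0; end"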

next talk on security

authentication, x509, pki, kerberos, hardware crypto, ldap, AD

root is now a role: a user executing as root is acting in the role root rather than as the user root, so it's more like sudo. but the speaker advises against using the real sudo.

pfexec is not setuid; it just sets a flag that states its child procs are subject to role-based (rbac) policy. rbac is pushed into the kernel and makes use of ldap and nscd to supply credential info before handing back off to userland for execution.
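
in practice that means granting the role and assuming it with su (the username is made up):

usermod -R root alice    # give alice the root role
su root                  # alice assumes the role (prompts for the role's password by default)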

SSH can be authenticated using X509 client certificates.