Solaris For The Modern Data Center
Taking Advantage of Solaris 11 Features
JANUARY 2013
Contents

Introduction
Patching and Maintenance
  IPS Packages
  Boot Environments
  Fast Reboot
Storage Enhancements
  ZFS File System
  Checksums and Self-Healing Data
  Snapshots
  Replication
  Clones
  Deduplication
  SMB File Sharing
Network Enhancements
  Virtual NICs, Switches
  Firewall
  Network Load Balancer
  Data Center Bridging
Virtualization
  Virtualization Technology Models
  Choosing Your Virtualization Model
Security
Summary
Contact Dewpoint Today

Dewpoint making technology work www.dewpoint.com 1
Introduction

Solaris 11 builds on the solid platform of Solaris 10 while remodeling some of the older sections of the code base to create an operating system that is better able to support the modern data center. In particular, the areas of system maintenance, storage, networking, and virtualization have been improved. These improvements make it much easier to manage Solaris across the full spectrum of deployment environments in use today: physical servers, virtual machines, and cloud.

The features that will be explored in this paper include:

- Patching and Maintenance
- Storage Enhancements
- Network Enhancements
- Virtualization
- Security

Patching and Maintenance

IPS Packages

Solaris 11 has extensive changes in the methods used to install, patch, and update software. The patching system used in previous versions of Solaris was designed over a decade ago, and was not scaling well with the increase in software size or the frequency of system updates. The older patch system also made it difficult to back out some types of patches. To address these issues, Solaris 11 uses a brand new system called the Image Packaging System (IPS). IPS is similar to the package management models used in Linux, which are flexible and intelligent enough to automatically resolve any prerequisite packages required for installations and updates. IPS is used for system software installation as well as patching.

Boot Environments

Solaris 11 supports multiple boot environments that bring benefits to the system maintenance process. Each boot environment uses a snapshot of the root file system, so different binary and configuration files can exist in each boot environment. New packages and updates can be installed into a new boot environment so that they have no effect on the currently running system. When the system is out of production, it can be booted into this new boot environment to run with the changed code. If the new environment has problems, the system can simply be rebooted into the previous boot environment to restore the original configuration.
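The following script, added here as an example and not Dewpoint's or Oracle's code, walks through the boot-environment patching cycle described above: preview the update, stage it into a new boot environment with pkg update --be-name, reboot into it, and roll back by reactivating the previous environment. It assumes Solaris 11 with beadm, pkg and reboot; the BE naming convention and the DRY_RUN switch are constructed for the example.

```shell
#!/bin/sh
# Stage an IPS update into a new boot environment (BE), reboot into it,
# and roll back by name if it misbehaves. Added example; not Dewpoint's
# or Oracle's code. Assumes Solaris 11 with beadm(1M), pkg(1) and
# reboot(1M). DRY_RUN=1 prints each command instead of executing it.

dry() { [ "${DRY_RUN:-0}" = "1" ]; }

# Run a command, or print it in dry-run mode.
run() {
    if dry; then echo "+ $*"; else "$@"; fi
}

# Name for the new BE, e.g. solaris-20130115 (constructed convention).
new_be_name() {
    echo "solaris-$(date +%Y%m%d)"
}

# Name of the BE that is active now. beadm list -H prints one
# semicolon-separated line per BE; the third field holds the flags and
# contains N for the BE active now. Dry-run returns a placeholder.
current_be() {
    if dry; then echo "solaris"; else
        beadm list -H | awk -F';' '$3 ~ /N/ { print $1 }'
    fi
}

# Preview: pkg update -n resolves dependencies and reports what would
# change without touching any BE (the check to run before the window).
preview_update() {
    run pkg update -nv
}

# Install the updates into a fresh BE cloned from the running root.
# --be-name creates the BE, updates it and activates it for next boot;
# the running system is untouched until the reboot.
stage_update() {
    run pkg update --be-name "$1"
}

# Reboot into the newly activated BE. -f requests a fast reboot that
# skips the firmware POST and diagnostics.
reboot_into_new_be() {
    run reboot -f
}

# Rollback: reactivate the previous BE and reboot; nothing is reinstalled.
rollback_to() {
    run beadm activate "$1"
    run reboot -f
}

# Usage: sh be_update.sh preview | update | rollback <old-be-name>
# With no argument the script only defines the functions above.
case "${1:-}" in
    preview)  preview_update ;;
    update)
        old="$(current_be)"; new="$(new_be_name)"
        echo "Active BE is $old; keep that name for rollback. Staging $new."
        stage_update "$new"
        reboot_into_new_be
        ;;
    rollback) rollback_to "${2:?old BE name required}" ;;
esac
```

Run it once with DRY_RUN=1 update to see the exact commands before running it for real in the outage window.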
Fast Reboot

To better support the concept of boot environments, Solaris 11 has a fast reboot mode that avoids resetting the system boards and running through a full POST and diagnostics. When a system is functioning properly and is being rebooted to apply (or remove) package updates, running through a full diagnostic suite of tests wastes valuable time in an outage window. Using the fast reboot mode allows a system to restart in just a few minutes. Tests have shown fast reboot taking less than 2.5 minutes on old hardware.

Storage Enhancements

ZFS File System

Solaris introduced the ZFS file system in Solaris 10 as a new technology that combined a volume manager and a file system into a better way to manage storage. In Solaris 11, ZFS takes center stage as it is the required file system for the root volume. ZFS provides the framework to support the new Image Packaging System (IPS) and boot environments for Solaris system management. ZFS simplifies storage management by eliminating hard partitioning of disks and file systems. ZFS provides data redundancy by using mirroring or redundant disk stripes to create disk pools from which file systems can be allocated. Storage pools can be optimized for performance (RAID 10) or capacity (RAID 5 and RAID 6).

ZFS is a transactional file system, which means that the file system state is always consistent on disk. Traditional file systems overwrite data in place, which means that if the system loses power, for example, between the time a data block is allocated and when it is linked into a directory, the file system will be left in an inconsistent state. Historically, this problem was solved through the use of the fsck command. This command was responsible for reviewing and verifying the file system state, and attempting to repair any inconsistencies during the process. This problem of inconsistent file systems caused great pain to administrators, and the fsck command was never guaranteed to fix all possible problems.

More recently, file systems have introduced the concept of journaling. The journaling process records actions in a separate journal, which can then be replayed safely if a system crash occurs. This process introduces unnecessary overhead because the data needs to be written twice, and it often results in a new set of problems, such as when the journal cannot be replayed properly.

With a transactional file system, data is managed using copy-on-write semantics. Data is never overwritten in place, and any sequence of operations is either entirely committed or entirely ignored. Thus, the file system can never be corrupted through accidental loss of power or a system crash. Although the most recently written pieces of data might be lost, the file system itself will always be consistent. In addition, data can be flagged as synchronous, in which case it is guaranteed to be written to disk before the write returns, so it is never lost.
Checksums and Self-Healing Data

With ZFS, all data and metadata is verified using a user-selectable checksum algorithm. Traditional file systems that do provide checksum verification have performed it on a per-block basis, out of necessity due to the volume management layer and traditional file system design. The traditional design means that certain failures, such as writing a complete block to an incorrect location, can result in data that is incorrect but has no checksum errors. ZFS checksums are stored in a way that lets these failures be detected and recovered from gracefully. All checksum verification and data recovery are performed at the file system layer, and are transparent to applications.

In addition, ZFS provides for self-healing data. ZFS supports storage pools with varying levels of data redundancy. When a bad data block is detected, ZFS fetches the correct data from another redundant copy and repairs the bad block, replacing it with the correct data.

Snapshots

A snapshot is a read-only copy of a file system or volume. Snapshots can be created almost instantly, and they initially consume no additional disk space within the pool. However, as data within the active dataset changes, the snapshot consumes disk space by continuing to reference the old data, thus preventing that disk space from being freed.

ZFS snapshots include the following features:

- Snapshots persist across system reboots.
- The theoretical maximum number of snapshots is 2^64.
- Snapshots use no separate backing store. Snapshots consume disk space directly from the same storage pool as the file system or volume from which they were created.
- Recursive snapshots are created quickly as one atomic operation. The snapshots are created together (all at once) or not created at all. The benefit of atomic snapshot operations is that the snapshot data is always taken at one consistent time, even across descendent file systems.

Snapshots are used with multiple boot environments to allow patches to be installed into an alternate boot environment. Redirecting the patching outside of the currently running environment protects the system from the effects of a bad patch. Different snapshots of the root file system allow the server to be booted into the new or the original patch configuration. An administrator can create snapshots of application or data volumes before applying updates there as well. Using snapshots in this manner allows the system to quickly revert to the original state if an upgrade fails. Reverting to a snapshot is extremely fast and orders of magnitude simpler and quicker than restoring from a backup. Snapshots can also be used to create consistent versions of the file systems that can be backed up to media or replicated to another system.
Replication

ZFS has inherent replication abilities. A snapshot of a file system or volume can be sent to another location on the same or a different Solaris server. This replication can be used for backup, disaster recovery, or test/development functions.

The zfs send command creates a stream representation of a snapshot that is written to standard output. By default, a full stream is generated. You can redirect the output to a file or to a different system. The zfs receive command creates a snapshot whose contents are specified in the stream that is provided on standard input. If a full stream is received, a new file system is created as well. With these commands you can send and receive ZFS snapshot data and file systems.

Incremental replication updates are supported by taking a new snapshot of the original file system. This new snapshot is sent to the destination using an incremental flag, in which case only the changes since the previous snapshot and replication are sent. The use of incremental replication can greatly reduce the time and bandwidth required to update a replicated ZFS object.

Clones

A clone is a writable volume or file system whose initial contents are the same as the dataset from which it was created. As with snapshots, creating a clone is nearly instantaneous and initially consumes no additional disk space. In addition, you can snapshot a clone. Clones are useful if you are running virtualization on a server and want to duplicate a Solaris Zone or virtual machine. Clones are also useful for creating copies of production data for development or test.

Clones can only be created from a snapshot. When a snapshot is cloned, an implicit dependency is created between the clone and the snapshot. Even though the clone is created somewhere else in the file system hierarchy, the original snapshot cannot be destroyed as long as the clone exists. The origin property exposes this dependency, and the zfs destroy command lists any such dependencies, if they exist. Because a clone initially shares all its disk space with the original snapshot, its used property value is initially zero. As changes are made to the clone, it uses more disk space. The used property of the original snapshot does not include the disk space consumed by the clone.

Deduplication

A ZFS file system that stores files containing many duplicate blocks of data can improve storage utilization by enabling deduplication on the file system. ZFS deduplication can provide storage savings for use cases like home directories, archives, or backup files. Solaris provides tools that can check a data area and determine whether deduplication will actually provide real reductions in your data. Since deduplication adds processor and memory overhead to a system, it should only be enabled in environments where it can provide tangible results.
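As an added example (not Dewpoint's or Oracle's code) that ties together the Snapshots, Replication and Clones sections above, the following script takes a recursive snapshot, replicates it to a backup host with zfs send and zfs receive (a full stream first, then an incremental one), reverts with zfs rollback, and clones a snapshot for testing. The dataset tank/data, host backuphost and destination backup/data are constructed names, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Snapshot, replicate (full, then incremental), revert and clone a ZFS
# dataset. Added example; not Dewpoint's or Oracle's code. Assumes
# Solaris 11 with zfs(1M) and ssh access to a backup host; dataset, host
# and pool names are constructed placeholders. DRY_RUN=1 prints each
# command instead of executing it (also how the script is tested).

dry() { [ "${DRY_RUN:-0}" = "1" ]; }

# Run a simple command, or print it in dry-run mode.
run() {
    if dry; then echo "+ $*"; else "$@"; fi
}

# Run a pipeline given as one string (needed for send | receive).
run_pipe() {
    if dry; then echo "+ $1"; else sh -c "$1"; fi
}

# Recursive snapshot: the dataset and all descendants are captured
# atomically at one consistent point in time.
take_snapshot() {
    run zfs snapshot -r "$1"
}

# Full replication: zfs send -R streams the snapshot with all descendant
# datasets and properties; zfs receive -F forces the target to match it.
replicate_full() {
    snap="$1"; host="$2"; dest="$3"
    run_pipe "zfs send -R $snap | ssh $host zfs receive -F $dest"
}

# Incremental replication: -i sends only the blocks changed between the
# previous snapshot and the new one, so far less data crosses the wire.
replicate_incremental() {
    prev="$1"; snap="$2"; host="$3"; dest="$4"
    run_pipe "zfs send -R -i $prev $snap | ssh $host zfs receive -F $dest"
}

# Revert a dataset to a snapshot after a failed upgrade (no restore from
# backup). zfs rollback refuses if newer snapshots exist; -r removes them.
revert_to_snapshot() {
    run zfs rollback "$1"
}

# Clone a snapshot into a writable test copy and show its origin
# property, the dependency that blocks destroying the snapshot.
clone_for_test() {
    snap="$1"; clone="$2"
    run zfs clone "$snap" "$clone"
    run zfs get -H -o value origin "$clone"
}

# Usage: sh zfs_replicate.sh cycle tank/data backuphost backup/data
# With no argument the script only defines the functions above.
case "${1:-}" in
    cycle)
        ds="${2:-tank/data}"; host="${3:-backuphost}"; dest="${4:-backup/data}"
        take_snapshot "$ds@base"
        replicate_full "$ds@base" "$host" "$dest"
        # ...later, after the data has changed:
        take_snapshot "$ds@incr1"
        replicate_incremental "$ds@base" "$ds@incr1" "$host" "$dest"
        clone_for_test "$ds@incr1" "${ds}-test"
        ;;
esac
```

The incremental send requires the base snapshot to still exist on both sides, so keep the last replicated snapshot until the next one has been received.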
SMB File Sharing

The Oracle Solaris operating system has reached a new level of Windows interoperability with the introduction of an integrated SMB server. An Oracle Solaris server can now be an active participant in a Windows Active Directory domain and provide ubiquitous, cross-protocol file sharing through SMB and NFS to clients in their native dialect. The SMB server allows a native Oracle Solaris system to serve files, by means of SMB shares, to SMB-enabled clients, such as Windows and Mac OS systems. A Windows client (or other SMB client) can interoperate with the SMB server as it would with a Windows server.

An SMB server can operate in either workgroup mode or domain mode. In workgroup mode, the SMB server is responsible for authenticating users locally when access to shared resources is requested. This authentication process is referred to as local login. In domain mode, the SMB server uses pass-through authentication, in which user authentication is delegated to a domain controller. In this case, the Solaris server becomes a member of the Windows Active Directory domain. Oracle Solaris OS credentials have been enhanced to fully support Windows-style SIDs. In addition, the ZFS file system supports Windows-style ACLs and access checking. Once created, the SMB shares can be managed by native Windows administration tools.

Network Enhancements

Solaris 11 has overhauled the network software to better support modern networking and virtualization technologies. Support for technologies such as 10 Gigabit Ethernet, Data Center Bridging, IP version 6, and InfiniBand has been greatly enhanced and better integrated into the operating system.

Virtual NICs, Switches

Networking support for virtualization has been improved by separating the physical network devices from the logical network configuration. This separation of functions allows for more flexibility in network configuration.
The operating system supports the creation of virtual switches and virtual network interfaces in software. These constructs allow virtual machines (such as containers or LDOMs) to configure their network interfaces identically to physical machines. This transparency makes it much easier to manage multiple systems regardless of where they are hosted or what the underlying hardware looks like. The virtual switching infrastructure allows Solaris virtualization hosts to bridge the physical network switches in the data center through to the virtual machines contained within the servers.

Firewall

Solaris 11 includes an integrated firewall that can be used to secure network access to the system. The firewall is based on the open source IP Filter software package. The firewall supports stateless packet filtering functions as well as Network Address Translation (NAT) gateway functionality. Packet filtering provides basic protection against network-based attacks. IP Filter can filter by IP address, port, protocol, network interface, and traffic direction. IP Filter can also filter by an individual source IP address, a destination IP address, a range of IP addresses, or address pools.

Network Load Balancer

Solaris 11 also includes an integrated network load balancer that can be used to provide application redundancy. The load balancer operates at layers three and four of the network stack. It intercepts incoming requests from clients, decides which back-end server should handle each request based on load-balancing rules, and then forwards the request to the selected server. The load balancer performs optional health checks and provides the resulting data to the load-balancing algorithms to verify that the selected server can handle the incoming request. By performing these functions, the load balancer spreads the incoming workload across multiple servers. This can improve reliability, minimize response time, and in general improve server performance.

Data Center Bridging

Data center bridging (DCB) is a set of features that enhances traditional Ethernet networks' ability to manage traffic, especially in environments where network traffic volume and transmission rates are high. Fibre Channel links can be dedicated to carrying this type of traffic. However, using dedicated links to service only Fibre Channel traffic can be costly. Thus, Fibre Channel over Ethernet (FCoE) is more commonly used when higher-speed Ethernet (10 Gigabit Ethernet) is deployed. DCB features address Fibre Channel's sensitivity to packet loss while traversing the Ethernet network. DCB enables peers to distinguish traffic based on priorities. By distinguishing priorities, hosts can ensure that for traffic with higher priorities, packet integrity is preserved in cases of congestion between hosts. With the DCB exchange protocol (DCBX), communicating hosts can exchange configuration information that affects high-speed network traffic. The peers can then negotiate a common configuration that ensures continuous traffic flow while preventing packet loss for those packets with high priority.

Virtualization

Solaris 11 supports multiple virtualization models to allow a large amount of flexibility in how applications are deployed. The goal of virtualization is to move from managing individual data center components to managing pools of resources. Server virtualization is important for successful server consolidation projects that require you to maintain the isolation of separate systems.
Successful server virtualization can lead to the following benefits:

- Increasing the utilization of hardware
- Enabling greater flexibility in resource allocation
- Reducing data center power requirements
- Minimizing management costs
- Lowering the cost of ownership
- Providing administrative and resource boundaries between applications on a system
- Enabling simplified high availability and disaster recovery

Virtualization Technology Models

The virtualization models are described by means of the following competing characteristics:

- The amount of execution environment isolation
- The amount of resource flexibility

The more isolation that a model provides, the less resource flexibility it provides. The more resource flexibility that a model provides, the less isolation it provides. Because these characteristics compete, they cannot both be maximized by a single model. Oracle Solaris 11.1 can be used with any of the following virtualization technology models:

Operating system (OS) virtualization provides one or more isolated execution environments in a single OS instance. Each environment contains what appears to be a private copy of the OS in a container. The OS virtualization model provides near-native performance and flexibility, and has a much smaller disk, RAM, and CPU footprint than either virtual machines or physical domains. However, the OS virtualization model provides the least amount of execution environment isolation. Oracle Solaris 11.1 provides this virtualization model by means of the Oracle Solaris Zones product.

Virtual machines can be used to run multiple OS instances with a single set of hardware resources. Each virtual machine that you create runs its own OS. You can run various operating systems in this way. A software or firmware hypervisor creates the illusion that each guest OS instance is running on its own separate system. Virtual machines provide less resource flexibility than a machine that uses OS virtualization, but virtual machines do provide more isolation. Oracle Solaris 11.1 provides this virtualization model by means of Oracle VM Server for SPARC and Oracle VM Server for x86.

Hardware partitions, also known as physical domains, provide physical separation between the running OS and its separate set of resources and power. Because this model does not use a hypervisor, it provides bare-metal performance. This virtualization model provides the most isolation, but it is much less flexible with resource configuration than either the virtual machines or the OS virtualization model. Oracle provides this type of virtualization on Oracle's Sun SPARC Enterprise M-Series servers.

Choosing Your Virtualization Model

The following describes how you might use each Oracle Solaris 11.1 virtualization technology in your environment:

- Use Oracle Solaris Zones to maximize the efficiency and scalability of workloads, and to migrate Solaris 8, Solaris 9, Oracle Solaris 10, and Oracle Solaris 11 workloads to new hardware systems.
- Use Oracle VM Server for SPARC to deploy different Oracle Solaris 10 and Oracle Solaris 11 environments on SPARC chip multithreading (CMT) systems.
- Use Oracle VM Server for x86 to deploy a server with heterogeneous operating systems, including the Oracle Solaris 10 OS and the Oracle Solaris 11 OS as guests.
- Use Oracle SPARC M-Series servers to deploy different Oracle Solaris 10 and Oracle Solaris 11 operating systems to isolated domains. Each domain provides separation and isolation from the other domains on the M-Series server at the socket level, or at the board level to provide electrical isolation. Each domain can run a different version of the Oracle Solaris 10 or Oracle Solaris 11 OS.

You can also mix virtualization technologies to maximize workload density. For example, you could configure multiple zones to run within an Oracle Solaris virtual machine or domain to leverage the strengths of the different virtualization technologies.

Security

Solaris 11 has added many security features to improve the security posture of the operating system.
Some of the significant changes include:

- Auditing: Solaris 11 includes an audit process that is enabled by default. The process creates an audit trail of changes to all objects in the operating system.
- Key Management Enhancements: Solaris now operates as a PKCS#11 keystore for RSA keys. In addition, Oracle Key Manager can be used for centralized enterprise key management.
- ZFS file system encryption: ZFS file systems can be encrypted to secure the data on the disks from unauthorized access.
- IP Filter Firewall: Solaris now includes an integrated firewall to filter port access by IP address.
- Secure by Default: Solaris disables all network services during installation to minimize network exposure. Only the SSH service is enabled in a new install.
- Role Based Access Control (RBAC): All access to system privileges is controlled by roles assigned in the system. A user is granted the roles that correspond to the level of access they require on the system.
- Removal of root user: Solaris 11 is configured without a root user, in accordance with current security practices. Access to the system must be performed through audited user accounts. Authorized users can assume the root role when needed.

Summary

Solaris 11 has been specifically architected for the modern data center and includes enhancements to patching and maintenance, storage handling, networking, virtualization, and security that allow it to surpass all other operating systems for today's workloads. New features such as the Image Packaging System, the integrated load balancer and IP Filter firewall, and enhancements to existing features such as the removal of root access, improved virtualization, and ZFS demonstrate that Oracle is committed to Solaris as the premier operating system for running enterprise workloads faster and better.

Contact Dewpoint Today

Contact Dewpoint today for more information and to begin investigating how your company can take advantage of these technologies to reduce costs and improve efficiencies.

www.dewpoint.com
888-DEWPOINT
contactus@dewpoint.com