Solaris 11 Lunch and Learn Review

Recently I was able to attend a presentation regarding Solaris 11 and it's new features. It was a lunch and learn event that was designed to get attendees familiar with the changes that are coming down the Solaris product line. Having been well versed in Solaris 9 and Solaris 10 I was interested in seeing what changes were on the way. When I was trying to wrap my mind around the SMF and other modifications from Solaris 10 I was told that SUN was forced to keep some of the changes out of 10 because nobody would even recognize it if they didn't.

The Solaris 9 to Solaris 10 changes were quite vast. Things such as the SMF created dependencies within services and would automatically keep services running. This was great and all but you now have to learn to use svccfg and figure out how to create and xml file that has the ability to handle your daemons. I really did not like this change at first but over time as I migrated the Solaris 9 systems up to Solaris 10 it became second nature. Other changes such as the fault management subsystem along with RBAC, ZFS, and most of all Containers, made Solaris 10 the defacto standard for the Solaris bloodline.

OpenSolaris was a community project that was basically the testing ground for new features that would be integrated into Solaris 11. Things like ZFS boot were just a revision away and the sky was the limit. Oracle proceeded to kill the OpenSolaris community through neglect and deception. That is why I was a little shocked when I heard the mention of Solaris 11 express being referred to as having a community. I guess they meant it used to have a community but I couldn't bring myself to derail the show with my snarky comments.

One of the touted features in Solaris 11 is the IPS (Image Packaging System). This is designed to make patching your systems much easier because now instead of downloading and installing a patch, you will download and install a patched version of the package. Not only that but any dependencies that need to be resolved will get resolved automatically and the extra packages needed to meet prerequisites will be pulled down and installed also. That sounds great right? The command to perform these actions is pkg. You can do things like pkg install apache or pkg uninstall apache or pkg update (which will fetch your updates and install them for you). This does sound quite an appealing feature for Solaris because now instead of using blastwave to fetch and install applications, the operating system now has this functionality natively.

Although they call it the Image Packaging System, in reality, this is nothing more than apt-get. The apt suite has been available in debian for years and years. Well now this feature has finally made it to Solaris in version 11. Not only do you have an apt-get equivalent but you will have the ability to choose boot environments during startup. If you install a kernel level package that requires a restart, then this package is tagged with a special boot flag which instructs zfs to automatically snapshot the system and create a menu entry for both the old and new revisions of the kernel. Then during boot you will be presented a menu to choose from. How cool is that! It's also nothing more than grub/lilo ported to Solaris for version 11. Don't get me wrong, I never used the live update features because they were just way too cumbersome and had the potential for more harm then good. At least those lu commands are no longer needed. I guess these "features" are good for Solaris but linux has been doing that for years.

Moving along I found myself feeling disappointed. I found out that Solaris 11 express is basically OpenSolaris and works the same way. One of the huge complaints that I had with OpenSolaris was that when installing a zone you were forced to have a network connection. Sure it's 2011 so all computers and servers have an internet connection. This might not be a hangup for you but to me that is just poor design. There are numerous reasons why I might not be able to access the internet but still need to install a zone pronto. The zone installation forces you to fetch a pkg file from Oracle's website every time you install a zone. In Solaris 10 this was not the case at all, zones were installed based off the global zones package set. There was not an internet requirement. This was a big step backward in both OpenSolaris and now Solaris 11 express. Another shortcoming was the lack of sparse root zones. All zones are now whole root zones.

A cool feature that was touted was the Crossbow network virtualization project. With Crossbow you can use dladm create vnic to create virtual network cards. This allows you to hand a virtual network card into a local zone and let it operate as though it was a physical card. To elaborate, one shortcoming in Solaris 10 was that your network cards inside of the local zones were not able to be fully controlled unless you released it from the global zone and set ip type=exclusive. The exclusive network card would then be handed into the local zone and along with it came an entire ip stack. With this new network virtualization strategy it allows you to create 892 virtual network cards out of 1 physical network card. The virtual network cards will have independent network stacks. This means that your virtual nics can be setup for different ipfilter rule sets, mac addresses, and best of all, independent routing tables.
A major complaint I had with Solaris 10 was that when sharing the network card between the global and a local zone, there was only one routing table, and it resided in the global zone. You could not successfully put a local zone in a different subnet without adding a route for that subnet into the global routing table. The virtual networking scenarios started to get out of hand with splitting up 4 e1000g cards into 4 parts each creating 16 and then bonding one virtual interface from each physical interface for load balancing traffic across all 4 cards. Also there was some talk about QoS on the virtual networking interfaces and possibly even ratio balancing with a mechanism that sounded like the Fair Share Scheduler for networking.

Another feature that made people sit up a little higher in their seats was the mention of native Active Directory integration and CIFS built in to the operating system at the kernel level. This means that you can now take your ZFS filesets and publish them to windows machines using one command share cifs /mount/point . There was also mention of binding file shares such as these directly to AD for permissions. The command was something such as smbadmin bind domain name1, domain name 2. The ease of setup and potential management power via ZFS make this one of the best features in a lackluster list of changes. Imagine being able to wield the power of ZFS file systems presenting them as file stores for the domain. This would give the flexibility of ZFS with the usability for business environments.

Along with native CIFS and AD connectivity ZFS gets 2 new capabilities. The first of which is dedupe. The de-duplication should help speed up transfers and shrink the storage footprint by eliminating duplication of files. That might not seem like a big deal but imagine the storage savings on a server with 20 zones.

The other new ZFS feature is encryption. This feature will make all the security minded people smile from ear to ear. You can now encrypt your ZFS storage pool and nobody can read it without your permission. But wait, theres more... You can also encrypt at the fileset level which extends this capability even further. Now you can setup ZFS filesets and dedicate them to different zones and allow them to be encrypted individually where even the global zone cannot access them without the proper decryption keys. That means you can ensure privacy between zones that share a system keeping everyone honest, even the global zone administrator.

The last feature that I can remember was the new structure for user account roles. The root user is now just a role on the server and not an actual account. However that works right. The root privileges are then assigned to basic user accounts I'm guessing through an interface similar to RBAC and pfexec in Solaris 10. It's like sudo but you don't have to type sudo. I like the thought of restricting the root user role from a security standpoint but I don't know how people will react to this. Although you can now delegate administration between regular users on a case per case basis, someone has to maintain all these profiles which might turn into a nightmare. It would be cool to allow user1 to administer zones 1 and 2 and let user 2 administer zone 3 but that seems like a lot of RBAC work.

In summary, The Solaris 11 express lunch and learn trip was definitely educational. However, I think that Solaris 11 express overall was not very impressive. Some of the features in Solaris 11 seem to be outright copies of linux. The apt-get package management with the grub menus are quite handy to have but rely too heavily upon fetching files directly from Oracle. The virtual networking features do address some of the shortcomings found in Solaris 10 containers. The root account as a role seems like a good idea but might not be very practical. Someone still has to have the power to assign roles for users to perform root level actions, who does that now? It used to be a job for root but who knows how that will work. Finally the ZFS updates paired with native CIFS and Active Directory capabilities seem great. This feature might be a solution without a problem however. Does the functionality of ZFS justify purchasing Solaris for the corporate environment? That has yet to be seen.

I find myself choosing CentOS over Solaris more and more often these days. The fact that you are forced to have support contracts just to run Solaris on your system kind of knocks it out of contention when it comes to picking the best bang for your buck. Solaris 11 express looks a whole lot like linux except the pricetag. This version of Solaris did not make me think I have to have it the minute it comes out. On the contrary, this version of Solaris had me looking for the exit. Solaris 10 is solid and should have been considered ahead of it's time. Solaris 11 is more like the end of the line.

Finally, I must say that the woman who gave the presentation did an excellent job. She fielded questions from the audience and you could definitely tell she wasn't just another Oracle sales zombie. She knew her stuff and was quite impressive. The presentation was nice but the fact that she was actually running Solaris 11 on the laptop being used to present put her over the top. Although my frustrations with Oracle have to do with a difference in philosophies it was not through any fault of the presenter. She was much like me, a "doer", someone who gets the job done. It was not her fault that Oracle is a terrible company to do business with.

Thanks for reading my rambles.