On Solaris 11 the software packages are stored in a IPS repository.
One of the packages is 'solaris-11-cpu'.
If a CVE is fixed Oracle adds the CVE info into this package as metadata.
That's great. You can easly search for a CVE to find out which
package and Solaris Update contains the fix.
Current sample for CVS-2020-14871 "component: Pluggable authentication module"
-bash-5.0$ pkg search :CVE-2020-14871:
INDEX ACTION VALUE PACKAGE
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.6-2
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.8-2
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0 pkg:/support/critical-patch-update/solaris-11-cpu@2020.7-2
This means you have the fix installed if you are on
Solaris 11.4 CPU 2020-09 or later which is S11.4 SRU 25
Users of our JomaSoft VDCF tool can list the systems centrally
where the required package is already installed
-bash-5.0$ vpkgadm -c show_server id=solaris/system/library@0.5.11-0.175.3.36.0.22.0
Package: system/library - Core system libraries
PKG-ID : solaris/system/library@0.5.11-0.175.3.36.0.22.0
Version: 0.5.11-0.175.3.36.0.22.0 is installed on:
Name Type PatchLevel GroupPkg Comment
g0062 Node 3.36.0.23.0 (U3.SRU36) large-server ZFS Cloning / Shared DS
v0123 vServer 3.36.0.23.0 (U3.SRU36) mini-server ZFS Clones
v0143 vServer 3.36.0.23.0 (U3.SRU36) mini-server Shared dataset
If the fix is not installed, it does not mean you are vulnerable in this special case,
because the bug has no impact on Solaris 11.1 or later.
This is documented here:
https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixSUNS
Anyway ... make sure you are up-to-date ...
19 December 2020
Does your system contain the fixes for CVEs or are you vulnerable?
20 November 2020
Solaris 11.4 SRU27 with Zones Sheet on the Dashboard
Solaris 11.4 GA was
released in 08/2018. Since then Oracle published an update (SRU) each
month.
We are now at SRU27 (November 2020). This new SRU
contains a bunch of new features.
My favorite is the Zones Sheet where you can see how the Resource Usage of your zones is.
Check out all the other changes on the Oracle Solaris Blog
https://blogs.oracle.com/solaris/announcing-oracle-solaris-114-sru27
https://twitter.com/alanc/status/1329196081041735682
02 November 2020
Solaris 11 Upgrade on Veritas Cluster with Failover Zones
For efficient Solaris 11 upgrades on Veritas Cluster do the following
1. Disable Evacuation of the Solaris Zones
/opt/VRTSvcs/bin/hagrp
-modify myzone_sg Evacuate 0
After the Solaris 11 Upgrade and
reboot the Zones are not evacuated to the other Cluster Node.
2. Double check AutoStartList
Check and set the
AutoStartList of your Solaris Zones Service Group to make sure
the
Zones are attached to the same Node they are currently running on.
/opt/VRTSvcs/bin/hagrp -modify myzone_sg AutoStartList node1 node2
With this setup you can upgrade your first node, reboot and verify all Zones are running fine.
pkg update --be-name
s11.3.36 entire@0.5.11,5.11-0.175.3.36
init 6
If all is well with your Solaris Zones and Apps you can do
the same with your second node.
And after all your nodes are upgraded you can enable Evacuation again.
/opt/VRTSvcs/bin/hagrp -modify myzone_sg Evacuate 1
Happy Upgrading ..
17 September 2020
Events about SPARC, Solaris, ZFS and ... Q3/Q4 2020
Last Updated 23.11.2020
PLANNED Events
12/01/2020 - 12/09/2020
Online: 12/08/2020 14:00 GMT / 15:00 CET
Event History and Recordings
11/17/2020 13:00 - 15:30 CET
11/17/2020 - 11/19/2020
Onsite: 11/17/2020 15:00
Online: 11/19/2020 13:00
ONLINE: Oracle Systems Engineering Forum: Oracle Servers (EMEA)
11/03/2020 13:00 - 15:30 CET
29 August 2020
Why we are using SPARC LDoms
Oracle and Fujitsu SPARC Servers include the LDoms Technology. There are no additional costs.
If you see the "Marketing" name 'Oracle VM Server for SPARC'. That is exactly this LDoms Technology.
You can create individual Domains with dedicated CPU and RAM resources running
different Solaris Releases. Use of CPU and RAM is very efficient, because there is no software layer involved. You can add and remove CPU and RAM while the LDoms is running!
Access to Disk and Network can be done virtualized. Performance is good. Using such a virtualized setup the Domains can be live migrated between Servers with the same type of CPU. You can cold migrate (with downtime) between different types of Server in a few minutes.
You place different customers and applications in different LDoms. Good aproach to consolidate your environment.
We at JomaSoft use this technology very successful since years ourselfs and at customer sites.
Our VDCF tool makes deployment and management of LDoms very easy.
Learn more:
https://www.oracle.com/virtualization/vm-server-for-sparc/
https://www.oracle.com/technetwork/server-storage/vm/ovmsparc-best-practices-2334546.pdf
29 June 2020
Performance Impact of ZFS Encryption on Oracle Solaris
You just need to set the encryption property when you create a new filesystem and provide a passphrase or keyfile.
On a SPARC S7 LDom we have 3 ZFS filesystems with different encryption settings.
# zfs get encryption v0123_db/plain v0123_db/encr v0123_db/encr256
NAME PROPERTY VALUE SOURCE
v0123_db/encr encryption on local
v0123_db/encr256 encryption aes-256-ccm local
v0123_db/plain encryption off -
Now lets see how much is the difference in write performance if we copy a 1 GB file.
# ls -lh p25604852_1100_Solaris86-64_1of4.zip
-rw-r--r-- 1 marcel staff 1.3G Apr 7 2017 p25604852_1100_Solaris86-64_1of4.zip
#
# time cp p25604852_1100_Solaris86-64_1of4.zip /plain
real 0m8.829s
user 0m0.002s
sys 0m1.711s
# time cp p25604852_1100_Solaris86-64_1of4.zip /encr
real 0m9.229s
user 0m0.002s
sys 0m1.747s
# time cp p25604852_1100_Solaris86-64_1of4.zip /encr256
real 0m9.733s
user 0m0.002s
sys 0m1.754s
The difference is a low one digit percent value.
Performance impact is a little larger when doing a simple read test.
# time cp /plain/p25604852_1100_Solaris86-64_1of4.zip /tmp
real 0m4.216s
user 0m0.002s
sys 0m3.810s
# time cp /encr/p25604852_1100_Solaris86-64_1of4.zip /tmp
real 0m5.131s
user 0m0.003s
sys 0m5.028s
# time cp /encr256/p25604852_1100_Solaris86-64_1of4.zip /tmp
real 0m5.400s
user 0m0.003s
sys 0m5.287s
Learn more about ZFS encryption with the Oracle Solaris 11.4 ZFS Admin Guide
https://docs.oracle.com/cd/E37838_01/html/E61017/gkkih.html