Marcel Hofstetter Solaris Blog

24 September 2017

New Oracle SPARC M8 CPU and T8/M8 Servers

On September 18th 2017 Oracle announced the Next-Generation SPARC Processor and Servers.

The full webcast is available at

http://www.oracle.com/us/corporate/events/next-gen-secure-infrastructure-platform/index.html

SPARC M8 CPU

The SPARC M8 chip has 32-cores running at 5.0 GHz, with 8 threads per core a total of 256 threads per processor. The L1 cache with 32KB is double the size of the previous SPARC M7 chip.

Each of the 32 cores now includes an Oracle Database Number unit to accelerate Oracle Numbers arithmetic performance. SHA-3 was added to the many crypto ciphers supported by the cores.

Performance improvements compared to the SPARC M7
- Single-Thread 1,5x
- CPU Frequency +21%
- Memory Bandwidth +16%
- Memory Access +6%

SPARC Servers with the SPARC M8 CPU

There are 5 Servers using the new SPARC M8 processor: SPARC T8-1, T8-2, T8-4, M8-8 and SuperCluster M8. The Servers require Solaris 11.3 SRU24 or later. Solaris 10 1/13 with latest patches is also supported to run inside Logical Domains.

Link to the Oracle SPARC Server Website

Oracle Solaris 11.4
The new Solaris 11.4 release is planned for Fall 2018.
Oracle repeated to support Solaris 11 at least to 2034.

SPARC M8 Benchmark Links

SPECjbb2015:SPARC T8-1 World Record Single Chip Multi-JVM Result

OracleAdvanced Analytics: SPARC T8-2 Up To 1.5x Advantage Under LoadCompared to 2-Chip x86 E5-2699 v4

AESEncryption: SPARC M8 Performance, Beats x86 Per Core Under Load

Oracle SPARC M8 for SAS - Vertical Scaling for Secure, Rapid, Agile Environments

http://www.oracle.com/technetwork/database/bi-datawarehousing/sas/sas-vertical-scale-m8-preso-3870873.pdf (9 MB)

21 June 2017

SPARC M12 and S7 CPU comparison using SLOB

Fujitsu SPARC M12 Server

Fujitsu recently announced new SPARC M12 Servers using the SPARC64-XII CPU. This systems hold several performance world records. Check out details at http://www.fujitsu.com/global/products/computing/servers/unix/sparc/key-reports/benchmarks/

But how does this CPU and system scale and how is the performance compared to our own Oracle SPARC S7 Server?

SLOB DB Benchmark

To compare the two systems I setup a SLOB (Silly Little Oracle DB Benchmark) environment.

The SLOB benchmark executes 500'000 SQL select statements (SLOB Ops). The SGA is 20GB is size to make sure all data is in the Database Cache and no physical I/O is required. This way we measure CPU, Memory, OS and DB Performance.

SLOB results

The 12-core SPARC64-XII scales very well. Using 96 parallel readers we reach 78'000 SLOB OPS per second per socket. This is 2x the SLOB OPS compared to the 8-core SPARC-S7 CPU.

Calculating the performance down to 1 core, we see a peak of 6500 SLOB OPS per second per core on the M12 and 5000 SLOB OPS per second per core on the S7. A M12 core outperforms the S7 core by 30%. On the S7 we see better results if only 1 single reader is executed.

Technical details

To make sure we compare oranges with oranges, the same setup was used on both servers.
A Logical Domain was created using 48GB RAM and 1 socket assigned to it.
Solaris 11.3 SRU19 / Oracle DB 12c DATABASE BUNDLE PATCH: 12.1.0.2.170418 (25397136)

We used a SPARC S7-2 (4.267 Ghz) and a SPARC M12-2S (4.25 Ghz).

22 May 2017

Is my Server Secure? Use the Solaris 11 Compliance Tool

Security Compliance
IT Security is more important than ever. Make sure your systems are up-to-date.
Don't run Services you don't need. Use strong passwords. Protect your files.

Security Compliance checking helps to detect weak and modified configuration.
Solaris 11.3 contains the 'compliance' tool. Using this tool you can create reports against 3 prepared Security Levels.

1. Oracle Solaris Security Benchmark: Baseline
   Matches basically a Secure By Default Installation

2. Oracle Solaris Security Benchmark: Recommended
   Adds Recommended Checks

3. PCI-DSS
   Payment Card Industry - Data Security Standard

The Solaris compliance tool creates easy to understand HTML reports.
It even supports customization for individual machines where individual checks may be enabled or disabled if required.

Use this Blog as an introduction with a few examples. You need to invest more time to reach a completely secure system.

Solaris 11 Compliance Samples
To check against the Solaris Baseline Benchmark run the following command on your system:

# compliance assess -b solaris

Check the HTML report
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2017-05-22,10:32/report.html

The HTML report lists the checks in detail including a description how to fix failed checks. On a newly installed system there may be a few failed checks. If you don't use Kerberos you can disable the services to make sure the checks pass.

# svcadm disable svc:/network/nfs/fedfs-client:default
# svcadm disable svc:/network/rpc/gss:default

Next we check against the Solaris Recommended Profile

# compliance assess -b solaris -p Recommended

# compliance report -f log/var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log# grep fail /var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log | wc -l
      26

To fulfill the Recommended Profile lots of configuration changes would be needed. As a first step we create now an own benchmark, based on the Solaris Baseline, but we add a few additional checks.

If you deploy services, checks like this one may report failed:
OSC-73505 / ssh(1) is the only service binding a listener to non-loopback addresses

On a Solaris Zone I run a Solaris IPS Repository. We create an own tailored benchmark where
this check is disabled.

# compliance tailor -t solaris_jomasoft set benchmark=solaris
# compliance tailor -t solaris_jomasoft set profile=Baseline
# compliance tailor -t solaris_jomasoft exclude OSC-73505 # ssh(1) is the only service binding a listener to non-loopback

Then we add our Password Rules

# compliance tailor -t solaris_jomasoft include OSC-49500 # Passwords require at least 1 upper-case characters
# compliance tailor -t solaris_jomasoft include OSC-47500 # Passwords require at least 1 digits

Change values of existing Checks

# compliance tailor -t solaris_jomasoft value OSCV-46000=8 # Passwords must be at least 8 characters long
# compliance tailor -t solaris_jomasoft value OSCV-48000=1 # Passwords must have at least 1 lower-case characters
# compliance tailor -t solaris_jomasoft value OSCV-49000=1 # Passwords must have at least 1 special characters

Additional Checks

# compliance tailor -t solaris_jomasoft include OSC-93005   # User home directories have appropriate permissions
# compliance tailor -t solaris_jomasoft include OSC-92505   # User home directory ownership is correct

Now we run against our own tailored Benchmark:
# compliance assess -t solaris_jomasoft

A Compliance Report for PCI-DSS is created with
# compliance assess -b pci-dss

To reach PCI-DSS compliance there is some configuration work required.

# compliance report -f log
/var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log
# grep fail /var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log | wc -l
      29

Find all details in the Oracle Solaris 11.3 Compliance Guide (PDF)
https://docs.oracle.com/cd/E53394_01/pdf/E54817.pdf

Run your benchmark regularly to detect changes by Administrators and Applications.

07 April 2017

Is there a performance impact when using Solaris ZFS lz4 compression?

Starting with Solaris 11.3 ZFS supports lz4 compression. Lets verify the impact to performance if we enable lz4 compression with 2 concrete sample files.
First a zip file containing Solaris 11 SRU Updates and second a simple text logfile.

We disable the ZFS Cache to see the impact of I/O and compression
# zfs set primarycache=metadata v0123_db/source
# zfs set primarycache=metadata compressed/fs
# zfs set primarycache=metadata uncompressed/fs

Test 1 - zipped file

# time cp p25604852_1100_Solaris86-64_1of4.zip /uncompressed

real    1m27.571s
user    0m0.002s
sys     0m4.361s

-bash-4.4$ zfs get compression,compressratio,used uncompressed/fs
NAME             PROPERTY       VALUE SOURCE
uncompressed/fs compression    off    inherited from uncompressed
uncompressed/fs compressratio 1.00x -
uncompressed/fs used           1.35G -

# time cp p25604852_1100_Solaris86-64_1of4.zip /compressed

real    1m27.427s
user    0m0.002s
sys     0m4.408s

-bash-4.4$ zfs get compression,compressratio,used compressed/fs
NAME           PROPERTY       VALUE SOURCE
compressed/fs compression    lz4    inherited from compressed
compressed/fs compressratio 1.00x -
compressed/fs used           1.34G -

We see the same duration, no performance loss and because the file is zipped
nearly no space savings.

Test 2 - Log file with Text

# time cp framework.log /uncompressed/

real    0m24.608s
user    0m0.001s
sys     0m1.241s

-bash-4.4$ zfs get compression,compressratio,used uncompressed/fs
NAME             PROPERTY       VALUE SOURCE
uncompressed/fs compression    off    inherited from uncompressed
uncompressed/fs compressratio 1.00x -
uncompressed/fs used           390M   -

# time cp framework.log /compressed/

real    0m24.495s
user    0m0.001s
sys     0m1.260s

-bash-4.4$ zfs get compression,compressratio,used compressed/fs
NAME           PROPERTY       VALUE SOURCE
compressed/fs compression    lz4    inherited from compressed
compressed/fs compressratio 6.37x -
compressed/fs used           61.4M -

Good compression (6x). We save 330MB of disk space here.
No impact to duration. The SPARC S7 core is fast enough.

And now Read Performance

# time cp /compressed/framework.log /tmp; time cp /uncompressed/framework.log /tmp

real    0m17.415s
user    0m0.001s
sys     0m1.354s

real    0m24.479s
user    0m0.001s
sys     0m1.389s

Better results from compressed filesystem. CPU decompression is faster than doing I/O. Need to read 6x the data from uncompressed zfs filesystem.

Summary
With above samples we don't see negative impact when enabling lz4 compression. If you use compressable text files you save lots of disk space while gaining read performance. We start using lz4 on our ZPOOLs by default now.