16 February 2018

Solaris 11.4 Beta: Fast (asynchronous) ZFS destroy

Destroying a larger ZFS filesystem takes some time.
If you want to destroy and re-create a filesystem,
you have to wait until the destroy is done.

This was the case in the past. Solaris 11.4 Beta
includes a new feature: It destroys ZFS filesystems asynchronously.

You can re-create your filesystem right away while the destroy
runs in the background. Using zpool monitor you can
see how long the background destroy takes.

# zfs list destroytest/fs1
destroytest/fs1 22.1G 17.1G 22.1G /fs1

# time zfs destroy destroytest/fs1; zfs create -o mountpoint=/fs1 destroytest/fs1

real 0m0.654s
user 0m0.005s
sys 0m0.621s

# zpool monitor -t destroy destroytest 5
destroytest destroy 22.1G 0 unknown
destroytest destroy 20.1G 401M 51s
destroytest destroy 13.5G 872M 15s
destroytest destroy 10.8G 767M 14s
destroytest destroy 4.92G 878M 5s

If you need to wait till the filesystem is destroyed completely
you can use the new -s flag.

# time zfs destroy -s destroytest/fs1

real 0m26.438s
user 0m0.005s
sys 0m0.509s

Learn more about the new Solaris 11.4 Beta on

07 February 2018

Upgrade from Solaris 11.3 to 11.4 Beta with only 4 commands using JomaSoft VDCF

You need VDCF 7.0.8 or later which supports the Solaris 11.4 Beta release.
Check your current Version using vdcfadm -c show_version

-bash-4.1$ vdcfadm -c show_version
      Package  Version     Arch.   Install-Date        Name
  JSvdcf-base  7.0.8f      i386    Feb 07 2018 11:30   JomaSoft VDCF - Base

If you don't use VDCF yet, here is the link to the Free Edition download
VDCF automates many Solaris operations and includes best practices to save time and avoid errors.

To install Solaris 11.4 Beta and to upgrade existing systems,
we create an IPS repository. Download the 7 files from

Place the files in a temporary directory

-bash-4.1$ ls -l /ips/zipfiles
total 18352831
-rw-r--r--   1 marcel   staff      12262 Feb  7 10:51 install-repo.ksh
-rw-r--r--   1 marcel   staff    2008529484 Feb  7 11:30 sol-11_4-beta-repo_1of5.zip
-rw-r--r--   1 marcel   staff    1702107787 Feb  7 11:23 sol-11_4-beta-repo_2of5.zip
-rw-r--r--   1 marcel   staff    2002857649 Feb  7 11:39 sol-11_4-beta-repo_3of5.zip
-rw-r--r--   1 marcel   staff    1956904984 Feb  7 11:32 sol-11_4-beta-repo_4of5.zip
-rw-r--r--   1 marcel   staff    1719447798 Feb  7 11:41 sol-11_4-beta-repo_5of5.zip
-rw-r--r--   1 marcel   staff        520 Feb  7 10:51 sol-11_4-beta-repo_digest.txt

The first VDCF command creates the new repository including the SMF service.

-bash-4.1$ ipsadm -c create_repo name=s114 dir=/ips/zipfiles zpool=repo114
Port 8282 is assigned to the repository
Using sol-11_4-beta-repo download.
Uncompressing sol-11_4-beta-repo_1of5.zip...done.
Uncompressing sol-11_4-beta-repo_2of5.zip...done.
Uncompressing sol-11_4-beta-repo_3of5.zip...done.
Uncompressing sol-11_4-beta-repo_4of5.zip...done.
Uncompressing sol-11_4-beta-repo_5of5.zip...done.
Repository can be found in /ips/repo/s114.
Repository installed in /ips/repo/s114
refresh smf service application/pkg/server:s114 ...
Repo server application/pkg/server:s114 listening on http://localhost:8282
rebuilding index (pkgrepo rebuild)
enable smf service application/pkg/server:s114 ...
Setup of IPS repository finished:
solaris   6435     online           2018-02-07T11:45:13.891850Z
Repository s114 successfully created

With the second VDCF command we create an AI service,
which allows us to install new systems.

-bash-4.1$ ipsadm -c create_service name=s114beta platform=i386 patchlevel=4.0 repository=http://localhost:8282
Creating Install service s114beta - this may take a moment ...
Service s114beta successfully created

VDCF uses reusable build definitions to reference a specific Solaris SRU, AI service
and IPS repository:

-bash-4.1$ ipsadm -c create_build name=s114betax service=s114beta repository=http://localhost:8282
Repo server http://localhost:8282 with Solaris 11 patchlevel (U4) selected
Build s114betax successfully created

Now we can upgrade an existing Solaris 11.3 server:

-bash-4.1$ node -c upgrade name=vbox-sol11c build=s114betax reboot
Node Upgrade started for Node vbox-sol11c ...
doing a 'pkg set-publisher -g solaris' now ..
 Startup: Refreshing catalog 'solaris' ... Done
 Startup: Caching catalogs ... Done
doing a 'pkg update  -C 5 --accept --be-name s11. --ignore-missing --reject system/input-method/ibus/anthy --reject system/input-method/ibus/pinyin --reject system/input-method/ibus/sunpinyin --reject system/input-method/library/m17n/contrib entire@11.4,5.11-' now ...
 Startup: Refreshing catalog 'solaris' ... Done
Planning: Solver setup ... Done
Planning: Running solver ... Done
Planning: Finding local manifests ... Done
Planning: Fetching manifests:    0/1416  0% complete

< CUT >

Current BootEnvironment list:
BE               Flags Mountpoint Space  Policy Created
--               ----- ---------- -----  ------ -------
s11.   N     /          6.69M  static 2018-02-07 15:37
s11. R     -          29.91G static 2018-02-07 17:39
Node vbox-sol11c updated to Solaris 11 entire@11.4,5.11- Node is rebooting now.

31 January 2018

Oracle Solaris 11.4 beta is here!

Try the new features yourself. Here are some links to the download page and to Oracle Solaris Blogs,
where the engineers describe a few new features in detail.

Solaris 11.4: Download and Docs

Solaris 11.4: What's New (PDF)

Oracle Solaris Blogs

Oracle Solaris 11.4 Open Beta Released!

reflink(3c) What is it? Why do I care? And how can I use it?

Application Sandboxing in Oracle Solaris 11.4

Live Zone Reconfiguration for Dataset Resources

What's in a uname ?

Solaris Analytics: An Overview

More adventures in Software FMA

Migrating from IPF to Packet Filter in Solaris 11.4

Immutable Zones: SMF changes & Trusted Path services

Getting Data Out of the StatsStore

Default Memory Allocator Security Protections using Silicon Secured Memory (SSM ADI)

What is this BUI thing anyway?

Installing Packages — Oracle Solaris 11.4 Beta

Solaris 11.4 Beta: Fast (asynchronous) ZFS destroy

Oracle Solaris 11.4 Data Management Features

In the coming days I will add additional links here and will add blogs about new features myself.

30 October 2017

Events about SPARC and Oracle Solaris in Nov & Dec 2017

A) Webcast 3rd Thursday Tech Talk: Solaris Continuous Innovation: Modernize without the Risk

16. November 2017
Speaker: Scott Lynn

B) DOAG Konferenz und Ausstellung - Yearly Conference, Nuremberg (Germany)

21 - 24 November 2017
Speakers: Thomas Nau, Joost Pronk, Jan Brosowski, Manfred Drozd, Christophe Brune, Malthe Griesel, Elke Freymann, Michael Färber, Marcel Hofstetter

C) Oracle Power of Solaris Sponsored by Fujitsu, Rome (Italy)

28. November 2017

D) Oracle SPARC / Solaris Users Group Summit, Solna (Sweden)

1. December 2017
Speakers: Bill Nesheim, Martin De Jong, Wissam Moussa, Sergey Kalmykov, Niclas Fredsberg, Juha Hellman

E) UKOUG Tech 17 - Yearly Conference, Birmingham (UK)

4-6 December 2017
Speakers: Stefan Hinker, Marcel Hofstetter

F) Oracle Systems Summit 2017 - Mit Sicherheit in die Zukunft!

28.11. München, Germany
Speaker: Thomas Herrguth, Ralf Zenses, Detlef Drewanz, Jörg Meiners, Jan Brosowski

5.12. Köln, Germany
Speaker: Thomas Herrguth, Ralf Zenses, Detlef Drewanz, Jörg Meiners, Jan Brosowski

6.12. Frankfurt, Germany
Speaker: Thomas Herrguth, Ralf Zenses, Detlef Drewanz, Jörg Meiners, Jan Brosowski

14.12. Zürich, Switzerland
Speaker: Stefano Amato, Ralf Zenses, Detlef Drewanz, Jörg Meiners, Jan Brosowski, Marcel Hofstetter

24 September 2017

New Oracle SPARC M8 CPU and T8/M8 Servers

On September 18th 2017 Oracle announced the Next-Generation SPARC Processor and Servers.

The full webcast is available at

The SPARC M8 chip has 32 cores running at 5.0 GHz. With 8 threads per core, this gives a total of 256 threads per processor. The 32KB L1 cache is double the size of the one in the previous SPARC M7 chip.
Each of the 32 cores now includes an Oracle Database Number unit to accelerate Oracle Numbers arithmetic performance. SHA-3 was added to the many cryptographic algorithms supported by the cores.

Performance improvements compared to the SPARC M7
- Single-Thread 1,5x
- CPU Frequency +21%
- Memory Bandwidth +16%
- Memory Access +6%

SPARC Servers with the SPARC M8 CPU
There are 5 Servers using the new SPARC M8 processor: SPARC T8-1, T8-2, T8-4, M8-8 and SuperCluster M8. The Servers require Solaris 11.3 SRU24 or later. Solaris 10 1/13 with latest patches is also supported to run inside Logical Domains.

Oracle Solaris 11.4
The new Solaris 11.4 release is planned for Fall 2018.
Oracle reiterated that it will support Solaris 11 until at least 2034.

SPARC M8 Benchmark Links

Oracle SPARC M8 for SAS - Vertical Scaling for Secure, Rapid, Agile Environments

21 June 2017

SPARC M12 and S7 CPU comparison using SLOB

Fujitsu SPARC M12 Server

Fujitsu recently announced new SPARC M12 Servers using the SPARC64-XII CPU. These systems hold several performance world records. Check out details at http://www.fujitsu.com/global/products/computing/servers/unix/sparc/key-reports/benchmarks/

But how do this CPU and system scale, and how does the performance compare to our own Oracle SPARC S7 Server?

SLOB DB Benchmark

To compare the two systems I set up a SLOB (Silly Little Oracle DB Benchmark) environment.

The SLOB benchmark executes 500'000 SQL select statements (SLOB Ops). The SGA is 20GB in size to make sure all data is in the Database Cache and no physical I/O is required. This way we measure CPU, Memory, OS and DB Performance.

SLOB results

The 12-core SPARC64-XII scales very well. Using 96 parallel readers we reach 78'000 SLOB OPS per second per socket. This is 2x the SLOB OPS compared to the 8-core SPARC-S7 CPU. 

Calculating the performance down to 1 core, we see a peak of 6500 SLOB OPS per second per core on the M12 and 5000 SLOB OPS per second per core on the S7. An M12 core outperforms the S7 core by 30%. On the S7 we see better results if only a single reader is executed.

Technical details

To make sure we compare oranges with oranges, the same setup was used on both servers.
A Logical Domain was created using 48GB RAM and 1 socket assigned to it.
Solaris 11.3 SRU19 / Oracle DB 12c DATABASE BUNDLE PATCH: (25397136)

We used a SPARC S7-2 (4.267 GHz) and a SPARC M12-2S (4.25 GHz).

22 May 2017

Is my Server Secure? Use the Solaris 11 Compliance Tool

Security Compliance
IT Security is more important than ever. Make sure your systems are up-to-date.
Don't run Services you don't need. Use strong passwords. Protect your files.

Security Compliance checking helps to detect weak and modified configuration.
Solaris 11.3 contains the 'compliance' tool. Using this tool you can create reports against 3 prepared Security Levels.

1. Oracle Solaris Security Benchmark: Baseline
   Matches basically a Secure By Default Installation

2. Oracle Solaris Security Benchmark: Recommended
   Adds Recommended Checks

3. Payment Card Industry - Data Security Standard

The Solaris compliance tool creates easy to understand HTML reports.
It even supports customization for individual machines where individual checks may be enabled or disabled if required.

Use this Blog as an introduction with a few examples. You need to invest more time to reach a completely secure system.

Solaris 11 Compliance Samples
To check against the Solaris Baseline Benchmark run the following command on your system:

# compliance assess -b solaris

Check the HTML report
# compliance report

The HTML report lists the checks in detail, including a description of how to fix failed checks. On a newly installed system there may be a few failed checks. If you don't use Kerberos you can disable the services to make sure the checks pass.

# svcadm disable svc:/network/nfs/fedfs-client:default
# svcadm disable svc:/network/rpc/gss:default

Next we check against the Solaris Recommended Profile

# compliance assess -b solaris -p Recommended

# compliance report -f log
/var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log
# grep fail /var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log | wc -l

To fulfill the Recommended Profile, lots of configuration changes would be needed. As a first step we now create our own benchmark, based on the Solaris Baseline, and add a few additional checks.

If you deploy services, checks like this one may be reported as failed:
OSC-73505 / ssh(1) is the only service binding a listener to non-loopback addresses

On a Solaris Zone I run a Solaris IPS Repository. We create our own tailored benchmark where
this check is disabled.

# compliance tailor -t solaris_jomasoft set benchmark=solaris
# compliance tailor -t solaris_jomasoft set profile=Baseline
# compliance tailor -t solaris_jomasoft exclude OSC-73505  # ssh(1) is the only service binding a listener to non-loopback

Then we add our Password Rules

# compliance tailor -t solaris_jomasoft include OSC-49500  # Passwords require at least 1 upper-case characters
# compliance tailor -t solaris_jomasoft include OSC-47500  # Passwords require at least 1 digits

Change values of existing Checks

# compliance tailor -t solaris_jomasoft value OSCV-46000=8  # Passwords must be at least 8 characters long
# compliance tailor -t solaris_jomasoft value OSCV-48000=1  # Passwords must have at least 1 lower-case characters
# compliance tailor -t solaris_jomasoft value OSCV-49000=1  # Passwords must have at least 1 special characters

Additional Checks

# compliance tailor -t solaris_jomasoft include OSC-93005   # User home directories have appropriate permissions
# compliance tailor -t solaris_jomasoft include OSC-92505   # User home directory ownership is correct

Now we run against our own tailored Benchmark:
# compliance assess -t solaris_jomasoft

A Compliance Report for PCI-DSS is created with
# compliance assess -b pci-dss

To reach PCI-DSS compliance there is some configuration work required.

# compliance report -f log
# grep fail /var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log | wc -l

Find all details in the Oracle Solaris 11.3 Compliance Guide (PDF)

Run your benchmark regularly to detect changes by Administrators and Applications.
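
To make the regular run useful for detecting changes, the following added example (not from the original post or from Oracle) compares two assessment logs and prints the checks that fail now but did not fail before. It assumes the log consists of Title/Rule/Result lines per check; the function names and the sample logs are constructed for illustration.

```shell
#!/bin/sh
# Added example: list compliance rules that fail in a newer assessment log
# but did not fail in an older one.
# ASSUMPTION: the log consists of "Title", "Rule" and "Result" lines per check.

# Print the sorted, unique ids of all rules whose Result is "fail".
failed_rules() {
    awk '$1 == "Rule"   { rule = $2 }
         $1 == "Result" { if ($2 == "fail" && rule != "") print rule; rule = "" }' "$1" |
        sort -u
}

# Print rule ids that fail in log $2 (new) but not in log $1 (old).
new_failures() {
    old_list=$(mktemp) && new_list=$(mktemp) || return 1
    failed_rules "$1" > "$old_list"
    failed_rules "$2" > "$new_list"
    comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Constructed sample logs (not real tool output); $1 is the target directory.
write_sample_logs() {
    cat > "$1/old.log" <<'EOF'
Title   ssh(1) is the only service binding a listener to non-loopback addresses
Rule    OSC-73505
Result  fail

Title   User home directories have appropriate permissions
Rule    OSC-93005
Result  pass
EOF
    cat > "$1/new.log" <<'EOF'
Title   ssh(1) is the only service binding a listener to non-loopback addresses
Rule    OSC-73505
Result  fail

Title   User home directories have appropriate permissions
Rule    OSC-93005
Result  fail
EOF
}

demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
echo "Newly failing checks:"
new_failures "$demo_dir/old.log" "$demo_dir/new.log"
rm -rf "$demo_dir"
```

On a real system the two arguments would be log files under /var/share/compliance/assessments/, as printed by compliance report -f log.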