19 December 2020

Does your system contain the fixes for CVEs or are you vulnerable?

On Solaris 11 the software packages are stored in an IPS repository.
One of the packages is 'solaris-11-cpu'.

When a CVE is fixed, Oracle adds the CVE information to this package as metadata.

That's great. You can easily search for a CVE to find out which
package and Solaris Update contain the fix.

Current sample for CVE-2020-14871 "component: Pluggable authentication module"

-bash-5.0$ pkg search :CVE-2020-14871:
INDEX          ACTION VALUE              PACKAGE
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.6-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.8-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.7-2


This means you have the fix installed if you are on
Solaris 11.4 CPU 2020-09 or later, which is S11.4 SRU 25.
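
Added example, not from the original post: a small shell helper that reduces the pkg search output above to the earliest solaris-11-cpu release per fixed package version, plus a dotted-version comparison for an installed branch. The function names and the installed branch value are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample: a subset of the `pkg search :CVE-2020-14871:` rows shown above.
sample_output() {
cat <<'EOF'
INDEX          ACTION VALUE              PACKAGE
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.9-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.25.0.1.75.3 pkg:/support/critical-patch-update/solaris-11-cpu@2020.10-2
CVE-2020-14871 set    pkg://solaris/consolidation/osnet/osnet-incorporation@11.4,5.11-11.4.27.0.1.82.2 pkg:/support/critical-patch-update/solaris-11-cpu@2020.11-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.12-1
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0    pkg:/support/critical-patch-update/solaris-11-cpu@2020.6-2
CVE-2020-14871 set    pkg://solaris/system/library@0.5.11,5.11-0.175.3.36.0.22.0   pkg:/support/critical-patch-update/solaris-11-cpu@2020.7-2
EOF
}

# Read `pkg search` output on stdin. For every fixed package version (VALUE
# column) print the earliest solaris-11-cpu release that carries the CVE tag.
earliest_cpu() {
  awk '
    $2 == "set" && $4 ~ /solaris-11-cpu@/ {
      cpu = $4
      sub(/^.*solaris-11-cpu@/, "", cpu)        # e.g. 2020.9-2
      split(cpu, p, /[.-]/)                     # year, month, revision
      key = p[1] * 10000 + p[2] * 100 + p[3]    # numeric, so 2020.9 < 2020.10
      if (!($3 in best) || key < best[$3]) { best[$3] = key; name[$3] = cpu }
    }
    END { for (v in best) print v, name[v] }
  ' | sort
}

# Succeed if dotted branch version $1 is >= $2, compared number by number.
# Only meaningful for the same package within the same release train.
branch_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, /[.]/); m = split(b, y, /[.]/)
    for (i = 1; i <= (n > m ? n : m); i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

sample_output | earliest_cpu
# Hypothetical installed branch, checked against the fixed 11.4 branch above.
branch_ge 11.4.24.0.1.75.2 11.4.25.0.1.75.3 || echo "osnet-incorporation is below the fixed version"
```

On a real system, pipe the output of pkg search :CVE-2020-14871: into earliest_cpu instead of the embedded sample.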

Users of our JomaSoft VDCF tool can centrally list the systems
where the required package is already installed:

-bash-5.0$ vpkgadm -c show_server id=solaris/system/library@0.5.11-0.175.3.36.0.22.0

Package: system/library - Core system libraries
PKG-ID : solaris/system/library@0.5.11-0.175.3.36.0.22.0
Version: 0.5.11-0.175.3.36.0.22.0 is installed on:
   Name  Type     PatchLevel                GroupPkg       Comment
  g0062  Node     3.36.0.23.0 (U3.SRU36)    large-server   ZFS Cloning / Shared DS
  v0123  vServer  3.36.0.23.0 (U3.SRU36)    mini-server    ZFS Clones
  v0143  vServer  3.36.0.23.0 (U3.SRU36)    mini-server    Shared dataset

In this special case, a missing fix does not mean you are vulnerable,
because the bug has no impact on Solaris 11.1 or later.

This is documented here:
https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixSUNS

Anyway ... make sure you are up-to-date ...


20 November 2020

Solaris 11.4 SRU27 with Zones Sheet on the Dashboard

Solaris 11.4 GA was released in 08/2018. Since then Oracle has published an update (SRU) each month.


We are now at SRU27 (November 2020). This new SRU contains a bunch of new features.

My favorite is the Zones Sheet, where you can see the resource usage of your zones.

Check out all the other changes on the Oracle Solaris Blog

https://blogs.oracle.com/solaris/announcing-oracle-solaris-114-sru27


Many details on Twitter by Alan Coopersmith
https://twitter.com/alanc/status/1329196081041735682


02 November 2020

Solaris 11 Upgrade on Veritas Cluster with Failover Zones

For efficient Solaris 11 upgrades on Veritas Cluster, do the following:

1. Disable Evacuation of the Solaris Zones

/opt/VRTSvcs/bin/hagrp -modify myzone_sg Evacuate 0

With this setting, the Zones are not evacuated to the other Cluster Node after the Solaris 11 upgrade and reboot.

2. Double check AutoStartList

Check and set the AutoStartList of your Solaris Zones Service Group to make sure
the Zones are attached to the same Node they are currently running on.

/opt/VRTSvcs/bin/hagrp -modify myzone_sg AutoStartList node1 node2


With this setup you can upgrade your first node, reboot and verify all Zones are running fine.

pkg update --be-name s11.3.36 entire@0.5.11,5.11-0.175.3.36
init 6

If all is well with your Solaris Zones and Apps you can do the same with your second node.
 

And after all your nodes are upgraded you can enable Evacuation again.

/opt/VRTSvcs/bin/hagrp -modify myzone_sg Evacuate 1


Happy Upgrading ..


17 September 2020

Events about SPARC, Solaris, ZFS and ... Q3/Q4 2020

Last Updated 23.11.2020


PLANNED Events

ONLINE: UKOUG Virtual Conference 2020
12/01/2020 - 12/09/2020

Online: 12/08/2020 14:00 GMT / 15:00 CET





Event History and Recordings

ONLINE: Oracle Systems Engineering Forum: Oracle Storage (EMEA)
11/17/2020  13:00 - 15:30 CET

 
 
 
ONLINE: DOAG 2020 Conference (Germany)
11/17/2020 - 11/19/2020



Onsite: 11/17/2020 15:00
Online: 11/19/2020 13:00

ONLINE: Oracle Systems Engineering Forum: Oracle Servers (EMEA)
11/03/2020  13:00 - 15:30 CET



29 August 2020

Why we are using SPARC LDoms

Oracle and Fujitsu SPARC Servers include the LDoms Technology. There are no additional costs.
If you see the "Marketing" name 'Oracle VM Server for SPARC', that is exactly this LDoms Technology.

You can create individual Domains with dedicated CPU and RAM resources running
different Solaris Releases. Use of CPU and RAM is very efficient, because there is no software layer involved. You can add and remove CPU and RAM while the LDom is running!

Access to Disk and Network can be virtualized. Performance is good. With such a virtualized setup the Domains can be live migrated between Servers with the same type of CPU. You can cold migrate (with downtime) between different types of Server in a few minutes.

You can place different customers and applications in different LDoms. This is a good approach to consolidate your environment.

We at JomaSoft have been using this technology very successfully for years, both ourselves and at customer sites.
Our VDCF tool makes deployment and management of LDoms very easy.

Learn more:
https://www.oracle.com/virtualization/vm-server-for-sparc/

https://www.oracle.com/technetwork/server-storage/vm/ovmsparc-best-practices-2334546.pdf

https://blog-archive.global.fujitsu.com/easy-flexible-control-of-your-virtualized-datacenter-with-vdcf-2/ 

https://www.jomasoft.ch/vdcf/

29 June 2020

Performance Impact of ZFS Encryption on Oracle Solaris

Transparent Encryption is very easy to use on Oracle Solaris.
You just need to set the encryption property when you create a new filesystem and provide a passphrase or keyfile.

On a SPARC S7 LDom we have 3 ZFS filesystems with different encryption settings.

# zfs get encryption v0123_db/plain v0123_db/encr v0123_db/encr256
NAME              PROPERTY    VALUE        SOURCE
v0123_db/encr     encryption  on           local
v0123_db/encr256  encryption  aes-256-ccm  local
v0123_db/plain    encryption  off          -

Now let's see how much the write performance differs when we copy a 1 GB file.

# ls -lh p25604852_1100_Solaris86-64_1of4.zip
-rw-r--r--   1 marcel   staff       1.3G Apr  7  2017 p25604852_1100_Solaris86-64_1of4.zip
#

# time cp p25604852_1100_Solaris86-64_1of4.zip /plain

real    0m8.829s
user    0m0.002s
sys     0m1.711s

# time cp p25604852_1100_Solaris86-64_1of4.zip /encr

real    0m9.229s
user    0m0.002s
sys     0m1.747s

# time cp p25604852_1100_Solaris86-64_1of4.zip /encr256

real    0m9.733s
user    0m0.002s
sys     0m1.754s

The difference is a low single-digit percentage.

Performance impact is a little larger when doing a simple read test.

# time cp /plain/p25604852_1100_Solaris86-64_1of4.zip /tmp

real    0m4.216s
user    0m0.002s
sys     0m3.810s

# time cp /encr/p25604852_1100_Solaris86-64_1of4.zip /tmp

real    0m5.131s
user    0m0.003s
sys     0m5.028s

# time cp /encr256/p25604852_1100_Solaris86-64_1of4.zip /tmp

real    0m5.400s
user    0m0.003s
sys     0m5.287s

Learn more about ZFS encryption with the Oracle Solaris 11.4 ZFS Admin Guide

https://docs.oracle.com/cd/E37838_01/html/E61017/gkkih.html

30 May 2020

Oracle Database on Solaris ZFS done right

ZFS is the default filesystem on Oracle Solaris. It is
very easy to use with the two commands zpool and zfs.

Disk management
Expand existing LUNs or add additional LUNs if you
need more space. Since Solaris 11.4 you can remove LUNs if you
want to shrink your pool.

Features
No need for filesystem checks, because of the copy-on-write
implementation. You can create snapshots and clones,
use encryption and compression. Transfer data to other
systems using send/receive or sharing.
Move the pools using export/import to other systems.

ZFS builds the base for the Solaris BootEnvironment (beadm)
where you are able to update to and boot from different Solaris 11
Updates.

ZFS is my preferred filesystem and volume manager, but
is everything perfect? No. You need to carefully configure
ZFS to avoid and work around fragmentation.


Oracle Database

You can run Oracle Database very well on ZFS and profit
from snapshots, cloning and other features. Especially
for larger databases (many TB) with lots of data changes
you should set it up carefully.

Here are a few Best Practices based on my own experience
and Recommendations by Oracle:

- data pool with log device / 8KB recordsize for data / logbias=latency
- redo pool with log device / 1MB recordsize / logbias=latency
- archive pool / 1MB recordsize

Add multiple LUNs for striping. Use SSDs for highest performance.
If you are using SAN increase zfs:zfs_vdev_max_pending and ssd:ssd_max_throttle to 20.
Limit the ZFS Cache (zfs:zfs_arc_max)
Make sure there is around 20% free space on the zpools.
Use a Server with 'enough' Memory.

After many years of using ZFS it always hurts if I have
to use other, more complicated filesystems ....


Links

Pool Creation Practices for an Oracle Database (Solaris 11.4 ZFS Guide)

Configuring Oracle ZFS for an Oracle Database Whitepaper (2014)

Oracle DB erfolgreich betreiben auf SPARC/LDoms/Solaris/ZFS (German Presentation)


21 April 2020

New Oracle SPARC and Solaris Webcasts on Demand / April 2020

Learn about the Security features and Performance of the
Oracle SPARC Servers.

Upgrade to Solaris 11.4, which includes the new Web Dashboard,
Compliance, Virtualization and much more.

Why SPARC for most demanding mixed Database workloads
45 Minutes
https://go.oracle.com/LP=89566

Oracle Solaris and SPARC Virtual Seminar
2 Hours 15 Minutes
https://go.oracle.com/LP=91258

20 February 2020

Oracle Systems Customer Forum / June 2020

Original plan was:

Tuesday, 17 March 2020  09:00 - 17:30
A full day event in Prague (Czech Republic)

NOW postponed to Early June 2020

with Oracle Systems Engineering and Product Management onsite

Learn the benefits in 2 tracks about Oracle SPARC/Solaris and Oracle PCA
Performance Analysis, Optimizing Lifecycle, Security & Compliance,
Beating Ransomware and a lot more ...

Full Agenda
https://www.oracle.com/a/ocom/docs/dc/em/systems-customer-forum-prague-2020-web.pdf

Registration is open
https://eventreg.oracle.com/profile/web/index.cfm?PKwebID=0x720861abcd

And Prague is a very nice City !!

See you there!

21 January 2020

On Demand-Webcast: Oracle Solaris 11.4 - The Trusted Business Platform

In case you missed the Live Webcast about Oracle Solaris 11.4 in Mid December 2019:
Oracle has made this Webcast available on Demand.

The webcast is 1 hour long.