Solaris 10 and 11 differences for sysadmins
The following tables summarise differences between Solaris 10 and Solaris 11 with emphasis on the benefits of Solaris 11. The content is drawn from Transitioning from Solaris 10 to Solaris 11 and other sources in the Solaris documentation.
Table of Contents
- Image Packaging System (IPS)
- Virtualisation
- ZFS, SMB and COMSTAR
- Installation
- System Configuration
- Networking
- Security
- Localisation & Internationalisation
- Further Reading
Image Packaging System (IPS)
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
SVR4 packages (dating from the late 1980s) | Image Packaging System (IPS), a state-of-the-art, network repository-based packaging system. | Installing and maintaining Solaris is greatly simplified by the new packaging architecture. The simplification is most noticeable in the reduced effort needed to keep systems updated. On Solaris 10 and earlier, it was not uncommon to spend time dealing with patch dependency issues. An administrator had no idea how much work applying a single patch would require, i.e. resolving situations where one patch had been superseded by another or had become dependent on another patch being applied. On Solaris 11 all system changes are made by updating packages and, because of the automatic dependency checking, the administrator sees the entire set of packages affected before any package is actually updated. |
System software maintenance via packages and patches | System software maintenance via updates to packages | IPS greatly simplifies the process of updating a system because there is only one way to upgrade or patch a system - by updating the packages. |
Live Upgrade is a risk management feature mainly used for patching and upgrading by providing roll-back capabilities. It works on both UFS and ZFS root. | The same feature on Solaris 11 is now called simply "Boot Environments". | Solaris 11 Boot Environments are a risk management feature suitable for any situation involving system software changes, and fully integrated into package updates, Zones, and ZFS. |
Patch a system by applying the appropriate patch bundle, either directly to the system in single user mode (after downloading the appropriate patchset) with # ./installbundle or via Live Upgrade to an alternate Boot Environment. | Update a system by connecting to the Support Repository and running # pkg update. The changes are made to an automatically created Boot Environment and do not impact the running environment. | Updates automatically create an alternate Boot Environment to which changes are made. On Solaris 10, Live Upgrade must be manually invoked and if, in addition, the system is running on UFS, significant planning, potentially including disk reformatting, may be required to meet Live Upgrade storage requirements. Other advantages are similar to Solaris 10's when the latter is running on ZFS: - If the upgrade is not what was expected, roll back to the pre-upgrade environment. - ZFS snapshots are almost instantaneous. - This can help shorten maintenance windows, particularly if it is possible to start the update operation during production time. Downtime is then a reboot, a check that the applications are running correctly, and returning the system to production mode. - Organizations wanting to use Live Upgrade on UFS were often constrained by disk requirements, which sometimes required breaking a mirror so that one half would be the "before patching" state, and the other the "after patching" state. On Solaris 11 customers are not forced to give up mirroring in order to build a safety net for updating a system. |
Upgrade a system to a later release via traditional upgrade process (a one-way process), or via Live Upgrade | Upgrade a system by connecting to the repository as above. | Same note as above, as there is no distinction on Solaris 11 between upgrading a system to a later release and updating a system with the latest package changes. |
Live Upgrade managed through commands like the following. Create a boot environment: # lucreate -n newBE; Status: # lustatus; Activate: # luactivate newBE; Delete: # ludelete BE | Boot Environments managed through the beadm(1M) command. Create a boot environment: # beadm create newBE; Status: # beadm list; Activate: # beadm activate newBE; Delete: # beadm delete BE | Management centralized in one command for all boot environment administration. |
SVR4 packaging system supports SVR4 packages. | IPS supports IPS packages and SVR4 packages. SVR4 package commands are included. SVR4 patch commands are only available with a Solaris 10 Zone on Solaris 11. | IPS supports SVR4 packages where it is not practical or possible to repackage in IPS format. |
Packages have names like SUNWxxxx | Packages have hierarchical names like driver/storage/<driver name>, system/management/<name> and so forth. | Packages were re-factored to consolidate similar components or break up large packages to facilitate updating. Finer-grained packages generally mean less to update, since changes to a large package tend not to be spread evenly across all of its contents. Packages were then renamed to be much more understandable and to give an indication of where a specific package fits in the overall system hierarchy. |
Download full SVR4 package from customer's SVR4 package location. There is no centralized Oracle repository for Solaris 10 packages. | IPS retrieves packages from the Oracle repository or an organization's repository. IPS calculates package deltas between what is currently installed and the latest version in the repository and downloads only the differences. | IPS minimizes what must be transferred to update a package. |
Set of commands like pkgadd, patchadd, pkgrm, pkgadm, pkginfo, pkgchk. | Package maintenance capabilities accessed through the pkg(1) command, although SVR4 package commands continue to work on IPS packages. | Single pkg command interface for all actions. Solaris 10 commands can be invoked and will do the right thing for IPS, e.g. pkginfo, pkgadd, pkgrm. |
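
As an added example (not part of the original page or of Oracle's documentation), the following shell functions read `beadm list -H` output after a `pkg update` and report whether the next reboot switches boot environments and which one to re-activate to roll back. The semicolon-separated field order (name;uuid;active;mountpoint;space;policy;created), the function names and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: check the rollback safety net after `pkg update`.
# Assumed `beadm list -H` layout, one boot environment (BE) per line:
#   name;uuid;active;mountpoint;space;policy;created
# The active field holds N (running now) and/or R (active on next reboot).

# Constructed sample: an update created solaris-1 and activated it for the
# next boot, while the running BE "solaris" is still present.
SAMPLE_BE_LIST='solaris;;N;/;8377098752;static;1400000000
solaris-1;;R;;9126805504;static;1400600000
solaris-backup;;;;55296;static;1399000000'

# be_with_flag FLAG: print the name of the first BE whose active field
# contains FLAG. Reads the BE list on stdin; malformed lines are skipped.
be_with_flag() {
    awk -F';' -v flag="$1" 'NF >= 7 && index($3, flag) { print $1; exit }'
}

# update_state: read the BE list on stdin and describe what a reboot will do.
#   return 0  a different BE is pending; prints the rollback command
#   return 1  running BE is also the next BE (no update BE is pending)
#   return 2  running or next BE could not be determined
update_state() {
    list=$(cat)
    running=$(printf '%s\n' "$list" | be_with_flag N)
    next=$(printf '%s\n' "$list" | be_with_flag R)
    if [ -z "$running" ] || [ -z "$next" ]; then
        echo "unknown: could not find running/next boot environment"
        return 2
    fi
    if [ "$running" = "$next" ]; then
        echo "unchanged: $running stays active; no new BE pending"
        return 1
    fi
    echo "pending: reboot switches $running -> $next; roll back with: beadm activate $running"
}

# Demonstration on the constructed sample. On a Solaris 11 host the input
# would come from:  beadm list -H | update_state
printf '%s\n' "$SAMPLE_BE_LIST" | update_state
```
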
Virtualisation
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Supports Solaris 8 Branded Zones and Solaris 9 Branded Zones but does require purchasing an additional license. Solaris 10 Zones are part of the base offering and fully supported as a part of Oracle's Premier Support for Operating Systems. | Solaris 10 and 11 Zones are supported with no additional licensing requirements. Solaris 8 and 9 Branded Zones are not supported. In addition, Solaris 11 supports independent kernels through a new feature in Solaris 11.2 called Solaris Kernel Zones, meaning that administrators can run different OS versions in parallel. | Support for Solaris 10 Zones is included in Solaris 11 support programs. The primary advantage is that it will be possible to run Solaris 10 applications in a Solaris 11 environment on new hardware platforms long after Solaris 10 is no longer supported to run natively on new platforms. Support life for Solaris 8 and 9 is documented in Lifetime Support Policy: Oracle Hardware and Operating Systems Support. |
No boot environments for zones | Zone boot environments supported | Boot environments provide the same benefits for zones as they do for the entire system, i.e. a way to snapshot the zone's environment before making any software changes, and thus providing a simple rollback capability should there be a reason to revert to the state before the changes to the zone's environment. |
Monitor zones through a variety of tools - vmstat, mpstat, prstat | New zonestat(1) command provides a variety of zone-specific information. The commands mentioned for Solaris 10 are also useful. | Consolidating CPU, memory, networking and resource control utilization into one command simplifies monitoring. |
Two options for file system organization - sparse root (when minimizing size was most important) and whole root (when customizing zone contents is important). | Single solution - a minimized whole root that allows customizing zone contents. | "Hybrid" solution minimizes storage requirements to less than 400MB per zone while maintaining the ability to customize zone content. |
Not possible to create zones during system installation. | Possible to define contents and create zones during initial system install. | The ability to directly provision zones from the AI server, creates additional flexibility in deployment. |
Networking interfaces in zones can either use shared or exclusive IP stacks. Shared stacks are the default. | Networking in zones can use either shared or exclusive IP stacks. Exclusive IP stacks are the default. | The advantages of shared stacks are offered through new capabilities for administering exclusive IP stacks, see below. Moreover, the IP and data link layers in Solaris 11 were re-engineered to integrate network virtualization and network resource management capabilities; to use those with zones on Solaris 11, you must select exclusive IP stacks. If you run Solaris 10 zones on Solaris 11, it is possible to make use of both virtual networking and network resource capabilities, as long as those are created and assigned from the global zone (i.e. running Solaris 11). |
Exclusive IP stack zones can be assigned any IP address from within the zone. | A range of allowable IP addresses can be assigned externally from the global zone to a non-global zone using exclusive IP stack. | Provides IP address controls for Exclusive IP stack zones. |
Shared IP stack provides datalink protection against MAC and IP spoofing. Exclusive zones not protected. | Protection against MAC and IP spoofing whether using Shared IP stack or Exclusive IP stack. | With zones defaulting to the Exclusive IP stack, this symmetry ensures no loss of security capabilities. |
Exclusive IP stack zone usage implied a dedicated external physical interface for each zone. | Introduction of Virtual NICs removed constraint of one physical interface for each zone. | VNICs and virtual switches provide much more flexibility in creating network-in-a-box topologies as well as getting better utilization from high speed NICs. See networking section for more details. |
User must have root privileges on global zone to administer a zone. | Zone administration is assigned on a per zone basis. zonecfg:my-zone> add admin | This is simply a role added to the zone administrators profile, and that profile does not have to contain any other global-zone administrator capabilities, so a zone administrator can only administer assigned zones. |
zonep2vchk tool for migrating a physical system to a Solaris 10 zone. # <dir>/zonep2vchk | zonep2vchk tool for migrating a physical Solaris 10 system to a Solaris 10 or 11 Zone. # /usr/sbin/zonep2vchk | The tool offers similar capabilities whether migrating to Solaris 10 or Solaris 11 zones. |
Zones whose contents can't be modified can be created via sparse root zones but this capability was not designed as a security feature. There is little flexibility in configurations, and it is not applicable to whole root zones. | Immutable zones were designed as a security feature. They can be created with a range of capabilities. The security policy can be: strict - read only; fixed-configuration - permits /var updates; flexible-configuration - permits /var, /etc, and root home directory changes. Other attributes are associated with these settings. | The ability to insulate zones from change is a very powerful security feature. |
Hung zone may not be able to be restarted. | Hung zone more likely able to be restarted. | On Solaris 10, if a zone hung, it would typically be due to a problem in some other subsystem. In some situations a zone could not be halted to restart. On Solaris 11, a zone that is hung has a better chance of being able to be halted and restarted. It still may hang again if the underlying problem (for example unavailability of a file system resource) has not been addressed. |
To gracefully shut down a zone (not summarily halt it) log into each zone and run # init -5 | All zones can be gracefully shut down, one by one, from the global zone via # zoneadm -z my-zone shutdown | The ability to gracefully shut down all zones from the global zone simplifies administration. |
Zone creation does not automatically create a network interface | Zone creation automatically creates a VNIC associated with each zone. | Automatic VNIC creation simplifies creating zones. |
ZFS, SMB and COMSTAR
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
No file system encryption functionality | File system encryption is a property that can be assigned to a ZFS file system when the file system is created. | Encryption offers very high security value with minimal performance impact. In particular, the T4 SPU (cryptographic unit) achieves wire-speed encryption and decryption on the processor's 10 GbE ports. See BestPerf Oracle blog. |
ZFS deduplication is not supported in Solaris 10 releases. You can migrate a pool with deduped data from a Solaris 11 system to a Solaris 10 system, but no further deduplication takes place when the pool is imported on the Solaris 10 system. | Deduplication is a property that can be assigned to a ZFS dataset. | Deduplication plus ZFS compression can substantially reduce storage requirements. |
ZFS capabilities are managed through the ZFS commands and properties. These features are described in the zfs(1M) and zpool(1M) manual pages. | Core capabilities are managed through the ZFS commands and properties. Delegated administration, encryption, and share syntax are covered in the separate zfs_allow(1M), zfs_encrypt(1M), and zfs_share(1M) manual pages. | By distributing ZFS capabilities into separate commands and properties, it is possible to delegate administration based on the specific administrative task. |
For UFS, backups are often accomplished by using the ufsdump and ufsrestore commands. You can migrate a UFS file system to a ZFS file system by using these commands on a Solaris 10 system or migrate UFS data to a ZFS file system between two Solaris 10 systems. | Solaris 11 includes a new system clone and disaster recovery capability called Unified Archives. Administrators can use the Create ZFS snapshots of important file systems and then send/receive them to backup system. An automatic snapshot service ( A UFS file system can be migrated to a ZFS file system on a Solaris 11 system by using the shadow migration feature. In addition, the | ZFS provides a comprehensive set of capabilities to archive and retrieve file system snapshots and migrate data between systems running different Solaris versions. Unified Archives provide the ability to quickly capture a clone or disaster recovery archive and deploy it to a bare metal or virtualized system. This provides extremely flexible golden image deployment when required. |
Solaris 10 release uses the iSCSI target, the iscsitadm command, and the ZFS shareiscsi property to configure iSCSI LUNs. | Administration is through the | COMSTAR in Solaris 11 provides a more flexible environment for iSCSI support. |
Installation
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Root file system can be UFS-based or ZFS-based. | Root file system is ZFS. Other UFS file systems can still be mounted. | ZFS for the root file system offers superior reliability and expandability compared to UFS. The ease of management of ZFS also makes 3rd party volume managers unnecessary. |
JumpStart for unattended installations. | Automated Installer (AI) for unattended installations. | AI (unlike JumpStart) integrates with other Solaris technologies like System Management Framework (SMF), IPS and ZFS to provide consistency, scalability, and performance in provisioning systems, including systems with Solaris Zones. |
Hands-on install from media is accomplished by installing from Solaris installation DVDs (x86 and SPARC). Unattended installations are possible by placing the contents of the installation media (or ISO image contents from a download) on a JumpStart server. | Hands-on install from media can be accomplished through a variety of mechanisms. | New installation architecture provides a consistent mechanism for deploying systems, via a single, feature-rich automated installer or through two types of interactive installations. |
Install over the network via JumpStart or from the installer | Install over the network via the Automated Installer (AI). | Similar results, but the superiority of the IPS design means IPS packages install faster on Solaris 11 than SVR4 packages on Solaris 10. |
JumpStart server and client creation commands: | Automated Installer server and client creation commands | Managing all AI actions through the new installadm command centralizes administration. |
JumpStart installs Solaris 10 and earlier | AI installs Solaris 11. Additionally it is possible to set up a Solaris 11 system as a JumpStart server for Solaris 10. | This allows centralizing all install servers on Solaris 11. |
JumpStart did not support the concept of what services should run on a system, only what should be installed on a system. | With AI it is possible to provision both for services and content. For example it is possible to specify the same package content for 2 AI instances, but have different services enabled on each. Or it is possible to have different package content on each. | This is a good example of how deeper integration with SMF provides additional flexibility in deployments. |
JumpStart Profile and Rules | AI Manifest and Criteria. | The migration utility |
Creating customized installation media is a manual process involving a significant amount of work | Creating customized text installer images, AI images, and Live Media images is handled by a special tool, the Distribution Constructor. | Distribution Constructor offers the ability to easily customize an installation, via media or through the AI server. |
Creating system archives either for back up or for fast golden image deployment using Flash Archive support and the flar command. | System clones and full disaster recovery archives can be created using Unified Archives and deployed using the existing Solaris Zones or Automated Installer capabilities. Archives can be flexibly deployed either to bare metal or virtualized environments with powerful transforms. | Unified Archives is a feature that's deeply integrated into the system, allowing administrators to quickly capture live running systems and deploy across the cloud. |
System Configuration
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Configuration information in files, typically in /etc | Configuration information in the SMF repository. | Centralizing management simplifies configuration and replication, particularly in a cloud environment where unified programmatic access is a necessity to support dynamic creation of Solaris environments. Flat files are easy to administer, but their editing simplicity masks other problems. Patching and upgrading on Solaris 10 occasionally brought out the problem of handling conflicts with configuration files that had been modified since installation. With Solaris 11, configuration information is generally accessed and set through SMF commands. There is now a layered concept of configuration data management, and so a distinction between, for example, the underlying set of configuration defaults and administrator changes. This makes for a much more orderly update process, as administrator changes made prior to an upgrade - and that correspond to valid configuration parameters after the upgrade - can be preserved. |
sysidtool, sysidconfig and sys-unconfig are tools used to provide or clear system configuration information | | System configuration is now integrated as part of the SMF repository. This greatly simplifies the process to configure and unconfigure systems in a reliable and repeatable way. |
Edit /etc/nsswitch.conf to specify how a system will get information on hosts, users etc. | Managed through | See the benefits of SMF detailed in first row of this section |
Edit /etc/nodename to set the identity of the host. | Managed through | See the benefits of SMF detailed in first row of this section |
Edit /etc/defaultdomain to set NIS domain | Managed through | See the benefits of SMF detailed in first row of this section |
Edit /etc/default/init | Locale managed through Timezone managed through | See the benefits of SMF detailed in first row of this section |
Name service servers and domains set through /etc/resolv.conf | Managed through | See the benefits of SMF detailed in first row of this section. In addition, errors in Solaris 10 resolv.conf were not flagged, leading to behavior that did not match the intentions of the administrator. In Solaris 11 basic error checking is performed through the use of SMF templates and reported through SMF. |
Manage serial ports through getty, pmadm, ttyadm, ttymon | Managed through | See the benefits of SMF detailed in first row of this section |
Power management by editing /etc/power.conf file and using pmconfig command. | Power management through | See the benefits of SMF detailed in first row of this section |
System registration is handled by the feature, Auto Registration. Oracle Configuration Manager is available in Solaris 10 8/11 but not enabled by default. | System registration is handled by Oracle Configuration Manager. | System registration involved collecting and uploading configuration information to an Oracle repository. The ability to collect information about customer systems is a core element in the ability to offer customers a superior support experience. |
Networking
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Use ifconfig to change current configuration | If in manual configuration mode use new | Network virtualization adds many new capabilities and continuing to overload ifconfig is the wrong management approach. |
Limited virtualization: VLAN support link and IPMP aggregation | Full network virtualization is now a fundamental part of the Solaris networking subsystem. Virtual NICs (VNICs), virtual switches and VLAN support are all available. | Network virtualization allows sharing a high bandwidth connection with multiple applications, and expands the opportunity for server consolidations to encompass consolidating entire network topologies on a single system. |
Quality of Service controls for networking provided by IPQoS. No way to control network bandwidth. | Network quality of service through new network resource management capabilities includes: assignment of bandwidth limits to physical and virtual NICs by port, IP address, protocol; assignment of CPU resources designated to handle network traffic. In addition, if a VNIC is assigned to a Solaris Zone already under resource management constraints, that VNIC will automatically be associated with those resource constraints. | IPQoS in Solaris 10 was an add-on to the networking stack to provide quality of service capabilities but at the cost of network performance. In Solaris 11, network bandwidth management was integrated into the data link layer to minimize any performance impact. The new network resource management provides a framework for setting maximum bandwidth limits for both physical and virtual NICs with the ability to fine tune to specific traffic characteristics. For zones, bandwidth and CPU assignment controls prevent resource usage within one zone from negatively impacting resource usage in others. A Solaris 10 Zone can take advantage of bandwidth management and CPU assignment, as long as administration is from the global zone running on Solaris 11. |
Networking observability principally through ifconfig and netstat. | Solaris 11 adds two new commands for network observability, | Enhanced statistics gathering capability and, in the case of dlstat, the ability to gather statistics over a defined time period for historical analysis make it possible to use them for capacity planning, debugging, and reporting purposes. |
VLAN compatibility, while supported, is convoluted to set up | Integrated support for VLANs over Virtual NICs. To support VLANs in a VNIC infrastructure a VNIC can be given a VLAN tag. | This simplifies VLAN administration. No further configuration is needed and VLAN tags are automatically added to packets leaving that VNIC. Solaris virtual switches also understand VLAN tags and make sure that traffic remains segregated. |
No load balancer | The Integrated Load Balancer (ILB) is now a feature of Solaris. It is managed via the | An integrated load balancer provides opportunities to address load balancer needs without necessarily purchasing separate equipment. The load balancer is one of the building blocks for network consolidation projects enabled by the networking virtualization capabilities in Solaris 11. |
Network packet reception is always interrupt driven. | Adaptive polling allows the handling of network packets to switch between interrupt and polling modes dependent on the volume of traffic being received. | With this behavior the most efficient method of handling incoming network packets is always in operation. On very busy networks where the receiver is also very busy, the high demand for CPU resources as the system becomes overwhelmed with interrupts is avoided. |
No way to automatically co-ordinate the creation of VLANs dynamically with the switch infrastructure | Dynamic creation of VLANs on the system and switch infrastructure is supported via the GARP VLAN Registration Protocol (GVRP). GVRP allows the host to dynamically inform the physical switches of VLANs configured on a physical link. When that feature is enabled on the switch and the host, messages are sent from the host to the switch at a regular interval, containing the VLANs which are enabled on the physical link. The switch uses the content of these messages to enable the correct VLANs on the switch ports. | This improves security because only the necessary VLANs will be enabled on a switch port, and it also improves performance by reducing the number of multicast packets that will be duplicated by the switches. |
Security
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Secure by default is selectable during installation, but is not the default security setting. | Secure by default is the default security setting at install. SSH is the only service enabled. | By default Solaris 11 is less vulnerable at install time. |
root user is typically used for administrative purposes. | | The root user cannot log into a system. Instead the root role is assigned to a user, and that user can log into the system. This provides superior accountability. An audit of logins would, for example, show user names that have accessed a system, not simply that someone logged in as root. |
Auditing not on by default, and some performance impact in certain situations. | Auditing is a service and enabled by default. | On by default, and greater attention to minimize performance impact of auditing. |
IPFilter managed through ipf rule file | IP Filter management is integrated into SMF. The svc.ipfd daemon monitors actions on services that use firewall configuration. Compatibility is maintained with ipf rule files. | Part of the overall shift to SMF managed services as detailed in the Configuration section. |
su is standard command for assuming the capabilities of the root user. | sudo command now included to augment su. | Popular open source utility now included with Solaris. |
aset(1M) is used to monitor or restrict accesses to system files and directories | The ASET functionality is replaced by a combination of IP Filter, which includes svc.ipfd, BART, SMF, Immutable Zones, and other security features that are supported in Solaris 11. | |
Administrative rights can be assigned to individual users and roles created to implement separation of duty | Many additions to roles and rights. | While the concept of roles was introduced in Solaris 8 and responsibilities was introduced in Solaris 9, there has been a concerted effort to fine tune in Solaris 11 to promote usage. |
Supports a broad range of security standards | Expands/replaces security standards supported. Internet Key Exchange (IKE) and IPsec: IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Solaris (Trusted Extensions). | Staying current with changes in security standards is a core design goal for Solaris releases. |
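
As an added example (not from the original page), this shell script audits the root-as-role arrangement described in the table above by parsing user_attr(4)-style entries: it reports whether root is a role and which named users may assume it. The sample entries, user names and function names are constructed for the illustration, and the user:qualifier:res1:res2:attr layout is assumed from user_attr(4).

```shell
#!/bin/sh
# Added example: who can become root, and is root a role or a login account?
# Assumed entry layout (user_attr(4)):  user:qualifier:res1:res2:attr
# attr is a ';'-separated list of key=value pairs, e.g. type=role, roles=root.
# A ':' inside a value is written as '\:' (for example audit_flags=lo\:no).

# Constructed sample entries, not taken from a real system.
SAMPLE_USER_ATTR='# constructed sample
root::::type=role;auths=solaris.*;audit_flags=lo\:no
alice::::lock_after_retries=no;profiles=System Administrator;roles=root
bob::::profiles=Zone Management
carol::::audit_flags=lo,ex\:no;roles=dbadmin,root'

# normalize: drop comments and blank lines, and hide escaped colons so that
# ':' only ever separates fields (otherwise carol's roles= would land in $6).
normalize() {
    sed -e 's/\\:/%3A/g' -e '/^#/d' -e '/^[[:space:]]*$/d'
}

# root_account_type: print "role" or "normal" for root (entries on stdin).
# An entry without a type key, or no entry at all, means a normal account.
root_account_type() {
    normalize | awk -F: '
        $1 == "root" {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] == "type=role") found = 1
        }
        END { print (found ? "role" : "normal") }'
}

# root_role_holders: print, space-separated and in file order, every user
# whose roles= list contains root (entries on stdin).
root_role_holders() {
    normalize | awk -F: '
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (index(kv[i], "roles=") != 1) continue
                m = split(substr(kv[i], 7), role, ",")
                for (j = 1; j <= m; j++)
                    if (role[j] == "root") out = (out == "" ? $1 : out " " $1)
            }
        }
        END { print out }'
}

# audit_root_access: return 0 only when root is a role and at least one
# named user can assume it, so that root activity maps back to a person.
audit_root_access() {
    data=$(cat)
    rtype=$(printf '%s\n' "$data" | root_account_type)
    holders=$(printf '%s\n' "$data" | root_role_holders)
    if [ "$rtype" != "role" ]; then
        echo "FAIL: root is a normal account; root logins are not tied to a named user"
        return 1
    fi
    if [ -z "$holders" ]; then
        echo "FAIL: root is a role but no user is assigned it"
        return 1
    fi
    echo "OK: root is a role; assumable by: $holders"
}

# Demonstration on the constructed sample. On a Solaris 11 host the input
# would be the system's user_attr entries, e.g.  audit_root_access < /etc/user_attr
printf '%s\n' "$SAMPLE_USER_ATTR" | audit_root_access
```
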
Localisation & Internationalisation
Solaris 10 | Solaris 11 | Solaris 11 Comments |
---|---|---|
Core localizations are: Chinese- Simplified | Supports 200 Locales. The core set of localizations is: Chinese- Simplified | Much broader support for localizations outside the core group. |
Further Reading
- Oracle Solaris 11 Package Changes
- Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11
- Creating and Administering Oracle Solaris 11.2 Boot Environments
- Updating the Software on an Oracle Solaris System
- Oracle Solaris 11 Cheat Sheet for Image Packaging System.
- Oracle Solaris Zone Features
- Creating and Using Oracle Solaris Zones
- Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones
- About Zone Migrations and the zonep2vchk Tool
- zonecfg(1M) Reference Manual
- Exclusive-IP Non-Global Zones
- Managing Network Virtualization and Network Resources in Oracle Solaris 11.2
- Configuring and Administering Immutable Zones
- Managing Oracle Solaris ZFS File Systems
- Encrypting ZFS File Systems
- Oracle Solaris ZFS Delegated Administration
- Recommended Oracle Solaris ZFS Practices
- Migrating File System Data to ZFS File Systems
- Using Unified Archives for System Recovery and Cloning in Oracle Solaris 11.2
- Configuring Storage Devices With COMSTAR
- Transitioning to an Oracle Solaris 11 Installation Method
- Installing Oracle Solaris 11.2 Systems
- Installing Using Installation Media
- Installing Using an Install Server
- js2ai(1M) Reference Manual
- Creating a Custom Oracle Solaris 11.2 Installation Image
- System Configuration Migration to SMF
- System Configuration Tools Changes
- Naming and Directory Service Administration
- Network Administration Feature Changes
- Managing Network Virtualization and Network Resources in Oracle Solaris 11.2
- Configuring an Oracle Solaris 11.2 System as a Router or a Load Balancer
- Configuring Virtual Networks by Using Virtual Extensible Local Area Networks
- Security Feature Changes
- Roles, Rights, Privileges, and Authorizations
- Internationalization and Localization Changes