May 20, 2013

Steve TunstallGreat video

May 20, 2013 23:34 GMT

I love the many videos on www.Wimp.com. New ones every day.

Today, they had a nice video of the Oracle racing boat. Check this out...

http://www.wimp.com/overwater/

May 16, 2013

Joerg MoellenkampLieber SPON, ...

May 16, 2013 06:57 GMT
der Adblocker bleibt an ... zumindestens so lange, ...



May 12, 2013

Joerg MoellenkampHTC One

May 12, 2013 14:59 GMT
I have a new mobile phone. After using Apple phones for quite a while now (the imperium got me after owning a number of fringe phones for a while like the Siemens SX1 or the Nokia N97), i switched sides: It's a HTC One. In black (I will never ever make the mistake to buy a camera or a device with a camera in silver again). It's hands down the best phone i have ever owned or just used. However more interesting: It was actually fun to use the camera in this phone. Most of the time i've kept the DSLR in my backpack when i was on Ruegen (had a small vacation to recharge myself, albeit i had to work on Friday, but where i put my notebook with reasonable mobile phone coverage is my home office) and used the camera of the HTC one. I was really surprised about the quality. Of course not comparable with a DSLR. Nevertheless really nice. You can see some of the pictures at flickr.

May 10, 2013

Joerg MoellenkampSome solaris-related events in May

May 10, 2013 08:29 GMT
As this article announces events in Germany, this entry will continue in german language. Sorry.

Am 23. Mai wird Hartmut Streppel in der Geschäftsstelle Hamburg einen Vortrag im Rahmen der Oracle Business Breakfasts halten. Thema ist hier "Oracle Solaris Cluster entmystifiziert und virtualisiert". Hartmut ist in Deutschland der Experte zum Thema Oracle Solaris Cluster. Anmelden könnt Ihr euch unter diesem Link.

Einen Tag später - am 24. Mai - gibt es in Potsdam ein weiteres Event im Rahmen der Business Breakfasts. Thema ist hier "ZFS und Datenbanken". Vortragen werden hier mein Kollege Dirk Nitschke und ich. Auch hier ist die Anmeldeseite schon verfügbar. Eine Registrierung ist auf dieser Seite. möglich.

Obwohl offensichtlicherweise nicht in Deutschland, möchte ich bei dieser Gelegenheit möchte ich zudem auch noch auf den "Oracle Solaris Day 2013 Vienna" am 23. Mai hinweisen, auf dem auch eine Reihe von ausgewiesenen Experten sowie meine Wenigkeit vortragen werden. Die Agenda auf der Registrierungsseite ist nicht ganz richtig, da ich später rekrutiert wurde ;-) Den Vortrag "What's new in Solaris 11.1?" wird von mir gehalten.

May 08, 2013

Steve TunstallZFSSA update 2011.1.6.0 is now available

May 08, 2013 22:41 GMT

For those who have not noticed, ZFSSA version 2011.1.6.0 came out on April 29th.

Go get it.

Release notes are here:

https://wikis.oracle.com/display/FishWorks/Software+Updates

Joerg Moellenkamp::linkbuf for 09-May-2013

May 08, 2013 22:10 GMT

May 06, 2013

Joerg Moellenkamp::linkbuf for 07-May-2013

May 06, 2013 22:10 GMT

Adam LeventhalDelphix and Flash

May 06, 2013 04:28 GMT

I started working with flash in 2006 — fortunate timing as flash was just starting to take hold in the enterprise. I started asking customers I’d visit about flash. I’ll always remember the response from an early adopter when I asked about how he planned on using the new, expensive storage, “We just bought it, and we have no idea.” It was a solution in search of a problem — the garbage can model at play.

Flash has evolved significantly since then from a raw material used on its own to a component in systems of increasing complexity. I wrote recently about the various techniques being employed to get the most out of flash; all share the basic idea of trading compute and IOPS (abundant commodities) for capacity (still more expensive for flash than hard drives). The ideal use cases are the ones that benefit most from that trade-off, ones where compression and dedup consume cheap compute cycles rather than expensive space on the NAND flash. Flash storage is best with data that contains high degrees of redundancy that clever software can squeeze out. With those loose criteria, it’s been amazing to me how flash storage vendors have flocked to the VDI use case. It’s certainly well-suited — big on IOPS with nearly identical data from different Windows installs that’s easily compressed and deduped — but seemingly every flash vendor has decided that it’s one part — if not the part — of the market they want to address. Take a look at the information on VDI from various flash storage vendors: Fusion, Nimble, Pure Storage, Tegile, Tintri, Violin, Virident, Whiptailthe list goes on and on.

I worked extensively with flash until leaving Oracle in 2010 when I decided to leave for a start up. I ended up not sticking with flash precisely because it was — and is — such a crowded space. I’d happily bet on the space, but it was harder to pick one winner. One of the things that drew me to Delphix though was precisely its compatibility with flash. At Delphix we create virtual database copies by sharing blocks; think of it as dedup before the fact, or dedup but without the runtime tax. Creating a virtual copy happens almost instantaneously saving tremendous amounts of administration time, unblocking developers, and accelerating projects — hence our credo of agile data. Unlike storage-based snapshots, Delphix virtual copies are database aware, provisioning is fully integrated and automated. Those virtual copies also take up much less physical space, but with as many or more IOPS hitting the aggregate of those virtual copies. Sound familiar yet? One tenth the capacity with the same workload — let’s call it 10x greater IOPS intensity — is ideally suited for flash storage.

Flash storage is best when clever software can squeeze out redundancies; Delphix is that clever software for databases. Delphix customers are starting to combine our product with their flash storage purchases. An all-flash array that’s 5x the $/TB as disk storage suddenly becomes half the price of disk storage when combined with Delphix — with substantially better performance. We as an industry still haven’t realized the full potential of flash storage. Agile data through Delphix fills in another big piece of the flash picture.

May 02, 2013

Joerg MoellenkampSPECjEnterprise 2010 on a virtualized T5-8

May 02, 2013 08:44 GMT
Interesting benchmark result: SPECjEnterprise2010 on a virtualised T5-8 (half of the machine for Java, half of the machine for DB).

Joerg MoellenkampCheck both sides - or: Errors on the SAN

May 02, 2013 05:28 GMT
It's just a little tip from the field: A customer has suddenly really bad performance on one of his servers. he finds a lot of error messages like this in the output of dmesg:

Apr 21 05:22:11 server1 scsi: [ID 243001 kern.info] /scsi_vhci (scsi_vhci0):
Apr 21 05:22:11 server1 /scsi_vhci/ssd@g6001438005de946defa2000000020010 (ssd38): Command failed to complete (3) on path fp9/ssd@w50001fe15023ef59,a

Continue reading "Check both sides - or: Errors on the SAN"

May 01, 2013

Joerg MoellenkampRecommended listening: TesseracT - Concealing Fate

May 01, 2013 18:06 GMT
Don't know if djent is really an own music genre or if it is just a special technique of playing an instrument in Progressive Metal. I just think that this is an awesome piece of music. I want to recommend the song "Concealing Fate" of the british band Tesseract. Almost 30 minutes of really great music played by awesome musicians.

Joerg MoellenkampSecurity walkthroughs for Solaris 11.1

May 01, 2013 17:05 GMT
You can find a number of nice tutorials around a number of Solaris 11 security features in Glenn Fadens blog: Oracle Solaris 11.1 Security Lab:
This set of exercises is designed to briefly demonstrate some aspects of the privilege policy in Oracle Solaris:

April 30, 2013

Joerg MoellenkampSolaris Technical Day in Vienna - revisited

April 30, 2013 18:22 GMT
A few days ago i linked to Karoly Vegh blog entry announcing the Solaris Technical Day on May 23rd. There is now a link to register for this event.
That said, there are some changes in the agenda: I'm in Vienna at that time so I will do the "What's new in Solaris 11.1" presentation as well as the ZFS Hands-On. Looking forward to see you in Vienna.

Joerg MoellenkampLosverfahren

April 30, 2013 07:06 GMT
Könnte mal jemand der gesammelten Medienlandschaft in Deutschland mitteilen, das es bei dem NSU-Prozess nicht darum geht, den Medien Plätze für möglichst komfortables Arbeiten zu ermöglichen, sondern einen Prozess durchzuführen, bei dem ein revisionssicheres Urteil herauskommt? Und wer sich über die Brigitte oder RTL II wundert ... Die gehören zu Mediengruppen. Brigitte zu G+J. Der Stern gehört auch zu G+J. Glaubt hier jemand, da würde jemand von der Brigitte beim Prozess sitzen? Da hat sich wahrscheinlich jede Postille eines jeden Medienhauses angemeldet um die Wahrscheinlichkeit zu erhöhen, gezogen zu werden.

April 28, 2013

Joerg MoellenkampJust a thought

April 28, 2013 20:05 GMT
Take an old Sun X4500 chassis. Rip out all the 48 disks. Keep the trays. Rip out the SATA controllers, put in multiport NIC chips. Use otherwise the same backplane. Take the disk trays. Shoehorn PICO-ITX boards into them. Reuse the power and SATA sockets. Boot the boards via iSCSI or onboard flash. Use the Controller Board (the board with the Opterons) as a software loadbalancer, switch, router, whatever... call it moonshining ;-)

Joerg MoellenkampShore of the baltic sea

April 28, 2013 19:28 GMT
DSC_0123

Joerg MoellenkampWaiting for data corruption to happen

April 28, 2013 19:21 GMT
Many people believe that computers are exact devices. That data stored on disk will get back to you unharmed. That data you send over the network can be assumed as correct. That computers are deterministic devices. But they aren't. Not at all. I'm talking about this quite often when talking about ZFS.

Alec Muffet pointed on Facebook to a really interesting presentation that is showing errors due to corruption of data in a different context. It's about a DNS attack without attacking something. It's just waiting for errors to happen. It's something like waiting for typos in DNS names made by users. Just this time the error is introduces by computers. By reserving domains that are just one bit different from the original domain. Of course the probability is really small that such an error will happen, but given the enormous amount of requests the DNS system handles every second of the day, the number of events isn't that small as you would assume at first: "Bitsquatting: DNS Hijacking without exploitation". Really worth a read.

April 26, 2013

Marcelo LealSNIA SpeedConf and Las Vegas

April 26, 2013 18:46 GMT

Hi, last year was a busy one, but just because we worked in really cool projects and was very, very exciting! I should be at Las Vegas from May 05-09, and in Santa Clara from Jun 10-12. In Santa Clara I will be presenting one of the solutions we developed...
Read more »

April 24, 2013

Jim LaurentSolaris 11 and Payment Card Industry (PCI) security compliance

April 24, 2013 16:51 GMT
See Lynn Rorher's blog about Oracle's newly published white paper discussing how Solaris 11 enabled security for the payment card industry.

Jim LaurentSolaris 11 outperforms RHEL 6 on 2 socket Intel servers

April 24, 2013 16:34 GMT

As a long time Sun employee, I've often heard the term "Slow-laris" applied to Oracle's premier Unix operating system.  Most frequently this was in comparison to the Linux OS running on small two socket servers.  I will admit that in the Solaris 8 and 9 timeframe engineering decisions were made to benefit scalability to 64 sockets that sometimes penalized smaller servers.  In addition, because of Solaris long history and derivation from ATT and BSD Unix code, there was undoubtedly a bit of code labeled, "if it ain't broke, don't fix it."  With the advent of Solaris 10 and Dynamic Tracing, (DTrace) we actually hunted down and killed a number of those legacy code segments using a new philosophy labeled internally, "If Solaris is slower than Linux on the same hardware, it's a bug."

As a result, Solaris 11 provides higher performance than Red Hat Enterprise Linux 6.3 on basically identical 2 socket hardware as measured by the SPECjbb benchmark.  According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community.

Java is one of the predominant enterprise programming environments for mission critical applications and many of Oracle's products are written in Java.

This chart from the SPECjbb site shows the performance of our X3-2 Intel based server with 16 cores and 128 GB of RAM running Solaris 11.1.  The X3-2 tested features the Intel E5-2690 CPU @ 2.9 Ghz.

X3-2 Chart

By comparison, an HP ML350P with the identical Intel chip and clock speed running RHEL 6.3 produces this chart.  Clearly, Solaris 11 produce a smoother response curve with higher numbers for both MaxjOPS and Critical jOPS.  In addition, the X3-2 system requires only 1 rack unit vs. 4 rack units for the HP model reducing data center requirements. 

HP Chart

 To summarize, Solaris is faster than RHEL 6 on small servers and more scalable and responsive on large servers including our SPARC T5 servers.

At the same time, it provides virtualization, security and availability features unavailable on RHEL including:

See more at:


Jim LaurentSolaris 11 provides smooth, scalable performance on SPECjbb 2013

April 24, 2013 16:33 GMT

Oracle released SPEC Benchmark results for the T5-2 and X2-4 processor using the SPECjbb 2013 benchmark. Who would be interested in SPECjbb performance? According to SPEC:

The SPECjbb2013 benchmark has been developed from the ground up to measure performance based on the latest Java application features. It is relevant to all audiences who are interested in Java server performance, including JVM vendors, hardware developers, Java application developers, researchers and members of the academic community. 

Jeff Victor has posted an excellent comparison of the T5 SPECjbb performance to our competitors on a per core basis.  To me, the charts tell the biggest part of the story,  Oracle's Solaris 11 on both SPARC and X86 shows smooth scaling with excellent response times over a wide range of transaction counts.

First, let's look at the results for the SPARC T5-2 server with 2 CPU sockets and 32 cores.  The vertical access marks "response time" so a lower number is better.  The horizontal axis is the number of Java operations being performed.  The blue dots indicate the median response time at each level of operations being processed.  Notice how Solaris 11 and the SPARC hardware provide smooth, predictable performance up through 60,000 jOPS.

(Note: You may not be able to see the full chart width on this page.  Right-click and open image in new tab to see the full chart.) 

T5-2 Chart

 Now let's look at Oracle's X2-4 Intel based system also running Solaris 11.  The X2-4 has 4 CPU chips with 40 total cores.  Here Solaris 11 also provides smooth scaling of performance.

X2-4 chart

For comparison, I've also selected HP's most powerful Intel based server the DL980 with 8 CPUs and 80 cores.  This system, however is running Red Hat Enterprise Linux 6.3.  On this chart you will see that RHEL 6 takes a dive in median response time shortly after 27,000 jOPS. Response time drops from 10 milliseconds to 100 milliseconds at around 27,000 jOPS.  Oracle's T5-2 stays below 100 milliseconds all the way to about 62,000 jOPS. Also note how the minimum response times fall apart at around 20,000 jOPS where the T5-2 stays consistent through 57,000 jOPS.

While admittedly, the 80 core DL980 reaches a higher total MaxjOPS throughput number than the 32 core T5-2, the Solaris 11 based system provides smoother scalability in a 2 socket system that requires only three rack units of space.  If that's not enough horsepower, we also offer a T5-4 and T5-8 system.  Need more?  Our M5-32 data center server scales to 32 sockets, 192 cores and 1536 threads. The M5-32 also supports up to 32 TB of RAM. All support our no cost Logical Domains virtualization capability.

HP DL980 Chart

Summary:

 If you want a proven, enterprise class, scalable OS for SPARC (from Oracle or Fujitsu) or X86 based platforms (from Oracle or many third party vendors), choose Solaris 11.  Predictability in response time is important to your enterprise customers.

All Oracle servers under Premier Support for systems include:

For more information on recent SPARC T5 world records, see https://blogs.oracle.com/BestPerf/.

April 23, 2013

Joerg Moellenkamp::linkbuf for 24-Apr-2013

April 23, 2013 22:10 GMT

Joerg MoellenkampOracle Solaris event in Vienna

April 23, 2013 19:09 GMT
On May 23rd an Oracle Solaris event will take place in Vienna. You will find further information about this event in the Oracle Systems Blog Austria: "Solaris Technical Day on the 23rd May in Vienna".

Joerg MoellenkampPCI DSS with Solaris 11

April 23, 2013 17:47 GMT
Interesting whitepaper about the compliance to PCI DSS (Payment Card Industry Data Security Standard) with Solaris 11: "Oracle Solaris 11 and PCI DSS"

Henrik JohanssonZFS Analytics

April 23, 2013 08:26 GMT
While woking with ZFS performance I created a dashboard to get a good overview with lots of different statistics. It's powered by Dtrace, python and graphite. There is a high level of detail but still easy to correlate different statistics.

It feels almost like fishworks analytics lite but without advanced features such as drill-down and heat maps. An example from a box running OpenIndiana:



You get a good view of how the layers interact, the latency for reads in ZFS compared to reads in from the physical disks, average latency, maximum latency, average read size and see how much more data ZFS reads form prefetch including hit rate etc.

I based this on the iomon dtrace script with some glue to send it into graphite, I also added ARC statistics and CPU/Network statistics. ( There is a iomon-graphite effort available on the web but that did not give me correct statistics and did not include things like CPU and network utilization ).

iomon.d

April 21, 2013

Joerg MoellenkampContrails 2

April 21, 2013 19:15 GMT
DSC_0206

April 20, 2013

Joerg Moellenkamp::linkbuf for 21-Apr-2013

April 20, 2013 22:10 GMT

April 18, 2013

Joerg MoellenkampContrails

April 18, 2013 12:40 GMT
Amazing how far you can see contrails. Was just looking out of my roof window and saw a contrail in the distance while thinking about a problem. An Airbus 340-600 from Frankfurt to Vancouver. Lost it out of sight when it was roughly at the Nordostseekanal according to flightradar24. That's roughly 120 km line of sight.

April 17, 2013

Joerg Moellenkamp::linkbuf for 18-Apr-2013

April 17, 2013 22:10 GMT

April 16, 2013

Joerg Moellenkamp::linkbuf for 17-Apr-2013

April 16, 2013 22:10 GMT

Jeff SavitRunning Solaris 11 as a control domain on a T2000

April 16, 2013 16:46 GMT
There is increased adoption of Oracle Solaris 11, and many customers are deploying it on systems that previously ran Solaris 10. That includes older T1-processor based systems like T1000 and T2000. Even though they are old (from 2005) and don't have the performance of current SPARC servers, they are still functional, stable servers that customers continue to operate. One reason to install Solaris 11 on them is that older machines are attractive for testing OS upgrades before updating current, production systems.

Normally this does not present a challenge, because Solaris 11 runs on any T-series or M-series SPARC server. One scenario adds a complication: running Solaris 11 in a control domain on a T1000 or T2000 hosting logical domains. This blog shows how to get around this complication, and also explains why you should stay with Solaris 10 control domains anyway if you are still using T1000 or T2000 systems.

Solaris 11 pre-installed Oracle VM Server for SPARC incompatible with T1

Unlike Solaris 10, Solaris 11 comes with Oracle VM Server for SPARC preinstalled. The ldomsmanager package contains the logical domains manager for Oracle VM Server for SPARC 2.2, which requires a SPARC T2, T2+, T3, or T4 server. It does not work with T1-processor systems, which are only supported by LDoms Manager 1.2 and earlier.

The following screenshot shows what happens (bold font) if you try to use Oracle VM Server for SPARC 2.x commands in a Solaris 11 control domain. The commands were issued in a control domain on a T2000 that previously ran Solaris 10. We also display the version of the logical domains manager installed in Solaris 11: 

root@t2000 psrinfo -vp
The physical processor has 4 virtual processors (0-3)
  UltraSPARC-T1 (chipid 0, clock 1200 MHz)
# prtconf|grep T
SUNW,Sun-Fire-T200
# ldm -V
Failed to connect to logical domain manager: Connection refused
# pkg info ldomsmanager
          Name: system/ldoms/ldomsmanager
       Summary: Logical Domains Manager
   Description: LDoms Manager - Virtualization for SPARC T-Series
      Category: System/Virtualization
         State: Installed
     Publisher: solaris
       Version: 2.2.0.0
 Build Release: 5.11
        Branch: 0.175.0.8.0.3.0
Packaging Date: May 25, 2012 10:20:48 PM 
          Size: 2.86 MB
          FMRI: pkg://solaris/system/ldoms/ldomsmanager@2.2.0.0,5.11-0.175.0.8.0.3.0:20120525T222048Z

The 2.2 version of the logical domains manager will have to be removed, and 1.2 installed, in order to use this as a control domain.

Preparing to change - create a new boot environment

Before doing anything else, lets create a new boot environment: 

# beadm list
BE      Active Mountpoint Space Policy Created          
--      ------ ---------- ----- ------ -------          
solaris NR     /          2.14G static 2012-09-25 10:32 
# beadm create solaris-1 
# beadm activate solaris-1
# beadm list
BE        Active Mountpoint Space Policy Created          
--        ------ ---------- ----- ------ -------          
solaris   N      /          4.82M static 2012-09-25 10:32 
solaris-1 R      -          2.14G static 2012-09-29 11:40 
# init 0

Normally an init 6 to reboot would have been sufficient, but in the next step I reset the system anyway in order to put the system in factory default mode for a "clean" domain configuration.

Preparing to change - reset to factory default

There was a leftover domain configuration on the T2000, so I reset it to the factory install state. Since the ldm command is't working yet, it can't be done from the control domain, so I did it by logging onto to the service processor: 

$ ssh -X admin@t2000-sc

Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
Oracle Advanced Lights Out Manager CMT v1.7.9
Please login: 
admin
Please Enter password: ********

sc> showhost
Sun-Fire-T2000 System Firmware 6.7.10  2010/07/14 16:35

Host flash versions:
   OBP 4.30.4.b 2010/07/09 13:48
   Hypervisor 1.7.3.c 2010/07/09 15:14
   POST 4.30.4.b 2010/07/09 14:24 
 
sc> bootmode config="factory-default"
sc> poweroff
Are you sure you want to power off the system [y/n]?  y
SC Alert: SC Request to Power Off Host.
SC Alert: Host system has shut down.
sc> poweron
SC Alert: Host System has Reset

At this point I rebooted into the new Solaris 11 boot environment, and Solaris commands showed it was running on the factory default configuration of a single domain owning all 32 CPUs and 32GB of RAM (that's what it looked like in 2005.) 

# psrinfo -vp
The physical processor has 8 cores and 32 virtual processors (0-31)
  The core has 4 virtual processors (0-3)
  The core has 4 virtual processors (4-7)
  The core has 4 virtual processors (8-11)
  The core has 4 virtual processors (12-15)
  The core has 4 virtual processors (16-19)
  The core has 4 virtual processors (20-23)
  The core has 4 virtual processors (24-27)
  The core has 4 virtual processors (28-31)
    UltraSPARC-T1 (chipid 0, clock 1200 MHz)
# prtconf|grep Mem
Memory size: 32640 Megabytes
Note that the older processor has 4 virtual CPUs per core, while current processors have 8 per core.

Remove ldomsmanager 2.2 and install the 1.2 version

The Solaris 11 pkg command is now used to remove the 2.2 version that shipped with Solaris 11: 

# pkg uninstall ldomsmanager
            Packages to remove:  1
       Create boot environment: No
Create backup boot environment: No
            Services to change:  2

PHASE                                        ACTIONS
Removal Phase                                130/130 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Package Cache Update Phase                       1/1
Image State Update Phase                         2/2

Finally, LDoms 1.2 installed via its install script, the same way it was done years ago: 

# unzip LDoms-1_2-Integration-10.zip
# cd LDoms-1_2-Integration-10/Install/
# ./install-ldm 
Welcome to the LDoms installer.
You are about to install the Logical Domains Manager package that will
enable you to create, destroy and control other domains on your
system.  Given the capabilities of the LDoms domain manager, you can
now change the security configuration of this Solaris instance using
the Solaris Security Toolkit.
... 
... normal install messages omitted
...

The Solaris Security Toolkit applies to Solaris 10, and cannot be used in Solaris 11 (in which several things hardened by the Toolkit are already hardened by default), so answer b in the choice below: 

You are about to install the Logical Domains Manager package that will
enable you to create, destroy and control other domains on your
system.  Given the capabilities of the LDoms domain manager, you can
now change the security configuration of this Solaris instance using
the Solaris Security Toolkit.

Select a security profile from this list:

a) Hardened Solaris configuration for LDoms (recommended)
b) Standard Solaris configuration
c) Your custom-defined Solaris security configuration profile

Enter a, b, or c [a]: b
... other install messages omitted for brevity...

After install I ensure that the necessary services are enabled, and verify the version of the installed LDoms Manager: 

# svcs ldmd
STATE          STIME    FMRI
online         22:00:36 svc:/ldoms/ldmd:default
# svcs vntsd
STATE          STIME    FMRI
disabled       Aug_19   svc:/ldoms/vntsd:default
# ldm -V

Logical Domain Manager (v 1.2-debug)
        Hypervisor control protocol v 1.3
        Using Hypervisor MD v 1.1

System PROM:
        Hypervisor      v. 1.7.3.       @(#)Hypervisor 1.7.3.c 2010/07/09 15:14\015
        OpenBoot        v. 4.30.4.      @(#)OBP 4.30.4.b 2010/07/09 13:48

Set up control domain and domain services

At this point we have a functioning LDoms 1.2 environment that can be configured in the usual fashion. One difference is that LDoms 1.2 behavior had 'delayed configuration mode (as expected) during initial configuration before rebooting the control domain. Another minor difference with a Solaris 11 control domain is that you define virtual switches using the 'vanity name' of the network interface, rather than the hardware driver name as in Solaris 10. 

# ldm list
------------------------------------------------------------------------------
Notice: the LDom Manager is running in configuration mode. Configuration and
resource information is displayed for the configuration under construction;
not the current active configuration. The configuration being constructed
will only take effect after it is downloaded to the system controller and
the host is reset.
------------------------------------------------------------------------------
NAME             STATE      FLAGS   CONS    VCPU  MEMORY   UTIL  UPTIME
primary          active     -n-c--  SP      32    32640M   3.2%  4d 2h 50m 
# ldm add-vdiskserver primary-vds0 primary
# ldm add-vconscon port-range=5000-5100 primary-vcc0 primary
# ldm add-vswitch net-dev=net0 primary-vsw0 primary
# ldm set-mau 2 primary
# ldm set-vcpu 8 primary
# ldm set-memory 4g primary
# ldm add-config initial
# ldm list-spconfig
factory-default
initial [current]

That's it, really. After reboot, we are ready to install guest domains.

Summary - new wine in old bottles

This example shows that (new) Solaris 11 can be installed on (old) T2000 servers and used as a control domain. The main activity is to remove the preinstalled Oracle VM Server for 2.2 and install Logical Domains 1.2 - the last version of LDoms to support T1-processor systems. I tested Solaris 10 and Solaris 11 guest domains running on this server and they worked without any surprises. This is a viable way to test using Solaris 11 and learn how to use it, even on older T-series equipment.

Note that this is not recommended for production purposes: the combination of Solaris 11, T1, and LDoms 1.2 has not been strenuously tested, and (more important) since Solaris 11 does not have the patchadd command, there would be no way to apply patches to LDoms 1.2, and you would be forced to use an unpatched LDoms manager. If you are using T1 server with logical domains for production, then Solaris 10 is the supportable option. (Thanks to Menno for that observation.)

Joerg MoellenkampIDC about T5/M5

April 16, 2013 09:42 GMT
Interesting read: Oracle Launches T5 and M5 Servers : A New Generation of Oracle's SPARC/Solaris Servers

April 15, 2013

Jeff SavitvNICs on vNets now available

April 15, 2013 16:06 GMT

Overview

Oracle VM Server for SPARC (formerly known as Logical Domains) version 3.0.0.2 now supports Solaris 11 network virtualization, removing a previous restriction that prevented "vNICs on VNets". Previous versions did not support this because a domain's virtual network device only presented a single MAC address. Read on for further details on this capability and how to use it.

Solaris network virtualization

One of the powerful features of Solaris 11 is support for virtual networks, described in Using Virtual Networks in Oracle Solaris 11.1, and also known by the project name "Crossbow". Solaris 11 lets administrators define virtual networks consisting of virtual network interface cards (VNICs), virtual switches, and "etherstubs", which are simulated NICs used for private (within the Solaris instance) virtual networks.

Instead of just consolidating servers, you can consolidate a data center's servers and network topologies into a single Solaris instance. You can set up multiple isolated virtual networks, associate zones with the different virtual networks, and establish rules for isolation, connectivity and quality of service (QoS).

This also permits more independent control of Solaris zones by the zone administrator, extending Solaris 10 "exclusive IP" zones that assigned each zone a physical NIC. That model also provides isolation and lets the non-global zone administrator specify IP address and other properties, but is limited by the number of physical NICs and doesn't provide QoS. Both are in contrast to the shared-IP model, in which the global zone administrator sets the zone's IP address, routing, packet size, and so forth, and all the zones are essentially on the same network without separation or flow control. The shared-IP model also has restrictions: for example, the zone cannot be a DHCP client.

With Solaris virtual networking, each zone administrator has control over their settings - more like administrators of physical Solaris instances, while the global zone administrator controls isolation and resource allocation. (Note: the original "shared-IP" network model for Solaris zones still exists but is no longer the default.)

Solaris network virtualization and logical domains - the restriction

Unfortunately, this useful feature did not work in a logical domain, essentially because the virtual network devices given to a guest domain only presented a single MAC address. Here is an example showing what happens if you try to use this with a simple Solaris 11 zone. Note that the only required parameter is the zonepath. 

# zonecfg -z vm10 
Use 'create' to begin configuring a new zone.
zonecfg:vm10> create
create: Using system default template 'SYSdefault'
zonecfg:vm10> set zonepath=/zones/vm10
zonecfg:vm10> exit
# zoneadm -z vm10 install
... usual messages ...
If you do this in a physical Solaris instance it works, but in a guest domain with a virtual network device, you get the following message when you start the domain: 
# zoneadm -z vm10 boot
zone 'vm10': failed to create vnic for net0: operation failed
zoneadm: zone 'vm10': call to zoneadmd failed

You could certainly do a Solaris-10 style shared-IP zone or a non-VNIC exclusive-IP. For completeness sake, here's the shared-IP case. Note that in the shared-IP model the global zone administrator specifies IP address and routing: 

# zonecfg -z vm11
Use 'create' to begin configuring a new zone.
zonecfg:vm11> create -b
zonecfg:vm11> set zonepath=/zones/vm11
zonecfg:vm11> set ip-type=shared
zonecfg:vm11> add net
zonecfg:vm11:net> set physical=net0
zonecfg:vm11:net> set address=10.139.246.39/23
zonecfg:vm11:net> set defrouter=10.139.246.1
zonecfg:vm11:net> end
zonecfg:vm11> verify
zonecfg:vm11> commit
zonecfg:vm11> exit

Solaris network virtualization and logical domains - the resolution

This restriction is eliminated in the latest version of Oracle VM Server for SPARC, 3.0.0.2. In order to make use of this feature, you must run Solaris 11.1 in both the control domain and guest. The control domain must be running SRU4 or later, since the 3.0.0.2 ldomsmanager package is delivered with that SRU.

To enable the feature, use the ldm add-vnet or ldm set-vnet option alt-mac-addrs=value,value,value,... to indicate that the virtual network device hosts multiple MAC addresses. The alt-mac-addrs values are either a MAC address in octets, or the word "auto" indicating that the system should generate the address. For example, the following line permits two alternate MAC addresses. 

# ldm add-vnet alt-mac-addrs=auto,auto vnet1 primary-vsw0 mydomain1
Alternatively, you can do this in separate commands, and use the second line to add more MAC addresses to an existing virtual network device: 
# ldm add-vnet vnet1 primary-vsw0 mydomain1 
# ldm set-vnet alt-mac-addrs=auto,auto,auto,auto vnet1 mydomain1

In my test, I re-booted zone vm10 and it came up without difficulty. After doing that I issued the following within the guest domain's global zone: 

# dladm show-phys -m
LINK                SLOT     ADDRESS            INUSE CLIENT
net0                primary  0:14:4f:fa:29:1d   yes  vnet0
                    1        0:14:4f:fa:d7:9c   yes  vnicZBI52346836
                    2        0:14:4f:f9:a8:be   yes  net0
This shows that I have two alternate MAC addresses. Note that one address is used for the virtual switch implicitly created when the virtual network device is created for the zone (as all virtual network devices require a virtual switch). If I look from the control domain at the guest's configuration, I see additional MAC addresses from the "outside": 
# ldm list -l mydomain1
...
NETWORK
    NAME             SERVICE                     ID   DEVICE     MAC               MODE   PVID VID                  MTU   LINKPROP  
    vnet01           primary-vsw0@primary        0    network@0  00:14:4f:fa:29:1d        1                         1500            
                                                                 00:14:4f:fa:d7:9c
                                                                 00:14:4f:f9:a8:be
If I want to add more zones I could re-issue the ldm set-vnet with more operands while the domain is down. This property is not yet dynamically reconfigurable.

Note: at the moment this is being written, the zone "anet" property "mac-address" was initialized to random by default, rather than auto. It has to be explicitly changed to "auto" so the zone can boot up. Until the default is changed, instead of using the very short form to define a zone as shown with vm10 above, add an anet stanza as follows. Also note that the "vanity name" is used to specify the lower-link: 

# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
net0              Ethernet             up         0      unknown   vnet0
# zonecfg -z vm12 
Use 'create' to begin configuring a new zone.
zonecfg:vm12> create
create: Using system default template 'SYSdefault'
zonecfg:vm12> set zonepath=/zones/vm12
zonecfg:vm12> add anet
zonecfg:vm12:anet> set lower-link=net0
zonecfg:vm12:anet> set mac-address=auto
zonecfg:vm12:anet> end
zonecfg:vm12> verify
zonecfg:vm12> commit
zonecfg:vm12> exit

Using this method I can add more zones, each with an independent, virtual IP stack and network.

Summary

This blog entry isn't a tutorial on Solaris network virtualization, so I've only scratched the surface of what it can do. For example, you can create multiple virtual switches, assign virtual network devices to different switches, and then set rules on which network segments can communicate with one another. You can also impose QoS controls to manage bandwidth. For further information, see Overview of Network Virtualization and How to Configure a Zone for the Virtual Network

Jim LaurentDoD customer receives authority to operate SparcSupercluster

April 15, 2013 13:27 GMT

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has alway's been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

Please contact me: jim dot laurent at oracle dot com for additional information.

Jim LaurentFAQ: Is Solaris 11 "approved for use" in the US DoD?

April 15, 2013 13:25 GMT

Because of my work with the US DoD and Defense Information Systems Agency (DISA), I get asked this question all the time from Oracle employees as well as customers.

MYTH

There is a single organization in the Government/DoD that approves products for use.

REALITY

Although DISA has a Unified Capabilites Certification Office (UCCO), I asked them the question directly and their response was: "Although there is a Category Holder for Servers on the UC APL webpage, Servers do not fall into the scope of the UCR nor do they fall into an existing product category.  This product can be purchased without an UC APL listing; however site certification and accreditation for IA must be met in the field."

Each customer or funded program goes through its own approval and accreditation process.  There is no single approver.  A program or agency has an assigned DAA (Designated Approving Authority) who's responsible for the security posture of  the entire program.  This includes reviewing the policies, people, products and procedures (4P) that are put in place.  This person signs his name on the line asserting that all reasonable actions have been taken to make the system secure in line with the job that it does.  This may include items like electro-magnetic shielding, encryption, firewalls as well as operating systems, password rules and auditing.  An accounting system gets a different amount of scrutiny than an intelligence gathering or combat system.

I can tell your from personal experience that Solaris 10 and 11 with Zones and Oracle VM for SPARC (aka LDOMs) are currently deployed in the US DoD. 

Why you should care.

Many government contractors or employees believe that they can't use a product unless it's on some approved list.  In most cases products can be used if sufficient rigor is  applied and the DAA can be convinced that the system is secure.  Solaris 10 and 11 provides a wide variety of security features that make this easier today than ever before.