Patching solaris 10 on servers with nonglobal zones by ramdev published october 26, 2011 updated july 2, 2015 for servers with solaris 10 os at, or near, update 1 106 or update 2 606, if nonglobal zones are already configured and running, patching these servers at single user mode will encounter issues. Note that the algorithm used to encrypt the file is not stored in the encrypted output, this means that the user must know the key and the algorithm used to restore the clear text file. Using zfs encryption is straightforward, we can protect our file system using a passphrase which can be specified during the file system mount operation or using a key file wrapping key that allow the file system to be mounted automatically. Solaris is known for its scalability, especially on sparc systems, and for originating many innovative features such as dtrace, zfs. I want to install solaris 10 recommended patch cluster on it, but not sure, how to go ahead with pr the unix and linux forums. Other things have taken priority right now so hopefully we can figure something out in the next few days.
Zfs encryption is integrated with the zfs command set. I want to install solaris10 recommended patch cluster on it, but not sure, how to go ahead with pr the unix and linux forums. If you are running solaris 10 u5, you can only have mirroring using svm, plus the root file system must be ufs. May 30, 2011 solaris 10 containers feature can be used to wrap the existing solaris 10 installation inside a solaris 11 express system. Why did we add encrypt 1 to solaris 10 when we already had openssl1 enc command. For the love of physics walter lewin may 16, 2011 duration. To install solaris on a disk that has the smi label, which is a format used in solaris 10 and earlier, you need to change the label of the disk with the format e command in advance. My question is, how can we boot to an encrypted partition of a disk without storing the disk encryption key on the machine. Regarding to oracle security alert cve list, we need to apply solaris recommended bundle patch instead of apply one by one patch. While this might represent a little less flexibility in terms of what changes can be applied to the system compared to patching in oracle solaris 10, it means the updates have been thoroughly tested by oracle as a single unit and they are known to work well rather than being an arbitrary selection of patches that are applied in an arbitrary order. Solaris operating system version 10 305 and later all platforms goal.
The keys for encrypted zfs file system are only required when they are first accessed. Browse other questions tagged solaris encryption zfs testing or ask your own question. Jun 10, 2012 zfs patching with zones using lu liveupgrade in solaris. Oracle solaris 11 adds transparent data encryption functionality to zfs. Bsd commands, which were present in solaris 10, have been depreciated in solaris 11 express, and their usage is discouraged as well. I need some one to explain this steps as i am new to this. However, you can make a slice in a zfs partition an mirror that i wouldnt recommend using svm to mirror on top of zfs. Are there any encrypted file systems available for solaris 10. It covers all the major new facilities, in a workshop environment, providing extensive handson practicals. Here we are going to see traditional os patching where your root filesystem is ufs. The main differences are package administration, os installation methods, zones enhancement and network virtualization. So to simulate a reboot i unload the keys for all the file system in the zone. A zfs file system can store up to 256 quadrillion zettabytes zb. I have worked on many volume manages like svmsolaris volume manager,vxvm veritas volume manager and lvm.
In 2010, after the sun acquisition by oracle, it was renamed oracle solaris. This is having zfs filesystem and 10 sparseroot zones are there. The first step in this process is to ensure that solaris 10 operating system is installed, followed by the installation of any optional solaris 10 contributed software. Solaris 10 os patching using liveupgrade unixarena. In 2010, after the sun acquisition by oracle, it was renamed oracle solaris solaris is known for its scalability, especially on sparc systems, and for originating many innovative features such as dtrace, zfs and time slider. The one downside of going with zfs has been not having an easy solution for encrypted file systems. Solaris 11 creating and maintaining zfs pools the urban penguin.
Using an s keystore for zfs encryption oracle what. Zfs encryption in oracle zfs storage appliance oracle. Patching a live solaris 10 system without live upgrade. These updates can either be a system upgrade or the application of patches. Modification application differences between solaris 10 or earlier and solaris 11 12. Im testing the encryption feature in zfs v31 in a solaris 11. The patching requires that the zones be bootable, and they are not bootable because of service dependencies when in single user. Sun has released a security patch addressing the following issues. How to upgrade or patch a zfs root file system with zone roots at least solaris 10 509 use this procedure when you need to upgrade or patch a zfs root file system with zone roots in at least the solaris 10 509 release.
Nov 19, 2010 it does require some understanding of solaris and zfs debugging tools. The idea of upgrading and patching has prompted me to make sure i can do this on a live system. Hi all, i just set up a freenas server in which id like to backup zfs file systems from by sun box running solaris 11. Jul 03, 2012 solaris os patching has been moved far away from the traditional methods from solaris 10 onwards. Sun announced that zfs was included in the 606 update to solaris 10 in june 2006, one year after the opening of the opensolaris community. Solaris 10 1008 u6 added boot from zfs and can use zfs as its root file system. We have figured out that we want to take all our solaris 10 systems up to update 4 0808 to ensure we get all the enhancements for zfs and other things included. But we have to make sure backup everything include create zfs snapshot and splitting zfs mirror for rollback plan. The plan is straight forward in live upgrade method of oracle. We have been able to use linuxbased encrypted partitions mapped to zfs volumes, but i really, really dont like the setup as.
Patching a live solaris 10 system without live upgrade ive used this procedure for patching a live solaris system with a zfs root. Solaris 11 express further introduced zfs encryption. As compared to solaris 11, solaris 10 doesnt upkeep zfs encryption and probably never will. Solaris 10 1008 also includes virtualization enhancements including the ability for a solaris container to automatically update its environment when moved from one system to another, logical domains support for dynamically reconfigurable disk and network io.
Jun 27, 2019 bsd commands, which were present in solaris 10, have been depreciated in solaris 11 express, and their usage is discouraged as well. The idea is to do a zfs send from the solaris box and to receive the stream at the freenas box with zfs recv. We were looking at zfs, but it seems that zfs will only be available under opensolaris. I am using solaris zones, and dont want to reboot my system. Ive done some searches and come up with a plethora of information about. For more info on the issues with the solaris implementation see my comments here and here. The first important thing to understand about zfs is that it is not providing full disk encryption and you will be able to tell that a disk that has data on it that was encrypted by zfs is part of a zfs pool. Zfs patching with zones using lu liveupgrade in solaris. Solaris 10 doesnt support zfs encryption and probably never will.
Solaris live upgrade software enables the operating system to continue to run while upgrades, patch installations, or routine maintenance operations are performed. Aesni accelerated zfs v31 encryption in solaris 11 unix. Solaris os and veritas patching procedure with vcs unixarena. Hello, i want to install zfs on an existing solaris 10 installation on a sparc machine. Solaris, zfs, encrypted boot to secure off site servers. Although, solaris 11 express has an updated version of gnome, xsun and cde are no longer there.
Though i have enough space in r the unix and linux forums. Dec 07, 20 solaris 11 creating and maintaining zfs pools december 7, 20 by the urban penguin even though zfs, the zetabyte file system made its appearance during the life of solaris 10. Oracle technical paperoracle solaris 10 recommended patching strategy 3 apply updates for thirdparty and homegrown software and hardware. For backing up the data, you create snapshots, as well as use zfs sendreceive commands. Oracle solaris 11 includes a new system clone and disaster recovery capability called unified archives. Solaris zfs of solaris 10 operating system function. The sendreceive commands can be used to save the backed up data snapshots on the local or remote machine.
The patching under solaris 10 can be conducted via the smpatch command or the java x windows gui updatemanager. Most of the solaris administrators will search for solaris 11 os patch bundle like how we use to get for solaris 10 but you wont get it. Before you begin oracle solaris 10 910 release notes. Encryption function provided zfs see chapter 4 automated repair function designed to improve system availability by automatically diagnosing hardware failures that. As mentioned in the first half of this chapter, patching as a separate process no longer exists.
Im not sure if sun supports this process, so dont use on a production server until you have tested patching. Introduction oracle solaris 10 has been an amazing os update, including ground breaking features like zones solaris containers, zfs, services, dynamic tracing against live production operating systems without impact, and logical domains. Encryption is the process where data is encoded for privacy and a key is needed by the data owner to access the encoded data. Here the global zone is part of veritas cluster and couple of zones are controlled by vcs and one zone is noncluster. Hi after doing a live upgrade from solaris 10 update 8 to solaris 10 update 9 the alternate boot environment i created is no longer bootable. Installing a solaris 10 zfs root file system youtube. This is the same zfs encryption that is available in general purpose solaris but with appliance interfaces added for key management. Jan 12, 2016 oracle solaris 11 supports encryption on zfs in a native way to protect critical data without depending on external programs, and it is integrated with the oracle solaris cryptographic framework, which in turn makes encryption easier and faster by providing several symmetric and asymmetric algorithms for encrypting files and entire file systems. Then, with oracle solaris live upgrade, you can either migrate your ufs root file system with zone roots to a zfs root file system or you can upgrade or patch your zfs root file system and zone roots. How to backup and restore the solaris 10 zfs root pool.
Installing zfs on an existing solaris 10 installation. You cannot migrate unsupported zone configurations from a previous oracle solaris 10 release directly to the oracle solaris 10 9 10 release. I cant find any information about it or how it works. Solaris is a nonfree unix operating system originally developed by sun microsystems. Note that bug fixes for some thirdparty or communitybased software delivered as part of oracle solaris may be provided through package upgrades rather than patches. Oracle took a brave decision by making zfs as default root filesystem in solaris 11 onwards. Like if i create a zfs pool with encryptionon, how can i tell whether a file is being properly encrypted or not. To see the available versions, use the following command. Encrypting zfs file systems oracle solaris administration.
There is a possible patch available for it but we arent 100% sure just yet. Aesni accelerated zfs v31 encryption in solaris 11. Installing the latest version of live upgrade from the update 9 iso. Difference between solaris 10 and solaris 11 difference wiki. All wrapping keys are 32 bytes 256 bits, even for 128 and 192 bit encryption types. In solaris 11, oracle removed the word called patches from their dictionary. Zfs is an innovative file system that provides you with almost unlimited data capacity1, simple data management and a highprofile data protection mechanism. It also exposes a new set of commands via zfs key for managing the keystore. I have solaris10 sparc box with zfs filesystem, which is running two non global zones. How do i test or verify that the zfs encryption is working, especially when running as a samba share. Encrypting zfs file systems transitioning from oracle. I am in process of applying solaris recommended patch cluster via live upgrade. Patches may only be loaded on the global zone but not on. It is normally not possible to manually install a package from a newer release of solaris 11.
I saw in suns details of new features for solaris 10 that there is now an encrypted file system support. Dec 05, 2009 the first step in this process is to ensure that solaris 10 operating system is installed, followed by the installation of any optional solaris 10 contributed software. Single user mode doesnt really work for patching solaris 10 with zones. Sun have done some work in recent times with liveupgrade the last time i looked at it, a few years back now, it was rubbish. In addition, you need to select use a slice on the disk on the. How to run savecore crash dump manually in solaris. You can migrate a ufs file system to a zfs file system by using these commands on an oracle solaris 10 system or migrate ufs data to a zfs file system between two oracle solaris 10 systems. All data and file system metadata such as ownership, access control lists, quota. It does require some understanding of solaris and zfs debugging tools. In this post will show you the data backup and recovery mechanism in oracle solaris 11. How to delete files on a zfs filesystem that is 100% full. Difference between solaris 10 and solaris 11 compare the. There is the promise of zfscrypto, but it seems a distant one. Oracle solaris 11 supports encryption on zfs in a native way to protect critical data without depending on external programs, and it is integrated with the oracle solaris cryptographic framework, which in turn makes encryption easier and faster by providing several symmetric and asymmetric algorithms for encrypting files and entire file systems.
Im not quite sure if this is the right place to ask this, if not, feel free to migrate it to wherever it fits in. How to encrypt data in a zfs file system and how to manage data encryption for the file system or storage pool. How to upgrade or patch a zfs root file system with zone. How to install a zfs boot block in solaris the geek diary. Any other suggestions for some type of efs under solaris 10. It is very much preferrable that the encrypted filesystem for the second boot production environment is zfs. How to backup and restore solaris zfs root pool the following procedure can be used to backup and restore a zfs root pool rpool using the tools that are provided in solaris 10 and above.
What is the best method to run patch for live systesms. Patching a live solaris 10 system with lu, zfs, and pca. What are the differences between solaris 10 and solaris 11. There is no database encryption option that works well with our applications.
It seems not too widely known that you can encrypt your data with zfs for quite some while. Solaris 10 migrating from ufs to zfs with live upgrade i just tested a migration of root from ufs to zfs on x4200. For you information,from solaris 11 onward,zfs will be the default root filesystem. Contribute to lundmanfreebsd crypto development by creating an account on github. As you have mentioned that you are planning to do zfs encryption, you have to choose solaris 11 itself because there is no encryption possible in solaris 10. Solaris operating system wikipedia republished wiki 2. The benefits of using zfs encryption are as follows. Ips also allows patching of the zones to be extremely fast. This workshop is intended for solaris administrators who wish to quickly get up to speed with the new features of solaris 10.
That being said, solaris packages are usually locked into a particular set of revisions via a meta package called entire. Sep 17, 2015 regarding to oracle security alert cve list, we need to apply solaris recommended bundle patch instead of apply one by one patch. We have seen many post about solaris 10 os patching using liveupgrade method. How to delete files on a zfs filesystem that is 100% full by admin when a zfs file system has no space left then the deletion of files can fail with disk quota exceeded. Solaris 10 containers feature can be used to wrap the existing solaris 10 installation inside a solaris 11 express system.
This article is going to explain that how to update the solaris 11. In order to install a new zfs boot block, you need to first boot from dvd, network or the failsafe image on the system. If convenient, the first boot os does not have to be solaris. I thought it was about time i took another look, since. Solaris 10 live upgrade with zfs and nonglobalzones fail. In previous oracle solaris releases and in this release, the cryptographic framework feature provides the encrypt, decrypt, and mac commands to encrypt files oracle solaris 10 does not support zfs encryption. Patching solaris 10 on servers with nonglobal zones.
Here a notes for solaris 10 patching update that can be used as reference. We no need to bring down the server to single user mode if you are using live upgrade method during pathing and before choosing live upgrade,make sure you are using zfs as a root filesystem. So zfs knowledge is must for all of the solaris administrator who is going to work on solaris 11. System administrators can patch a system image rapidly without impacting the boot. Solaris 10 606 includes a new data management feature, zfs zettabyte file system. Oct 26, 2011 for servers with solaris 10 os at, or near, update 1 106 or update 2 606, if nonglobal zones are already configured and running, patching these servers at single user mode will encounter issues.