This chapter summarizes new features in the Solaris 10 5/09 release.
The following system resources features and enhancements have been added to the Solaris 10 5/09 release.
If the source and the target zonepaths reside on ZFS and both are in the same pool, a snapshot of the source zonepath is taken and the zoneadm clone uses ZFS to clone the zone.
You can specify that a ZFS zonepath be copied instead of cloned. If neither the source nor the target zonepath is on ZFS, or if only one of them is on ZFS, the clone process uses the existing copy technique.
In all cases, the system copies the data from a source zonepath to a target zonepath if using a ZFS clone is not possible.
For more information, see the following:
zoneadm(1M) man page
Use the -b option to specify official or Interim Diagnostics Relief (IDR) patches to be backed out of a zone during the attach. This option applies only to zone brands that use SVr4 packaging.
For more information, see the following:
zoneadm(1M) man page
The following system administration features and enhancements have been added to the Solaris 10 5/09 release.
IP security (IPsec) is now managed by the following Solaris Management Facility (SMF) services:
svc:/network/ipsec/policy:default – The policy service checks for the /etc/inet/ipsecinit.conf file and feeds the data into the IPsec Security Policy Database (SPD). The policy service must be started and its file, /etc/inet/ipsecinit.conf, must exist for boot-time IPsec policy configuration.
svc:/network/ipsec/ike:default – The ike service controls the Internet Key Exchange (IKE) daemon in iked(1M). This service controls ike in a manner similar to other daemon-controlled services like ssh or sendmail.
svc:/network/ipsec/manual-key:default – The manual-key service checks for the /etc/inet/secret/ipseckeys file and feeds the keys into the IPsec Security Association Database (SADB). Prior to SMF, the mere existence of the /etc/inet/secret/ipseckeys file was sufficient, but now the service should also be enabled to load manual IPsec keys.
svc:/network/ipsec/ipsecalgs:default – The ipsecalgs service is enabled by default and maps Solaris Cryptographic Framework algorithms to their use in IPsec. Changes enabled with ipsecalgs(1M) subsequently refresh the ipsecalgs service.
The SMF management brings all the SMF features to IPsec, for example, interface consistency, capability of restarting, and fault-tracking.
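The following check is an added example, not part of the original release notes or of Solaris itself. It flags the pitfall described above, where a policy or key file is in place but the SMF service that loads it is not online (and the reverse). The function name, the root-prefix argument and the sample svcs output are constructed for illustration; the syntax is POSIX shell, so on Solaris 10 run it with ksh or bash rather than the legacy /bin/sh.

```shell
# Added example: ipsec_smf_gaps is a hypothetical helper, not a Solaris tool.
# stdin: output of
#   svcs -H -o state,fmri network/ipsec/policy network/ipsec/manual-key
# $1:    root prefix for the file checks (empty string on a live system)

ipsec_smf_gaps() {
    root=$1
    while read -r state fmri; do
        # Map each file-driven service to the file it loads (paths from the text).
        case $fmri in
            svc:/network/ipsec/policy:default)
                file=/etc/inet/ipsecinit.conf ;;
            svc:/network/ipsec/manual-key:default)
                file=/etc/inet/secret/ipseckeys ;;
            *) continue ;;
        esac
        if [ -f "$root$file" ] && [ "$state" != online ]; then
            # Pre-SMF habit: the file is in place but nothing loads it.
            echo "GAP: $file exists but $fmri is $state"
        elif [ ! -f "$root$file" ] && [ "$state" = online ]; then
            echo "GAP: $fmri is online but $file is missing"
        fi
    done
    return 0
}

# Constructed sample: a host where the keys file was carried over from a
# pre-SMF release but the manual-key service was never enabled.
SAMPLE_SVCS='online         svc:/network/ipsec/ipsecalgs:default
online         svc:/network/ipsec/policy:default
disabled       svc:/network/ipsec/manual-key:default
disabled       svc:/network/ipsec/ike:default'

demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/inet/secret"
: > "$demo_root/etc/inet/ipsecinit.conf"
: > "$demo_root/etc/inet/secret/ipseckeys"
printf '%s\n' "$SAMPLE_SVCS" | ipsec_smf_gaps "$demo_root"
rm -rf "$demo_root"
```

On a live system, pipe the real svcs output into the function and pass an empty string as the root prefix.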
The following security features and enhancements have been added to the Solaris 10 5/09 release.
The Solaris 10 5/09 release contains a public API for User Datagram Protocol (UDP) sockets that act as IPsec Network Address Translator (NAT) Traversal endpoints.
When the UDP_NAT_T_ENDPOINT socket option is enabled, outbound UDP traffic is prefixed with a four-byte zero security parameters index (SPI) value, and zero SPIs are stripped from inbound traffic. Inbound traffic bound for such a socket with a nonzero SPI is automatically transferred to IPsec's Encapsulating Security Payload (ESP) for ESP-in-UDP decapsulation. ESP-in-UDP encapsulation is determined by a property in the IPsec Security Association (SA).
This feature enables IPsec key management software developers to create key management protocols that can transit NAT devices. The Solaris IKE daemon in iked(1M) uses this facility and such sockets are displayed using the pfiles(1M) command.
The Solaris 10 5/09 release introduces the following algorithms for IPsec and IKE:
Three larger Diffie-Hellman integer-modulus groups including 2048-bit, 3072-bit, and 4096-bit – The larger Diffie-Hellman groups are available in IKE Phase 1 and Phase 2. The groups are specified by group number 14 for 2048-bit, 15 for 3072-bit, and 16 for 4096-bit, per RFC 3526.
SHA-2 series of hashes including sha256, sha384, and sha512 – SHA-2 using HMAC is available for IPsec's Authentication Header (AH) and ESP, and for IKE during its interactions. SHA-2 is used in IPsec per RFC 4868, with truncated ICV lengths of 16 bytes for SHA256, 24 bytes for SHA384, and 32 bytes for SHA512.
SHA-2 is not available for certificates generated with ikecert(1M).
This feature enables the SunSSH server and client to use the Solaris Cryptographic Framework through the OpenSSL PKCS#11 engine. SunSSH uses the cryptographic framework for hardware acceleration of symmetric crypto algorithms, which is important for data transfer speed. This feature is aimed at UltraSPARC® T2 processor platforms with the n2cp(7D) crypto driver.
UltraSPARC T1 processor platforms are not affected by this feature since the ncp(7D) driver does not support symmetric crypto algorithms. Platforms without any hardware crypto plugins are not affected by this feature, regardless of the value set for the UseOpenSSLEngine option. The default value of the UseOpenSSLEngine option is set to on and the server and client SSH configuration files need not be updated.
SunSSH should be used with Sun Crypto Accelerator 6000 board software version 1.1 with the following patches installed:
128365-02 for SPARC-based systems
128366-02 for x86-based systems
No patch is available for the Sun Crypto Accelerator 6000 board software version 1.0. To work around this issue, remove the AES counter modes from the Ciphers option keyword on both the server and the client side.
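The workaround above can be checked and applied with a short script. This is an added example, not part of SunSSH or the original release notes; the function names and the sample configuration are constructed for illustration, and the cipher-name pattern assumes the usual aes128-ctr, aes192-ctr and aes256-ctr spellings.

```shell
# Added example: hypothetical helpers for ssh_config/sshd_config style files.
# On Solaris 10 set AWK=nawk: the legacy /usr/bin/awk lacks tolower().
AWK=${AWK:-awk}

# Print "default" (no Ciphers line, so the built-in list applies),
# "lists-ctr" (an AES counter mode is configured) or "clean".
ctr_status() {
    "$AWK" '
        tolower($1) == "ciphers" {
            seen = 1
            if ($2 ~ /(^|,)aes[0-9]+-ctr(,|$)/) ctr = 1
        }
        END { print (!seen ? "default" : (ctr ? "lists-ctr" : "clean")) }
    ' "$1"
}

# Write the config in $1 to stdout with AES-CTR names dropped from Ciphers.
strip_aes_ctr() {
    "$AWK" '
        tolower($1) == "ciphers" {
            n = split($2, c, ","); keep = ""
            for (i = 1; i <= n; i++)
                if (c[i] !~ /^aes[0-9]+-ctr$/)
                    keep = keep (keep == "" ? "" : ",") c[i]
            if (keep == "") {
                # Nothing left: leave the line for a human to replace.
                print "# REVIEW: only AES-CTR ciphers were listed"
                print; next
            }
            print $1, keep; next
        }
        { print }
    ' "$1"
}

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF='Protocol 2
Ciphers aes128-ctr,aes128-cbc,aes256-ctr,3des-cbc
MACs hmac-sha1'

conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$conf"
echo "before: $(ctr_status "$conf")"
strip_aes_ctr "$conf"
rm -f "$conf"
```

A result of "default" means the file has no explicit Ciphers line, so the workaround requires adding one; run the check against both the server and the client configuration files.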
The following device management feature has been added to the Solaris 10 5/09 release.
This feature provides the basic CPU Advanced Configuration and Power Interface (ACPI) T-state support. T-state support enables the CPU driver to receive _TPC change notifications as a manner of controlling the processor speed. This is frequently done on some systems as a passive cooling mechanism along with the existing CPU ACPI P-States.
For more information, see http://opensolaris.org/os/community/pm/.
The following system performance features and enhancements have been added to the Solaris 10 5/09 release.
This feature introduces Large Segment Offload (LSO) support for the ixgbe driver and some ixgbe driver bug fixes. LSO is an important feature for NICs, especially 10-Gb NICs. LSO can offload the segmentation job on Layer 4 to the NIC driver. LSO improves transmit performance by decreasing CPU overhead. This feature is enabled by default.
This feature includes the following enhancements:
Event driven CPU power management – On systems that support Dynamic Voltage and Frequency Scaling (DVFS) by Solaris, the kernel scheduler or dispatcher will schedule threads across the system's CPUs in a manner that coalesces load, and frees up other CPUs to be deeply power managed. CPU power state changes are triggered when the dispatcher recognizes that the utilization across a group of power manageable CPUs has changed in a significant way. This eliminates the need to periodically poll CPU utilizations across the system, and enables the system to save more power when CPUs are not used, while driving performance when CPUs are used. Event driven CPU power management is enabled by default on systems that support DVFS. This feature can be disabled, or the legacy polling-based CPU power management can be used through the cpupm keyword in power.conf(4).
Support for Deep Idle CPU Power Management or deep C-state support on Intel Nehalem-based systems – The project also adds Solaris support for Deep C-states on Intel Nehalem-based systems. This support enables unused CPU resources to be dynamically placed in a state where they consume a fraction of the power consumed in their normal operating state. This feature also provides Solaris support for the power saving feature, as well as the policy implementation that decides when idle CPUs should request deep idle mode. This feature will be enabled by default where supported, and can be disabled through the cpu-deep-idle keyword in power.conf(4).
Observability for Intel's Turbo Mode feature – Intel Nehalem-based systems have the ability to raise the operating frequency of a subset of the available cores when there is enough thermal headroom to do so. This ability temporarily boosts performance, but it is controlled by the hardware and transparent to software. Starting with the Solaris 10 5/09 release, a new kstat module observes when the system is entering the turbo mode and at which frequency it operates.
The following developer tools features and enhancements have been added to the Solaris 10 5/09 release.
SunVTS™ 7.0 Patch Set 5 has the following enhancements:
Ability to specify device specific options in a test
Creation of generic or host-specific sessions for testing
Loop function on a particular test pass
Terminal user interface (UI) support for the creation or loading of generic and host-specific sessions
CPU Diagnostics Enhancements:
System test, systest, performs processor-level isolation in the event of a failure
CPU test, cputest, is a multiprocess test. A single test binary can test all the CPUs in the system simultaneously.
Memory Diagnostics Enhancements:
physmem-based ramtest has the option to read address length in Kbytes, Mbytes, and Gbytes
Improved l3 buffer test with added memory, march-test algorithms
IO Diagnostics Enhancements:
New hlgraphicstest test is added for testing graphics cards
Users can specify back-to-back loopback option for the nxge interface in the network test
Cddvdtest is enhanced to support different drive speeds
Disktest is enhanced to support the following features:
Tuned to stress USB storage devices
Perform disk performance testing
Does not perform write testing on the root disk
Test Solid State Devices (SSD) with test level, wear-leveling mechanism
Supports read-and-write buffer cache test
Modern microprocessors contain hardware performance counters that enable the measurement of many different hardware events related to CPU behavior. Hardware events include instruction and data cache misses as well as various internal states of the processor. Data from the performance counters can be used to analyze and tune the behavior of software on a particular type of processor. The Solaris 10 5/09 OS provides access to CPU Performance Counters (cpc) through the libcpc(3LIB) interface and through the cputrack(1) and cpustat(1M) utilities.
The following driver features and enhancements have been added to the Solaris 10 5/09 release.
This feature introduces a Solaris driver for the fourth generation of InfiniBand (IB) HCA chips from Mellanox, Ltd. The hermon driver provides IB support for SDR, DDR, and QDR chips for conventional HCAs, EMs, and NEMs for blade environments.
The hermon driver enables higher bandwidth and lower latency in IB transmissions, compared to previous generations of the IB product. The higher bandwidth and lower latency are most important in high-performance computing (HPC) applications, though the increase in performance is advantageous in all environments.
In addition, the uDAPL library, a critical underpinning of the MPI library, is updated to work with this driver, providing optimal performance with MPI-based applications.
Starting with the Solaris 10 5/09 release, iSCSI Target is upgraded to provide new features and functionality.
This iSCSI Target update includes the following performance, scalability, interoperability, and reliability improvements:
Improved TCP/IP timeout recovery
iSCSI initiator invoked SCSI RESETs
Code path and memory leak cleanup
Improved interoperability with Target Port Group Tags (TPGT), unidirectional and bidirectional CHAP authentication, and RADIUS server support
Improved Internet Storage Name Service (iSNS) support, including recovery from unavailable iSNS servers
Updated SCSI-3 Persistent Reserve functionality that enables the use of the functionality in various clustering solutions on both Solaris and other operating systems
The Solaris iSCSI Target release now supports a wide variety of iSCSI initiators for the following operating systems:
Linux: Red Hat Enterprise Linux (RHEL), Suse, and Ubuntu
Microsoft Windows (XP, Vista, Server 2003, Server 2008, Windows Cluster Server)
Mac OS X
The ntxn(7D) is a new NIC driver that supports NetXen's PCI Express-based 10-Gigabit Ethernet network interface cards (NIC). Users can access the network through Solaris OS on platforms that have a NetXen NIC installed.
Starting with the Solaris 10 5/09 release, the ICH10 and Hartwell network interfaces are the default network interface cards (NIC) on some x64 and x86 machines. Users can access the network easily with these network interfaces.
The xge driver enables multiple receive rings and MSI-X if the driver can allocate enough MSI-X vectors on platforms that support MSI-X. The performance of the driver is enhanced by this feature. If the driver is unable to allocate enough MSI-X vectors, the driver continues to work as before in the legacy interrupt mode.
The following language support enhancement has been added to the Solaris 10 5/09 release.
The Solaris 10 5/09 release now supports the Kazakhstan kk_KZ.UTF-8 and Ukraine uk_UA.UTF-8 locales.
The following additional software feature has been added to the Solaris 10 5/09 release.
The Fp-scrubber is a user-level daemon that periodically runs nonintrusive tests to validate proper functioning of the floating-point unit (FPU) hardware. When an error is detected by the test, a fault management action is initiated by using the fmd(1M) command. The Fp-scrubber daemon supports only UltraSPARC III and UltraSPARC IV class of processors.