This section describes the installation and software management features that are new in this release. These features enable fast updates and deployments through software installation and software management tools.
The svc-create-first-boot tool provides a single interface to create, customize, and publish a first boot service package. Provide the package repository path and first boot script as command-line arguments; the tool will publish the first boot service package to the specified repository. Using this tool simplifies automatically executing scripts at first boot.
For more information, see the svc-create-first-boot(1) man page.
Oracle Solaris 11.4 introduces the RAD API for Automated Installer. This API provides functionality for the remote administration of an Automated Install (AI) server. You can write programs to manage an AI server using any RAD-supported client language.
For more information, see the autoinstall(3rad) man page.
Oracle Solaris AI installations can now be secured by HMAC-SHA256. Administrators can choose HMAC-SHA256 as the HMAC algorithm policy for securing new AI services and clients. Administrators can also upgrade the HMAC type for services and clients so that it is enforced immediately, or generate HMAC-SHA256 keys for the user to install, after which the administrator can enforce HMAC-SHA256. Existing systems secured with HMAC-SHA1 will continue to be secured with HMAC-SHA1 until upgraded.
HMAC-SHA256 provides authentication and integrity for the early boot phases of an Oracle Solaris AI installation using the WAN boot protocol. This support in AI, coupled with SPARC OBP firmware support, ensures modern standards of security for wide-area network installations.
For more information, see the installadm(8) man page.
Dehydration and Rehydration for Oracle Solaris Unified Archives (UAR) enhances the current archive technology to utilize the IPS dehydrate/rehydrate technology and minimize the footprint of a created UAR.
In this context, to dehydrate an archive means to remove all noneditable packaged files and packaged hardlinks from the alternate root of an archive image. A noneditable packaged file is a file delivered by the currently installed version of a package that has no preserve or overlay attribute, or has no tagged value of dehydrate=False. On the other hand, rehydration reinstalls all the files and hardlinks removed by dehydration to restore the archive image to its original state.
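The rule above can be applied to a package manifest to see which paths a dehydrated archive would still carry. The following is an added example, not code from Oracle or the pkg tooling: the manifest is constructed, the `dehydrate` tag is matched case-insensitively as an assumption, and hardlinks are treated as always removed, following the literal wording of the paragraph.

```python
import shlex

# Constructed sample manifest in IPS action syntax (not from a real package).
SAMPLE_MANIFEST = """\
file 1111 path=usr/bin/ls owner=root group=bin mode=0555
file 2222 path=etc/motd owner=root group=sys mode=0644 preserve=true
file 3333 path=etc/app.conf owner=root group=sys mode=0644 overlay=allow
file 4444 path=opt/isv/license.dat owner=root group=bin mode=0444 dehydrate=false
hardlink path=usr/bin/dir target=ls
dir path=usr/bin owner=root group=bin mode=0755
"""

def parse_action(line):
    """Return (action_type, attrs) for one manifest line."""
    tokens = shlex.split(line)
    # The positional file hash has no '=' and is skipped.
    attrs = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
    return tokens[0], attrs

def removed_by_dehydrate(kind, attrs):
    """Apply the rule stated above to one action."""
    if kind == "hardlink":
        return True   # read literally: every packaged hardlink is removed
    if kind != "file":
        return False  # directories and other actions are outside the rule
    if "preserve" in attrs or "overlay" in attrs:
        return False  # editable file: stays in the archive
    return attrs.get("dehydrate", "").lower() != "false"

def plan(manifest_text):
    """Split file and hardlink paths into (removed, kept) lists."""
    removed, kept = [], []
    for line in manifest_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        kind, attrs = parse_action(line)
        if kind not in ("file", "hardlink"):
            continue
        target = removed if removed_by_dehydrate(kind, attrs) else kept
        target.append(attrs["path"])
    return removed, kept

if __name__ == "__main__":
    removed, kept = plan(SAMPLE_MANIFEST)
    print("restored from the repository on rehydrate:", removed)
    print("carried inside the dehydrated archive:", kept)
```

The kept list is the content a recipient takes from the archive itself, while the removed list is restored from the package repository used for rehydration.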
This feature helps independent software vendors (ISVs) deliver application stacks inside a UAR in which the base OS is dehydrated, which unencumbers them from copyright and distribution rights for the OS. In effect, the ISV can create a fully deployable application stack and OS image, then use a dehydration operation to remove the OS image from the archive, leaving just the ISV's application. A customer can then deploy this dehydrated archive and rehydrate the OS from a legally owned copy of the OS repository.
Archives can sometimes be very large. Dehydration reduces the space that archives take up on a system and therefore allows better storage management for multiple archives.
If customers have dehydrated archives that they want to deploy across many systems, the rehydrate subcommand is useful. By rehydrating a dehydrated archive back to its normal hydrated state, you can minimize deployment time, because a hydrated archive takes less time to deploy than a dehydrated archive.
For more information, see the archiveadm(8) man page.
The cloudbase-init service performs initial configuration of guest operating systems in the cloud. These tasks include user creation, password generation, static networking configuration, hostname, SSH public keys, and user data scripts.
The Oracle Solaris 11.4 version of cloudbase-init is a Service Management Facility (SMF) service (application/cloudbase-init) delivered by the cloudbase-init IPS package.
The cloudbase-init package is not installed by default. Install the package only into images that will be deployed in cloud environments.
The service is enabled by default.
The configuration file, /etc/cloudbase-init.conf, enables only the UserData plugin.
Scripts that are exported through user data typically perform system and application configuration tasks that require privileged access. Therefore, the cloudbase-init service runs as the user root, and any user data scripts must also run as root.
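Because user data scripts run as root, it is worth confirming that an image's configuration still matches the shipped state of enabling only the UserData plugin. The following is an added example, not part of the Oracle documentation: it assumes the file uses the upstream cloudbase-init layout (a `plugins` option in the `[DEFAULT]` section) and the upstream class path for the UserData plugin, and both sample configurations are constructed.

```python
import configparser

# Assumption: upstream cloudbase-init class path for the UserData plugin.
USERDATA = "cloudbaseinit.plugins.common.userdata.UserDataPlugin"

# Constructed samples: the documented state, and a drifted configuration.
SHIPPED = "[DEFAULT]\nplugins = " + USERDATA + "\n"
DRIFTED = (
    "[DEFAULT]\n"
    "plugins = " + USERDATA + ",\n"
    "    cloudbaseinit.plugins.common.sshpublickeys.SetUserSSHPublicKeysPlugin\n"
)

def enabled_plugins(conf_text):
    """Return the plugin class paths listed in the [DEFAULT] plugins option."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("DEFAULT", "plugins", fallback="")
    # Continuation lines are joined with newlines; treat them like commas.
    return [p.strip() for p in raw.replace("\n", ",").split(",") if p.strip()]

def audit(conf_text):
    """Return findings; an empty list means only UserData is enabled."""
    plugins = enabled_plugins(conf_text)
    if not plugins:
        return ["plugins option missing: cannot confirm that only UserData is enabled"]
    findings = [f"unexpected plugin enabled: {p}" for p in plugins if p != USERDATA]
    if USERDATA not in plugins:
        findings.append("UserData plugin is not enabled")
    return findings

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("drifted", DRIFTED)):
        print(name, audit(text) or "ok")
```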
With this feature, boot pools can use iSCSI-iSER as the default transport protocol instead of iSCSI-IPoIB to boot Oracle Solaris. The server can use boot pools to boot firmware-inaccessible storage devices over iSCSI targets. Using the iSCSI-iSER protocol provides the following benefits:
Boots Oracle Solaris faster than on iSCSI-IPoIB
Accesses rpool through iSCSI-iSER with:
Low transport latency
Low CPU utilization
Requires zero configuration
UEFI Secure Boot on Oracle Solaris x86 enables you to install and boot Oracle Solaris on platforms where UEFI Secure Boot is enabled. This feature provides more security by maintaining a chain of trust during boot: digital signatures of the firmware and software are verified before executing the next stage. No break occurs in the chain because of unsigned, corrupt, or rogue firmware or software during the boot process. This feature helps assure that the firmware and software used to boot Oracle Solaris on a hardware platform is correct, and has not been modified or corrupted.
For more information, see Securing Systems and Attached Devices in Oracle Solaris 11.4.