Hard Line on 9

Bundling and OS tweaks boost Solaris but may not be enough to justify enterprisewide upgrades.

The recently released Solaris 9 operating environment is an evolutionary release whose manageability and capability improvements stem mainly from the bundling of several technologies from Sun Microsystems Inc.'s product catalog, including Sun ONE LDAP and application servers. The cost-to-benefit ratio is good for systems with up to four CPUs, but the upgrade argument is harder to make for higher-end systems or for blanket deployments.

Priced at $95 for a media kit, Solaris 9 is an excellent upgrade for single-processor servers and desktops. Upgrade prices get steeper for larger systems—about $30,000 to upgrade a 32-processor server—so IT managers should make sure the added capabilities are really needed (if not already purchased in third-party products) before moving servers to the new operating system.

This release of Solaris is available only for the SPARC platform, which means that an increasing number of organizations with Intel Corp.-based servers will have to use Linux and BSD to get similar functionality.

Servers that are upgraded to Solaris 9 will gain significant management improvements. Sun's Management Console 2.1 is now the primary Solaris management interface, eliminating the need for older tools such as AdminTool.

In tests, eWeek Labs was impressed with the console's breadth of functions. Using Management Console 2.1, we could manage storage resources (volume and hard drive) as well as users.

In addition, Solaris Volume Manager, managed through the console, adds capabilities from Sun's DiskSuite product and allowed us to partition arrays and manage RAIDs.

Volume Manager will work well for small and midrange servers, but enterprises with high-end servers should continue to use more robust third-party tools such as Veritas Software Corp.'s Volume Manager for the necessary level of performance and scalability, as well as for features such as dynamic multipathing.

RBAC (Role-Based Access Control) is a useful feature that gives Solaris 9 administrative granularity. Using RBAC, we were able to create utility accounts with limited privileges. We could thus grant trusted users the ability to perform certain administrative tasks, such as resetting passwords and restoring files from backup media, without giving them superuser rights. And the fewer superuser accounts granted, the better a network's security.

Solaris 9 Resource Manager, also managed through Management Console, is a new addition to the operating environment whose lineage can be traced to Solaris Resource Manager 1.2, an add-on product for Solaris 8, 7 and 2.6.

Solaris 9 Resource Manager allowed us to carve up the resources on our SPARC server and assign them to specific applications and groups. Unlike its predecessor, Solaris 9 Resource Manager is integrated with the operating system kernel, a sure sign that Sun is serious about server virtualization, even on lower-end servers.

Solaris 9 Resource Manager divvies up resources into dynamic units called shares. To increase the amount of server resources an application can use, we simply increased its number of CPU shares (a much easier process than dealing with fixed percentages).

Also improving the manageability and flexibility of Solaris 9 is the bundling of a fully functional Sun ONE (Open Net Environment) Directory Server 5.1 and the Sun ONE Application Server 7 Platform Edition (now in beta). These servers, both of which come from Sun's iPlanet division, not only will make Solaris 9 more manageable than its predecessors but will also improve its standing as a development platform (see related story).

Solaris 9 also includes several new features that automate administration tasks.

The graphical Patch Manager is a useful tool from which enterprises will gain immediate benefit.

Patch Manager allows IT managers to see the patch update status of a server and automatically download all recommended patches. Importantly, the patches are ordered to make sure that no dependency problems arise from mismatched patches.

Solaris Live Upgrade 2.0 allows IT managers to upgrade their systems with a minimal amount of downtime.

Using Live Upgrade, an upgraded version of the operating system is installed and configured while the current version is still running. Once the upgraded operating system is ready, an IT manager has the ability to reboot into the new operating system. In the event that the upgrade isn't successful, the IT manager can simply reboot back to the previous configuration, sparing a painful reinstallation or recovery from backup.

Web Start Flash is another tool that will make deployments and upgrades easier: It allows the creation of a master machine. After the installation configuration of this machine is saved, the configuration can be propagated throughout the network using either Network File System servers or HTTP servers.

Bundling has also bolstered the security in Solaris 9, but so have some changes to the operating system itself.

A new minimal-installation option should allow IT managers to set up appliancelike servers with very few loose ends. Solaris 9 also loads up Secure Shell tools by default, which should make remote access more secure (see GeekSpeak, June 10).

In addition, while Solaris 8 included a simple packet filtering firewall, Solaris 9 provides a full version of Sun's SunScreen 3.2 stateful firewall. The inclusion of this firewall will make it easier for administrators to protect critical machines and will allow older and less expensive single-processor boxes to be used as workgroup-class firewalls.

eWeek Labs ran a few basic security tests on a Solaris 9 server without the SunScreen firewall enabled. We did not find any glaring holes after subjecting the server to port scans and a few buffer overflow attacks.

More time will be needed to judge the overall security of Solaris 9 compared with its predecessors, but the new release's modularity is a security boon: There are fewer cross-dependencies in 9, making it easier to pull things out of the operating system without affecting other components.

Our recommendation is to closely examine all of the services enabled by default; outside of the minimal installation, there is a sizable number of services and ports enabled in a default install. Shut down or pull out anything you don't need, especially extra remote procedure calls, long a favorite target of hackers. Of course, this advice holds true for any operating system. For more general operating system hardening advice, go to www.eweek.com/article2/0,3959,35185,00.asp.
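One way to start that review, as an added example that is not part of the original article: a shell function that lists every enabled entry in an inetd.conf-style file and marks the RPC-based ones for attention. It assumes the services in question are started from a file in the Solaris inetd.conf layout (typically /etc/inet/inetd.conf, a path the article does not name); the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file for enabled services.
# SAMPLE_INETD is constructed sample input, not taken from a real host.
SAMPLE_INETD='# constructed sample in Solaris inetd.conf layout
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
rstatd/2-4      tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/rstat/rpc.rstatd        rpc.rstatd
rusersd/2-3     tli     rpc/datagram_v,circuit_v        wait    root    /usr/lib/netsvc/rusers/rpc.rusersd      rpc.rusersd
#sprayd/1       tli     rpc/datagram_v  wait    root    /usr/lib/netsvc/spray/rpc.sprayd        rpc.sprayd
time    stream  tcp6    nowait  root    internal
'

# list_enabled: read inetd.conf text on stdin and print one line per
# active entry as "KIND name protocol user program".
# KIND is RPC when the protocol field starts with "rpc/", otherwise INET.
# Commented-out entries are already disabled and are skipped.
list_enabled() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }            # comments and blank lines
        NF < 6 { printf "MALFORMED line %d\n", NR; next }
        {
            kind = ($3 ~ /^rpc\//) ? "RPC" : "INET"
            name = $1
            sub(/\/.*/, "", name)                 # drop the RPC version suffix
            printf "%s %s %s %s %s\n", kind, name, $3, $5, $6
        }'
}

# count_kind KIND: number of active entries of that kind on stdin.
count_kind() {
    list_enabled | grep -c "^$1 " || true
}

# Report for the constructed sample; on a real host, redirect the
# configuration file into list_enabled instead.
printf '%s' "$SAMPLE_INETD" | list_enabled
```

Every line the function prints is a listener that a default install would start on demand; each RPC line is a candidate to comment out unless a named application needs it.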

On the desktop side, the biggest changes are still to come, with GNOME (GNU Network Object Model Environment) 2.0 expected to ship with the first service pack of Solaris 9.

GNOME 1.4 is available as a technology preview, and it ran fairly smoothly in our tests. We experienced no violent crashes, and there were no insanely long pauses before applications launched.

However, be warned that there are many documented bugs in GNOME 1.4. We don't recommend using it as a replacement to the Solaris Common Desktop Environment because it is not yet supported by Sun. If you do decide to take it for a ride, the best way to get support is through newsgroups and e-mail lists.

Sun is leveraging GNOME to make Solaris friendlier to Windows users. As more applications are created that play to GNOME's strengths, we expect the operating system experience to be greatly enhanced.

Solaris 9's management utilities were not created specifically for the GNOME desktop, but we were able to launch Sun's Management Console 2.1 on a GNOME desktop without problems.

Senior Analyst Henry Baltazar is at [email protected].