Friday, April 27, 2012

Oracle Solaris 11 - Session 1: Strategy and Update

Online Forum
Oracle Solaris 11:
What's New Since the Launch

April 2012 

Session I - Keynote: Oracle Solaris Strategy and Update

Markus Flierl, Vice President, Oracle Solaris Engineering, delivered the keynote - the first 1 hour session of 4 sessions on Oracle Solaris 11: What's New Since the Launch. From the entire first session, several major enhancements were noted in Solaris 11 Update 1:
  • Solaris 11 Update 1 - re-architecture of virtual memory sub-system
    New systems coming with 64 sockets, 64 terabytes of main memory
  • Solaris 11 Update 1 improves python performance
    30% performance improvement
  • Solaris 11 Update 1 improvement in network system
    Link aggregation across multiple switches
    Improve ability to migrate VNIC configuration across to new system
  • Solaris 11 Update 1 Due in late 2012
    To coincide with other SPARC and Intel releases
The presentation by Markus follows:

Over the last 6 months
- SPARC T4 Support
  (Some customers seeing 5-7x improvement in single thread performance)
- Working on T5 in Lab
- Release Solaris 11
- SPARC SuperCluster
- Solaris Cluster 4.0
- Oracle Studio 12
- Oracle Enterprise Manager Ops Center 12c

- #1 UNIX
- Solaris 11 Update 1 to be released end of 2012
- First "Cloud" OS
  Satisfy traditional customer requirements for: availability, security, performance, scalability
- Shipped new network stack
  Scale to 40GBit via parallel pipes

Simplified Administration
- 3x faster provisioning over VMWare
- 4x faster upgrades over Red Hat
- 2.5x faster reboots over Red Hat
- 46% fewer hardware outages using FMA
- Designed-in Virtualization
- Scalable Data Management
- Advanced Protection

New availability
- Preparing to implement K-Splice under Solaris

Designed-in Virtualization
- Fully virtualized
  OS, Network, and Storage
- Virtual Network Services built-in
- 15x better overhead efficiency over VMWare
- 4x Lower Latency over KVM

Scalable Data Management
- 10x storage savings for virtualization
- 2x storage compression
- 2x SPC-1 IOPS at 1/2 cost over NetApp

Advanced Protection / Security
- Immutable root file system
- 4.3x faster OpenSSL over AIX
- 3x faster ZFS encryption on SPARC over Westmere x86

Dramatically Faster Lifecycle Management
- Apply security fixes in minutes, during maintenance window, with fast reboot
- KSplice technology being actively investigated, to enable hot-patching

Cloud-Scale Networking Architecture
- Link aggregation across multiple switches
- vnic migration to new environment
- Hardware assisted resource management
- vlan: isolation & dynamic provisioning
- integrated: routing, firewall, load balancer, bridging, HA
- 4x lower latency over KVM

ZFS Virtualized Pooled Storage
- Scale out design. Built-in data services
- flash enabled virtual pools
- compression
- replication
- deduplication
- dataset encryption
- 10x dedup in virtualized environments
- rapid provisioning of virtualized storage resources (zfs snapshots, clones)
- no silent data corruption, ever

Oracle's Complete Cloud Management
- Self Service, provisioning
- billing for chargeback
- included in the base price of Solaris, if support

#1 UNIX. Engineered for Oracle
- Best of breed components
- Co-engineered with Apps and hardware
- Unique value in engineered systems

Solaris on Exadata
- Performance from 400K IOPS to over 1 Million IOPS
- Enabling Zones under Exadata and SuperCluster, to allow customers to carve out the machines for public and private cloud services

Java 7 Performance Trends
- 2.2x improvement through JDK 7 development through tuning
- Java 7 Update 4 supports crypto hardware
- Java 7 Update 4 Solaris 4x-5x crypto performance improvement
- Java mission control, debugging leveraging dtrace
- Solaris Scheduler tuning for JVM

SPARC Future Work
- crypto speed enhancement
- oracle number enhancement
- memory versioning
- 3x-5x improvement

Solaris: Engine for ZFS Storage Appliance
- Best Performance - 2x faster than NetApp
- Best Efficiency - best analytics
- Best Quality - #1 Storage Magazine
- Best for Oracle Software - engineered together
  Used in Exadata, preferred backup solution for Exadata

Roadmap - Accelerating Investment
- Solaris 11 Express end of 2010
- Solaris 11 shipped end of 2011
- Solaris 11 Update 1 targeting end of 2012
- Solaris 12 requirements on the horizon
- SPARC T5 and M4 based systems in the lab
- Intel Sandy Bridge announcement on April 10
(The dates on the roadmap and positioning of technologies do not line up)

Thursday, April 19, 2012

SNMP Tab Update: SNMP Management Utilities

The following SNMP Management Utilities have been added to the SNMP Tab.

SNMP - Management Utilities
[HTML] - net-snmp snmp agent and snmp libraries
[HTML] - collectd back-end collecting engine
[HTML] - collection 4 front-end graphing engine
[HTML] - Add close option to collectd snmp plug-in

Wednesday, April 18, 2012

SSH Debugging: Tunnel Timeout

SSH is a tool which allows for encryption of credentials as well as traffic (command line or proxied TCP streams) when attaching a session between two servers (covered in article #1.) The session can be connected automatically, through the use of shared keys (covered in article #2.) When the SSH tunnel is traversing firewalls, keep-alive traffic can be initiated, so the firewall will not terminate the tunnel due to lack of traffic (covered in this article.)

When SSH must pass through a firewall, it is not uncommon for the firewall (Juniper, FireWall-1, etc.) to terminate sessions or sockets that pass through it into a DMZ once they have been idle for a period of time. This can be solved on either the client or the server end; it is not necessary to add the setting to both sides.

Client Timeout:
On the client machine, one can add a line to the /etc/ssh/ssh_config file so that the client sends a keep-alive message through the encrypted channel every 60 seconds, keeping the firewall from terminating an idle tunnel.
sun9999/root# grep ^ServerAliveInterval /etc/ssh/ssh_config
ServerAliveInterval 60
Server Timeout:
On the server machine, one can add a line to the /etc/ssh/sshd_config file so that the server sends a keep-alive message to the client every 60 seconds, keeping the firewall from terminating an idle tunnel.
sun9999/root# grep ^ClientAliveInterval /etc/ssh/sshd_config
ClientAliveInterval 60
The SSH service must be restarted, in order to use the new settings.
sun9999/root# svcs ssh
online Apr_06 svc:/network/ssh:default

sun9999/root# svcadm disable ssh
sun9999/root# svcs ssh
disabled 9:52:03 svc:/network/ssh:default

sun9999/root# svcadm enable ssh
sun9999/root# svcs ssh
online 9:52:08 svc:/network/ssh:default
The disable and enable is all that is required, but being a little paranoid, I prefer to see the status before and after making changes such as this to a critical access protocol.
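As an added example (not part of the original post), the POSIX shell script below reads the keep-alive keywords from constructed sshd_config and ssh_config samples, fills in the OpenSSH defaults when a keyword is absent (an interval of 0 means keep-alives are off; the CountMax keywords default to 3), and checks whether the interval beats an assumed firewall idle timer of 300 seconds. It also reports the side effect a practitioner should know about: with keep-alives on, a peer that stops answering is dropped after interval times countmax seconds.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH defaults:
# *AliveInterval 0 = keep-alives disabled, *AliveCountMax default 3.

# Constructed samples standing in for /etc/ssh/sshd_config and /etc/ssh/ssh_config.
SSHD_CONF='# sshd_config (constructed sample)
Port 22
ClientAliveInterval 60
ClientAliveCountMax 3
'
SSH_CONF='# ssh_config (constructed sample)
Host *
    ServerAliveInterval 60
'

# keyword_value CONFIG KEYWORD DEFAULT
# Prints the value of the first uncommented KEYWORD line (OpenSSH uses the
# first match; keywords are case-insensitive), or DEFAULT if it is absent.
keyword_value() {
    _val=$(printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }')
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$3"; fi
}

# effective_timeout INTERVAL COUNTMAX
# Seconds after which an unresponsive peer is disconnected (interval * countmax).
# Prints 0 when keep-alives are disabled, since no such timeout then applies.
effective_timeout() {
    if [ "$1" -eq 0 ]; then echo 0; else echo $(( $1 * $2 )); fi
}

# keepalive_ok INTERVAL FW_IDLE
# Succeeds only if keep-alives are enabled and fire before the firewall idle
# timer expires; an interval equal to or above the timer is still a risk.
keepalive_ok() {
    [ "$1" -gt 0 ] && [ "$1" -lt "$2" ]
}

# report CONFIG SIDE FW_IDLE   (SIDE is "server" or "client")
report() {
    if [ "$2" = server ]; then
        iv=$(keyword_value "$1" ClientAliveInterval 0)
        cm=$(keyword_value "$1" ClientAliveCountMax 3)
    else
        iv=$(keyword_value "$1" ServerAliveInterval 0)
        cm=$(keyword_value "$1" ServerAliveCountMax 3)
    fi
    if keepalive_ok "$iv" "$3"; then verdict=OK; else verdict=RISK; fi
    printf '%-6s interval=%-4s countmax=%-2s dead-peer-after=%ss firewall-idle=%ss %s\n' \
        "$2" "$iv" "$cm" "$(effective_timeout "$iv" "$cm")" "$3" "$verdict"
}

FW_IDLE=300   # constructed: the firewall drops sessions idle for 5 minutes
report "$SSHD_CONF" server "$FW_IDLE"
report "$SSH_CONF" client "$FW_IDLE"
```

Point the two variables at the real files with `SSHD_CONF=$(cat /etc/ssh/sshd_config)` to audit a live host; either side reporting OK is sufficient, as the post notes.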

Monday, April 16, 2012

Apple MacOSX Malware: Java Exploit Phase 2


As noted in a previous article, MacOSX experienced a pretty severe malware exploit through an Oracle Java vulnerability. It appears a second Java exploit targeting Apple Macintosh OSX is currently active on the Internet.

Previous Resolution:
Apple engaged a Java fix, as well as forcing the shutdown of Java applets by default. The latter was considered pretty heavy-handed, but considering the second exploit was just revealed, one must wonder whether Apple was aware of this issue looming on the horizon.

New Java Exploit:
A writer at described the new malware issue.
This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user's current session and execute commands on the infected machine.

It appears from the screenshot that a Microsoft ASPX page is involved in the malware: a Microsoft system seems to be receiving from, or controlling, the malware. Whether this means it is some type of hybrid malware (also infecting a Microsoft system) or the malware designer is using a Microsoft OS as the distribution system is an interesting question.

Solaris Tab: Solaris Resource Management

A new sub-section was added to the Solaris Tab referred to as Solaris Resource Management.

Included in this tab are new white papers, as well as a consolidation of other Solaris White Papers, previously posted.

As in the earlier updates, the complete title of each document appears in the categorized sections below, while the shortened title appears in the common indexed section above.

Solaris Reference Material
2010-06 [PDF] Sun SPARC Enterprise Servers System and Resource Mgmt
2010-10 [HTML] Solaris 10 Sys Adm Guide: Zones, Containers, Resource Mgmt
2010-11 [HTML] Solaris 11 Sys Adm Guide: Zones, Containers, Resource Mgmt
2011-06 [PDF] Resource Mgmt Case Study for Mixed Workloads and Server Sharing
2011-11 [HTML] Solaris 11 Administration: Zones and Resource Mgmt

Solaris Resource Management
2010-06 [PDF] Sun SPARC Enterprise Servers System and Resource Management
2010-10 [HTML] Solaris 10 Sys Adm Guide: Zones, Containers, Resource Management
2010-11 [HTML] Solaris 11 Sys Adm Guide: Zones, Containers, Resource Management
2011-06 [PDF] Resource Management Case Study for Mixed Workloads and Server Sharing
2011-11 [HTML] Solaris 11 Administration: Zones and Resource Management

Friday, April 13, 2012

Zero-Day Exploit: WICD under Linux

This has been a bad week for computing systems.

  • Oracle Java exploit under Apple MacOSX, open and shut case.

  • Microsoft Zero-Day Exploit in nearly all applications, still somewhat open.

  • Adobe Acrobat Reader (Windows, MacOSX and Linux), open and shut case.

  • Now a Linux Security issue, open and shut case.
WICD Linux Exploit

As published in the patch description.

Backtrack 5 R2 (the latest version) allowed the student to overwrite settings to gain a root shell. The flaw was found in wicd (the Wireless Interface Connection Daemon)
What is WICD?

A network connection manager that aims to simplify wired and wireless networking in Linux.
If you are a wireless Linux user of WICD, get your patch.

Thursday, April 12, 2012

Solaris Tab: Solaris LDom's / Oracle VM for SPARC Addendums

The Solaris Tab was recently updated with some white papers.

White papers were placed in date order, using shortened titles on the top, for easy access, while they were categorized with their full titles on the bottom according to topic.

Solaris Reference Material

2007-07 [PDF] Understanding and Deploying Logical Domains
2010-05 [PDF] Best Practices for Data Reliability with LDom's
2010-05 [PDF] Best Practices for Network Availability with LDom's
2010-05 [PDF] Increase Application Scalability and Improve Utilization with LDom's

Solaris LDoms / Oracle VM Server SPARC
  • 2007-07 [PDF] Beginners Guide to Oracle VM Server for SPARC:Understanding and Deploying Logical Domains
  • 2010-05 [PDF] Best Practices for Data Reliability with Oracle VM Server for SPARC
  • 2010-05 [PDF] Best Practices for Network Availability with Oracle VM Server for SPARC
  • 2010-05 [PDF] Increase Application Scalability and Improve System Utilization with Oracle VM Server for SPARC

Wednesday, April 11, 2012

Windows: Security Issues Again

Zero-Day Flaw in Windows Apps Since Early 2000's

Zero-Day Exploit:

A Zero-Day Exploit means that as soon as you turn on or install the software, you are vulnerable. Most PCs ship with applications like MS Office bundled, right out of the factory. Microsoft posted a security bulletin in April regarding some vulnerabilities.

Exploit Description:

The Register writes:

One of the four critical patches in the batch – MS12-027 – addresses an Active X issue that impacts numerous applications and creates a mechanism to drop malware onto vulnerable Windows systems.

Microsoft warned of attacks in the wild against the zero-day flaw, which affects an unusually wide range of Microsoft products and Microsoft users. Applications affected include Office 2003 through 2010 on Windows; SQL Server 2000 through 2008 R2; BizTalk Server 2002; Commerce Server 2002 through 2009 R2; Visual FoxPro 8; and Visual Basic 6 Runtime.
And quotes:

"Attackers have been embedding the exploit for the underlying vulnerability CVE-2012-0158 into an RTF document and enticing the target into opening the file, most commonly by attaching it to an email," Wolfgang Kandek CTO at security services firm Qualys explains. "Another possible vector is through web browsing..."

Basically, if you have a MS Windows platform with any Microsoft Application (e.g. Works, Office, Internet Explorer, etc.) - you are vulnerable... and Microsoft is warning users that attacks will begin to surge in the next 30 days, while people have not yet patched their systems.

This flaw has been around a decade: a facility provided by the OS and embedded into applications on nearly every Windows based server and/or desktop on the internet. A patch is available now, but another issue recently uncovered will not be fixed until next month.

By the way, If you are a Windows, Apple, or Linux user - Adobe Acrobat Reader needs some patching, too.

If you are a Solaris client user, your system should be fine.

Nightmare Scenario:

We just discussed several days back about an Apple vulnerability due to a third-party Java exploit. This one is due to a competing Microsoft Technology called "Active-X".

Welcome to the proverbial nightmare scenario for network managers - every system, everywhere, must be patched immediately, because of OS based issues with nearly every business and consumer application. Don't delay!

Solaris Tab: SPARC White Paper Addendums

The Solaris Tab was recently updated with some white papers.

A new category was added for SPARC White Papers.

White papers were placed in date order, using shortened titles on the top, for easy access, while they were categorized with their full titles on the bottom according to topic.

Solaris Reference Material
2010-04 [PDF] Oracle's Sun SPARC T5120/T5220, T5140/T5240 Server Architecture
2010-04 [PDF] Oracle Sun SPARC Enterprise T5440 Server Architecture
2011-02 [PDF] Oracle's SPARC T3-4, T3-2, T3-1, and T3-1B Server Architecture
2012-02 [PDF] Oracle's SPARC T4-1, T4-2, T4-4, and T4-1B Server Architecture
2012-04 [PDF] How the SPARC T4 Processor Optimizes Throughput Capacity: A Case Study

SPARC White Papers
2010-04 [PDF] Oracle's Sun SPARC Enterprise T5120/T5220 and Oracle's Sun SPARC Enterprise T5140/T5240 Server Architecture
2010-04 [PDF] Oracle Sun SPARC Enterprise T5440 Server Architecture
2011-02 [PDF] Oracle's SPARC T3-4, SPARC T3-2, SPARC T3-1, and SPARC T3-1B Server Architecture
2012-02 [PDF] Oracle's SPARC T4-1, SPARC T4-2, SPARC T4-4, and SPARC T4-1B Server Architecture
2012-04 [PDF] How the SPARC T4 Processor Optimizes Throughput Capacity: A Case Study

Monday, April 9, 2012

Ksplice: Kernel Update Without Reboot

[Ksplice image courtesy Linux by Knight]

Operating Systems normally comprise two distinct layers: the kernel and the user space. Normally, updating the kernel requires a reboot, so the OS can load the new kernel. Operating Systems like Solaris created a mechanism called "live update" to update the OS Kernel, OS User Space, or even third-party applications (not to mention provide rollback) with merely a reboot. Oracle Solaris 11 facilitates virtually unlimited patch/rollback cycles leveraging ZFS. The new Ksplice tool from Oracle allows Linux to get closer to Solaris uptime requirements by providing kernel updates without reboot, leaving OS User Space and Applications to the normal reboot or application restart cycles.

Ksplice is a feature of Oracle Linux which installs kernel updates on live systems without reboot; it is free with Oracle Premier Linux Support, and is available today. Even IBM's developer network has some nice things to say about Ksplice, owned by Oracle, and provides a detailed description of how it works.

Ksplice will only work on kernel code distributed by Oracle, not third-party open source kernel modules. Ksplice: applies kernel updates in the memory of the running system; is used in conjunction with Yum or Uptodate for the Kernel and OS User Space binaries on-disk; does not provide a mechanism to update applications.

Example Commands:
Some important commands, highlighted in a recent screen cast from Oracle include:
uptrack-update - applies kernel version updates on a live system without reboot
- shows updates on the
uptrack-show - shows installed updates and the effective kernel version
uptrack-remove - rolls back kernel updates on a live system without reboot
/etc/init.d/uptrack - installs Ksplice kernel updates on top of the on-disk kernel at [re]boot; can also automatically install updates dynamically. - Web GUI interface to see updates on all servers

Screen Cast Video:
This screen cast provides a Ksplice overview, kernel patching demo, as well as a FAQ.

Network Management Implications:
Solaris offers a single reboot for OS Kernel, OS User Space, and Application updates, while Ksplice provides Oracle Enterprise Linux with a way to increase availability by avoiding reboots for OS Kernel updates (while leaving third-party drivers, OS User Space, and Applications to solve the problem on their own.)

With the ability of modern operating systems like Oracle Solaris and Oracle Linux to provide near 100% availability (with security), network management systems will increasingly leverage these two foundational components, so managed services providers will be able to provide better availability to their customers than ever before.

Saturday, April 7, 2012

Inevitable: Apple MacOSX Infected Via Java on Web


Desktop and Server systems based upon the Microsoft Windows platform have long been the most vulnerable platforms on the internet, providing the most efficient platform for malware writers to steal computing and network cycles from owners around the world. Various other open platforms (i.e. UNIX based systems), which serve much of the internet traffic, have long tried to keep from being infected by applying more rigorous security rules at the OS level. Apple, being one such vendor who migrated to a UNIX platform, had been successful in keeping their clients secure - but finally a single Java based vulnerability has been discovered (and leveraged) to exploit some systems.

Virus Buster:
A virus vendor located in Russia recently published a short research article on a particular threat, which has been closed by Apple.

Doctor Web—the Russian anti-virus vendor—conducted a research to determine the scale of spreading of Trojan BackDoor.Flashback that infects computers running Mac OS X. Now BackDoor.Flashback botnet encompasses more than 550 000 infected machines, most of which are located in the United States and Canada. This once again refutes claims by some experts that there are no cyber-threats to Mac OS X.
While infections are very uncommon, MacOSX based Apple Macintosh computers carry the same third-party software (i.e. Flash, Java, etc.) that exposes some level of vulnerability on every platform, including MacOS, Windows, UNIX, etc.

The Origin:

The virus research company explains how computers get infected.

According to some sources, links to more than four million compromised web-pages could be found on a Google SERP at the end of March. In addition, some posts on Apple user forums described cases of infection by BackDoor.Flashback.39 when visiting
The Morphing:
Companies started working on a solution, but before Apple released a patch, the attackers diversified the exploits used, so the malware might survive once the original hole was closed.

Attackers began to exploit CVE-2011-3544 and CVE-2008-5353 vulnerabilities to spread malware in February 2012, and after March 16 they switched to another exploit (CVE-2012-0507).
Security, At Last:
While this vulnerability has been "in the wild" on the internet for awhile, this particular virus was exterminated.

The vulnerability has been closed by Apple only on April 3, 2012.
Protecting Yourself:
This particular threat is not unique to Apple, but also other systems like Windows. Apple released a security patch, to close this vulnerability - it would be well advised that you regularly download updates from Apple to apply these patches whenever possible.

A general rule of thumb: STAY AWAY FROM IMMORAL (i.e. pornography) AND ILLEGAL (i.e. copyrighted material like music, videos, software, etc.) DOWNLOADS - NEVER VIEW OR DOWNLOAD SOFTWARE OFF OF THE INTERNET, UNLESS IT IS A WELL KNOWN SITE - NO MATTER WHAT COMPUTER YOU ARE ON... these sites notoriously try to download viruses to your computer!

Tuesday, April 3, 2012

POWER, AMD, Itanium, and SPARC

[IBM POWER5 Multi-Chip Module]

[Sony Playstation]

Remembering the loss of POWER on the desktop and anticipating the loss of POWER on embedded gaming consoles, it seems AMD might pick-up the gaming console business.
Whatever manufacturer AMD will choose, with its heterogeneous systems architecture (HSA), it's facing interesting new challenges. The signs indicating that Sony intends to switch to x86 processors and AMD GPUs for its next Playstation generation (2013/2014) are mounting. That Cell is not an option for Sony anymore already became largely clear when Cell partner IBM pulled out. With AMD's HSA concept, Sony could even fit the chip with its own extensions (FPGAs, media processors, DSPs and so on). And also Microsoft is supposed to be highly interested in an extended cooperation with AMD, for its next Xbox generation.
August of 2011, IBM unplugged POWER on their high-end Super Computer.
The Power 755 was supposed to be at the heart of the petaflops-busting "Blue Waters" super at the University of Illinois, but IBM pulled the plug on that deal last August.
POWER 7+ is more than 6 months late, with the press being virtually silent about it. It seems the high-end, mid-range, low-end, desktop, and embedded gaming consoles are all experiencing POWER problems with IBM.

[Intel Itanium Processor, courtesy Kazor-PT]
Itanium Death Knell

There has been much discussion from Oracle regarding the ceasing of Itanium application development. It seems Larry Ellison was really "The Oracle" he projected to be - Itanium may officially be dead in 2016.
Oracle's fraud counter-claim against Hewlett-Packard was dismissed by a Californian Superior Court, but during the proceedings it became clear that the Itanium line really doesn't have much of a future anymore. About two years after the eight-core chip Poulson, scheduled for this year, rolls out, the Kittson is supposed to follow, and we might still see the minimally improved Kittson+. Then, around 2016, the Itanium line will finally be ceased.
It seems, with how big of an issue Itanium discontinuance rumors were, that there would be more press regarding the now confirmed death of Itanium.

[Japan's Oakleaf-FX petaflopper at the University of Tokyo courtesy The Register]
Fujitsu SPARC64

As other RISC and VLIW vendors are finding themselves on sinking ships, Fujitsu releases another generation of SPARC CPU for their #1 performing supercomputer platforms.
Fujitsu has fired up the first installation of its PrimeHPC FX10 massively parallel Sparc-based supercomputer, a machine called Oakleaf-FX that weighs in at 1.13 petaflops of peak raw performance... For the PrimeHPC FX10 machines, Fujitsu has etched a new 16-core Sparc64-IXfx processor that runs at 1.85GHz
SPARC under Fujitsu doubles down and lives on - with a very occasional article about the vendor who creates the fastest supercomputer in the world.

[SPARC public roadmap February 2012, courtesy Oracle]
Oracle SPARC M-Series

When Oracle adjusted the SPARC roadmap - another M-Series with 6x the throughput was noted. The 16-64 socket platform has virtually no one in the industry speculating, which baffles this author.

An "unknown" blogger posted a comment, regarding the 10 month old #1 Fujitsu SPARC Super Computer article:
Too bad we'll probably never see those chips in an Oracle Server.
This writer is not exactly sure where an M-Series with 6x throughput will come from (in the next 6 months), unless it comes from Fujitsu's Super Computer investment. It seems pretty clear that the processor has to come from Fujitsu.

Oracle/Fujitsu M-Series receiving a significant boost is very good news for SPARC - considering other vendors (IBM POWER and Intel/HP Itanium) continue their decline.

[Oracle Magazine 2012 Cover with SPARC T5]
Oracle T Series

The March 2012 edition of Oracle Magazine had an image of the SPARC T5 processor, slated to be released later this year. With a doubling of the cores per socket and a doubling of the sockets per chassis - this should be a very nice addition to the SPARC family.

The addition of compression engines (in the T5), alongside the well-known crypto engines in the SPARC T Series, will be a welcome capability for general purpose computing. Fewer proprietary crypto cards, proprietary network devices with crypto engines, and proprietary disk arrays (sporting compression, encryption, and dedup) will be needed to achieve outstanding performance for general purpose applications running under SPARC.

Oracle Magazine provided a comforting photo of another next-generation open architecture SPARC chip (SPARC is an open specification designed & manufactured by multiple vendors), as single-vendor proprietary CPU's from IBM (POWER) and Intel (Itanium) continue to demonstrate their decline.