Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Seminar: Oracle Solaris 11 Built for Clouds (43516)
Presenter: Orgad Kimchi, Principal Software Engineer, Oracle
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Oracle Solaris 11 Built for Clouds
• Oracle Solaris 11: Built for DevOps - Nadav Lankin, Founder at DevOpsJLM
• Advanced Resource Management and Scalability Features for Cloud Environment using Solaris 11 - Haim Tzadok, CEO at Grigale
• Cloud Observation & Performance Analysis using Solaris 11 DTrace - Amit Hurvitz, Principal Engineer at Oracle
• Cloud Observation & Performance Analysis using Solaris 11 DTrace - Orgad Kimchi, Principal Engineer at Oracle
Agenda
• Virtualization
• Security and Compliance
• Networking
• Data management
Solaris 11 Cloud technologies
Oracle Solaris 11: Mission Critical Meets Cloud
Solaris 11: Best Foundation of Your Enterprise Class Cloud
Highly Available, Secure Platform for Enterprise Apps:
• Predictive self healing
• ZFS data integrity
• End to end encryption
• Compliance reporting
• DTrace observability
• Immutable zones
• Application Aware Clustering
Large-scale Cloud Management:
• Automated Install
• Fast, Fail-safe Packaging
• Zero overhead Server, Storage, Network virtualization
• Comprehensive cloud management solution
Built for Cloud Infrastructure: Integrated Virtualization, Security, Automated Install, Packaging, Zones, ZFS
Oracle Solaris 11: Mission Critical Meets Cloud
Integrated Virtualization
Designed-in Virtualization:
• Built-in server, storage, network virtualization
• Zone clusters
• Solaris 10 Zones
• Dedicated zone network and data resources
• Integrated load balancer, router, firewall
• Flexible network virtualization and resource controls
• Automatic network configuration
Advanced Protection:
• Pervasive, fast encryption
• Restricted root privileges
• Always-on auditing
• Secure by default
• Read-only root
• Active Directory integration
• Advanced user access controls
Scalable Data Management:
• Integrated deduplication, compression
• Flash + disk storage pools
• End-to-end data integrity
• Infinite snapshots and clones
• No cost replication
• Extreme scale: 128-bit FS with integrated storage management
Simplified Administration:
• Cloud designed installation
• Distro constructor
• Dependency-check packaging
• Fool-proof updates
• Fast reboot
• Delegated zone administration
• DTrace production safe observability
• Auto service case creation for hardware failures
Oracle Solaris 11: Designed-in Virtualization
Built-in Virtualization: Oracle Solaris 11 Zones
• Secure, light-weight virtualization
• Scales to 100s of zones/node
• Delegated administration
• ZFS datasets, boot environments
• Zone-specific observability
• Solaris 10 Zones
• NFS Server
• Network stack isolation and resource management
Co-engineered with installation, security, ZFS, networking, IPS, SPARC and x86 hypervisors
15x lower overhead vs. VMware; 4x lower latency vs. KVM
High Availability Using Oracle Solaris Cluster
Virtualized AND highly available
• Industry's only application-specific failover solution for virtualized applications
• Continuous cloud service availability
• 2.5x faster failure detection and recovery vs competitor
Mission Critical Meets Cloud
(Diagram: three zone clusters, one per tier: a Web Server-tier zones cluster running Oracle WebLogic Server, an Application Server-tier zones cluster running PeopleSoft Application Server, and a Database Server-tier zones cluster running Oracle RAC.)
Seamless Upgrades: Oracle Solaris 11 Zones, Oracle VM
• Seamless upgrades from previous version
• Live migration with OVM SPARC and OVM x86
(Diagram: a Solaris 10 system is moved into an S10 Zone on Solaris 11 by p2v or v2v; S10 and S11 Zones on Solaris 11 hosts running under Oracle VM are live-migrated between hosts.)
Data at Cloud Scale
Breakthrough Efficiency
• Scale Out Design. Built-in Data Services. No License Fees.
• Dataset Encryption, Deduplication, Replication, Compression, Flash-aware virtual storage pools
• Reduce Storage Use by up to 10x
• Encryption With Line-Speed Performance
• Rapid Provisioning of Virtualized Storage Resources
Cloud Ready Data Sharing
• Built-in, flexible, transparent, hardware assisted
• File Sharing: Unified User and Access Control with Active Directory integration: ZFS, NFSv4, CIFS, WebDAV, FTP(S), SCP/SFTP
• Cloud Ready OS install: Solaris boot from SAN, iSCSI and FCoE; Zones on iSCSI/FCoE ZFS pools
• Block Storage Sharing: Raw Disk & ZFS LUN: iSCSI, iSER, FCoE
For example, we will create a ZFS file system and share it using NFS:
root@zone1# zfs create -o encryption=on -o dedup=on -o compression=on -o mountpoint=/data -o sharenfs=on rpool/data
This uses the following options:
-o encryption=on: enable encryption
-o dedup=on: enable deduplication
-o compression=on: enable compression
-o mountpoint=/data: mount point location
-o sharenfs=on: share via NFS
As we can see, a ZFS file system with encryption, compression and deduplication can be created and shared over NFS in a single command!
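One way to verify those properties across a whole pool afterwards, as an added example that is not part of the seminar material: the Python below parses the tab-separated output of `zfs get -H -o name,property,value,source encryption,dedup,compression,sharenfs -r rpool` (field layout assumed from the zfs(1M) `-H` and `-o` options) and flags any dataset that is exported over NFS while its encryption property is off, which is the per-tenant encryption point the deck makes in the security section. The sample output is constructed, not captured from a real system.

```python
"""Audit ZFS dataset properties for NFS shares that are not encrypted.

Added example, not Oracle's code. Input format assumed to be that of
`zfs get -H -o name,property,value,source <props> -r <pool>`:
NAME<TAB>PROPERTY<TAB>VALUE<TAB>SOURCE, one line per (dataset, property).
"""
from collections import defaultdict

# Constructed sample; a real run would pipe `zfs get -H ...` into parse_zfs_get().
SAMPLE_ZFS_GET = """\
rpool/data\tencryption\ton\tlocal
rpool/data\tdedup\ton\tlocal
rpool/data\tcompression\ton\tlocal
rpool/data\tsharenfs\ton\tlocal
rpool/data/finance\tencryption\ton\tinherited from rpool/data
rpool/data/finance\tdedup\ton\tinherited from rpool/data
rpool/data/finance\tcompression\ton\tinherited from rpool/data
rpool/data/finance\tsharenfs\ton\tinherited from rpool/data
rpool/export\tencryption\toff\tdefault
rpool/export\tdedup\toff\tdefault
rpool/export\tcompression\toff\tdefault
rpool/export\tsharenfs\ton\tlocal
"""


def parse_zfs_get(text):
    """Return {dataset: {property: (value, source)}} from `zfs get -H` output."""
    props = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError("unexpected zfs get line: %r" % line)
        name, prop, value, source = parts
        props[name][prop] = (value, source)
    return dict(props)


def is_on(props, dataset, prop):
    """True unless the property is absent or literally 'off'.

    Encryption may report a cipher name (e.g. aes-128-ccm) rather than 'on',
    and sharenfs may carry share options, so anything other than 'off' counts.
    """
    value = props.get(dataset, {}).get(prop, ("off", ""))[0]
    return value != "off"


def find_unencrypted_shares(props):
    """Datasets exported via NFS whose encryption property is off."""
    return sorted(name for name in props
                  if is_on(props, name, "sharenfs")
                  and not is_on(props, name, "encryption"))


def summarize(props):
    """Per-dataset view of the four properties from the create command."""
    return {name: {p: is_on(props, name, p)
                   for p in ("encryption", "dedup", "compression", "sharenfs")}
            for name in sorted(props)}


if __name__ == "__main__":
    parsed = parse_zfs_get(SAMPLE_ZFS_GET)
    for ds, flags in summarize(parsed).items():
        print(ds, flags)
    for ds in find_unencrypted_shares(parsed):
        print("WARNING: %s is shared over NFS without encryption" % ds)
```

Child datasets inherit the parent's settings, so `rpool/data/finance` passes without any local properties; the unencrypted `rpool/export` share is the one that gets reported.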
11/3/13
Engineered Cloud Security At Every Level
Security in the Cloud
• Delegated administration
• Built-in Audit
• Immutable Zones
• Network and data layer protection
• Encrypted data per tenant
Defense in Depth. Multitenancy Design.
Secure Data for Cloud Tenants
• Encrypted. On the wire. On the disk.
(Diagram: one ZFS Storage Pool holding separate Finance, HR and Sales datasets, each attached to its own Finance, HR or Sales zone.)
Security Tailored for the Cloud
Application Runtime: Immutable Zones. Sandboxing: new basic privileges (net_access, file_write, file_read), further executable address space reduction. Network data-link & IP anti-spoofing for Zones.
Authentication: SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching.
Audit: Auditing on by default, audit policy in SMF, Secure remote audit trail.
Delegation: Sudo with auditing. Fine-grained user/password/RBAC management CLI with LDAP support.
Data Security: ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm.
Cryptography: Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration.
• Built-in, flexible, transparent, hardware assisted
Network at Cloud Scale
Virtualize, consolidate network infrastructure
• Increase performance and reduce costs
• Secure Isolation
Integrated functionality
• Routing, Firewalling, Load Balancing, Bridging, High Availability
4x Lower Latency vs KVM
Cloud-Scale Networking
Parallel networking stack. Built to scale.
• Hardware assisted Network Resource Management
• Optimized for performance at every level
Ease of Use
• Automatic Networking mode
• Fine grained observability
• VLAN isolation, dynamic VLAN provisioning
Parallel Network Virtualization Architecture
Virtualization and QoS designed-in
• Independent Hardware Lanes with dedicated resources (CPUs, I/O threads, interrupts): from the NIC to applications
• VNIC behaves just like a regular NIC (link speed, stats, MAC address)
• Hardware and software fanouts for best scalability
• Adaptive polling, depending on load
• Scales with hardware advances
• Tightly integrated with zone administration
Network Resource Control
• Set bandwidth limit on a VNIC (virtual link speed)
• QoS integrated in the core stack, no separate component to configure
• Constrain the CPUs used by VNICs or data links by CPU ids or pool names
• Integrated with Solaris resource management and zones
# dladm create-vnic -l net0 -p maxbw=100M vnic0
Controlling and Observing Flows: Control the Un-Controllable
• Bandwidth limits can be applied to traffic flows specified by the administrator; this includes datalinks in non-global zones
• Managed by flowadm(1M) and specified by source and destination IP addresses, protocol, port number, etc.
• Flows can be observed in real time with flowstat(1M), or a history can be obtained using extended accounting
Highly Available VNICs
• Link Aggregation provides transparent failover and increased throughput to VNICs and zones; compliant with IEEE 802.3ad
• IP Multipathing (IPMP) can also be used, but needs to be configured from within zones
Dynamic VLAN Provisioning: Elastic and Isolated Virtual Networks in the Cloud
• Global zone dynamically sends updates to switch when VLANs are configured on physical NIC
• Switch updates VLANs associated with each port
• Messages are sent only from global zone
• Data link protection can be used to block attempts from non-global zone to add unauthorized VLANs
• Based on IEEE 802.1d standard
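A configuration check that ties together the two controls above, the per-VNIC bandwidth cap set with `dladm create-vnic -l net0 -p maxbw=100M vnic0` and the data link protection that stops a non-global zone spoofing addresses or joining VLANs it was not given. This is an added example, not Oracle's code. It assumes the colon-separated parseable output of `dladm show-linkprop -p -o link,property,value -p maxbw,protection` for the zone VNICs, with `--` for an unset property and the bandwidth shown in the `100M` form used on the slide (check `parse_bw` against what your dladm version prints); the `mac-nospoof` and `ip-nospoof` protection values are the dladm link protection types. The sample lines are constructed.

```python
"""Audit zone VNICs: every one capped with maxbw, caps not oversubscribing
the physical link, and link protection set so a zone cannot spoof MAC or IP.

Added example, not Oracle's code. Input format assumed from
`dladm show-linkprop -p -o link,property,value -p maxbw,protection`.
"""

_UNITS = {"K": 10**3, "M": 10**6, "G": 10**9}
# Protection types every tenant VNIC should carry (dladm link protection).
REQUIRED_PROTECTION = {"mac-nospoof", "ip-nospoof"}

# Constructed sample of parseable dladm output: LINK:PROPERTY:VALUE.
SAMPLE_LINKPROP = """\
vnic0:maxbw:100M
vnic0:protection:mac-nospoof,ip-nospoof
vnic1:maxbw:500M
vnic1:protection:mac-nospoof
vnic2:maxbw:--
vnic2:protection:--
"""


def parse_bw(text):
    """'100M' -> 100_000_000 bit/s; K/M/G suffixes assumed to be bits per second."""
    s = text.strip().upper()
    if s and s[-1] in _UNITS:
        return int(float(s[:-1]) * _UNITS[s[-1]])
    return int(s)


def parse_linkprop(text):
    """Return {link: {property: value}} from colon-separated dladm output."""
    props = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        link, prop, value = line.split(":", 2)
        props.setdefault(link, {})[prop] = value
    return props


def audit_vnics(props, link_speed):
    """Return a list of findings; empty means every VNIC passes.

    link_speed is the physical NIC speed in the same '1G' notation, so the
    sum of all maxbw caps can be compared against what the NIC can carry.
    """
    findings = []
    total_bps = 0
    for link in sorted(props):
        p = props[link]
        bw = p.get("maxbw", "--")
        if bw in ("--", ""):
            findings.append("%s: no maxbw set; tenant can saturate the physical link" % link)
        else:
            total_bps += parse_bw(bw)
        prot = p.get("protection", "--")
        have = set() if prot in ("--", "") else set(prot.split(","))
        missing = REQUIRED_PROTECTION - have
        if missing:
            findings.append("%s: protection lacks %s" % (link, ",".join(sorted(missing))))
    if total_bps > parse_bw(link_speed):
        findings.append("sum of maxbw caps (%d bit/s) exceeds link speed %s"
                        % (total_bps, link_speed))
    return findings


if __name__ == "__main__":
    for finding in audit_vnics(parse_linkprop(SAMPLE_LINKPROP), "1G"):
        print("FINDING:", finding)
```

Run against a 1G uplink the sample reports `vnic1` missing IP anti-spoofing and `vnic2` with neither a cap nor any protection; against a 500M uplink it additionally reports that the 600M of caps already promised exceeds the link.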
Virtual Multi-Tiered Architecture
Network Virtualization: Virtual NICs (VNICs), Virtual switching, Hardware-assisted virtualization, Automatic VNICs for zones, SR-IOV Integration, VLAN isolation, Anti-spoofing protection
Resource Control: Integrated QoS, Bandwidth limits, Mapping to CPUs or CPU pools for isolation
Performance: Parallel stack, NUMA I/O Framework, SR-IOV Integration, Dynamic Polling, Buffer Management, Pre-mapped buffers, Kernel Socket API, 4x Lower latency vs KVM, Converged Ethernet
Built-in Network Functionality: Routing, Firewall, Load Balancing, VRRP, Bridging
Management: IPMP re-architecture, Vanity naming, Automatic IP configuration, Centralized IP administration, Centralized data link administration, Consolidated data link properties, GLDv3 unification for legacy drivers
Observability: Real-time data link, hardware, and flow statistics. History integrated with extended accounting. Capture local traffic through virtual switch and IP loopback path.
APIs: Committed GLDv3 APIs, pluggable TCP congestion algorithms, IP Filter Hooks, Kernel socket API
Cloud-Scale Networking With Solaris 11
Cloud Deployment Simplified
Redefining Software Lifecycle Management
• Error-free safe software updates
  – Automatic dependency checking of software packages
  – Cloned environment updated, immediate rollback if needed
• Reboot in seconds
  – In-kernel boot loader puts kernel into memory and switches
Safe Updates. Fast Reboots.
Safe Upgrade with Boot Environments
System updates are fast, reliable and reversible
• Low initial investment
• Improved user experience
• Encouraged best practice
• Fast reboot reduces planned maintenance windows
(Diagram: a ZFS pool holding the Active Boot Env, Other data and Unused space. Step 1: the Active Boot Env is cloned into a New Boot Env. Step 2: the New Boot Env is updated and becomes the Active Boot Env.)
Managing the Cloud from Applications-to-Disk
Driving Cloud Infrastructure Innovation
Security: Immutable Zones
Deployment: Linked Images, Parallel Zone Updates, AI Integration, IPS integration, Package minimization
Network: Virtual NICs (VNICs), Automatic VNICs, Bandwidth Control, Exclusive IP by Default, Network Observability, Infiniband Enhancements, Data Center Bridging, Edge Virtual Bridging
Storage: Zone Boot Environments, ZFS Datasets, Recursive ZFS send, NFS Server in a Zone, Zones on Shared Storage, Lofi improvements
Migration: Pre-flight Checker, Solaris 10 Zones on Solaris 11, Zones install update for V2V archives
Management: System Configuration, Clean Shutdown, Hung Zones, Zones "unavailable" state, Zonestat, Per Zone fsstat, Zones RAD Module
(Diagram: Web Tier, Application Tier and Database Tier, with Finance, HR and Sales datasets each attached to its own Finance, HR or Sales zone.)
Solaris 11, Solaris 11.1
Why Oracle Customers Choose Solaris
1. Reliable: If it must run, it’s on Solaris
2. Fast: World record leader for enterprise applications
3. Scalable: Engineered today for next generation systems. Invest for the future
4. Secure: Deeply integrated security. Trusted labeled configurations
5. Virtualized: Maximum resource utilization. Faster time to market
6. Engineered for Oracle: Best performance. Fastest deployments
7. SPARC and x86: Choice of industry’s leading enterprise architectures
8. Compatible: Preserves your investments. Avoids costly migrations
9. Trusted Vendor: One phone call
Top Reasons for Investing in Oracle Solaris Systems