September 05, 2002
A Secure Server Is An Optimized Server

Solaris 9 Operating Environment

Stephanos Gosling
Reportedly five years in the making, Sun Microsystems' latest version of its operating environment, Solaris 9, lifts the company's flagship software to new heights. With iteration number nine, Sun has shifted focus, offering functionality beyond what anyone expected.

New Architect
October 2002

Like many admins, I use Solaris 7 and 8 extensively for my Web projects, due to their stability and scalability. As such, I was excited by the release of Solaris 9, which promised more of the same, along with many new features and deeper integration with other Sun products.

The Systems Administrator Kit includes the full Solaris distribution, documentation, and additional supported software, as well as unsupported free products and tools (mostly licensed under the GPL). Add to that StarOffice and trial versions of Oracle 9i and the Forte Suite of compilers and programming tools, and you're getting a hefty bundle. But here we'll focus on the contents of the operating system itself. In particular, some components that used to be add-ons are now part of the OS. For example, the Sun ONE middleware products for Web application development and deployment—which used to be called iPlanet products—are now bundled with Solaris, as are extras that were once part of the Easy Access Server.

At a Glance

Solaris 9 Operating Environment
Company: Sun Microsystems
URL: www.sun.com/solaris
Price: Single Processor System Administrators Media Kit: $95, full media and documentation. $50, slimkit (media only).
Pros: Faster, more scalable, improved system management, inclusion of open source software as well as integration of other Sun middleware.
Cons: No SSH Server in the core install, significantly larger than previous releases but modular. GUI based management a bit sluggish.

Installation and Setup

Installing Solaris 9 proved simple enough, but with a few significant changes. Instead of OpenWindows, Tom's Window Manager is now the default window manager. And Sun has finally fixed the installation process to allow you to specify the default network route. That persistent omission was the bane of anyone with NIS or DNS servers on a different network, as the inability to access such servers made installations or a sysunconfig awkward.

Once all the core packages are installed and you reboot, you're presented with the familiar login prompt (for the core install), or after further package installs, you get the dtlogin for the X Window system. The Common Desktop Environment (CDE) is still the default desktop and behaves exactly as before. (There were rumors that GNOME would replace CDE, but although it's available on one of the bonus software CDs, it isn't installed by default.)

Odd tweaks and fixes aside, the most striking thing about the installation is the huge change in disk footprint. The core installation was 398MB for Solaris 8, and it has ballooned to 709MB for Solaris 9. All that space is consumed by new software in this release. Samba appears for the first time, along with Wietse Venema's TCP-Wrappers, and numerous new libraries. Of course, software like this has always been available as compilable source code, but this is the first time it has been available on the installation media itself. It is a welcome convenience. And if disk space is tight, Sun's work to make Solaris 9 more modular allows for smaller installations. You can remove a lot more of the software in Solaris 9 than you could in Solaris 8, and it'll still work.

Security

Sun has added a significant number of security enhancements and new features to Solaris. One welcome addition is an SSH daemon—Solaris 9 ships with the Sun SSH Server 1.0, which is based on the BSD-licensed OpenSSH. Solaris lacked this essential networking tool for years, forcing administrators to use software ported from other operating systems or commercial vendors.

Curiously, the SSH server is not part of the core-class install. The package can be added later, but as many will use the core-class install as a basis for specialized and secure servers—not to mention that SSH is de rigueur for remote shell access—its exclusion is inexplicable.

Less obvious but equally important are changes behind the scenes. One is a long awaited arrival: a pseudo-random number generator within the kernel. /dev/random is a common Unix kernel device that, through a number of sources within a computer, generates a nearly random stream of characters. Before its inclusion, random numbers had to be generated ad hoc, which had security and performance implications, especially for software requiring cryptographic functions. Now there is a single source of random numbers in the system that doesn't require user intervention.

In another change, the Pluggable Authentication Modules (PAM) have been reworked and the associated documentation has been much improved. PAM integration in Solaris 8 was relatively meager, so this is a meaningful improvement. Such revision was also necessary for the integration of the Sun ONE products. The most important of these, of course, is the Sun ONE Directory Server (nee iPlanet Directory Server). With PAM support for LDAP as an authentication source out of the box, Solaris 9 catches up with Windows 2000 (which connects to LDAP by way of Active Directory) and Linux (which can use OpenLDAP).

Other pertinent security additions include IPSEC with IKE (Internet Key Exchange), which allows automated VPN connections with other Solaris servers as well as most firewall and network devices. Also, Solaris 9 is updated to include the full version of Sun's High Availability firewall, SunScreen 3.2.


The Solaris Management Console allows granular control over many aspects of the system, but the new resource-limiting system—as seen here—is particularly exciting.

Management for Big Iron

The Solaris Management Console (SMC) has undergone a big makeover behind the scenes. Considerably faster than its predecessor, it now resembles a feature-complete tool for managing all aspects of a server. Gone are the days of using different tools for different management tasks—no more admintool or metatool. User, share, and disk management tools, as well as a variety of monitoring applications, can be controlled and accessed through a single Java interface. This improved resource management system also boasts new modules for existing and new features; Logical Volume Management (formerly Solstice Disk Suite) is now integrated.

Roles have been extended and Projects, a method of process management, is new. The aim is to improve resource allocation among users and to offer a baseline level of performance on a heavily loaded server. In traditional Unix process scheduling, a process is allotted CPU time based on its priority (related to its type) and its niceness (assigned by the administrator). But such granular control does not scale well with large numbers of users. In Solaris 9, these functions are augmented by Projects. A Project consists of processes and tasks (groups of related processes). The administrator applies the resource control in the SMC, limiting the number of file descriptors, stack size, and so forth for processes; CPU time and number of lightweight processes for tasks; and CPU time for Projects themselves.

Moreover, the administrator can specify what happens if preset limits are reached. This schema is then applied to the user base—to users, groups, or roles. (Role-based access control was introduced in Solaris 8 as a method of abstracting execution rights from traditional Unix file permissions.) This allows a simple, scalable method of process management. Of little use on single-user computers or dedicated systems, it really comes into its own as server size and user base increases. If your company has a midframe-class server and one or more departments jostling for CPU runtime and memory, Solaris 9 is calling. In this area at least, its flexibility exceeds both BSD and Linux.
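The review sets these limits through the SMC. As an added example (not code from the article or from Sun), the Python below parses entries written in the project(4) text format and lists projects whose members have no hard cap on lightweight processes, the kind of gap that lets one department starve a shared server. The sample entries, project and user names, and the choice of `task.max-lwps` as the audited control are constructed for illustration.

```python
import re

# Constructed sample in project(4) format:
# name:id:comment:user-list:group-list:attributes
SAMPLE = """\
system:0::::
webdev:100:Web team:alice,bob::task.max-lwps=(privileged,200,deny);process.max-file-descriptor=(basic,256,deny),(privileged,1024,deny)
batch:101:Nightly jobs:carol::task.max-cpu-time=(privileged,3600,signal=SIGTERM)
scratch:102:Unrestricted:dave::
"""

# One resource-control value: (privilege,limit,action[,action...])
RCTL_VALUE = re.compile(r"\(([a-z]+),(\d+),([^)]*)\)")

def parse_projects(text):
    """Return {project: {"users": [...], "rctls": {name: [(priv, limit, action)]}}}."""
    projects = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 5)
        if len(fields) != 6:
            raise ValueError(f"malformed project entry: {line!r}")
        name, _projid, _comment, users, _groups, attrs = fields
        rctls = {}
        for attr in filter(None, attrs.split(";")):
            key, _, value = attr.partition("=")
            rctls[key] = [(p, int(v), a) for p, v, a in RCTL_VALUE.findall(value)]
        projects[name] = {"users": [u for u in users.split(",") if u], "rctls": rctls}
    return projects

def unbounded_projects(projects, control="task.max-lwps"):
    """Projects that have members but no 'deny' action on the given control."""
    flagged = []
    for name, info in projects.items():
        limits = info["rctls"].get(control, [])
        hard_cap = any("deny" in action.split(",") for _, _, action in limits)
        if info["users"] and not hard_cap:
            flagged.append(name)
    return sorted(flagged)

if __name__ == "__main__":
    print(unbounded_projects(parse_projects(SAMPLE)))
```

A limit whose action is only a signal, as in the constructed `batch` entry, notifies the process but does not refuse the request, which is why the check looks specifically for `deny`.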

Happy Developers

Solaris 9 is clearly intended to please developers of all kinds; the change in the licensing scheme suggests this. The prepackaged software only sweetens the deal. And the price/feature ratio on a developer platform such as an Ultra 10 or Blade 100 is now exceedingly attractive.

As you would expect, Solaris 9 is a complete Java development platform. As well as the requisite J2EE JVM, you get two servlet containers: the Sun ONE Application server as well as Jakarta Tomcat 4, the reference open source offering.

But enough about the features; how is Solaris 9 to use? The answer: very nice indeed. Subjectively, it is faster than its predecessor for the single user, and the difference is especially evident on older single processor computers. This is due to improvements both to the scheduling architecture and to the threading and memory management changes. Solaris 9 boots quicker, shuts down quicker, and simply "feels" fast, especially on smaller servers. In testing on a Sun Ultra 5S with 512MB RAM, external SCSI storage, and an UltraSPARC IIi processor, the difference was obviously noticeable, as it was on the E250s I tested.

The core system behaves as Solaris always has, rock-solid and reassuringly predictable. For larger environments, the SMC provides a consistent, easy-to-use interface for management. My one complaint about the SMC is that it can be sluggish to use. It is a great deal faster than its predecessor, but it's still not snappy. This is solely because it is a Java application burdened by the overhead that comes with the JVM.

Unless you are constrained by legacy applications, I recommend taking a serious look at Solaris 9. It offers the stability that we've come to expect from Solaris, with greater scalability. And the integration of new software packages demonstrates a new focus for Sun. Solaris 9 is a comprehensive operating environment, rather than simply an enhanced operating platform. Highly recommended.


Stephanos is a senior Unix administrator working in London for an international Internet software development house. He looks forward to feedback at stephanos@lineone.net.
