The
Software Express from Sun
Peter Baer Galvin
There was a time when Sun customers could receive SunOS on floppies
-- lots and lots of floppies. Loading that version was not much
fun. Then Sun began allowing customers to download current versions
of Solaris. And now, Sun has added to the fun by enabling downloads
of "snapshots" of future Solaris releases. The Software Express
for Solaris (SX) program allows existing Sun customers to download
an evolving release of Solaris. While writing three CDs worth of
downloads may not seem like fun to some, those of us who like experimenting
with new features and evaluating new functions now have a new way
to have a great time.
The difficult part of describing this new Sun access method is
that it has no equivalents, so it defies easy labeling. For example,
it's not a beta-test program. There is no application process, and
the software is fully supported, although it is "early-release"
software. The best way to consider this service is that, for free,
you can download snapshots of Solaris. These snapshots are versions
of Solaris that are not currently available any other way -- not
beta, and certainly not in a Sun box. Periodically, however, Sun
will capture one of these snapshots and package it, or something
like it, as a full Solaris release.
This month, I'll look at the Software Express (SX) program in
detail and explain how the program works, how well it works, and
what's in those snapshots.
Brief History
The SX implementation has been used at Sun for more than two years,
allowing engineers to exchange current versions of their code and
allowing systems administrators at Sun to get the latest builds
of Sun's software for installation on internal systems. In September
2003, Sun expanded its use to anyone outside the company who was
interested in trying these early releases.
Since then, there has been a predictable release every month.
There are more frequent internal releases but, of those, only the
best ones are made available for public consumption. Each release
must pass complete Sun release testing. At this time, more than
3000 individuals have registered and used SX.
How It Works
The software available includes SPARC and x86 snapshots of the
Sun Solaris development cycle. The download and use of SX and the
snapshots is under non-disclosure, because Sun wants to contain
discussion of features and bugs. (I received permission for this
column.) There are two access methods available. For free, the software
can be downloaded. However, there is no technical support available,
no discussion groups, no detailed roadmaps, and so on. It is strictly
a "give it a try" arrangement. For $99 per year, a user gets access
to the downloads as well as all of those other features. Bugs may
be submitted through a Web site, but not via phone. With paid access,
the operating system can even be used in commercial environments.
Note that with either package, feedback on bugs and features can
be given to Sun. Sun indicated that some sites are running these
releases in commercial, production environments. These customers
apparently felt that the new features outweighed the risk of running
a very new release. It is important to note that there will be no
patches released against the downloadable software. Rather, customers
are expected to download the next release, which should include
fixes to most of the bugs in the previous release. Overall, the
features of the $99 service are well worth the cost. One limit to
joining the program is that you need an existing right-to-use license
for Solaris on the machine(s) that will host SX releases. This is
not a way to run Solaris for free.
The downloads themselves are easy to manage. Of course, the files
are large, so a fast pipe is almost required. Sun provides a download
tool, but on Windows XP I had no luck getting it to work. Rather,
just using a Web browser and a cable modem brought the CD images
to my hard disk within an hour or so. I used Easy CD Creator to
write the images to CD, but any software that can create bootable
CDs should work. For English-language deployments, three CD images
are needed. Non-English language versions are also available and
require extra downloads. No tools or extra CDs are available. Documentation
is available from a password-protected section of http://docs.sun.com.
After the download, the rest of the installation looks just like
a "normal" Solaris rollout. All of the standard features are included,
plus the features Sun added after Solaris 9. The software can be
used for an initial install or upgrade.
Solaris Next
Evaluating the newly installed software took quite a bit of time,
as there are currently more than 200 features unavailable in Solaris
9. It includes the new TCP stack implementation (codenamed Fire
Engine), NFS V4, and a cryptography framework. It also has DTrace,
a wild new kernel trace facility. Of course, some things never change
-- I still had to run catman -w to index the man pages installed
on the system! According to the file /etc/release, the version I
tested was "Solaris 10 s10_46 SPARC", build 46 of Solaris 10. There
are several major new features in this release, including the following.
DTrace
The engineering team that worked on the DTrace system functionality
is proud of their new baby, as well they should be. They are running
a discussion group at BigAdmin (http://www.sun.com/bigadmin/content/dtrace)
and have posted some examples of DTrace use at comp.unix.solaris.
This tool should be invaluable to systems programmers and developers
who are debugging, performance tuning, or performance profiling
their programs. It will also help systems administrators determine
exactly what is happening on their systems. Of course, there is
a bit of work to be done first. DTrace is not simple to use and
requires an understanding of the "D" programming language to really
drive it. Its power is impressive, though, making the learning effort
worthwhile. The developers at Sun believe this tool makes Solaris
the most observable operating system in history. With DTrace, the
innards of Solaris are now available for debugging and probing.
"Fire Engine" Performance Enhancements
This major project is a re-architecture of the networking stack
to improve performance and scalability. The implementation involves
decreasing the number of locks involved in the network kernel code.
Some performance improvement is already evident (estimated at 10%),
with more coming as other aspects of the kernel are tuned to take
advantage of the new stack. The net result of these changes is that
the kernel will be able to drive fast networking HBAs at close to
theoretical maximum speeds -- a welcome improvement.
Solaris Cryptographic Framework
Solaris now has a core set of APIs and SPIs (service provider
interfaces) for user and kernel access to cryptography. It is based
on open standards (PKCS#11) and allows for general access to both
standard crypto libraries and crypto accelerators. Even without
the accelerators, the new facility improves encryption performance
significantly. The use of cryptography with Solaris should be easier
and more uniform in the future based on this new feature. Also,
Simple Authentication and Security Layer (SASL) is implemented,
as described in RFC 2222.
NFS Version 4
This release implements a new standard NFS protocol, as specified
in RFC 3530. It solves lots of long-standing issues in NFS, including
file locking, NFS through firewalls, and security. It's also integrated
with Kerberos V5 (SEAM).
Solaris Privileges
This new security implementation requires appropriate privileges
for administrative tasks, not just superuser rights. It restricts
processes to only those privileges that are required to perform
a task. Sys admins can limit a program's access using the least
privilege capability. There is also an API to access the privileges.
Unmodified programs that run as root still have all privileges,
but programs written to use this new facility are more secure and
have fewer access rights. Many native programs have already been
rewritten, so there are fewer setuid and setgid programs. A quick
count showed 79 setuid and 26 setgid programs on the new system. This is
far fewer than in previous releases, believe it or not. Furthermore,
devices now have a separate security policy. Permissions on a device
file do not fully determine access to the device. Privileges might
also be required for access to the device.
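A count like the one quoted above can be reproduced, and tracked from one snapshot to the next, with find. This is an added example, not from the original column or from Sun; the function names and the baseline-file format (one path per line, sorted) are assumptions of the example, and it uses only POSIX find options so it is not specific to Solaris.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a directory tree.
# Function names and the baseline-file format are assumptions.

# List every regular file under $1 that has the given mode bit set.
# $2 is 4000 (setuid) or 2000 (setgid). -xdev keeps find on one file system.
list_special() {
    find "$1" -xdev -type f -perm "-$2" -print 2>/dev/null | LC_ALL=C sort
}

# Count matches without assuming file names are newline-free:
# emit one dot per file and count the bytes.
count_special() {
    find "$1" -xdev -type f -perm "-$2" -exec printf '.' \; 2>/dev/null |
        wc -c | tr -d ' '
}

# Print files that are setuid or setgid now but absent from a saved
# baseline list, e.g. one captured right after the previous install.
new_since_baseline() {
    baseline=$1
    root=$2
    current=$(mktemp) || return 1
    { list_special "$root" 4000; list_special "$root" 2000; } |
        LC_ALL=C sort -u > "$current"
    LC_ALL=C comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Summary for one tree.
report() {
    echo "setuid: $(count_special "$1" 4000)"
    echo "setgid: $(count_special "$1" 2000)"
}

# Run as: sh audit.sh /usr   (no argument: only define the functions)
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

Anything new_since_baseline prints after an upgrade is a file that gained elevated rights since the baseline was taken and is worth reviewing.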
Many smaller changes to Solaris 9 can also be found in the latest
SX release as listed in the accompanying sidebar. Amazingly, this
is just a partial list of the new features found in SX that are
headed for the official "Solaris Next" operating system release.
Conclusions
With the Software Express program, Sun has given systems administrators
and developers a powerful new tool -- access to the future, today.
The SX program is easy and cheap, and therefore very likable. The
releases seem solid, with plenty of new features. Early access to
these features will aid developers in writing more secure, efficient
code, and aid administrators in planning future Solaris deployment
and testing new features. Some folks find enough value in the new
features to use these releases in production, which is certainly
a strong vote of confidence.
Future snapshots will include performance improvements, Trusted
Containers, and a new file system, plus quite a bit more. It's certainly
worth the time, money, and effort to be involved in this program
if your site is a heavy user of Solaris or is thinking about switching
to or expanding use of Solaris.
For more information about SX, see:
http://wwws.sun.com/software/solaris/solaris-express/sol_index.html
Acknowledgements
Some information for this column was provided by very helpful
people at Sun. They want to get the word out about SX and hope its
success will lead to other software being included in the Software
Express program. They include Bill Moffitt, Group Manager for Solaris
Product Management; Jackie Bao, Product Line Manager for Software
Express for Solaris; and Jill Berman, PR Manager at Sun.
Peter Baer Galvin (http://www.petergalvin.info) is the
Chief Technologist for Corporate Technologies (www.cptech.com),
a premier systems integrator and VAR. Before that, Peter was the
systems manager for Brown University's Computer Science Department.
He has written articles for Byte and other magazines, and
previously wrote Pete's Wicked World, the security column, and Pete's
Super Systems, the systems management column for Unix Insider
(http://www.unixinsider.com). Peter is coauthor of
the Operating Systems Concepts and Applied Operating
Systems Concepts textbooks. As a consultant and trainer, Peter
has taught tutorials and given talks on security and systems administration
worldwide.