OmniOS 151046 LTS (OpenSource Solaris fork/ Unix)

Notice: Page may contain affiliate links for which we may earn a small commission through services like Amazon Affiliates or Skimlinks.

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Release notes: omnios-build/ReleaseNotes.md at rn · citrus-it/omnios-build · GitHub

OmniOS "On Monday, Mai 1st OmniOS plans to release OmniOS r151046. There are a bunch of pretty cool new features in the upcoming release, but as it is with cool new features, they also tend to cause regressions. Have a look at the preliminary release notes to get an idea of what is in store (and please let us know if you see any errors or omissions there).

At the moment we are testing the release candidate, and in order to have the best quality release possible, we could really use your help!"


To upgrade to the release candidate use the following package repositories:

OmniOS r151046 (release candidate) (omnios)
OmniOS r151046 extra (extra.omnios)

If you upgrade to the release candidate now, you can later upgrade to the final release.

If you want to try the installation media, you can find them here

Index of /media/r151046/.rc/


The unique selling point of Solaris is the kernelbased SMB server with the following enhancements:
  • SMB now supports 256-bit ciphers.
  • SMB now has a new configuration option to enable support for short names. Only very old applications on old clients need short names, however it is necessary to support running the Windows Protocol Test Suites.
  • ls can show a Domain user or the Windows SID

ls.PNG

If you look at the output of ls it looks strange for a Unix filer.
The file 1.txt is created locally by root and owner/group is Unix root and the output of ls is as expected

The file 2.txt was created by a Windows client on OmniOS 151046 (both AD members).
ls -l gives gea@local.de (AD user) and ls -n returns the Windows SID of gea@local.de

ls -nn gives the (ephemeral) Unix uid/gid

This is exactly the same info that you get from Windows and Properties > Security > Owner

Why can you see the AD user as owner and not a Unix uid/gid as you would expect on a Unix filesystem like ZFS?
The reason is that the Solaris SMB server use Windows SID directly as an extended ZFS attribute. This gives a worldwide unique user identification as the domain is part of the SID. A Unix uid like 102 is not unique. Even after a backup/restore AD ACL remain intact without any mappings that you need when you use SAMBA instead the Solaris kernelbased SMB .


Udate
If you update to the release candidate, you can later update to the final release
 
Last edited:

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
The new minimalistic Solaris fork OmniOS long term stable r151046 (Unix) is out

Open-ZFS in its genuine Solaris environment
Perfect ZFS/OS integration with bootenvironments for troublefree up/downgrades and lowest resource needs for ZFS.

Opensource but with a commercial support contract option.
Regular often biweekly Security and bugfix updates are free.

A dedicated software repository per stable release
No sudden new features or unexpected behaviours, only security and bugfixes
Update is possible up from last r151038LTS. Switch repository, pkg update and reboot.

Fileservices like iSCSI/FC, kernelbased NFS and the multithreaded SMB server are part of the Solaris OS
with unique integration of Windows ntfs alike ACL and direct support of Windows SID for AD users to preserve permissions in backups, local Windows alike SMB groups and zero config ZFS snaps as Windows previous versions. Easy SMB config (no samba.cfg), just turn it on/off.
 
  • Like
Reactions: gb00s and ano

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Security update r151046e (2023-05-31)

Weekly release for w/c 29th of May 2023.
This is a non-reboot update

Security Fixes
Curl has been updated to version 8.1.2, fixing CVE-2023-28319, CVE-2023-28320, CVE-2023-28321, CVE-2023-28322.
OpenSSL has been updated to versions 1.1.1u and 3.0.9, fixing CVE-2023-2650. OpenSSL 1.0.2 has also been patched against this.
 
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Security and feature update r151046h (2023-06-20)

Weekly release for w/c 19th of June 2023.
This update requires a reboot

Security Fixes

Python has been updated to version 3.11.4;
Vim has been updated to version 9.0.1443.

Other Changes
SMB NetLogon Client Seal support;
Windows clients could get disconnected when copying files to an SMB share;
%ymm registers were not correctly restored after signal handler;
The svccfg command now supports a -z flag to manage services within zones;
The startup timeout for the system/zones service has been increased to resolve problems when starting a large number of bhyve zones in parallel in conjunction with a memory reservoir configuration;
Use automatic IBRS when available;
blkdev and lofi did not properly initialise cmlb minor nodes;
The ping command would fail when invoked with -I 0.01;
In exceptional circumstances, a zone could become stuck during halt due to lingering IP references;
An issue with resolving DNS names which have only multiple AAAA records has been resolved;
Improvements within the nvme driver to resolve a race and allow it to bind to devices that are under a legacy PCI root;
In exception circumstances, the system could panic when dumping a userland process core.
 
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Security and feature update OmniOS r151046l LTS (2023-07-20)

Weekly release for w/c 17th of July 2023.
This update requires a reboot

Security Fixes
OpenSSH updated to version 9.3p2, fixing CVE-2023-38408.
The prgetsecflags() interface leaked a small (4 byte) portion of kernel stack memory - illumos 15788.
OpenJDK packages have been updated to 11.0.20+8 and 17.0.8+7.

Other Changes
Various improvements to the SMB idmap service have been backported:
illumos 14306
illumos 15556
illumos 15564 Most notably, it was previously possible to get flurries of log messages of the form
Can't get SID for ID=0 type=0 and this is now resolved.

The UUID generation library could produce invalid V4 UUIDs.
An issue with python header files that could cause some third party software to fail compilation has been resolved.
 
Last edited:
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Critical security update OmniOS r151038dm (2023-07-25)

To update, run pkg update
To undo update: boot in former bootenvironment


Weekly release for w/c 24th of July 2023.
This update requires a reboot

Changes
AMD CPU microcode updated to 20230719, mitigating CVE-2023-20593 on some Zen2 processors.
Intel CPU microcode updated to 20230512, refer to Intel's release notes for details.


Actions you need to take:

If you are not running the affected AMD parts, then there is nothing you need to do.
If you are running the affected AMD parts then you will need to update the AMD microcode.

Note, only Zen 2 based products are impacted. These include AMD products
known as:

* AMD EPYC 7XX2 Rome (Family 17h, model 31h)
* AMD Threadripper 3000 series Castle Peak (Family 17h, model 31h)
* AMD Ryzen 3000 Series Matisse
* AMD Ryzen 4000 Series Renoir (family 17h, model 60h)
* AMD Ryzen 5000 Series Lucienne (family 17h, model 68h)
* AMD Ryzen 7020 Series Mendocino (Family 17h, model a0h)

We have pushed an initial commit which provides a microcode fix for this
issue for the following processor families:

* Family 17h, model 31h (Rome / Castle Peak)
* Family 17h, model a0h (Mendocino)

 
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
A few years ago Intel CPUs were unsecure, now AMD is affected.
If you think a move to cloud based services due unsecure local servers instead on premise services is the solution, you may find that the possible problems there are even worse as more services and users may be affected.

Everything is under fire now and the most important thing is that you prefer settings that are quite save and keep your systems up to date.
 
  • Like
Reactions: gb00s

piranha32

Active Member
Mar 4, 2023
189
140
43
A few years ago Intel CPUs were unsecure, now AMD is affected.
If you think a move to cloud based services due unsecure local servers instead on premise services is the solution, you may find that the possible problems there are even worse as more services and users may be affected.
"The cloud is just someone else’s computer"
 
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Security update OmniOSce v11 r151046n (2023-08-03)

Weekly release for w/c 31st of July 2023.
This is a non-reboot update

Security Fixes
OpenSSL packages updated to versions 3.0.10 / 1.1.1v / 1.0.2u-1, resolving CVE-2023-3817, CVE-2023-3446, CVE-2023-2975.
OpenJDK 8 has been updated to version 1.8.0u382-b05.


To update, run "pkg update"
To undo update: boot in former bootenvironment
 
  • Like
Reactions: gb00s

gea

Well-Known Member
Dec 31, 2010
3,141
1,182
113
DE
Release Notes for OmniOSce v11 r151046
r151046u (2023-09-20)
Weekly release for w/c 18th of September 2023.

This is a non-reboot update
Security Fixes
  • Curl has been updated to version 8.3.0
  • OpenJDK has has been updated to 11.0.20.1+1 and 17.0.8.1+1
  • Python has been updated to version 3.11.5
  • OpenSSL has been updated to version 3.0.11