Oracle Solaris 11.4

gea (Well-Known Member):
ZFS Encryption as a ZFS property
with a key per filesystem is a feature of Oracle Solaris and an upcoming feature of Open-ZFS

In the light of the upcoming EU ruleset DSGVO (GDPR), which even demands state-of-the-art data security at a technical level, I am concentrating on making ZFS encryption (lock/unlock) accessible for end users without admin access to the storage management GUI (User-Lock/Unlock) and on allowing locking/unlocking based on a timetable, e.g. Auto-Unlock on working days in the morning and Auto-Lock in the evening.

User-Lock/Unlock via SMB and watched folders (working in current napp-it dev)
User-Lock is a new napp-it Pro feature to allow a user to lock/unlock a filesystem without access
to the Storage administration software. For User-Lock/Unlock, you must

- create an encrypted filesystem
- use a file or https based key
- enable User-Lock in ZFS Filesystems >> Encryption

- start the autolock service in menu Services

The service creates a ZFS filesystem "pool"/UserEncryption with a subfolder per encrypted filesystem.
Enable SMB sharing for this filesystem with the wanted ACL settings for the share and its subfolders
(one subfolder per userlock-enabled filesystem).

Content of these subfolders
Folders: =lock and =unlock
Controlfile: =switcher.move
Statusfile: service-state.xx_yy (xx=service state, yy=lockstate) ex service-state.online_locked

To unlock a filesystem: move the file =switcher.move to the folder =unlock
To lock a filesystem: move the file =switcher.move to the folder =lock

Auto-Lock (todo)
is a Pro feature to automatically lock/unlock a filesystem based on a timetable
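To make the watched-folder protocol above concrete, here is an added example (my own code, not napp-it's): a poller that looks at which folder =switcher.move sits in per subfolder, compares that with the service-state.xx_yy marker, and only then runs the zfs commands. It assumes Solaris 11's "zfs key -l" / "zfs key -u" syntax (OpenZFS would use load-key / unload-key), a subfolder-to-dataset mapping that comes from the service's own configuration (the hypothetical "datasets" dict), and a constructed sample share built in a temp directory. The mapping doubles as an allow-list, so a folder an SMB user creates or renames on the share never turns into a zfs command line.

```python
#!/usr/bin/env python3
"""Poller for a napp-it style User-Lock control share (added example).

Layout it expects, per encrypted filesystem, under the UserEncryption share:
    <subfolder>/=lock/            <subfolder>/=unlock/
    <subfolder>/=switcher.move    (lives in exactly one of the two folders)
    <subfolder>/service-state.<service>_<locked|unlocked>
"""
import os
import re
import subprocess
import tempfile

CONTROL_FILE = "=switcher.move"
LOCK_DIR = "=lock"
UNLOCK_DIR = "=unlock"
STATUS_RE = re.compile(r"^service-state\.(\w+)_(locked|unlocked)$")


def desired_state(subfolder):
    """Where the control file sits decides the target state; anything else is a no-op."""
    in_lock = os.path.isfile(os.path.join(subfolder, LOCK_DIR, CONTROL_FILE))
    in_unlock = os.path.isfile(os.path.join(subfolder, UNLOCK_DIR, CONTROL_FILE))
    if in_lock and not in_unlock:
        return "locked"
    if in_unlock and not in_lock:
        return "unlocked"
    return None  # missing, or a user copied it into both folders: refuse to guess


def current_state(subfolder):
    """Read the lock state back from the service-state.xx_yy marker file."""
    for name in os.listdir(subfolder):
        m = STATUS_RE.match(name)
        if m:
            return m.group(2)
    return None


def write_status(subfolder, service, lockstate):
    """Replace the marker file so SMB users can see the new state in Explorer."""
    for name in os.listdir(subfolder):
        if STATUS_RE.match(name):
            os.remove(os.path.join(subfolder, name))
    open(os.path.join(subfolder, f"service-state.{service}_{lockstate}"), "w").close()


def plan_commands(dataset, target):
    """Solaris 11 syntax (zfs key -l/-u); OpenZFS uses zfs load-key / unload-key."""
    if target == "locked":
        return [["zfs", "unmount", dataset], ["zfs", "key", "-u", dataset]]
    return [["zfs", "key", "-l", dataset], ["zfs", "mount", dataset]]


def poll_once(share_root, datasets, run=None):
    """One pass over the share. `datasets` maps subfolder name -> ZFS dataset
    (hypothetical; read from the service's own config) and doubles as the
    allow-list: folders an SMB user created or renamed are ignored.
    Returns [(dataset, new_state, commands)] for every transition performed."""
    if run is None:
        run = lambda cmd: subprocess.run(cmd, check=True)
    actions = []
    for name in sorted(os.listdir(share_root)):
        sub = os.path.join(share_root, name)
        if not os.path.isdir(sub) or name not in datasets:
            continue
        target = desired_state(sub)
        if target is None or target == current_state(sub):
            continue
        cmds = plan_commands(datasets[name], target)
        for cmd in cmds:
            run(cmd)
        write_status(sub, "online", target)
        actions.append((datasets[name], target, cmds))
    return actions


def make_demo_share():
    """Constructed sample share: one managed folder, currently unlocked, whose
    control file a user has just moved into =lock, plus a stray folder that
    is not in the allow-list and must be ignored."""
    root = tempfile.mkdtemp(prefix="UserEncryption-")
    sub = os.path.join(root, "tank_secret")
    os.makedirs(os.path.join(sub, LOCK_DIR))
    os.makedirs(os.path.join(sub, UNLOCK_DIR))
    open(os.path.join(sub, LOCK_DIR, CONTROL_FILE), "w").close()
    write_status(sub, "online", "unlocked")
    stray = os.path.join(root, "not_managed")
    os.makedirs(os.path.join(stray, UNLOCK_DIR))
    open(os.path.join(stray, UNLOCK_DIR, CONTROL_FILE), "w").close()
    return root


if __name__ == "__main__":
    root = make_demo_share()
    log = []  # dry run: collect the zfs command lines instead of executing them
    print(poll_once(root, {"tank_secret": "tank/secret"}, run=log.append))
    print(poll_once(root, {"tank_secret": "tank/secret"}, run=log.append))  # [] : nothing to do
```

Run it without the "run" argument on a real Solaris box and the commands are executed with check=True, so a failed key load leaves the marker file unchanged and the user sees the old state. The two-folder-plus-one-file layout is deliberately ambiguity-proof: a copy of the control file in both folders is treated as "no request" rather than guessed.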
 

dswartz (Active Member):
I tried spinning up an Oracle 11.4 VM under ESXi (just to play a bit). Got everything installed and enabled (I thought), but could not for the life of me get the SMB share I created to show up for either a Windows Server 2012 VM or a Windows 10 Pro workstation. The Oracle VM (named 'solaris') doesn't even show up in network browsing :( The SMB server is running, etc... Any ideas on what I might be missing? Thanks!
 


dswartz (Active Member):
1. Yes, sorry, should have mentioned that I did this.
2. Supposedly yes. I was doing it the old way "zfs set sharesmb=on tank/foo". Maybe that's not the right way, but there was no indication of anything wrong...
 

dswartz (Active Member):
This is getting stranger and stranger. I downloaded and installed a CE version of nexentastor 5.1. Same damn thing. I create a dataset and share via smb. 'smb status' in nexenta shell shows it shared as tank_nexentastor, but it is not visible from: windows 7 pro or windows 10 pro. The two windows workstations show up fine in each other's network views, as does my wife's windows 7 laptop. The only things that seem to not show up are some flavor of solaris CIFS servers. I was interested in playing around with SMB3, but not enough to spend days banging my head against the wall like this. This *should* just work. I have confirmed that the smb server is running, and the share is valid, but nada. If there is something missing, they really should give you some indication, rather than nothing. Sorry to rant, but ugh...
 

gea (Well-Known Member):
On Solaris 11.2 and older Illumos-based systems, SMB sharing via the ZFS and kernel-based SMB server was enabled with a simple set sharesmb=on and everything was working. A newer Solaris added new features like multiple shares (and share permissions) per filesystem, which requires additional steps to enable SMB; see the Oracle manuals if you want to set it via console. In napp-it I take care of this in the GUI.

I cannot comment about NexentaStor 5. But on newer Illumos-based systems (that NexentaStor 5 relies upon) netbios is disabled per default. This is the service that publishes a share, and when it is disabled you can only access a share via \\ip\sharename (probably a security-related decision).

Check "sharectl get smb" for this property and optionally enable it.
 

dswartz (Active Member):
Just spent an hour groveling through their documentation. It sure seems like I did what I was supposed to, but I can't mount a share even using the explicit \\IP\sharename. I'll probably take another look some other time, but for now, fooey...
 

gea (Well-Known Member):
Weird
Illumos-based systems are known for an "it just works, zero config" behaviour, at least via \\IP\sharename. I cannot see a reason why this should be different with NexentaStor, as this is an Illumos distribution with their own dedicated web-based management software. The only thing that I remember from when I used NS was a very restrictive ACL setting (everything closed by default), while with napp-it I set everything open as default. But such permission settings will not affect accessing a share itself.

Oracle is different. They want to be different, better and complicated.
 

dswartz (Active Member):
To be fair, I didn't do much with NexentaStor. The 5.x release is totally revamped and managed through an Ubuntu web appliance, and I'm not confident I did everything right. That said, my main motivation for wanting to play with Solaris 11.4 was to test out SMB3, so OmniOS (not having that yet?) isn't worth getting involved with again...
 

gea (Well-Known Member):
Nexenta has integrated SMB3 into their fork of Illumos, just like they did with SMB 2.1. It then takes some time to upstream to common Illumos (OI, OmniOS, SmartOS etc.).
 

gea (Well-Known Member):
They don't have to upstream every extra from their Illumos fork, but as they integrate the goodies from others it is nice to do so, as they did with SMB2. As the sources are open, everyone can include them, like OmniOS did with LX containers from SmartOS. The point is more that it costs to support extras, and for other distributions this seems not important enough for their use cases.
 

gea (Well-Known Member):
Solaris Analytics and Solaris Dashboard

"One of the key features of Oracle Solaris 11.4 is Solaris Analytics. This is a radical redesign of the way that we look at how our Solaris systems are performing. To set the scene for why and how it is useful to you, let's take a short walk along memory lane for a minute."

What is this BUI thing anyway?
 

chune (Member):
Just spent an hour groveling through their documentation. It sure seems like I did what I was supposed to, but I can't mount a share even using the explicit \\IP\sharename. I'll probably take another look some other time, but for now, fooey...
Windows 10 will now remove SMBv1 if you are not on a domain. I believe gea outlined in another thread that most Solarish things still rely on SMBv1.
 

sstillwell (New Member):
But on newer Illumos based systems (that NexentaStor5 relies upon) netbios is disabled per default. This is the service that publishes a share and when disabled you can only access a share via \\ip\sharename (propably a security related decision).
On Active Directory-based systems, it's intended that all name resolution (including bare/canonical host name resolution like \\SERVERNAME\SHARENAME) should be resolved through DNS rather than NetBIOS. Mostly that just means that your hostnames need to exist in your local DNS zone and proper DNS search paths are configured on the clients, either manually or via DHCP. Same reasoning for the deprecation of file sharing via NetBIOS ports (137-139, NBT over IP) and changing to port 445 (SMB over IP).

With newer versions of BIND supporting dynamic updates from DHCP, this isn't as onerous of a thing as it might be, although the initial setup is harder than setting up a Microsoft DNS server on your AD controller.
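As an added example (my own, not from anyone in this thread), here is a small check that exercises exactly the two things sstillwell describes a client needing once NetBIOS is out of the picture: the server name must resolve through the normal resolver (DNS or hosts file, no broadcast), and TCP 445 must accept a connection. Ports 137-139 are never consulted. It assumes nothing about the server beyond that; the listener it starts is a constructed stand-in on an ephemeral loopback port that only completes the TCP handshake, so the example runs offline.

```python
#!/usr/bin/env python3
"""Minimal 'why can't I reach \\\\server\\share' check (added example).

Two questions, in the order a modern SMB client asks them:
  1. does the name resolve via the resolver (DNS / hosts), not NetBIOS broadcast?
  2. does TCP 445 accept a connection on one of the resolved addresses?
"""
import socket
import threading


def check_smb_path(host, port=445, timeout=2.0):
    """Return a dict describing why \\\\host\\share would or would not connect."""
    result = {"host": host, "resolved": False, "addresses": [],
              "tcp_ok": False, "error": None}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Nothing else matters if the name does not resolve: fix DNS first.
        result["error"] = f"name resolution failed: {exc}"
        return result
    result["resolved"] = True
    result["addresses"] = sorted({info[4][0] for info in infos})
    for family, socktype, proto, _, sockaddr in infos:
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
            result["tcp_ok"] = True  # handshake completed on this address
            result["error"] = None
            return result
        except OSError as exc:
            result["error"] = f"tcp {port} not reachable on {sockaddr[0]}: {exc}"
    return result


def start_stub_listener(host="127.0.0.1"):
    """Constructed stand-in for a listening SMB service on an ephemeral port.
    Nothing speaks SMB here; only the TCP accept is exercised."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed: stop
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, port


def closed_port(host="127.0.0.1"):
    """Pick a port that is (momentarily) not listening, to show the failure branch."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, port = start_stub_listener()
    print(check_smb_path("localhost", port))            # resolved, tcp_ok True
    print(check_smb_path("localhost", closed_port()))   # resolved, tcp_ok False
    print(check_smb_path("nx.invalid"))                 # resolved False (.invalid never resolves)
    srv.close()
```

Against a real server you would call check_smb_path("fileserver.example.internal") and read the two booleans: "resolved" False points at the DNS zone or search path, "tcp_ok" False with "resolved" True points at the SMB service or a firewall in between.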
 

tic226 (New Member):
Any news on the Intel 10GbE driver front? X552 wasn't recognized in 11.3 which was a dealbreaker..

Edit: Sadly not:
[attached screenshot: sol114.jpg]
 

brutalizer (Member):
ZFS in Solaris 11.4 has some new interesting features. Oracle bought GreenBytes for their superior, best-in-class deduplication. And now ZFS in 11.4 has "deduplication v2.0"; I guess it is using the superior GreenBytes dedup tech:
Ex-Sun Micro CTO reveals Greenbytes 'world-beating' dedupe

Another big piece of ZFS news is this: it is now possible to shrink current arrays! Block pointer rewrite has probably been implemented for this. So you can rebuild your 5-disk raidz1 to use 4 disks instead. This info is taken from the official Oracle Solaris blog. I cannot remember where right now.
EDIT:
Keeping word, no matter how long it takes aka. ZFS DEVICE REMOVAL
 