Best Practices with IPS on Oracle Solaris 11

Copyright © 2013, Oracle and/or its affiliates. All rights reserved. 1


This session was presented at Oracle OpenWorld 2013, and covers some of the best practices for the new packaging system in Oracle Solaris 11, IPS.

Transcript of Best Practices with IPS on Oracle Solaris 11

Page 1: Best Practices with IPS on Oracle Solaris 11


Page 2: Best Practices with IPS on Oracle Solaris 11

Oracle Solaris 11
Best Practices for Software Lifecycle Management
Bart Smaalders, Solaris Engineering
Glynn Foster, Solaris Product Management

Page 3: Best Practices with IPS on Oracle Solaris 11


Program Agenda

Administrative Challenges

Package Management Overview & Demo

Best Practices With IPS

Looking Towards The Future

Page 4: Best Practices with IPS on Oracle Solaris 11


Administrative Challenges

• Manage more with less
• Lower operating costs
• Reduce complexity and avoid error prone processes
• Avoid / constrain virtualization sprawl
• Reduced planned and unplanned system downtime

Preventing You From Focusing On Your Business

Page 5: Best Practices with IPS on Oracle Solaris 11


Image Packaging System (IPS)

• Seamless package and package update management – no separate patches anymore!
• Streamlined software delivery through networked repositories
• Failsafe system updates
• Integrated with Oracle Solaris Zones

A New Way To Manage Software In Oracle Solaris 11

Page 6: Best Practices with IPS on Oracle Solaris 11


ZFS Boot Environments

• Zero initial investment
• Easy to use, fast and reliable
• Fast reboot lowers planned and unplanned maintenance windows
• Integrated with Oracle Solaris Zones

Safety Net For Your Data Center Operations

[Diagram, three stages: Active BE; Active BE and New BE; Active BE and Updated BE]

Page 7: Best Practices with IPS on Oracle Solaris 11


Failsafe System Update
Reduce Your Risk In Applying Critical Updates

New Security Update

• 6:00 Start Update (maintenance window 6-7pm)
• 6:00-6:01 Dependency checks, update planning – including virtualized environments
• 6:01-6:02 New ZFS Boot Environment created, updates downloaded and applied
• 6:04 Reboot, system up and running again

Fail safe system update: administrators can revert into an older boot environment if something goes wrong

Page 8: Best Practices with IPS on Oracle Solaris 11


Dr Martin Haller
System Management Director, City of Nuremberg

“Updating is so easy that we’ve even made the systems automatically update every week”

TECHNOLOGY DIFFERENTIATORS
• IPS
• Oracle Solaris Zones
• Oracle Solaris Cluster
• Service Management Facility

Page 9: Best Practices with IPS on Oracle Solaris 11


Anonymous Customer
Solaris Community Advisory Board

“With Solaris 10, it took 2 months to roll out a new patchset across the enterprise. With Solaris 11, it takes 10 days.”

TECHNOLOGY DIFFERENTIATORS
• IPS
• ZFS Boot Environments

Page 10: Best Practices with IPS on Oracle Solaris 11


Demo Time

Page 11: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #1

• Enforces best practice
• Kernel changes will automatically create a new boot environment
• It doesn’t cost anything (disk or time)
• Can be used for every administrative change – not just software updates!

Always Use ZFS Boot Environments

Page 12: Best Practices with IPS on Oracle Solaris 11


Support Repository Updates

• Consolidated update of bug fixes for customers on Oracle Premier Support
• Issued on a monthly basis
• Incorporations constrain software to be well tested by Oracle
• 5 digit versioning scheme
  – release.update.sru.build.respin
    For example, Oracle Solaris 11.1.6.4.0

Applying Updates To Your System

Page 13: Best Practices with IPS on Oracle Solaris 11


Critical Patch Updates

• Every 3rd SRU is called an official Oracle Critical Patch Update (CPU)
• Cumulative security fixes
• See My Oracle Support (MOS) Document ID 1547593.1

Applying Updates To Your System

Page 14: Best Practices with IPS on Oracle Solaris 11


Interim Diagnostic Relief

• Fixes to provide point relief for, or help further diagnoses of, critical issues
• Delivered using package archives
  – Sync to a local repository if necessary
• Fixes get rolled into a future SRU release
• Must be within 24 months of latest release
• See MOS Document ID 1452392.1

Temporary Relief When You Need It

Page 15: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #2

• Perform a dry run of your update to see what will change
    # pkg update -nv
• Don’t try to pick and choose what fixes you want to apply from an SRU
  – We do hundreds of hours of testing so you don’t have to!
• Update your baseline with SRUs and Oracle Solaris Updates regularly

Know What’s In Your SRU But Don’t Try To Be Clever

Page 16: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #3

• When updating a system, sometimes it is not obvious why it won’t work
• Be more explicit about what version of Oracle Solaris you are trying to update to
• E.g., Updating to Oracle Solaris 11.1.10.5.0
    # pkg update [email protected]

Troubleshooting A System Update

Page 17: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #3

• Review the history of successful and unsuccessful package operations
    # pkg history -l
• Review any facets that have been locked or unlocked
• Verify the contents of the repository you’re updating from to make sure the package version exists!
    # pkg list -af packagename

Troubleshooting A System Update

Page 18: Best Practices with IPS on Oracle Solaris 11


Oracle Hosted Package Repositories

• Oracle Solaris Release Repository
  http://pkg.oracle.com/solaris/release
• Oracle Solaris Support Repository
  https://pkg.oracle.com/solaris/support
• Oracle Solaris Repository Certificate Request
  https://pkg-register.oracle.com

Ready For You To Connect Your Systems To, 24/7

Page 19: Best Practices with IPS on Oracle Solaris 11


Page 20: Best Practices with IPS on Oracle Solaris 11


Page 21: Best Practices with IPS on Oracle Solaris 11


Local Package Repositories

• Needed for network restricted environments
• Better change control management
• Required if you’re applying IDRs to Oracle Solaris Zones (using AI manifests)
• Sync directly from Oracle’s package repositories or from ISO images available in MOS

Typical Use Case For Most Customers

Page 22: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #4

• Create separate repositories for dev, test, and prod
  – One repository per ZFS dataset
• Construct the repository in two ways
  – Use repository ISOs, but keep fully populated!
  – Sync a complete repository using pkgrecv
• Use Apache proxies to consolidate the repository URLs
    ProxyPass /prod http://example.com:10080 nocanon max=200
    ProxyPass /test http://example.com:10081 nocanon max=200
    ProxyPass /dev http://example.com:10082 nocanon max=200

Use ZFS To Quickly Clone Repositories

Page 23: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #4

• Use SSL enabled Apache for secure access to the repository
• Create a Certificate Authority (CA) - self sign or 3rd party
• Create client certificates
• Configure Apache
    SSLEngine On
    SSLCertificateFile /path/to/server.cert
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/ca_intermediate.pem
    SSLCACertificateFile /path/to/certs/repo_cas.pem

Use ZFS To Quickly Clone Repositories
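
How the proxy and SSL settings from the two "Best Practices With IPS #4" slides fit together in a single virtual host, as an added example that is not taken from the original slides. The server name and the SSLVerifyClient and AllowEncodedSlashes lines are assumptions; the paths and back-end URLs are the placeholders used on the slides.

```apache
# Added example: one HTTPS virtual host in front of three pkg depot servers.
# pkg.example.com is a placeholder name (assumption).
<VirtualHost *:443>
    ServerName pkg.example.com

    # Server identity presented to pkg clients.
    SSLEngine On
    SSLCertificateFile      /path/to/server.cert
    SSLCertificateKeyFile   /path/to/server.key
    SSLCertificateChainFile /path/to/ca_intermediate.pem

    # Client authentication (assumed settings): only clients holding a
    # certificate issued by a CA listed in repo_cas.pem complete the handshake.
    SSLCACertificateFile    /path/to/certs/repo_cas.pem
    SSLVerifyClient         require

    # Assumption: package names in request paths contain encoded slashes,
    # which must reach the depot undecoded (pairs with "nocanon" below).
    AllowEncodedSlashes NoDecode

    # One URL prefix per repository; each back end is a separate depot.
    ProxyPass /prod http://example.com:10080 nocanon max=200
    ProxyPass /test http://example.com:10081 nocanon max=200
    ProxyPass /dev  http://example.com:10082 nocanon max=200
</VirtualHost>
```

The client-certificate check only protects the repositories if ports 10080-10082 cannot be reached by clients directly, so restrict the depot listeners to connections from the proxy host.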

Page 24: Best Practices with IPS on Oracle Solaris 11


Package Publishing

• IPS contains a full suite of tools to create and publish packages to a repository – including best effort conversion of SVR4 and tarballs
• Publish to package archives, p5p, if you want disconnected operations
• Fully integrated into Automated Installer provisioning environments

Provide A Better Management Lifecycle For Your In-House Applications

Page 25: Best Practices with IPS on Oracle Solaris 11


Best Practices With IPS #5

• Keep cloned repositories from Oracle free of local customizations
• Don’t include system defined directories in your manifests
• If delivering configuration changes, take advantage of preserve and overlay attributes on the file action

Create Separate Repositories For Republishing Content

Page 26: Best Practices with IPS on Oracle Solaris 11


Looking Towards The Future

• Simplified repository management
  – Easy repository mirroring
  – Apache serving packages without proxy configuration
• Firmware dependencies
• Minimal server group package
• Intelligent release notes metadata

Some Projects Coming Down The Line

Page 27: Best Practices with IPS on Oracle Solaris 11


Looking Towards The Future

• Security package that includes CVE metadata
• User images
• Remote administration (RAD) interfaces
• Ksplice – kernel hot fixes

Some Projects Coming Down The Line

Page 28: Best Practices with IPS on Oracle Solaris 11


Further Resources

• Oracle Technology Network
  http://www.oracle.com/technetwork/server-storage/solaris11/technologies/ips-323421.html
• Oracle Solaris 11 Product Documentation
  http://docs.oracle.com/cd/E26502_01/index.html
• Oracle Solaris 11 Developer Documentation
  http://docs.oracle.com/cd/E26502_01/html/E21383/index.html
• My Oracle Support (MOS) – Oracle Solaris 11 Support Center
  Document ID 1559480.2

Where To Get More Information About IPS

Page 29: Best Practices with IPS on Oracle Solaris 11


More Oracle Solaris Events

• General Sessions
• Breakout Sessions
• Hands-on Labs
• Demos

http://bit.ly/OOW13-Solaris

Page 30: Best Practices with IPS on Oracle Solaris 11


Learn More

@ORCL_Solaris

facebook.com/oraclesolaris

Oracle Solaris Insider

blogs.oracle.com/solaris

youtube.com/oraclesolaris

oracle.com/solaris

Page 31: Best Practices with IPS on Oracle Solaris 11


Page 32: Best Practices with IPS on Oracle Solaris 11


Page 33: Best Practices with IPS on Oracle Solaris 11
