Oracle Solaris 11 - Ad Valoremkonferenciak.advalorem.hu/uploads/files/INFR_Vegh_Karoly.pdf ·...
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. |
Oracle Solaris 11 Security. Speed. Simplicity.
Karoly Vegh, Principal Systems Consultant
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
COMPLETE. SECURE.
Oracle Solaris: OS, Virtualization, OpenStack, Database integration
• Security and Compliance
• Virtualization and Cloud
• Oracle SW integration
Oracle Confidential – Internal/Restricted/Hig
Security and Compliance
End to End Cryptography
• Cryptographic platform automatically accelerates Java, Oracle Database, OpenSSL, and custom applications
• Cryptographic protection of data at rest and in motion
• High performance hardware based cryptography, near 0% overhead
• Meet compliance obligations with high performance disk encryption
• Integrates with Oracle Key Manager
Secure Application: the Oracle Solaris Cryptographic Framework serves every layer of the stack: Applications, Java, Oracle Database, Operating System Utilities, Storage, Virtualization, Firmware
EU General Data Protection Regulation (GDPR)
• A Regulation (directly applicable law), not a Directive
• Takes effect in all 28 EU member states after a two-year transition period
• Does not require any enabling legislation to be passed by national governments
• Extends the scope to all foreign companies processing data of EU residents
• Unifies data protection within the EU under a single law
Oracle SuperCluster Security Technologies (columns on the original slide: Compute, Storage, Network, Database)
Secure Isolation
§ Compute: Physical, Electrical, Hypervisor-Mediated, Kernel-Mediated
§ Storage: Physical, ASM Instances, ZFS Data Sets
§ Network: Physical (Ethernet), Ethernet VLANs, InfiniBand Partitions
§ Database: Multitenant, Instances, Schema, Labels
Access Control
§ Compute: RBAC / Privileges, LDOM Administration, Zone Administration
§ Storage: ZFS ACLs, Exadata Security, NFS Security
§ Network: IP Filter / iptables, Switch ACLs
§ Database: Audit Vault and Database Firewall, Roles and Privileges, Real Application Security, Database Vault
Data Protection
§ Compute: Immutable Zones, Read-Only Mounts
§ Storage: ZFS Administration, ZFS Encryption, LOFI Encryption, TDE
§ Network: SSH, SSL / TLS, IPsec / IKE
§ Database: Virtual Private DB, Data Masking, Redaction
Monitoring and Auditing
§ Compute: Solaris Auditing, Linux Auditing, BART / AIDE
§ Storage: ZFS Storage Appliance Logs, Exadata Storage Auditing
§ Network: IP Filter / iptables, Switch Logs
§ Database: Database Auditing, Audit Vault and Database Firewall
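BART / AIDE in the Monitoring and Auditing row are file-integrity tools: take a manifest of the file tree while it is known good, re-scan later, and report what was added, removed or altered. The following Python is an added example in that style and is not Oracle's bart(1M), AIDE, or any code from the slide deck; the directory tree, the tampering steps and the attribute set (type, mode, size, SHA-256) are constructed for the example, and only regular files are recorded.

```python
"""BART / AIDE-style file-integrity manifest: create, compare, report.

Added example, not code from the slide deck, from Oracle's bart(1M) or from
AIDE.  The directory tree, the tampering steps and the attribute set are
constructed for the example; only regular files are recorded.
"""
import hashlib
import os
import shutil
import stat
import tempfile

ATTRS = ("type", "mode", "size", "sha256")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root):
    """Return {relative path: (type, mode, size, sha256)} for regular files under root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                      # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                     # symlinks, devices, sockets: out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = ("F", stat.S_IMODE(st.st_mode), st.st_size, _sha256(full))
    return manifest


def compare_manifests(control, test):
    """Diff two manifests: added and deleted paths, and which attributes changed."""
    added = sorted(set(test) - set(control))
    deleted = sorted(set(control) - set(test))
    changed = {}
    for path in sorted(set(control) & set(test)):
        diffs = [a for a, old, new in zip(ATTRS, control[path], test[path]) if old != new]
        if diffs:
            changed[path] = diffs
    return {"added": added, "deleted": deleted, "changed": changed}


def demo():
    """Snapshot a constructed tree, tamper with it, and return the report."""
    root = tempfile.mkdtemp(prefix="bart-demo-")
    try:
        os.makedirs(os.path.join(root, "etc"))
        os.makedirs(os.path.join(root, "usr", "bin"))
        passwd = os.path.join(root, "etc", "passwd")
        ls = os.path.join(root, "usr", "bin", "ls")
        with open(passwd, "w") as fh:
            fh.write("root:x:0:0::/root:/usr/bin/bash\n")
        with open(ls, "wb") as fh:
            fh.write(b"\x7fELF stand-in for a binary")
        os.chmod(ls, 0o755)
        control = create_manifest(root)      # the trusted baseline

        # Tampering: an extra uid-0 account, a setuid bit on ls, a dropped binary.
        with open(passwd, "a") as fh:
            fh.write("backdoor:x:0:0::/:/usr/bin/bash\n")
        os.chmod(ls, 0o4755)
        with open(os.path.join(root, "usr", "bin", "nc"), "wb") as fh:
            fh.write(b"\x7fELF stand-in for a dropped tool")
        return compare_manifests(control, create_manifest(root))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    report = demo()
    for kind in ("added", "deleted"):
        for path in report[kind]:
            print("%-8s %s" % (kind, path))
    for path, attrs in report["changed"].items():
        print("changed  %s (%s)" % (path, ", ".join(attrs)))
```

The report is only as trustworthy as the baseline: an attacker who can rewrite the manifest can hide every change, so the control manifest belongs on read-only or off-host storage (an Immutable Zone or a read-only mount from the Data Protection row), and the comparison should run from outside the system under test.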
A More Compliant Deployment: How can I report my compliance status to my auditors?
• Easy compliance
• One-step compliance reporting
• Stay compliant
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |
Simple Compliance Reporting
An Assured Platform: What external security validations does Oracle test against?
• Evaluations
– Common Criteria validated: EAL4 (highest for commercial SW; EAL5 is, e.g., PRISM@NSA)
• Data ONTAP and VMware vSphere are EAL2
– FIPS 140-2 validated crypto (governmental and industrial sector: correctly implementing cryptographic algorithms)
• Often a procurement requirement
Secure OpenStack-Based IaaS
• Secure services
– Minimum privileges
• Data at Rest
– ZFS Encryption
• Data in Motion
– Secure Migration
• Network
– Data link Protection
• Application
– Read only VM
[Diagram: three Oracle Solaris hosts, each running several Zones]
Virtualization and Cloud
Solaris Virtualization vs. the Competition: OS and Virtualization – Engineered Together
• Traditional hypervisors (VMware, HP, RHEL guests): separate, isolated, slow
• Native Zones, Kernel Zones, OVM: engineered, performant, robust, secure; zero performance overhead
[Diagram: Native Zone or Kernel Zone guests on the Oracle Solaris host OS on hardware, labelled "Deep Integration"]
Oracle Solaris 11: Seamless Transition from Oracle Solaris 10
Tools: V2V, P2V, Oracle Solaris Zones, System Preflight Checker
• Minimal transition effort:
– Reduce risk with automated checks before you move
– Tools move you quickly and simply
– Transition in minutes
[Diagram: Oracle Solaris 10 systems running Fusion Applications and Database move into Solaris 10 Zones and a native Solaris Zone on Oracle Solaris 11]
Enterprise Class Built-in Security: Defense in Depth
• Protect at every level:
– Environment: unique read-only virtualization (Immutable Zones)
– Memory: ADI (Application Data Integrity) on the chip
– Network: embedded network protection
– Data at rest: ZFS encryption
– Data on the move: end-to-end encryption
• No performance impact: auto-offloading of CPU-intensive security functions
• Protect against malicious and unintentional acts

Immutable Zone profiles (zonecfg property file-system-mac-profile) and which directories stay writable:
Directories         none        flexible-configuration   fixed-configuration   strict
/, /usr, /lib, …    Writeable   Read Only                Read Only             Read Only
/etc                Writeable   Writeable                Read Only             Read Only
/var                Writeable   Writeable                Writeable             Read Only
other               Writeable   Read Only                Read Only             Read Only
[Diagram: Oracle Solaris host with ZFS and two physical NICs (PNIC) feeding VNICs for a Database zone and a WebLogic Server zone]
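The profile table above can be turned into a dry-run check before a zone is locked down: given the paths an application has to write, which profile will it tolerate, and what would each stricter profile refuse? The following Python is an added example and is not code from the slide deck or from Oracle's zonecfg(1M). The four profile names are the real values of file-system-mac-profile and the writable classes follow the table, but the directory classes, the reading of "other" as everything outside the OS image, /etc and /var, the OS_IMAGE_TOPS set and the sample write set are assumptions made for this example.

```python
"""Dry-run check of write access under Oracle Solaris immutable-zone profiles.

Added example; not code from the slide deck or from Oracle's zonecfg(1M).
The profiles are the values of the zonecfg property file-system-mac-profile;
which directories stay writable follows the table above.  The directory
classes, the reading of "other" as everything outside the OS image, /etc
and /var, and the sample write set are assumptions made for this example.
"""
import posixpath

# Directory classes that remain writable under each profile (from the table).
WRITABLE = {
    "none": {"root", "etc", "var", "other"},
    "flexible-configuration": {"etc", "var"},
    "fixed-configuration": {"var"},
    "strict": set(),
}
# Most permissive first, most restrictive last.
STRICTNESS = ["none", "flexible-configuration", "fixed-configuration", "strict"]

# Top-level directories treated as part of the read-only OS image.  The slide
# names only /, /usr and /lib; the rest of this set is an assumption.
OS_IMAGE_TOPS = {"usr", "lib", "bin", "sbin", "kernel", "platform", "boot", "dev"}


def classify(path):
    """Return "root", "etc", "var" or "other" for an absolute path.

    The path is normalised first so a traversal such as /usr/../etc/passwd is
    judged by where it lands (/etc), and matching is by path component so
    that /etcetera is not mistaken for /etc.
    """
    if not path.startswith("/"):
        raise ValueError("absolute path required: %r" % path)
    normalised = "/" + posixpath.normpath(path).lstrip("/")   # also folds a leading //
    top = normalised.split("/")[1]                             # "" for "/" itself
    if top == "etc":
        return "etc"
    if top == "var":
        return "var"
    if top == "" or top in OS_IMAGE_TOPS:
        return "root"
    return "other"


def is_writable(profile, path):
    """True if `profile` leaves `path` writable."""
    return classify(path) in WRITABLE[profile]


def denied_writes(profile, paths):
    """The subset of `paths` that `profile` would make read-only."""
    return [p for p in paths if not is_writable(profile, p)]


def strictest_profile(paths):
    """The most restrictive profile under which every path in `paths` is writable."""
    for profile in reversed(STRICTNESS):
        if not denied_writes(profile, paths):
            return profile
    raise AssertionError("unreachable: profile 'none' permits every write")


# Constructed write set of a hypothetical application zone.
APP_WRITES = [
    "/var/log/myapp/app.log",
    "/var/tmp/myapp.pid",
    "/etc/myapp/runtime.conf",
    "/usr/../etc/myapp/runtime.conf",   # traversal: really /etc
]

if __name__ == "__main__":
    for profile in STRICTNESS:
        print("%-24s denied: %s" % (profile, denied_writes(profile, APP_WRITES) or "-"))
    print("strictest viable profile:", strictest_profile(APP_WRITES))
```

For the constructed write set the answer is flexible-configuration, because runtime state lands in /etc; moving that file under /var would let the zone run as fixed-configuration. The model is the slide's four-row table only; the real profiles carry finer exceptions (for instance parts of /var that stay read-only under fixed-configuration), so confirm the outcome on a test zone before relying on it.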
Top US Wireless Service Provider: Oracle Database-as-a-Service Private Cloud
Solution
• 26 T5-8s
• 22 T5-4s
• 3 data centers
• 2 secure areas for PCI compliance
Results
• Saved $500 per VM vs. x86/Red Hat
• Total saving $20,000,000
• 12:1 consolidation ratio
• Flexibility for easy provisioning with Solaris Zones
[Diagram: Fusion Middleware / WebLogic Suite on Solaris]
Oracle Solaris 11.3: Solaris Kernel Zones – OS and Virtualization Engineered Together
• Next Generation Virtualization
– Simple administration
– Leverages Oracle Solaris resource management and network virtualization
– Seamless P2V and V2P
– Locked-down root file system for both guest and host
– Run “any” version, forward and backward compatibility
– Recognized as a License Boundary
[Diagram: Kernel Zones on one host, labelled Solaris 11.4 Zone, Solaris 11.3 Zone (Database), Solaris 11.2 Zone (WebLogic Server), SRU9, connected via a Virtual Router to an Infiniband Fabric and a 10GbE Network]
Full OpenStack Distribution Integrated with Oracle Solaris
• Horizon (Cloud Management)
• Nova (Compute Virtualization): Zones and Kernel Zones
• Neutron (Cloud Networking): Elastic Virtual Switch
• Cinder/Swift (Cloud Storage): ZFS File System
• Glance (Image Deployment): Unified Archives
OpenStack Across Oracle’s Portfolio
• Horizon: Centralized Cloud Management
• Nova / Ironic: Self-Service Compute and Bare Metal (Oracle Solaris, Oracle Linux, Oracle VM)
• Neutron: Software Defined Networking (Oracle Solaris, Oracle Linux, Oracle Virtual Networking)
• Cinder / Swift / Manila: Cloud Scale Storage (Oracle Solaris, Oracle Linux, Oracle ZFSSA, Oracle FS1, Oracle Tape Solutions, Oracle Axiom)
• Heat / Glance / Murano / Trove: Platform as a Service (Oracle Solaris, Oracle Linux, Oracle VM Templates, Oracle Database 12c)
Built into the Infrastructure
Cloud Ready Data Retention
[Diagram: Large US Web Technology Provider: Swift object storage with HSM and an SL8500 tape library]
Oracle Database Integration
Unique Advantages of Oracle Solaris for Oracle Database
Real Time Analytics
• DTrace integration
• SQL views
• End-to-end performance analytics
RAC Offloading
• Locking mechanism in kernel space
• Performance improvements via platform choice
Optimized Shared Memory
• Memory optimizations for Oracle Database: SGA resize
• No downtime
Transparent Data Encryption
• Crypto offloading
• Zero performance impact
Examples of Optimizations for Oracle DB: The Tip of the Iceberg (key on the original slide: Solaris 11.2 vs. new in Solaris 11.3, colour-coded)
CPU
• Full MT-hot kernel, scales to 100s of cores and 1,000s of HW threads
• Support for Critical Threads features in T4 chip
• 5x performance improvement of high-resolution timer
• Multi-processing and multi-threading support for Oracle DB
• Multi-CPU binding for NUMA-aware interrupt distribution
• Multi-CPU binding for pools
Memory
• Large Page support
• Optimized Shared Memory (OSM)
• NUMA I/O Framework
• Fast DB Restart
• Latency-aware kernel memory allocator (x86, SPARC)
• Re-architecture of Virtual Memory sub-system (VM2)
• Userland Fast-Memory Registration and Shared Protection Domain
• Read-only access to In-Memory Columnar Data
• In-Memory time stamps
• Up to 20x faster SGA fill times with VM2 and OSM integration
• Memory reservation pools
File System
• Userland file system for DB, Oracle File Server support
I/O
• Support for low-latency InfiniBand: RDSv3, SDP
• Direct I/O with concurrent writes
• Network Resource Management for RDSv3, prioritized flows for TCP/IP
• IB I/O Resiliency
Examples of Optimizations for Oracle DB: The Tip of the Iceberg, continued (key on the original slide: Solaris 11.2 vs. new in Solaris 11.3, colour-coded)
Observability
• Enhanced observability for segmentation faults
• Read-out of libdtrace by Oracle 12c
• Fine-grain IB performance stats for RDSv3 and OFUV
Reliability and Availability
• Dynamic reconfiguration notifications for DB for resource rebalancing
• FMA callback for bad hardware
• Alternative Path Migration (APM) fail-over for RDSv3
• Hot add and remove of IB HCA
Performance
• Improved PGA performance
• 2x faster DB start and stop
• Kernel lock acceleration for Oracle RAC
• SR-IOV support for OVM SPARC
Multi-tenancy
• Zones: secure isolation, lowest-latency virtualization; Kernel Zones
• PDBs: reservation of multiple virtual address spaces
Security
• Transparent crypto off-load for SPARC and x86
• Immutable kernel and global zones
Up to 20x faster SGA Allocation: Optimized for Oracle
[Bar chart: Time to full SGA allocation (seconds, y-axis 0 to 3500) against SGA size (128GB, 256GB, 512GB, 1TB, 2TB, 5TB) for Oracle Solaris 11.3 with 2M pages versus RHEL 7.0 with 2M pages; bar labels as extracted: 12, 12, 16, 29, 69, 166, 81, 155, 305, 609, 1221, 3122]
Security and Compliance key takeaways
• Encryption built-in
• Certified against external common security standards
• Compliant out of the box
• Compliance report made easy
• Access security through and through, as a systems foundation
• Minimum privileges for all services
Virtualization key takeaways
• Integrated, built-in, additional costs: 0
• High-density consolidation, zero overhead
• License boundary
• Investment protection (upgrade path)
• Real cost savings (Verizon)
• The only read-only virtualization
• Kernel Zones
• Full OpenStack distribution integrated in Oracle Solaris
Oracle DB Integration key takeaways
• SW in Silicon
• Memory subsystem improvements specifically for the DB
• Automatic thread optimization
• RAC offloading
• SGA resizing without downtime
• Full-stack observability with DTrace
✓Secure and Compliant
✓Simple Management
✓Affordable Virtualisation
✓Cloud Features
✓Oracle SW Integrated
Your Enterprise Cloud
Oracle Solaris 11.3 – Security. Speed. Simplicity.
AIX System Administrators Trained in a Week
Oracle Solaris 11 Training
UNIX System V-based operating systems
Get Started: IBM AIX to Oracle Solaris 11 Migration Fundamentals (30 min)
Get Trained: Oracle Solaris 11 System Administration for Experienced UNIX Administrators (5-days)
Get Certified