I can agree with 95% of this whitepaper. This applies to all commercial Unices though, not just Solaris, when compared to Linux. These are the same reasons I do not consider Linux an enterprise OS yet… I am sure there are some that will disagree with me.
How can anyone compare the reliability of an unproven Solaris 10 with the long-available RH AS3?
You're kidding, right? Linux doesn't compare with current versions of Solaris; it's a given that 10 will be that much better.
When Solaris crashes it is really hard work to bring it back to life…
I personally have never seen an unrecoverable error happen on a Solaris server in 5 years of doing this. Even servers that aren't well maintained (like at my current job) are rock solid… some have been up 900+ days (not bragging, I think it's very stupid to run a server that long, but impressive nevertheless).
Hardly! Installing LTT is not a big deal for a competent admin. They skipped right over Xen and (others) in comparison with containers. Updating a system with just the drivers you want is possible on Linux, almost impossible on Solaris. Red Hat is not the only vendor available – by a very long shot – and they ARE overpriced, but this is a setup. The performance graphs on Linux are open for -serious- fudging. DTrace is really nowhere near the tool that it's described as; basically it is mostly a tool for digging yourself out of a hole, or at least finding that you've dug yourself into one.
Unbiased? Not even remotely close to unbiased. I was a huge Sun/Solaris guy at one point (and I still run it on some machines), but this PDF leaves me cold.
The only good point they made here was PRM. I haven’t seen nice implementations of this for Linux.
>I personally have never seen an unrecoverable error
>happen on a Solaris server in 5 years of doing this. Even
>servers that aren’t well maintained (like at my current
>job) are rock solid..some have been up 900+ days(not
>bragging i think its very stupid to run a server that
>long but impressive never the less)
I have. Lots of times. I’ve had our Ultra 250 spontaneously reboot a few times. I keep patches in it every 30 days without fail, and use only the recommended patchsets. I’ve seen a mirror fail and corrupt the other side of the mirror. I’ve done updates from one OS version to the other and had all the mirrors lost… following the documentation for migration to the letter. I’ve had the OS suddenly “lose” an entire controller card.
So, leave the trash talking to the baseball game… this is the real world. P.S. I’ve been at computing in the enterprise since 1988 and have run both Linux and Solaris in my own business since 1994. Threw out my old Solaris versions the other day, 1.1.0 and 1.1.1 were in the box. So please, save the rah rah session.
Solaris doesn't have anything that compares to SELinux. Though this technology is not yet fully mature on the Linux side, it's in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors' distros) before long. It is a much better and more powerful approach than ACLs, and was designed by world-class experts at the NSA.
But Solaris is going to have a bigger weakness: it's about to become open source. When a formerly closed source product goes open source, the black hats will eagerly study the source code for security flaws, and launch exploits. With Linux, the developers have been working in that environment for more than a decade, and the easy stuff has long ago been fixed. It might not be a good idea to expose a Solaris 10 box directly to the Internet without an intervening non-Solaris firewall until we have several months' experience with how well it stands up after the bad guys have access to the source.
(Please note I am not making a “security by obscurity” argument; the issue is that Solaris formerly was partly protected by obscurity, and that is going away).
Solaris *probably* gives an enterprise customer some minor technical advantages.
Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer. With Sun’s precarious stock market situation it would take a lot less to push them into that choice than it did last time.
The closest equivalent to DTrace in Linux is probably the Linux Trace Toolkit, which, with the separate DProbes facility, provides a similar type of dynamic tracing. However, using Linux Trace Toolkit requires building, installing, and booting a special kernel. This severely limits the use of LTT on production systems.
It's not as if DTrace runs in userspace. One could see the *ability* to build, install and boot a special kernel as a significant advantage. Also, LTT was recently merged into the -mm patchset and will possibly be included in the mainline kernel.
That's nice… but who in their right mind would run it on a production server?
“They skipped right over Xen and (others) in comparison with containers.”
Possibly because they don't really compare. Containers are a bit different. You should go look them up. A search for "Solaris Containers" on Google would do wonders.
“Updating a system with just the drivers you want is possible on Linux”
uhmm….ya..sure
“DTrace is really nowhere near the tool that it’s described, basically it is mostly a tool for digging yourself out of a hole or at least finding that you’ve dug yourself into one.”
And how much have you used it, pray tell?
You know…I was never a fan of Sun. Then I saw the people who were against them.
> So, leave the trash talking to the baseball game… this is the real world. P.S. I've been at computing in the enterprise since 1988 and have run both Linux and Solaris in my own business since 1994. Threw out my old Solaris versions the other day, 1.1.0 and 1.1.1 were in the box. So please, save the rah rah session.
Never said Solaris doesn't crash. I reject the original poster's statement that it's hard to recover a Solaris box when it crashes; that's just plain BS. It's not any harder than any other Unix OS to bring back, as long as it is built properly. So you have been using Solaris since 1994? And are a collector of outdated software… I have run across people that have been "computing in the enterprise" since the sixties and couldn't build a server properly to save their life. You may not be one of those, but either way, not impressed.
It is a nice article, but as pointed out above the security part on Linux is much broader than presented in this document. A vanilla Linux installation often has quite weak security, but so do vanilla Solaris installations (and yes, I have administered Solaris machines). Solaris can be enhanced, but it is my experience that Linux security is much more flexible and offers many more options for fine tuning than a security lock down in Solaris.
The hardware analysis is total BS; Solaris does not! have broad mainstream hardware support. Solaris does not even come close to Linux here; even OpenBSD has better mainstream hardware support (if you consider 32-CPU mainframes to be mainstream, then yes, Solaris has better hardware support than OpenBSD).
I think that the release of Solaris will be an important event, but no, it will not kill Linux (just as Linux did not kill FreeBSD). I like Sun a lot (I type this on a Sun box), but I am afraid that in the modern IT environment even a move like this will not save them from Big Blue. I wish the best of luck to open Solaris and to Sun; I just think it is too little, too late.
I’m officially declaring that I won’t read anything about Solaris vs Linux wars. The reason is that Sun’s marketing machine has a direct interest in showing that Solaris is just like Linux or better, and I won’t give them my “ears.”
I didn’t read any comment in this thread, for example.
RedHat (and Fedora) has Security Enhanced Linux, Solaris 10 has Privileges (man ppriv). In either case you have to be very careful about using either one because your applications either have to be aware of the security policy tools, or you are going to have to conduct some serious testing based on your security policy.
For example, if your security requirements specify Labeled Security (Mandatory Access Control) you would purchase Trusted Solaris and Oracle Labeled Security, products specifically designed to work in a MAC environment. This kind of security is very restrictive in what can be done. Is it necessary? In most cases, no.
And considering that Solaris 10 (formerly Solaris Express) has been available since August 2003, I don't necessarily think it is "new" to the malicious user. Combine Zones, Privileges, enhanced password security options, and Resource Management (for which there is no Linux equivalent I am aware of), and a Solaris 10 machine should be a pretty tough nut to crack.
“Possibly because they don’t really compare. Containers are a bit different. You should go look them up. A search for “Solaris Containers” on google would do wonders.”
In the June 2000 issue of PC Expert (a French magazine), a review of the HP Netserver LH 6000 concluded that going from 4 to 6 processors yielded negligible benefits. The test used was ZD ServerBench 99.
If this applies to Opteron servers too, why should Solaris support fees increase at the same rate as the number of CPUs found in a system? From the kernel point of view, does Solaris behave in a completely different way whether it sees 2 or 4 processors?
How about you elaborate on your claims instead of just blindly challenging others. As for updating a kernel without bloating, I do it all the time on Gentoo. When a new kernel tree gets dumped into /usr/src/ I cp the .config over, make all modules_install install, or maybe a make menuconfig to tweak some new options. After a successful upgrade I unmerge the old kernel tree and life goes on as usual. Also, not to mention, the hardware autodetection is pretty damn good. Every time I start with a fresh make menuconfig, I seem to already have all the right hardware options present.
Personally I'm not too interested in competing with Solaris; they can continue to sell their servers and so on. I'm more interested in using Linux and solving problems with it. But if you're going to challenge my methods or tools used, expect a lively debate.
“Hardly! Installing LTT is not a big deal for a competent admin. They skipped right over Xen and (others) in comparison with containers.”
Solaris 10 supports containers as-is out of the box. Doesn’t Xen require applying custom patches and recompiling the kernel? Unless it is rolled into the main kernel distribution, there will always be the chance of Xen not working with a new point release of Linux.
“Updating a system with just the drivers you want is possible on Linux, almost impossible on Solaris.”
Drivers take up negligible disk space and are loaded on-demand. Basically, they aren’t in the kernel if you don’t use them. This is true for both Solaris and for modular-Linux (not all statically compiled).
“DTrace is really nowhere near the tool that it’s described, basically it is mostly a tool for digging yourself out of a hole or at least finding that you’ve dug yourself into one.”
Er, that’s _exactly_ what DTrace is–a profiling and debugging tool. If debugging tools aren’t for digging people out of holes, what are they for? As a profiling tool, it can help make your hardware more cost effective.
“Unbiased? Not even remotely close to unbiased. I was a huge Sun/Solaris guy at one point (and I still run it on some machines), but this PDF leaves me cold.”
Actually, Sun is very consistent in their comparisons between Solaris and Linux. They are clear to mention when they are talking specifically about Red Hat (support costs) or the kernel in general. They prominently put Linux (Red Hat and SuSE) into their product line up. Sun is less biased than you would think. Of course, Solaris is their flagship, but they don’t shut you out of Linux (they have even said their sales people get paid either way).
“I have. Lots of times. I’ve had our Ultra 250 spontaneously reboot a few times. I keep patches in it every 30 days without fail, and use only the recommended patchsets. I’ve seen a mirror fail and corrupt the other side of the mirror. …”
Do you know how to hook up a serial console and do a diagnostic boot? What about SunVTS? You're treating Solaris as the scapegoat when you probably have a flaky component somewhere. Could be a bad CPU module, for example.
> Doesn't Xen require applying custom patches and recompiling the kernel? Unless it is rolled into the main kernel distribution, there will always be the chance of Xen not working with a new point release of Linux.
At this point, yes. But only until Xen is considered stable.
> Sun is less biased than you would think.
Schwartz, McNealy??? Unbiased??? Those two come to my mind as soon as I think of Sun.
“Solaris doesn’t have anything that compares to SELinux, though this technology is not yet fully mature on the Linux side, it’s in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors’ distros) before long.”
The NSA-grade security stuff is stuff that practically no one uses, because Trusted environments are just a PITA. For the hard core NSA types, that's why Sun has Trusted Solaris as a separate product. Solaris 10 is very adequate for general corporate networks.
“Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer.”
Holy cow. Sun isn’t going to turn down a paying support customer, and they abide by a pretty clear support life cycle timeline. You are just oozing at the ears with FUD.
Containers are very similar TO THE END USER to what Xen is doing. There are differences, but do they really matter?
Xen is pretty stable, contrary to above. It’s at version 2.03 at last blush, IIRC. Yes, it’s a kernel patch… how feeping hard is it to do “patch -p1 <some.patch ; make modules_install ; make install” anyways?
Regarding serial port monitoring on my U250: U250 servers don’t come with video cards. Need I say any more?
Look up LTT. See if it’s anything like DTrace. You might be surprised. Frankly, most problems that need solving can be found with good old sar and vmstat. But I’m not knocking DTrace, just saying that it isn’t going to set the world on fire.
As for drivers taking up neg. space and being loaded on demand, install a working development set of Solaris and then list the modules loaded at boot. Piss, moan, cry, throw your hands up in the air as desired. I wish I could get back all the time I’ve spent in pkgrm hell removing drivers that are simply not desirable on a server, but which Sun insisted on installing!
P.S. I use Gentoo for my home box to fool around, Debian for most of my servers with my own custom compiles of software that I plan to use (qmail, apache, php, freeradius, erpc, ucspci-tools, etc.) and a smattering of FreeBSD, Red Hat. And… gasp… both Solaris x86; Solaris SPARC.
I think if Solaris got more support for some Linux admin software I would definitely switch off of Linux onto an enterprise version of Solaris – just for the uptime.
> The NSA-grade security stuff is stuff that practically no one uses, because Trusted environments are just a PITA.
Fedora Core 3 uses SELinux by default, though the policies are lax.
In response to the comparison, there is also a Trusted Linux, made by the same people who did Trusted Solaris. In addition to the SELinux userland and kernel patches, there are rsbac-sources, lids, and grsecurity.
Linux systems have plenty of security options. Personally I don't use any one of them, but you can.
<<“Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer.”
Holy cow. Sun isn’t going to turn down a paying support customer, and they abide by a pretty clear support life cycle timeline. You are just oozing at the ears with FUD.>>
I guess you don’t care that Sun HAS ALREADY DONE EXACTLY THIS ONCE BEFORE (2002). Or perhaps you’re impressed by the fact that they’ve _double_ promised not to do it this time.
This is an outstanding paper because it finally tells the truth about Linux development model issues and other Linux inherent problems- problems that have nothing to do with UNIX but everything to do with religious movement behind Linux and GPL.
It is really great that Solaris can show Linux its place. Until now, if someone dared to criticize the "fix it yourself" GNU/Linux approach, they were labeled Microsoft fanboys.
The UNIX community was standing silent.
Suddenly, Solaris for x86 appears and tells the truth about the pathetic way of developing software by "the community."
Software must be developed by paid professionals managed by paid managers who see the big picture and, if necessary, can force a developer to do not what he wants but what the customer needs.
Now, if Linux advocates dare to speak, they are against Solaris. The UNIX community will not stay still watching how "GNU is Not UNIX" fanboys trash UNIX and the proper way of coding professional grade software.
It would be a stretch to say that Solaris will replace Linux overnight. But I know people who already installed Solaris in the test environment, and I believe that by the end of 2005 many companies will be using Solaris for x86 in many places where Linux runs today.
Papers like that one, presented to management, would help to make the one and only right choice: dump the crap forced on IT by the necessity to save costs and use free-of-charge Solaris.
“There are differences, but do they really matter?”
Patching, rebuilding, and re-installing the OS kernel is not something I would be enthusiastic about doing. On my own time, I don’t care, but for work there are too many variables in making sure the configuration is correct. Often, rebuilding a kernel is an iterative process of learning what modules are needed by trial and error.
“Regarding serial port monitoring on my U250: U250 servers don’t come with video cards. Need I say any more?”
What does the video card have to do with it? The key phrase, here, is "serial port." You know, that 25-pin female plug on the back of the server (two of them, labeled A and B). Set up a laptop with a terminal program like Minicom and a null-modem cable to your server, type Stop-D on your server after power-on, and sit back and bask in automatic diagnostic prowess. It's all in the OpenBoot documentation at docs.sun.com.
“Frankly, most problems that need solving can be found with good old sar and vmstat. But I’m not knocking DTrace, just saying that it isn’t going to set the world on fire.”
Relative to DTrace, sar and vmstat are like stone wheels on cars. You’re certainly free to use them, but don’t complain about the rough ride.
I have to conclude from this that Linux 2.6's performance eclipses Solaris (pun intended).
Sun is in the unique position of being able to perform comprehensive benchmarks of both operating systems on a level playing field.
Sun’s best interest also includes showing Solaris performs better than Linux in as many areas as possible.
So the fact that they do not provide any evidence, but seem happy to declare a “draw” between the two systems is proof enough that Linux blows their socks off.
Frankly, I think that Solaris Containers are a bit overrated. Isolating applications at the software level can also be done in Linux using User-Space, so no advantages here.
In fact, we can go one level higher with Linux: by utilizing an OpenPower server and installing Linux, we can then do DLPARs and gain better security than using Solaris Containers. Each LPAR will be isolated and not sharing anything. It can also dynamically allocate resources between the LPARs.
Furthermore, in a year or so, this will not be much to talk about when Intel comes out with their microprocessor (Vanderpool) for the x86 platform that allows for virtualization. Solaris 10 will not have much advantage over Linux on this x86 platform when this comes out.
Since I'm at work, and can't afford the time for a detailed reply to this PR PDF by Sun, I'll just vent my frustration at marketing crap like this by posting my disappointment. I don't trust Sun, never will trust Sun, and quite frankly I'd never recommend or use any of their products due to past and present behaviour. I'll try and go through the entire PDF reply by reply on various parts that I'm not impressed with when I get home.
Well, 900+ isn't that impressive; I have had those kinds of uptimes with both NetBSD and Linux. The uptime with these kinds of OS has more to do with hardware, and Sun has made some great hardware for long uptimes (the NetBSD box did run on Sun hw). If people tend to get short uptime with Linux then I would guess that it depends on cheap PC machines more than Linux.
Solaris is a great OS, but I would not say that having the greatest uptime would be one of its merits.
The comments for these Linux vs Xxxx articles are mostly dumb.
Linux isn't perfect. I doubt it will be perfect in my lifetime. With a bit of give or take on different issues I consider my Linux experiences roughly equal to my Windows experiences.
Linux makes a good server environment for competent Linux system administrators. It would be nice if some of the problems I have could be avoided, but I understand that "no warranties included" is especially true with using Linux.
I’m pretty damn sure that the same can be said for Solaris.
Just like any other operating system.
btw. I’m not an electronics fascist, I hate all computers equally.
> Frankly, I think that Solaris Containers are a bit overrated. Isolating applications in the software level can also be done in Linux using User-Space, so no advantages here.
There is a huge advantage with Zones compared to UML. First and foremost, each zone is not a separate instance of the OS running in memory, which means fewer system resources wasted on each OS instance — the upshot is that you can squeeze many more zones out of the same hardware than with UML, which means Solaris will always be more cost-effective than UML. Another thing to consider is the ease of maintenance with Solaris Zones — you can maintain one zone in respect to packages and patches just as easily as hundreds or thousands of zones, which means you need fewer sysadmins to babysit the virtual servers, which means you save tons of money with Solaris.
> In fact, we can go one level higher with Linux by utilizing an OpenPower server and installing Linux, we can then do DLPARs and gain better security than using Solaris Containers. Each LPAR will be isolated and not sharing anything. It can also dynamically allocate resources between the LPARs.
So what, you can run Solaris on Sun Fire hardware that supports domains and achieve even better resilience and security than LPARs (domains are absolutely independent of each other, whereas LPARs are not). Plus running LPARs (hypervisor on Power) wastes a lot of processor resources — you lose at least 30% of processor performance when you run LPARs. And oh yeah, there is no freaking way you can even dream of running 4000 virtual servers with LPARs — Solaris Zones beat LPARs hands down.
> Furthermore, in a year or so, this will not be much to talk about when Intel comes out with their microprocessor (Vanderpool)for the x86 platform that allows for virtualization
See above for problems with LPARs, as Intel is going to suffer from the exact same problems. You're better off using Solaris Zones now than waiting for some Intel tech that is going to suck anyway.
I thought it was a good, balanced whitepaper. It points out some weaknesses in Linux, yes (OMG! Linux isn't perfect!) but it can only lead to these weaknesses being addressed by the community and the vendors. Benchmarking and comparison are always good, the more the better.
I'm guessing that RH will offer a patched and supported version of the kernel with Xen / vserver / LTT pretty soon to go head to head with Solaris….
To Russian Guy: oh my, did you even read the PDF?? Your reply is completely irrelevant to the conclusions of the whitepaper!
> I'm guessing that RH will offer a patched and supported version of the kernel with Xen / vserver / LTT pretty soon to go head to head with Solaris….
Even if RedHat makes Xen production ready, it will be inferior to Solaris Zones nevertheless. As I mentioned above, Xen, just as UML, relies on independent instances of Linux running under a VM, which means there will be a much more significant performance impact with each new OS instance added and memory/resources wasted — Solaris Zones will make much better use of the same hardware. And again, Xen and UML do not address the maintenance/administration problems, so the only value you get is savings in hardware while administration costs remain pretty much the same. Solaris Zones reduce both parts of this cost equation — both hardware gets better utilized and administrative efforts are reduced.
> And again, Xen and UML do not address the maintenance/administration problems, so the only value you get is savings in hardware while administration costs remain pretty much the same. Solaris Zones reduce both parts of this cost equation — both hardware gets better utilized and administrative efforts are reduced.
Xen is already integrated with Fedora by now and it is dead easy to use and maintain.
>What does the video card have to do with it? The key phrase,
>here, is “serial port.”
So, if there is no video card… how do you suppose that I worked with the machine before it had IP connectivity? Hrm? Vulcan mind meld? I guess I did need to say more.
I’m probably confusing you still. Sorry.
>Patching, rebuilding, and re-installing the OS kernel is not
>something I would be enthusiastic about doing.
Guess you never used Solaris 1, then. Or was that SunOS4?
>I thought it was a good, balanced whitepaper.
You were wrong. Yes Solaris has some advantages here and there, but they damned Linux with faint praise where it has its advantages, and offered no way to back up their claims that Solaris is faster on particular loads or gave us any disclosure on their performance tests. They also failed to mention Xen, which is a major player in Linux-space. Saying that asking for a bug fix usually elicits a rude response from some random kiddy is also damning with faint praise – yes it can happen, but I’ll tell you what, I waited more than a year for Sun to fix its NFS problem that came up in Solaris 6 (or 7, memory is a funny thing) where if you had more than one IP address on a machine, NFSd would bind to only one address when sending outbound and that IP was usually not the first address on a given card, which caused all sorts of grief. Or how about when I bought x86 and specced out a box specifically for it, only to find out that x86 didn’t support the specific REVISION of the Adaptec controller I had, so wouldn’t recognize any drives… which took Sun eight months to fix. Sun doesn’t have very clean hands when it comes to fixing bugs, either.
> Guess you never used Solaris 1, then. Or was that SunOS4?
What relevance does SunOS have to Solaris 10? They are absolutely fundamentally different operating systems. You're running out of arguments, aren't you?
> which took Sun eight months to fix. Sun doesn’t have very clean hands when it comes to fixing bugs, either.
I’ve seen fixes delivered overnight by Sun, I guess it all depends on how well you can put the business justification in front of them. Overall I have a pretty good history with Sun delivering the fixes, so I can’t really agree there. I will prefer Sun’s methodology of fixing bugs to the hodge-podge Linux model any time of the day, because with Sun I at least have a throat to choke when something goes wrong.
I have to say that I was shocked to see how much support costs for Enterprise Redhat, compared to Solaris. I had no idea it cost so much. And no support for 4-CPU Redhat????
The article is a subtle hint for IT managers. It should be read as:
– Solaris is SUN. SUN is who to blame when something goes wrong. Hurrah!
– Solaris is more secure, stable and idiot-proof. Every (Big)admin wants to hear that. (Big)admins have a family with kids and don't want to be late for dinner every 2 days 😉
– Solaris from SUN is cheaper than Linux from Red Hat or Novell. That makes the boss happy!
Thank SUN! But don’t underestimate the power of the IBM-directed “community”.
“Solaris doesn’t have anything that compares to SELinux, though this technology is not yet fully mature on the Linux side, it’s in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors’ distros) before long. It is a much better and more powerful approach than ACLs, and was designed by world-class experts at the NSA.”
Such a security model is already in Solaris 10, fully mature and non-performance degrading.
Book: "System Administration Guide: Security Services" — Chapters 8 – 12, "Roles, Rights Profiles and Privileges"
– Could someone please explain to me this religious war from the Linux fan club?
– I, personally, love comparative PDFs; you learn far more by comparisons than by blind faith.
– I would love to be able to get RedHat, or Solaris X in my shop, or for that matter Mac OS X Server. There's a far greater chance of Solaris, with an enterprise company to back up the product, than Linux.
– Aren't these two OSes "sister OSes"? Man, I'd be happy to be running on either. This is like trying to pick from two shades of white! With DTrace a serious plus for our shop.
A simple search would have helped you find the answer.
I know the answer and I have done the search. I am calling Anonymous (IP: 61.95.184.—) on his BS.
SELinux and Solaris use RBAC, which is a MAC. They are very similar, or at least more similar, to each other.
The claim that "they are no way similar" is rubbish. In fact, Solaris has had RBAC since Solaris 8 or 9. The privileges and crypto framework are new in Solaris 10, as is the Auditing. These are many features Sun put into vanilla Solaris from Trusted Solaris. If you read the SELinux FAQ, the NSA clearly says SELinux is not a "Trusted" system. It just provides RBAC (MAC) and type enforcement.
So the article is right: Solaris 10 gets the upper hand over Linux. The article also mentions the SELinux patch.
The security in Trusted Solaris is not an add-on, it is an integral part of the product. For example the root user is a role (RBAC). For more (and correct) information read:
Fedora Core 3, 4 and RHEL 4 will come with SELinux by default, unlike Trusted Solaris which is a separate add-on. Learn it first.
Are you really that stupid? Yes. And let me guess, you have no clue what you are talking about. I just got done saying SELinux is not the same as Trusted Solaris. Trusted Solaris is not an add-on, it is a separate product.
The features that SELinux has are similar to the ones in Solaris 10. RBAC was in before Solaris 10. And guess what, it already is in the OS distribution?
RBAC is a mandatory access control mechanism that is used in SELinux and Solaris alike. Solaris 10 also has privileges and a cryptographic framework.
SELinux.org FAQ
“Is Security-enhanced Linux a Trusted Operating System?
No. The phrase “Trusted Operating System” generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. Security-enhanced Linux incorporates useful ideas from these systems but focuses upon mandatory access controls. It is expected that this work would be combined with other efforts (e.g., auditing and documentation) to construct a “trusted” system. “
“Introducing New Security Features in the Solaris 10 Operating System
The Solaris 10 Operating System (OS) includes advanced security features that were once only available to customers of the Trusted Solaris OS. The Solaris 10 OS is designed to provide comprehensive, in-depth security, protecting the enterprise at multiple levels, such as system security, strong authentication, encrypted communications, access controls, and accountability.
With the Solaris 10 OS, Sun raises the bar yet again by offering key technologies that protect against buffer overflow attacks launched from the network or security violations by trusted insiders. Some of the new security enhancements include Solaris Containers (formerly N1 Grid Containers) technology, Solaris Process Rights Management, and an encryption infrastructure that enables applications to take advantage of cryptographic hardware.
It is impossible to patch the kernel for most commercial Linux distributions in use in Enterprise space, which is what Sun is talking about.
This isn’t a college, it’s not some geek sitting at their home computer installing Linux from a free distribution, it’s business, and business is about support contracts.
When your server crashes — and oh yes, Linux can and does crash — you need to be able to contact your vendor’s technical support. Installing any kernel patch — any at all — or even rebuilding the official kernel from source is a sure-fire way of ensuring that they will not provide you with any support.
You see, you’re paying Redhat or SuSE to test the kernel and the software that they provide, in a controlled environment, to ensure that it meets availability and reliability constraints. You’re paying this because if your e-mail server is down for three days, it’s a disaster for your company. If your users can’t access their web accounts, you’re screwed. If you can’t bill or process payments, again, you’re in some pretty deep problems.
As soon as you install a non-standard configuration or start using kernel extensions, you basically guarantee that these folks who you are paying to provide you with support will not provide you with support.
If you like Linux, if you want to run it, go right ahead. If you think Xen meets your requirements — and if you’re willing to support the box and every application running on it yourself — then, again, go right ahead. But understand, you’re not Sun’s target market.
“Software must be developed by the paid professionals managed by the paid managers who see the big picture and, if necessary, can force a developer to do not what he wants but what customer needs.”
Exaggerating a bit, aren’t you? You seem to think all proprietary software is top of the line. That’s funny, because I can cite quite a few examples that are simply not no matter what type of software we’re talking about. You think Solaris is better than Linux? Fine. Are all closed source operating systems better than Linux? That certainly seems to be a matter of opinion.
Admit it, Russian Guy, there’s something about Open Source that you just can’t stand and can’t help flaming it whenever you get the chance. If it’s the zealots, you certainly ought to be able to see that even Solaris has fanatics as well.
>Are all closed source operating systems better than Linux?
I was told that Solaris 10 is open source.
>there’s something about Open Source that you just can’t stand
Yes, I can not stand an open source zealot spitting in my face when I dared to say that Linux is less than perfect.
I have no problem with Solaris 10 open source, which they intend to develop in professional way.
>even Solaris has fanatics as well.
When I find one who will label me a liar when I say that Solaris is not 100% compatible with, say, HP-UX, then I may change my mind.:)
Until now, I only had this problem with a zealot from open source OpenOffice when I had to tell him we can’t replace our MS Office (yet) because of lack of compatibility in some minor, but critical for us Office features.
Maybe it was just me, but I had to deal with open source Linux/OpenOffice zealots a few years ago when we evaluated the possibility of transition to Linux from UNIX and Windows.
The way I look at it is that they are both fine OSes. Same goes for OS X and the BSDs. I think Linux is ready for enterprise but it does have some limitations when it comes to LVM and crash dumping. I think some of this is impartial to the x86 arch than anything. I will say this though, I work for an automaker and they are using Linux as its new OS for production DB, web server and application server. We have just the same amount of problems with Linux as we do with HP-UX, AIX and even Solaris. Now we do have in-house builds that are based on SUSE with support from IBM (which, by the by, isn’t that great when you’re working midnights).
Both OSes crash, and depending on what you have running on said machine, both Solaris and Linux can be a total pain to try to recover. Especially if you’re talking a DB with terabytes of data and UFS logging not enabled.
With that being said, if asked personally what I would recommend, it would depend on application, budget and how much load the server would have to deal with.
Nice read. I had expected something totally biased (read M$); instead it was quite frank. Only two nitpicks:
– Linux more expensive than Solaris
Perhaps with some support options, but generally Linux is viewed as cheaper?
– Linux has nothing like DTrace
Correct, but kprobes ought to have been mentioned.
Summary:
David Burn’s conclusion is that both Linux and Solaris are valid options for the enterprise.
He does point out, correctly, that Solaris has an edge when it comes to security and stability (as in change).
Support costs are a toss-up as any serious enterprise will buy a contract from Red Hat or Novell if they deploy Linux.
>I personally have never seen an unrecoverable error
>happen on a Solaris server in 5 years of doing this. Even
>servers that aren’t well maintained (like at my current
>job) are rock solid..some have been up 900+ days(not
>bragging i think its very stupid to run a server that
>long but impressive never the less)
I have. Lots of times. I’ve had our Ultra 250 spontaneously reboot a few times. I keep patches in it every 30 days without fail, and use only the recommended patchsets. I’ve seen a mirror fail and corrupt the other side of the mirror. I’ve done updates from one OS version to the other and had all the mirrors lost… following the documentation for migration to the letter. I’ve had the OS suddenly “lose” an entire controller card.
So, leave the trash talking to the baseball game… this is the real world. P.S. I’ve been at computing in the enterprise since 1988 and have run both Linux and Solaris in my own business since 1994. Threw out my old Solaris versions the other day, 1.1.0 and 1.1.1 were in the box. So please, save the rah rah session.
Solaris doesn’t have anything that compares to SELinux, though this technology is not yet fully mature on the Linux side, it’s in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors’ distros) before long. It is a much better and more powerful approach than ACLs, and was designed by world-class experts at the NSA.
But Solaris is going to have a bigger weakness: it’s about to become open source. When a formerly closed source product goes open source, the black hats will eagerly study the source code for security flaws, and launch exploits. With Linux, the developers have been working in that environment for more than a decade, and the easy stuff has long ago been fixed. It might not be a good idea to expose a Solaris 10 box directly to the Internet without an intervening non-Solaris firewall until we have several months’ experience with how well it stands up after the bad guys have access to source.
(Please note I am not making a “security by obscurity” argument; the issue is that Solaris formerly was partly protected by obscurity, and that is going away).
Solaris *probably* gives an enterprise customer some minor technical advantages.
Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer. With Sun’s precarious stock market situation it would take a lot less to push them into that choice than it did last time.
The closest equivalent to DTrace in Linux is probably the Linux Trace Toolkit, which, with the separate DProbes facility, provides a similar type of dynamic tracing. However, using Linux Trace Toolkit requires building, installing, and booting a special kernel. This severely limits the use of LTT on production systems.
It’s not as if DTrace runs in userspace. One could see the *ability* to build, install and boot a special kernel as a significant advantage. Also, LTT was recently merged into the -mm patchset and will possibly be included in the mainline kernel.
On the other hand, DTrace is much more powerful.
—
Ziga
“LTT is not a big deal for a competent admin”
That’s nice… but who in their right mind would run it on a production server?
“They skipped right over Xen and (others) in comparison with containers.”
Possibly because they don’t really compare. Containers are a bit different. You should go look them up. A search for “Solaris Containers” on google would do wonders.
“Updating a system with just the drivers you want is possible on Linux”
uhmm….ya..sure
“DTrace is really nowhere near the tool that it’s described, basically it is mostly a tool for digging yourself out of a hole or at least finding that you’ve dug yourself into one.”
and how much have you used it pray-tell?
You know…I was never a fan of Sun. Then I saw the people who were against them.
So, leave the trash talking to the baseball game… this is the real world. P.S. I’ve been at computing in the enterprise since 1988 and have run both Linux and Solaris in my own business since 1994. Threw out my old Solaris versions the other day, 1.1.0 and 1.1.1 were in the box. So please, save the rah rah session.
Never said Solaris doesn’t crash. I reject the original poster’s statements that it’s hard to recover a Solaris box when it crashes; that’s just plain BS. It’s not any harder than any other Unix OS to bring back, as long as it is built properly. So you have been using Solaris since 1994? And are a collector of outdated software… I have run across people that have been “computing in the enterprise” since the sixties and couldn’t build a server properly to save their life. You may not be one of those, but either way, not impressed.
Uhh, ever hear of Trusted Solaris?
It is a nice article but as pointed out above the security part on Linux is much broader than presented in this document. A vanilla Linux installation often has quite weak security, but so do vanilla Solaris installations (and yes I have administered Solaris machines). Solaris can be enhanced but it is my experience that Linux security is much more flexible and offers many more options for fine tuning than a security lock down in Solaris.
The hardware analysis is total BS, Solaris does not! have broad mainstream hardware support. Solaris does not even come close to Linux here, even OpenBSD has better mainstream hardware support (if you consider 32 CPU mainframes for being mainstream then yes Solaris has better hardware support than OpenBSD).
I think that the release of Solaris will be an important event, but no it will not kill Linux (just as Linux did not kill FreeBSD). I like Sun a lot (I type this on a Sun box), but I am afraid that in the modern IT environment even a move like this will not save them from Big Blue. I wish the best of luck to open Solaris and to Sun, I just think it is too little, too late.
I’m officially declaring that I won’t read anything about Solaris vs Linux wars. The reason is that Sun’s marketing machine has a direct interest in showing that Solaris is just like Linux or better, and I won’t give them my “ears.”
I didn’t read any comment in this thread, for example.
(Mutes…)
RedHat (and Fedora) has Security Enhanced Linux, Solaris 10 has Privileges (man ppriv). In either case you have to be very careful about using either one because your applications either have to be aware of the security policy tools, or you are going to have to conduct some serious testing based on your security policy.
For example, if your security requirements specify Labeled Security (Mandatory Access Control) you would purchase Trusted Solaris and Oracle Labeled Security, products specifically designed to work in a MAC environment. This kind of security is very restrictive in what can be done. Is it necessary, in most cases no.
And considering that Solaris 10 (formerly Solaris Express) has been available since August 2003, I don’t necessarily think it is “new” to the malicious user. Combine Zones, Privileges, enhanced password security options, Resource Management (for which there is no Linux equivalent I am aware of), and a Solaris 10 machine should be a pretty tough nut to crack.
“Possibly because they don’t really compare. Containers are a bit different. You should go look them up. A search for “Solaris Containers” on google would do wonders.”
What about Linux-VServer?
http://linux-vserver.org/
Also relating to DTrace, check out LTT (http://www.opersys.com/LTT/).
In the June 2000 issue of PC Expert (a French magazine), a review of the HP Netserver LH 6000 concluded that going from 4 to 6 processors yielded negligible benefits. The test used was ZD ServerBench 99.
If this applies to Opteron servers too, why should Solaris support fees increase at the same rate as the number of CPUs found in a system? From the kernel point of view, does Solaris behave in a completely different way whether it sees 2 or 4 processors?
How about you elaborate on your claims instead of just blindly challenging others. As for updating a kernel without bloating, I do it all the time on Gentoo. When a new kernel tree gets dumped into /usr/src/ I cp the .config over, make all modules_install install or maybe a make menuconfig to tweak some new options. After a successful upgrade I unmerge the old kernel tree and life goes on as usual. Also not to mention the hardware autodetection is pretty damn good. Every time I start with a fresh make menuconfig, I seem to already have all the right hardware options present.
Personally I’m not too interested in competing with Solaris, they can continue to sell their servers and so on. I’m more interested in using Linux and solving problems with it. But if you’re going to challenge my methods or tools used, expect a lively debate.
It’s a paper from Sun. Check the url :
http://www.sun.com/solutions/documents/white-papers/Solaris-Linux-W…
http://www.sun.com . You know the conclusion.
“Hardly! Installing LTT is not a big deal for a competent admin. They skipped right over Xen and (others) in comparison with containers.”
Solaris 10 supports containers as-is out of the box. Doesn’t Xen require applying custom patches and recompiling the kernel? Unless it is rolled into the main kernel distribution, there will always be the chance of Xen not working with a new point release of Linux.
“Updating a system with just the drivers you want is possible on Linux, almost impossible on Solaris.”
Drivers take up negligible disk space and are loaded on-demand. Basically, they aren’t in the kernel if you don’t use them. This is true for both Solaris and for modular-Linux (not all statically compiled).
“DTrace is really nowhere near the tool that it’s described, basically it is mostly a tool for digging yourself out of a hole or at least finding that you’ve dug yourself into one.”
Er, that’s _exactly_ what DTrace is–a profiling and debugging tool. If debugging tools aren’t for digging people out of holes, what are they for? As a profiling tool, it can help make your hardware more cost effective.
“Unbiased? Not even remotely close to unbiased. I was a huge Sun/Solaris guy at one point (and I still run it on some machines), but this PDF leaves me cold.”
Actually, Sun is very consistent in their comparisons between Solaris and Linux. They are clear to mention when they are talking specifically about Red Hat (support costs) or the kernel in general. They prominently put Linux (Red Hat and SuSE) into their product line up. Sun is less biased than you would think. Of course, Solaris is their flagship, but they don’t shut you out of Linux (they have even said their sales people get paid either way).
“I have. Lots of times. I’ve had our Ultra 250 spontaneously reboot a few times. I keep patches in it every 30 days without fail, and use only the recommended patchsets. I’ve seen a mirror fail and corrupt the other side of the mirror. …”
Do you know how to hook up a serial console and do a diagnostic boot? What about SunVTS? You’re treating Solaris as the scapegoat when you probably have a flaky component somewhere. Could be a bad CPU module, e.g.
Doesn’t Xen require applying custom patches and recompiling the kernel? Unless it is rolled into the main kernel distribution, there will always be the chance of Xen not working with a new point release of Linux.
At this point yes. But only until xen is considered stable.
Sun is less biased than you would think.
Schwartz, McNealy??? Unbiased??? Those two come to my mind as soon as I think of Sun.
“Solaris doesn’t have anything that compares to SELinux, though this technology is not yet fully mature on the Linux side, it’s in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors’ distros) before long.”
The NSA-grade security stuff is stuff that practically no one uses, because Trusted environments are just a PITA. For the hard core NSA types, that’s why Sun has Trusted Solaris as a separate product. Solaris 10 is very adequate for general corporate networks.
“Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer.”
Holy cow. Sun isn’t going to turn down a paying support customer, and they abide by a pretty clear support life cycle timeline. You are just oozing at the ears with FUD.
Containers are very similar TO THE END USER to what Xen is doing. There are differences, but do they really matter?
Xen is pretty stable, contrary to above. It’s at version 2.03 at last blush, IIRC. Yes, it’s a kernel patch… how feeping hard is it to do “patch -p1 <some.patch ; make modules_install ; make install” anyways?
Regarding serial port monitoring on my U250: U250 servers don’t come with video cards. Need I say any more?
Look up LTT. See if it’s anything like DTrace. You might be surprised. Frankly, most problems that need solving can be found with good old sar and vmstat. But I’m not knocking DTrace, just saying that it isn’t going to set the world on fire.
As for drivers taking up neg. space and being loaded on demand, install a working development set of Solaris and then list the modules loaded at boot. Piss, moan, cry, throw your hands up in the air as desired. I wish I could get back all the time I’ve spent in pkgrm hell removing drivers that are simply not desirable on a server, but which Sun insisted on installing!
P.S. I use Gentoo for my home box to fool around, Debian for most of my servers with my own custom compiles of software that I plan to use (qmail, apache, php, freeradius, erpc, ucspci-tools, etc.) and a smattering of FreeBSD, Red Hat. And… gasp… both Solaris x86; Solaris SPARC.
aXoXlo# uname -a
SunOS aXoXlo 5.8 Generic_108529-17 i86pc i386 i86pc
aXoXlo# gcc -v
Reading specs from /opt/gnu/lib/gcc/i386-pc-solaris2.8/3.4.3/specs
(truncated)
aXoXlo# more /etc/release
Solaris 8 6/00 s28x_u1wos_08 INTEL
Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
Assembled 28 April 2000
Solaris 8 Maintenance Update 7 applied
Oh no! Shoot the infidel who dares speak against Solaris!
I think if Solaris got more support for some Linux admin software I would definitely switch off of Linux onto an enterprise version of Solaris – just for the uptime.
The NSA-grade security stuff is stuff that practically no one uses, because Trusted environments are just a PITA.
Fedora Core 3 uses seLinux by default, though the policies are lax.
In response to the comparison, there is also a Trusted Linux, made from the same people who did Trusted Solaris. In addition to the seLinux userland and kernel patches, there is rsbac-sources, lids, and grsecurity.
Linux systems have plenty of security options. Personally I don’t use any one of them, but you can.
We addressed LTT explicitly in our USENIX paper:
http://www.sun.com/bigadmin/content/dtrace/dtrace_usenix.pdf
And I have addressed (with perhaps more aggravation) here:
http://blogs.sun.com/roller/page/bmc/20040718#dtrace_vs_dprobes_ltt
You should also consult RedHat employee Daniel Berrange’s analysis, which I cited in the above:
http://berrange.com/bitsbobs/mlp/2004/07/dtrace
<<“Solaris *certainly* gives an enterprise customer a lot of strategic risk since Sun has a history of abandoning x86 customers when high-margin SPARC sales suffer.”
Holy cow. Sun isn’t going to turn down a paying support customer, and they abide by a pretty clear support life cycle timeline. You are just oozing at the ears with FUD.>>
I guess you don’t care that Sun HAS ALREADY DONE EXACTLY THIS ONCE BEFORE (2002). Or perhaps you’re impressed by the fact that they’ve _double_ promised not to do it this time.
This is an outstanding paper because it finally tells the truth about Linux development model issues and other Linux inherent problems- problems that have nothing to do with UNIX but everything to do with religious movement behind Linux and GPL.
It is really great that Solaris can show Linux its place. Until now, if someone dared to criticize the “fix it yourself” GNU/Linux approach, they were labeled Microsoft fanboys.
UNIX community was standing silent.
Suddenly, Solaris for X86 appears and tells the truth about pathetic way of developing software by “the community.”
Software must be developed by the paid professionals managed by the paid managers who see the big picture and, if necessary, can force a developer to do not what he wants but what customer needs.
Now, if Linux advocates dare to speak, they are against Solaris. UNIX community will not stay still looking how “GNU is Not UNIX” fanboys trash UNIX and proper way of coding professional grade software.
It would be a stretch to say that Solaris will replace Linux overnight. But I know people who already installed Solaris in the test environment, and I believe that by the end of 2005 many companies will be using Solaris for x86 in many places where Linux runs today.
Papers like that one, presented to the management would help to make one and only right choice: dump crap forced on IT by necessity to save costs and use free of charge Solaris.
Good lord, have you seen the price of trusted solaris? That sure changes the price argument
“There are differences, but do they really matter?”
Patching, rebuilding, and re-installing the OS kernel is not something I would be enthusiastic about doing. On my own time, I don’t care, but for work there are too many variables in making sure the configuration is correct. Often, rebuilding a kernel is an iterative process of learning what modules are needed by trial and error.
“Regarding serial port monitoring on my U250: U250 servers don’t come with video cards. Need I say any more?”
What does the video card have to do with it? The key phrase, here, is “serial port.” You know, that 25-pin female plug on the back of the server (two of them, labeled A and B). Set up a laptop with a terminal program like Minicom and a NULL-modem cable to your server, type Stop-D on your server after power-on, and sit back and bask in automatic diagnostic prowess. It’s all in the OpenBoot documentation at docs.sun.com.
“Frankly, most problems that need solving can be found with good old sar and vmstat. But I’m not knocking DTrace, just saying that it isn’t going to set the world on fire.”
Relative to DTrace, sar and vmstat are like stone wheels on cars. You’re certainly free to use them, but don’t complain about the rough ride.
Well, it was really funny to read. I hope Sun’s PR wasn’t responsible for this pathetic propaganda material – it’s so badly written…
But at least it was funny to read anyway – my favourites are UML and the “kindly” asked support parts.
I have to conclude from this that Linux 2.6’s performance eclipses solaris (pun intended).
Sun is in the unique position of being able to perform comprehensive benchmarks of both operating systems on a level playing field.
Sun’s best interest also includes showing Solaris performs better than Linux in as many areas as possible.
So the fact that they do not provide any evidence, but seem happy to declare a “draw” between the two systems is proof enough that Linux blows their socks off.
Frankly, I think that Solaris Containers are a bit overrated. Isolating applications in the software level can also be done in Linux using User-Space, so no advantages here.
In fact, we can go one level higher with Linux by utilizing an OpenPower server and installing Linux, we can then do DLPARs and gain better security than using Solaris Containers. Each LPAR will be isolated and not sharing anything. It can also dynamically allocate resources between the LPARs.
Furthermore, in a year or so, this will not be much to talk about when Intel comes out with their microprocessor (Vanderpool) for the x86 platform that allows for virtualization. Solaris 10 will not have much advantage over Linux on this x86 platform when this comes out.
Regards.
Since i’m at work, and can’t afford the time for a detailed reply to this PR pdf by Sun, i’ll just vent my frustration at marketing crap like this by posting my disappointment. I don’t trust Sun, never will trust Sun, and quite frankly i’d never recommend or use any of their products due to past and present behaviour. I’ll try and go thru the entire pdf reply by reply on various parts that i’m not impressed with when I get home.
Dave
Well, 900+ isn’t that impressive; I have had those kinds of uptimes with both NetBSD and Linux. The uptime with these kinds of OS has more to do with hardware, and Sun has made some great hardware for long uptimes (the NetBSD box did run on Sun HW). If people tend to get short uptime with Linux then I would guess that it depends on cheap PC machines more than Linux.
Solaris is a great OS but I would not say that having the greatest uptime would be one of the merits.
The comments for these Linux vs Xxxx articles are mostly dumb.
Linux isn’t perfect. I doubt it will be perfect in my lifetime. With a bit of give or take on different issues I consider my Linux experiences are roughly equal to my windows experiences.
Linux makes a good server environment for competent linux system administrators. It would be nice if some of the problems I have could be avoided, but I understand that “no warranties included” is especially true with using Linux.
I’m pretty damn sure that the same can be said for Solaris.
Just like any other operating system.
btw. I’m not an electronics fascist, I hate all computers equally.
> Frankly, I think that Solaris Containers are a bit overrated. Isolating applications in the software level can also be done in Linux using User-Space, so no advantages here.
There is a huge advantage with Zones compared to UML. First and foremost each zone is not a separate instance of OS running in memory, which means less system resources wasted on each OS instance — the upshot is that you can squeeze many more zones out of the same hardware than with UML, which means Solaris will be always more cost-effective than UML. Another thing to consider is the ease of maintenance with Solaris Zones — you can maintain one zone in respect to packages and patches just as easily as hundreds or thousands of zones, which means you need fewer sysadmins to babysit the virtual servers, which means you save tons of money with Solaris.
> In fact, we can go one level higher with Linux by utilizing an OpenPower server and installing Linux, we can then do DLPARs and gain better security than using Solaris Containers. Each LPAR will be isolated and not sharing anything. It can also dynamically allocate resources between the LPARs.
So what, you can run Solaris on Sun Fire hardware that supports domains and achieve even better resilience and security than LPARs (domains are absolutely independent of each other, whereas LPARs are not). Plus running LPARs (hypervisor on Power) wastes a lot of processor resources — you lose at least 30% of processor performance when you run LPARs. And oh yeah, there is no freaking way you can even dream of running 4000 virtual servers with LPARs — Solaris Zones beat LPARs hands down.
> Furthermore, in a year or so, this will not be much to talk about when Intel comes out with their microprocessor (Vanderpool) for the x86 platform that allows for virtualization
See above for problems with LPARS as Intel is going to suffer from exact same problems. You’re better off using Solaris Zones now than waiting for some Intel tech that is going to suck anyway.
I thought it was a good, balanced whitepaper. It points out some weaknesses in Linux, yes (OMG! Linux isn’t perfect!) but it can only lead to these weaknesses being addressed by the community and the vendors. Benchmarking and comparison are always good, the more the better.
I’m guessing that RH will offer a patched and supported version of the kernel with Xen / vserver / LTT pretty soon to go head to head with Solaris….
To Russian Guy: oh my, did you even read the PDF?? Your reply is completely irrelevant to the conclusions of the whitepaper!
> I’m guessing that RH will offer a patched and supported version of the kernel with Xen / vserver / LTT pretty soon to to go head to head with Solaris….
Even if RedHat makes Xen production ready, it will be inferior to Solaris Zones nevertheless. As I mentioned above, Xen, just as UML, relies on independent instances of Linux running under VM, which means there will be a much more significant performance impact with each new OS instance added and memory/resources wasted — Solaris Zones will make much better use of the same hardware. And again Xen and UML do not address the maintenance/administration problems, so the only value you get is savings in hardware when administration costs remain pretty much the same. Solaris Zones reduce both parts of this cost equation — both hardware gets better utilized and administrative efforts are reduced.
Use Solaris x86 if you can. Use Linux if you must.
“And again, Xen and UML do not address the maintenance/administration problems, so the only value you get is savings in hardware while administration costs remain pretty much the same. Solaris Zones reduce both parts of this cost equation — hardware gets better utilized and administrative efforts are reduced.”
Xen is already integrated with Fedora by now, and it is dead easy to use and maintain.
>What does the video card have to do with it? The key phrase,
>here, is “serial port.”
So, if there is no video card… how do you suppose that I worked with the machine before it had IP connectivity? Hrm? Vulcan mind meld? I guess I did need to say more.
I’m probably confusing you still. Sorry.
>Patching, rebuilding, and re-installing the OS kernel is not
>something I would be enthusiastic about doing.
Guess you never used Solaris 1, then. Or was that SunOS4?
>I thought it was a good, balanced whitepaper.
You were wrong. Yes Solaris has some advantages here and there, but they damned Linux with faint praise where it has its advantages, and offered no way to back up their claims that Solaris is faster on particular loads or gave us any disclosure on their performance tests. They also failed to mention Xen, which is a major player in Linux-space. Saying that asking for a bug fix usually elicits a rude response from some random kiddy is also damning with faint praise – yes it can happen, but I’ll tell you what, I waited more than a year for Sun to fix its NFS problem that came up in Solaris 6 (or 7, memory is a funny thing) where if you had more than one IP address on a machine, NFSd would bind to only one address when sending outbound and that IP was usually not the first address on a given card, which caused all sorts of grief. Or how about when I bought x86 and specced out a box specifically for it, only to find out that x86 didn’t support the specific REVISION of the Adaptec controller I had, so wouldn’t recognize any drives… which took Sun eight months to fix. Sun doesn’t have very clean hands when it comes to fixing bugs, either.
> Guess you never used Solaris 1, then. Or was that SunOS4?
What relevance does SunOS have to Solaris 10? They are absolutely, fundamentally different operating systems. You’re running out of arguments, aren’t you?
> which took Sun eight months to fix. Sun doesn’t have very clean hands when it comes to fixing bugs, either.
I’ve seen fixes delivered overnight by Sun, I guess it all depends on how well you can put the business justification in front of them. Overall I have a pretty good history with Sun delivering the fixes, so I can’t really agree there. I will prefer Sun’s methodology of fixing bugs to the hodge-podge Linux model any time of the day, because with Sun I at least have a throat to choke when something goes wrong.
I have to say that I was shocked to see how much support costs for Enterprise Redhat, compared to Solaris. I had no idea it cost so much. And no support for 4-CPU Redhat????
The article is a subtle hint for IT managers. It should be read as:
– Solaris is SUN. SUN is who to blame when something goes wrong. Hurra!
– Solaris is more secure, stable and idiot-proof. Every (Big)admin wants to hear that. (Big)admins have a family with kids and don’t want to be late for dinner every 2 days 😉
– Solaris from SUN is cheaper than Linux from Red Hat or Novell. That makes the boss happy!
Thank SUN! But don’t underestimate the power of the IBM-directed “community”.
> But don’t underestimate the power of the IBM-directed “community”.
Is Gentoo that IBM-directed community?
Gentoo is ideal for my dog; while compiling I will take the chance and get out for a walk with my dog :)
And no support for 4-CPU Redhat????
—-
If you don’t know what you are talking about, then silence is better.
“Solaris doesn’t have anything that compares to SELinux, though this technology is not yet fully mature on the Linux side, it’s in Fedora Core 3 and will be in RHEL 4 (and, no doubt, competitors’ distros) before long. It is a much better and more powerful approach than ACLs, and was designed by world-class experts at the NSA.”
Such a security model is already in Solaris 10, fully mature and non-performance degrading
Book: “System Administration Guide: Security Services” — Chapters 8 – 12 “Roles, Rights Profiles and Privileges”
http://docs.sun.com/app/docs/doc/816-4557
Book: “Solaris Security for Developers Guide ” — Ch 2 “Developing Privileged Applications”
http://docs.sun.com/app/docs/doc/816-4863
You can view them online or use the Download link for a PDF of the entire book.
And of course, there are the man pages for every command, user and kernel interface involved as well.
– Could someone please explain to me this religious war from the Linux fan club?
– I, personally, love comparative PDFs; you learn far more by comparisons than by blind faith.
– I would love to be able to get RedHat, or Solaris X, in my shop, or for that matter Mac OS X Server. There’s a far greater chance of Solaris, with an enterprise company to back up the product, than Linux.
– Aren’t these two OS’s “Sister OS’s”. Man, I’d be happy to be running on either. This is like trying to pick from two shades of white! With DTrace a serious plus for our shop.
“- Could someone please explain to me this religious war from the Linux fan club?”
Ask Jonathan to stop lying about Red Hat being a proprietary distro and not LSB compliant.
“Such a security model is already in Solaris 10, fully mature and non-performance degrading”
They are no way similar.
“Such a security model is already in Solaris 10, fully mature and non-performance degrading”
“They are no way similar.”
Explain. Your post is titled “explanation” and that is not one.
A simple search would have helped you find the answer.
http://www.sun.com/software/solaris/10/ds/security.jsp
A simple search would have helped you find the answer.
I know the answer and I have done the search. I am calling Anonymous (IP: 61.95.184.—) on his BS.
SELinux and Solaris use RBAC, which is a MAC. They are very similar, or at least more similar, to each other.
The claim that “they are no way similar” is rubbish. In fact, Solaris has had RBAC since Solaris 8 or 9. The privileges and crypto framework are new in Solaris 10, as is the auditing. These are main features Sun put into vanilla Solaris from Trusted Solaris. If you read the SELinux FAQ, the NSA clearly says SELinux is not a “Trusted” system. It just provides RBAC (MAC) and type enforcement.
So the article is right: Solaris 10 gets an upper hand over Linux. The article also mentions the SELinux patch.
SELinux and Solaris use RBAC, which is a MAC. They are very similar, or at least more similar, to each other.
—-
Fedora Core 3, 4 and RHEL 4 will come with SELinux by default, unlike Trusted Solaris, which is a separate add-on. Learn it first.
The security in Trusted Solaris is not an add-on, it is an integral part of the product. For example the root user is a role (RBAC). For more (and correct) information read:
http://docs.sun.com/app/docs/doc/816-1040/6m7g2p90n?a=view
Fedora Core 3, 4 and RHEL 4 will come with SELinux by default, unlike Trusted Solaris, which is a separate add-on. Learn it first.
Are you really that stupid? Yes. And let me guess: you have no clue what you are talking about. I just got done saying SELinux is not the same as Trusted Solaris. Trusted Solaris is not an add-on, it is a separate product.
The features that SELinux has are similar to the ones in Solaris 10. RBAC was in before Solaris 10. And guess what, it already is in the OS distribution?
RBAC is a mandatory access control mechanism that is used in SELinux and Solaris alike. Solaris 10 also has privileges and a cryptographic framework.
SELinux.org FAQ
“Is Security-enhanced Linux a Trusted Operating System?
No. The phrase “Trusted Operating System” generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. Security-enhanced Linux incorporates useful ideas from these systems but focuses upon mandatory access controls. It is expected that this work would be combined with other efforts (e.g., auditing and documentation) to construct a “trusted” system.”
http://www.nsa.gov/selinux/papers/ols2003-selinux/text6.html
Role-Based Access Control, Type Enforcement, optional Multi-Level Security, easily extensible to other models
http://www.sun.com/software/solaris/10/ds/security.jsp
“Introducing New Security Features in the Solaris 10 Operating System
The Solaris 10 Operating System (OS) includes advanced security features that were once only available to customers of the Trusted Solaris OS. The Solaris 10 OS is designed to provide comprehensive, in-depth security, protecting the enterprise at multiple levels, such as system security, strong authentication, encrypted communications, access controls, and accountability.
With the Solaris 10 OS, Sun raises the bar yet again by offering key technologies that protect against buffer overflow attacks launched from the network or security violations by trusted insiders. Some of the new security enhancements include Solaris Containers (formerly N1 Grid Containers) technology, Solaris Process Rights Management, and an encryption infrastructure that enables applications to take advantage of cryptographic hardware.”
How hard is it to patch the kernel?
It is impossible to patch the kernel for most commercial Linux distributions in use in Enterprise space, which is what Sun is talking about.
This isn’t a college, it’s not some geek sitting at their home computer installing Linux from a free distribution, it’s business, and business is about support contracts.
When your server crashes — and oh yes, Linux can and does crash — you need to be able to contact your vendor’s technical support. Installing any kernel patch — any at all — or even rebuilding the official kernel from source is a sure-fire way of ensuring that they will not provide you with any support.
You see, you’re paying Redhat or SuSE to test the kernel and the software that they provide, in a controlled environment, to ensure that it meets availability and reliability constraints. You’re paying this because if your e-mail server is down for three days, it’s a disaster for your company. If your users can’t access their web accounts, you’re screwed. If you can’t bill or process payments, again, you’re in some pretty deep problems.
As soon as you install a non-standard configuration or start using kernel extensions, you basically guarantee that these folks who you are paying to provide you with support will not provide you with support.
If you like Linux, if you want to run it, go right ahead. If you think Xen meets your requirements — and if you’re willing to support the box and every application running on it yourself — then, again, go right ahead. But understand, you’re not Sun’s target market.
“Software must be developed by the paid professionals managed by the paid managers who see the big picture and, if necessary, can force a developer to do not what he wants but what customer needs.”
Exaggerating a bit, aren’t you? You seem to think all proprietary software is top of the line. That’s funny, because I can cite quite a few examples that are simply not no matter what type of software we’re talking about. You think Solaris is better than Linux? Fine. Are all closed source operating systems better than Linux? That certainly seems to be a matter of opinion.
Admit it, Russian Guy, there’s something about Open Source that you just can’t stand and can’t help flaming it whenever you get the chance. If it’s the zealots, you certainly ought to be able to see that even Solaris has fanatics as well.
>You think Solaris is better than Linux?
Yes.
>Are all closed source operating systems better than Linux?
I was told that Solaris 10 is open source.
>there’s something about Open Source that you just can’t stand
Yes, I can not stand an open source zealot spitting in my face when I dared to say that Linux is less than perfect.
I have no problem with Solaris 10 open source, which they intend to develop in professional way.
>even Solaris has fanatics as well.
When I find one who will label me a liar when I say that Solaris is not 100% compatible with, say, HP-UX, then I may change my mind. :)
Until now, I only had this problem with a zealot from open source OpenOffice when I had to tell him we can’t replace our MS Office (yet) because of lack of compatibility in some minor, but critical for us Office features.
Maybe it was just me, but I had to deal with open source Linux/OpenOffice zealots a few years ago when we evaluated the possibility of a transition to Linux from UNIX and Windows.
These memories still haunt me at night. :)
The way I look at it is that they are both fine OSes. Same goes for OSX and the BSDs. I think Linux is ready for enterprise, but it does have some limitations when it comes to LVM and crash dumping. I think some of this is impartial to the x86 arch than anything. I will say this though: I work for an automaker and they are using Linux as its new OS for production DB, webserver and application server. We have just the same amount of problems with Linux as we have with HP-UX, AIX and even Solaris. Now we do have in-house builds that are based on SUSE with support from IBM (which, by the by, isn’t that great when you’re working midnights).
Both OSes crash, and depending on what you have running on said machine, both Solaris and Linux can be a total pain to try to recover. Especially if you’re talking a DB with terabytes of data and UFS logging not enabled.
With that being said, if asked personally what I would recommend, it would depend on application, budget and how much load the server would have to deal with.