Even with the popularity of open source and Linux, commercial Unix platforms are still an important part of most data centers. The most widely used versions of Unix are IBM's AIX, Hewlett-Packard's HP-UX and Solaris from Oracle-Sun. In this tip, I offer an overview of recent enhancements made to each of these Unix distributions.
AIX 6 was released in November 2007 and updated in October 2009. AIX 7 was just released in August 2010. Since AIX 7 is brand new, I'll examine features of both versions.
AIX 6 and 7 are available in three editions:
- Express Edition: economical and intended for smaller workloads
- Standard Edition
- Enterprise Edition: includes additional management capabilities
AIX 6 introduced Workload Partitions (WPARs), software-based virtualization that allows multiple AIX environments to run on a single system. WPARs provide isolation from other processes and WPARs. Each WPAR may have unique administrator control, network addresses, file systems, users and groups. Processor and system resources are shared and apportioned between WPARs.
WPARs share a single global instance of AIX, as compared with Logical Partitions (LPARs), each of which runs an independent copy of AIX. When the WPAR global instance is patched, all subordinate WPARs inherit the patch. AIX 7 adds Trusted Kernel Extensions, which can limit access to specific kernel extensions to particular WPARs. With Live Application Mobility, applications in a WPAR can be moved to another system without stopping and restarting, so workloads can be balanced across multiple systems.
AIX 6 also provides numerous security enhancements:
- Role-Based Access Control is used to grant management access to specific users.
- Trusted AIX provides compartmentalized multi-level security, allowing restriction of access to specific system resources and devices, such as partitions, networks or printers.
- The Enhanced Journaled File System now provides an encrypted file system (EFS) that supports a variety of encryption algorithms.
- The new Secure by Default installation option restricts system and network services to the minimum needed, reducing the attack surface.
- Trusted execution mode verifies application integrity via digital signature before execution to reduce the risk of software tampering.
- Cryptographic framework provides hardware acceleration for cryptographic functions, such as those used in the EFS, IP security or trusted execution.
Availability enhancements in AIX 6 include:
- Concurrent kernel update allows certain modifications to be made without requiring a system restart.
- Dynamic tracing simplifies debugging by allowing probes to be placed in existing application or kernel code without requiring recompilation.
AIX 7 introduces Cluster Aware, which provides commands and APIs to create clusters of individual AIX systems. These clusters may be managed as a single group: you can monitor events and disk space, and performance data is available for the entire cluster.
Also new in AIX 7 is the Event Infrastructure, used by Cluster Aware, which can monitor pre-defined system events.
HP-UX 11i was originally released in 2000, and the latest major version is HP-UX 11i v3 (11.31), released in 2007. The sixth and latest update to 11.31 was released in March 2010.
HP-UX is provided in one of four combinations of operating system and application bundles, called an operating environment (OE):
- Base (BOE) is the standard version.
- Virtualization Server (VSE-OE) is BOE plus the HP Virtual Server Environment and GlancePlus monitoring tools.
- High Availability (HA-OE) is BOE plus Serviceguard availability tools and GlancePlus monitoring tools.
- Data Center (DC-OE) is all of the above.
The Virtual Server Environment provides virtualization capabilities and workload management tools. Hardware and software isolation is achieved using a hard partition, or nPartition, which establishes boundaries that completely protect one virtual machine from any faults in another (including software, hardware or electrical faults). In HP-UX 11.31, dynamic nPartitions can be modified while the partition is in use.
Software-only isolation is achieved using a virtual partition, or vPar, which runs its own instance of HP-UX and has its own share of CPU, memory and I/O. HP-UX 11.31 introduces dynamic memory migration between vPars and allows mixed vPar versions within a single nPartition.
Dynamic Root Disk allows cloning and updating of a running root file system, assisting in system recovery and reducing downtime during upgrades.
Unified File Cache integrates the different mechanisms used for file caching: page cache and buffer cache. This eliminates the possibility of file system inconsistencies when using system calls that depend on differing mechanisms.
Encrypted Volume File System 2.0 provides AES encryption at the file or volume level. Security containment isolates system resources and provides fine-grained privileges and role-based access control.
Solaris 10 was first released in 2005. Updated releases are named by the month and year of release. The latest update, Update 8 (U8), is Solaris 10 10/09, released in October 2009.
The Zettabyte File System (ZFS), introduced early in Solaris 10, can now support the root file system and be used to boot the system. Support for user- and group-level disk quotas has also been added to ZFS.
Solaris Zones and Solaris Containers provide virtualization and resource containment. Zones isolate one or more application services within the operating system. A Container is a Zone that also manages operating system resources to prevent one Zone from consuming all real system resources. Recently added resource management features allow CPU usage to be limited in multiple ways: fair-share, capped or dedicated. Memory and network bandwidth resources can also be managed.
A Zone may establish a separate instance of the TCP/IP networking stack through an Exclusive IP Zone, allowing the Zone to have a unique network configuration.
Logical domains (now called Oracle VM Server for SPARC) provide a higher level of virtualization abstraction. A logical domain runs a virtual machine within which an operating system can be booted, halted and rebooted (this requires Solaris 10 11/06, U3, or later). Other operating systems that run on SPARC hardware may also be supported; Ubuntu Linux, for example, can be run in a logical domain.
Many security features previously available in a special release of Solaris called Trusted Solaris have been incorporated into the regular release as of Solaris 10 5/08 (U5). Solaris Trusted Extensions include fine-grained privileges using Mandatory Access Control for policy-based access to system resources such as devices, files, networks, printing and window management. User Rights Management provides role-based access control and complies with the Federal Information Processing Standard.
ABOUT THE AUTHOR: King Ables holds BA and MSc degrees in computer science and has worked in customer support, software development, systems and network administration, and user education. He has written numerous technical articles for online and print journals and is author or co-author of three books on Unix and Linux.