Solaris stability and upgrades (was RE: [SunRescue] help a guy run 2.6 on his 670MP)

Loomis, Rip rescue at sunhelp.org
Wed May 16 10:19:49 CDT 2001


We have three 2.5.1 boxen here (all SPARC 10-
class machines)--two to support US Government
folks (there are still a *lot* of fielded
systems that are running 2.5.1...heck there
are a ton still running 4.1.3_U1 !) and one
as a "victim" to teach internal classes on
hacking and exploits.  From the best one of
the bunch:

darksparc% uptime
 10:37am  up 102 day(s), 17:58,  3 users,  load average: 0.07, 0.03, 0.02
darksparc% uname -a
SunOS darksparc 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-10
darksparc%

The last power down was to replace a bad
external disk, and the one before that (at
~200 days) was when the building power was
shut off.   Otherwise this system would
have > 365 day uptime.  It's a production
system (DNS server and GCC compile host) but
not heavily loaded.

Of course, *all three* of those systems are
behind multiple layers of packet filtering
and firewalls...friends don't let friends put
Solaris boxen "naked" on the Internet.

90% of the users have "sudo all" privileges
as well, which means I'm less concerned about
exploits that require a local user account...
but I think that few of us on
the list are running Solaris 2.5.1 as ISPs.
Then again, my home ISP is still running
Sol 2.6 on their shell account server...
and the latest Gauntlet firewall for Solaris
still requires 2.6.  Actually the last Raptor
install we did still required 2.6.

Off the top of my head, the biggest reasons
to upgrade to Solaris 7 or later are:
 - Kernel-level auditing gets un-fscked
	in Solaris 8 (supposedly...)
 - RBAC/RSBAC in Solaris 8 (Solaris 8 tries
	to merge in a lot of the security
	features formerly only found in
	"Trusted Solaris")
 - POSIX threads (pthreads) finally work
	correctly in Solaris 7 and later
	(they're implemented but...odd...
	in 2.6)
 - 64-bit kernel support in Solaris 7
	and later (for Ultra 2s or better...
	consensus seems to be that the
	Ultra 1 buglets in 64-bit mode are
	severe enough that Ultra 1s shouldn't
	run in 64-bit mode unless absolutely
	necessary) 

Reasons not to upgrade:
 - If you have software that requires a
	specific older version
	o  Gauntlet/Raptor firewalls

 - If you have hardware that requires a
	specific older version
	o  MGX+ 24-bit color SBus board
	   (thanks Mike N.!) -- note that
	   the 32-bit drivers from 2.6
	   work fine under Solaris 7
	o  "be" 100BaseTX cards
 	o  VME chassis (there is a binary
	   patch method that will allow
	   at least 2.6/7 to run)
	o  SM100
	o  SunPC 486-class SBus co-processor
	o  sun4/sun4d/sun4c hardware support
	   were all dropped along the way
	   (sun4c still supported in 7 but
	   dropped in 8; not sure about the
	   other architectures)

The other advantage/disadvantage of any
upgrade is of course the housecleaning
aspect--cleaning out the cruft and installing
the latest patch cluster is nice, but if
your system is poorly documented you may
have trouble re-creating it...

Anyone have a better list of convincing
reasons to stay put or upgrade?  This
is probably another topic that should
go on thisoldsun.* ....

--
Rip Loomis
Brainbench MVP for Internet Security
http://www.brainbench.com (Transcript 1923411)


> -----Original Message-----
> From: Jonathan Katz [mailto:jon at jonworld.com]
> Sent: Wednesday, May 16, 2001 9:34 AM
> To: rescue at sunhelp.org
> Subject: Re: [SunRescue] help a guy run 2.6 on his 670MP
> 
> 
> On Wed, May 16, 2001 at 01:42:31AM -0400, Mike Nicewonger wrote:
> > Aw c'mon Dave, I long for the days of NT servers :) <mike ducks!> I ran
> > 2.5.1 on my Big Beefy [tm]670 for a while with nary a hiccup.
> 
> 2.5.1 isn't all that bad as long as you patch the heck out of it. I've
> seen 400-500 day uptimes from it on SS20s through E4000s.
> 
> -Jon