Page 1 Solaris 10 Container Guide - Functionality status up to Solaris 10 10/09 and OpenSolaris 2009.06 - Detlef Drewanz, Ulrich Gräf, et al. Sun Microsystems GmbH Effective: 30/11/2009 Functionalities Use Cases Best Practices Cookbooks...
Page 2: Table Of Contents
Version 3.1-en Solaris 10 Container Guide - 3.1 Table of contents Disclaimer...VI Revision control...VI 1. Introduction...1 2. Functionality...2 2.1. Solaris Containers and Solaris 2.1.1. Overview...2 2.1.2. Zones and software 2.1.3. Zones and security...4 2.1.4. Zones and privileges...4 2.1.5. Zones and resource 2.1.5.1.
Page 3 Version 3.1-en Solaris 10 Container Guide - 3.1 4.1.5.1. Software installation by the global zone – usage in all 4.1.5.2. Software installation by the global zone – usage in a local 4.1.5.3. Software installation by the global zone – usage in the global 4.1.5.4.
Page 4 Version 3.1-en Solaris 10 Container Guide - 3.1 4.5. Management and monitoring...55 4.5.1. Using boot arguments in 4.5.2. Consolidating log information of 4.5.3. Monitoring zone 4.5.4. Extended accounting with 4.5.5. Auditing operations in the 4.5.6. DTrace of processes within a 4.6.
Page 5 Version 3.1-en Solaris 10 Container Guide - 3.1 5.2. Network...81 5.2.1. Change network configuration for shared IP 5.2.2. Set default router for shared IP 5.2.3. Network interfaces for exclusive IP 5.2.4. Change network configuration from shared IP instance to exclusive IP 5.2.5.
Page 6: Disclaimer
Version 3.1-en Solaris 10 Container Guide - 3.1 Disclaimer Disclaimer Sun Microsystems GmbH does not offer any guarantee regarding the completeness and accuracy of the information and examples contained in this document. Revision control Version Contents 30/11/2009 Adjustment with content of „Solaris Container Leitfaden 3.1“...
Page 7 Version 3.1-en Solaris 10 Container Guide - 3.1 Disclaimer Version Contents Drawings 1 - 6 as an image 06/11/2006 General chapter virtualization Additional network examples 27/10/2006 Revision control table reorganized (the latest at the top) References amended Hardening of zones amended...
Page 8: Introduction
By making Solaris 10 available on 31 January 2005, an operating system with groundbreaking innovations has been provided by Sun Microsystems. Among these innovations are Solaris Containers that can be used - among other things - to consolidate and virtualize OS environments, to isolate applications, and for resource management.
Page 9: Functionality
Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality 2. Functionality 2.1. Solaris Containers and Solaris Zones 2.1.1. Overview [ug] Solaris Zones is the term for a virtualized execution environment system level (in contrast to HW virtualization). Solaris Containers are Solaris Zones with Resource Management. The term is frequently used (in this document as well) as a synonym for Solaris Zones.
Page 10 In Unix, all objects such as programs, files and shared libraries are loaded only once as a shared memory segment which improves overall performance. For Solaris 10, this also includes zones; that is, no matter how frequently e.g. a program or a shared library is used in zones: in the main memory, it will occupy space only once.
Page 11: Zones And Software Installation
Solaris 10 5/08, like earlier Solaris versions, is certified according to Common Criteria EAL4+. This certification was performed by the Canadian CCS. The Canadian CCS is a member of the group of certification authorities of Western states of which the Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik) is also a member.
Page 12: Zones And Resource Management
The maximum CPU usage of zones can be set (cp u -c ap s ). This setting is an absolute limit with regard to the CPU capacity used and can be adjusted to 1/100 CPU exactly (starting with Solaris 10 5/08).
Page 13: Memory Resource Management
Solaris 10 Container Guide - 3.1 2. Functionality 2.1.5.2. Memory resource management [ug] In Solaris 10 (in an update of Solaris 9 as well), main memory consumption can be limited at the level of zones, projects and processes. This is implemented with the so-called resource capping daemon (r ca pd ).
Page 14: Zones And High Availability
HA Solaris Container Agent. Such types of zones cannot be used as virtual nodes in a virtual cluster. s ola ri s 1 0 : Solaris 10 branded zones for OpenSolaris are in the planning stage (see http://opensolaris.org/os/project/s10brand/) 3.8 (certified)
Page 15: Solaris Container Cluster (Aka "Zone Cluster")
One has to know, however, that Oracle CRS, the so-called Oracle Clusterware an operating system independent cluster layer Solaris containers did not delegate to a non-global zone. Since Solaris 10 5/08 it is, however, possible to administer network interfaces even within a zone such that Oracle CRS can be operated there.
Page 16: Virtualization Technologies Compared
Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality 2.2. Virtualization technologies compared [ug] Conventional data center technologies include Applications on separate computers This also includes multi-tier architectures with firewall, load balancing, web and application servers and databases. Applications on a network of computers This includes distributed applications and job systems.
Page 17: Domains/Physical Partitions
Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality 2.2.1. Domains/physical partitions [ug] A computer can be partitioned by configuration into sub-computers (domain, partition). Domains are almost completely physically separated since electrical connections are turned off. Shared parts are either very failsafe (cabinet) or redundantly structured (service processor, power supplies).
Page 18: Logical Partitions
Logical partitioning systems include the IBM VM operating system, IBM LPARs on z/OS and AIX, HP vPars, as well as VMware and XEN. Sun offers Logical Domains (SPARC: since Solaris 10 11/06) as well as Sun xVM VirtualBox (x86 and x64 architectures).
Page 19: Containers (Solaris Zones) In An Os
Disadvantages: HW maintenance: If a shared component fails, many or all zones may be affected. Solaris 10 recognizes symptoms of a future failure through FMA (Fault Management Architecture) and can deactivate the affected components (CPU, memory, bus systems) while running, or instead use alternative components that are available.
Page 20: Consolidation In One Computer
Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality 2.2.4. Consolidation in one computer [ug] The applications are installed on a computer and used under different userid. This is the type of consolidation feasible with modern operating systems. Advantages: Application: All applications are executable as long as they are executable in the basic operating system and do not use their own OS drivers.
Page 21: Summary Of Virtualization Technologies
Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality 2.2.5. Summary of virtualization technologies [ug] The virtualization technologies discussed above can be summarized in the following table compared to installation on a separate computer. Separate computer Separation Application SW maintenance...
Page 22 Version 3.1-en Solaris 10 Container Guide - 3.1 2. Functionality Physical Logical virtualisation virtualisation (Domains/ (logical partitions) physical partitions) HW error containment Separate OS / self-contained memory Isolation of the OS-Environment Figure 6: [dd] Comparison of virtualization technologies Resource virtualisation...
Page 23: Use Cases
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3. Use Cases The following chapter discusses a variety of use cases for Solaris Containers and evaluates them. 3.1. Grid computing with isolation Requirement [ug] There is a need within a company to use free cycles on existing computers to perform a certain amount of computing work in the background.
Page 24: Small Web Servers
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.2. Small web servers Requirement [ug] One of the following situations exists: An Internet Service Provider (ISP) would like to have the option to set up web servers automatically, without additional costs. Based on this technology, the ISP wants to create an attractive offer for web servers with root access.
Page 25: Multi-Network Consolidation
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.3. Multi-network consolidation Requirement [dd] A company uses several different networks that are separated either by firewalls or by routers. Applications are run in the individual networks. The company would like to use the applications from different networks or security areas together on one physical system as an application itself does not require the capacity of a single system.
Page 26: Multi-Network Monitoring
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.4. Multi-network monitoring Requirement [dd] A company has several different networks that are separated into several levels either by firewalls or by routers. A variety of computers are installed in the individual networks. Administration is to be simplified, and the company would like to be able to "look into"...
Page 27: Multi-Network Backup
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.5. Multi-network backup Requirement [dd] A company has several different networks that are separated in different stages either by firewalls or by routers. Different computers are installed in the individual networks. The backup is to be simplified by allowing direct system backups in the individual networks to be performed from one location without having to connect the networks by routing.
Page 28: Consolidation Development/Test/Integration/Production
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.6. Consolidation development/test/integration/production Requirement [ug] Usually, further systems supporting the same application exist while an application is in production: Development systems Test systems Integration systems, with simulation of the application environment where applicable...
Page 29: Consolidation Of Test Systems
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.7. Consolidation of test systems Requirement [ug] To test software and applications, there are many test systems in the data center environment that are only ever used for tests. They are mostly used only for qualitative tests where systems are not stressed as with performance tests.
Page 30: Training Systems
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.8. Training systems Requirements [ug] In training departments, computers that are provided for training participants (including pupils/students) must frequently be reset. Solution [ug] The training systems are implemented by automatically installed zones: Sparse-root zones, that is, the zones inherit everything possible from the global zone.
Page 31: Server Consolidation
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.9. Server consolidation Requirement [ug] In a data center, several applications run whose workload is too low (often much less than 50%). The computers themselves usually require a lot of electricity, cooling and space.
Page 32: Confidentiality Of Data And Processes
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.10. Confidentiality of data and processes Requirement [ug] In the data center, applications are running on different computers because Certain departments want to be certain that data and processes are not seen by other departments.
Page 33: Test Systems For Developers
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.11. Test systems for developers Requirement [ug] Developers need test systems to test their application. Frequently, the interaction of several computers must be tested as well. Resources for the installation of test systems are usually limited.
Page 34: Solaris 8 And Solaris 9 Containers For Development
Solution [ug] On a current system under Solaris 10, Solaris 8 or Solaris 9 zones are set up with the development environment installed for the appropriate operating system. The details: Branded zones, that is, the environment of an older Solaris version is active within the zone.
Page 35: Solaris 8 And Solaris 9 Containers As Revision Systems
Migration to an up-to-date operating system or to up-to-date hardware requires a new software version. Solution [ug] Legacy systems are run in Solaris 8 or Solaris 9 containers on an up-to-date Solaris 10 system. The details: Branded zones, that is, the environment of an older Solaris is active within the zone.
Page 36: Hosting For Several Companies On One Computer
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.14. Hosting for several companies on one computer Requirement [ug] An application service provider operates systems for a variety of companies. The systems are underutilized. Solution [ug] The applications are consolidated into zones on one computer. The details: Separate file systems for each zone.
Page 37: Sap Portals In Solaris Containers
"Sun Solaris and SAP": http://de.sun.com/servicessolutions/virtualization/ressourcen.jsp All SAP applications are run in Solaris 10 containers on shared storage Whole-root zones provide the required level of flexibility and safety for SAP operation ZFS as the basis for container implementation, to minimize downtime for SAP systems A toolset consisting of several different scripts allows quick and easy construction of a virtualization solution with Solaris containers and ZFS for SAP systems.
Page 38: Upgrade- And Patch-Management In A Virtual Environment
Minimal downtime required through live upgrade and ZFS High flexibility and "plan-ability" through update-on-attach High security through "rollback" options Simple administration and simple operation Technologies are available in Solaris 10 free of licensing fees Effective: 30/11/2009 Figure 20: [da] Live upgrade Figure 21: [da] Update-on-attach...
Page 39: Flying Zones" - Service-Oriented Solaris Server Infrastructure
Functionality in case of disaster Solution [os] Business-critical applications are run in Solaris 10 zones both on SPARC as well as on x64 systems. Functionality in case of disaster and location-spanning shifting of zones occurs within a grid cluster by means of Sun Cluster 3.1. The details: Sparse root zones, that is, the zones inherit everything possible from the global zone Manual relocation of zones.
Page 40: Solaris Container Cluster (Aka "Zone Cluster")
Version 3.1-en Solaris 10 Container Guide - 3.1 3. Use Cases 3.18. Solaris Container Cluster (aka "zone cluster") Requirement [hs] In a virtualized environment based on Solaris containers, the administrator of a zone should also be able to administer the cluster part of the application in the zone.
Page 41: Best Practices
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4. Best Practices The following chapter describes concepts for the implementation of architectures with Solaris containers. 4.1. Concepts 4.1.1. Sparse-root zones [dd] Sparse root zones are zones that inherit the following directories from the global zone as...
Page 42: Comparison Between Sparse-Root Zones And Whole-Root Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.3. Comparison between sparse-root zones and whole-root zones [dd] From the considerations listed above, a comparison can be drawn between sparse-root zones and whole-root zones. In the vast majority of cases, sparse-root zones are used.
Page 43: Software Installations In Solaris And Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.5. Software installations in Solaris and zones [dd] The zones' directory structure is determined mainly from the need to install software with special needs in this area. Prior to creating the zones, this question should also be discussed extensively with regards to the intended purpose of the zone.
Page 44: Software Installation By The Global Zone - Usage In The Global Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.5.3. Software installation by the global zone – usage in the global zone non-pkg software Software A is installed by the global zone e.g. in /software/A /software/A is available to the global zone as a writable directory.
Page 45: Storage Concepts
With the new ZFS file system by Solaris 10, this can be achieved with little effort. Since Solaris 10 10/08, ZFS can be used as zone root. Prior to Solaris 10 10/08, although it was possible to run a zone on ZFS, an upgrade was not supported; therefore, Solaris 10 10/08 is urgently recommended for zones on ZFS.
Page 46: Root Disk Layout
4.1.6.5. ZFS within a zone [ug] Solaris 10 6/06 makes the new ZFS file system available for the first time. Since ZFS is not based on a special mounted device, a mechanism is implemented in the z on ec f g command by which a ZFS file system can be transferred to a zone.
Page 47: Options For Using Zfs In Local Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.6.6. Options for using ZFS in local zones [hes] Depending on the manner of configuration of ZFS in zones, there are different application options for ZFS in zones. ZFS operation in a...
Page 48: Network Concepts
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.7. Network concepts 4.1.7.1. Introduction into networks and zones [dd] A network address is not mandatory when configuring a zone. However, services within a zone can only be reached from the outside through the network. Therefore at least one network address per zone is typically required (configurable with zo n ec fg ).
Page 49: Exclusive Ip Instance
For exclusive IP zones: The firewall and its rules must be configured, started and administered in the respective local zone. IP filter is part of Solaris 10 and OpenSolaris. It contained as a firewall and was extended such that it can also be used as a firewall between a system's shared IP zones.
Page 50: Zones And Limitations In The Network
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.1.7.6. Zones and limitations in the network [dd] Zones have different limitations related to network configurations. The following table shows the differences separated by zone type and IP instance type. Some functionalities can be configured and used within zones themselves (+), affect only the functionality of zones, or can be used by services within a zone, or cannot be used at all in local zones (-).
Page 51: Additional Devices In Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices Effective: 30/11/2009 4.1.8. Additional devices in zones 4.1.8.1. Configuration of devices [ug] In principle, a local zone uses no physical devices. To use network interfaces exclusively in one zone, the zone has to be configured as an exclusive IP zone (4.1.7.4 Exclusive IP instance...
Page 52: Separate Name Services In Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices Effective: 30/11/2009 4.1.9. Separate name services in zones [ug] Name services include among other things the hosts database and the userids (p as sw d , s ha dow ) and are configured with the file / e tc / ns sw i tc h. co n f, which exists separately in each local zone.
Page 53: Paradigms
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.2. Paradigms Paradigms are design rules for the construction of zones. Depending on the application, a decision must be made which one of them should be applied. 4.2.1. Delegation of admin privileges to the application department [ug] Administration of an application can be delegated to the department responsible for the application.
Page 54: One Application Per Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.2.3. One application per zone [ug] Another paradigm is to always install one application per zone. A zone has very little overhead; basically, only the application processes are separated from the rest of the system by tagging them with the zone ID.
Page 55 Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices administrator. With the software products described here, the requirements with respect to visualization and flexibilization of containers right up to disaster recovery concepts can be covered completely. Primary Site...
Page 56: Solaris Container Cluster
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.2.5. Solaris Container Cluster [hs] One of the essential properties of containers is the possibility to delegate administrative tasks to the administrator or the user of one or more containers. If high availability of a container is ensured by the use of the HA Solaris container agent, this is not visible to the administration of the container concerned - which is usually the desired situation.
Page 57: Configuration And Administration
Since Solaris 10 11/06, this can be done with the command z on ea d m c lo n e . Additionally to copying the directories some tests are performed.
Page 58: Automatic Configuration Of Zones By Script
4.3.9. Installation and administration of a branded zone [ug] Branded zones are supported since Solaris 10 8/07. Solaris for x86 contains the brand lx which allows a Linux environment to be made available in a zone. This type of zone can be created as...
Page 59: Lifecycle Management
Further information on the topic of patching can also be found here (http://blogs.sun.com/patch/) and here (http://www.sun.com/bigadmin/features/articles/patch_management.jsp). 4.4.2. Patching with live upgrade [ug/dd] Starting with Solaris 10 8/07, live upgrade can also be applied to patching on zones if the zonepath is located on ZFS. (See also Cookbook: local zones ) .
Page 60: Patching With Upgrade Server
4.4.4. Patching with zoneadm attach -u [ug/dd] With Solaris 10 10/08, the command zo ne a dm a t ta ch -u is available with which a zone can be updated to the status of the new target system during z on ea d m But this does not provide a new upgrade option.
Page 61: Re-Installation And Service Provisioning Instead Of Patching
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.4.6. Re-installation and service provisioning instead of patching [dd] Patching of zones can force zones into single user mode, when system patches are applied. Zone patching can therefore lead into halting the services provided. This service interruption can vary in length depending on the type of the patches, the number of zones and the number of patches to be installed.
Page 62: Backup Of Zones With Zfs
, by transporting the contents there using zf s s en d and z fs re ce i ve . 4.4.9. Migration of a zone to another system [dd] Since Solaris 10 11/06, the functionality of migration of installed local zones from one system to another is possible. This migration is done using stopped zones.
Page 63: Consolidating Log Information Of Zones
[ug] With the p r s t a t command (since Solaris 8), processes with the highest workload can be viewed similar to the command t o p , which is well-known on other platforms. In Solaris 10, the command pr st a t has been extended by the option - Z, which allows the user to see a summary display of the workload for each zone (even the global zone).
Page 64: Dtrace Of Processes Within A Zone
-n io:::start'{@[zonename] = count()}' Starting with Solaris 10 11/06, DTrace can also be applied to processes within the own local zone. The privileges d t r a c e _ p r o c and d t r a ce _ us er need to be assigned to the zone (zo ne cfg :s e t l i m i t p r i v = d e f a u l t ,d tr ac e _p ro c, d tr ac e _u se r ).
Page 65: Resource Management
Unused resource shares are not available to others. Example: resource pools with processor sets 4.6.2. CPU resources [ug] CPU resources can be limited on several different levels in Solaris 10: Capping of CPU time for a zone Resource pools with processor set (global zone only)
Page 66: Fair Share Scheduler (Fss)
The value of z o n e . c p u - s h a r e s must be set in the zone by zo n ec fg : a dd rc tl . From Solaris 10 8/07, the number of shares can be adjusted more easily with z on ec f g: s et cp u - s h a r e s = <...
Page 67: Limiting Memory Resources
Solaris 10 Container Guide - 3.1 4. Best Practices 4.6.3. Limiting memory resources [ug] Memory usage by zones is calculated almost exactly (since Solaris 10 8/07). This is done in the following way: First, the set of all memory segments of the processes in the zone is determined.
Page 68: Limiting Locked Memory
From Solaris 10 8/07, upper limits for these values can be set in the zone configuration. These values can be modified in the zone configuration or from the global zone. The administrator of the local zone is not able to change these values.
Page 69: Solaris Container Navigator
Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices 4.7. Solaris container navigator [dd] The following segment navigates through the considerations required prior to the application of Solaris containers. These include both the examination of applications for compatibility with Solaris containers as well as the selection of various configuration options, and aspects of container installation.
Page 70 Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices A-3: Self-qualification of an application in a container A-3-1: If necessary, note additional details in: “Qualification Best Practices for Application Support in Non-Global Zones” http://developers.sun.com/solaris/articles/zone_app_qualif.html Use of Solaris Application Scanners...
Page 71 Version 3.1-en Solaris 10 Container Guide - 3.1 4. Best Practices B: Determining the configuration of a container B-4: zonecfg:brand=native B-5: Determine container concept sparse root or whole root B-6: Determine file system layout B-7: Determine additional zonecfg:inherit-pkg-dir B-8: Consider access to additional file systems of the global zone;...
Page 72: Cookbooks
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5. Cookbooks The Cookbooks chapter demonstrates the implementation of conceptional Best Practices with concrete examples. 5.1. Installation and configuration 5.1.1. Configuration files [dd] File: /e tc / z o n e s / i n d e x Lists all configured zones of a system, incl.
Page 73: Special Commands For Zones
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.2. Special commands for zones [dd/ug] The creation and usage of zones in Solaris 10 is done by the following commands: Command Description zoneadm(1M) Administration of zones (installation/uninstallation, booting/rebooting/halting, listing)
Page 74: Command Description
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks The following commands allow information to be displayed depending on the zones: Command Description df(1M) displays the zone mounts ifconfig(1M) zone <zonename> assigns a virtual IP address to a zone...
Page 75: Root Disk Layout
Table 9: [dd] Root disk layout Since Solaris 10 10/08, a root file system and the zone path can also be set up on ZFS. This allows ZFS file systems to be used for the individual file systems, and it is not necessary to provide a large number of slices and volumes.
Page 76: Configuring A Sparse Root Zone: Required Actions
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.4. Configuring a sparse root zone: required Actions [dd] To change a sparse root zone into a whole root zone it is necessary to re-install the zone after change of the configuration. Therefore, before starting the configuration, the type of zone to be created must be selected wisely.
Page 77: Configuring A Whole Root Zone: Required Actions
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.5. Configuring a whole root zone: required Actions [dd] Whole root zones do not contain i nh e ri t- p kg -d i r z on ecf g c r e a t e from the default file / e tc/ z on e/ S UN Wd e fa ul t .x ml . Subsequently, all...
Page 78: Zone Installation
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.6. Zone installation [dd] Before using a zone for the first time it must be installed according to your configuration. The installation time varies depending on whether a sparse-root zone or a whole-root zone is installed.
Page 79: Uninstalling A Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.8. Uninstalling a zone [dd] Installed zones are uninstalled by z o n e a dm - z <z o ne > un i ns ta l l . In doing so, the...
Page 80: Configuration And Installation Of A Solaris 8/Solaris 9 Container
1. Planning how the data areas and network interfaces of the sources under Solaris 8 (or Solaris 9) can be represented in the Solaris 10 system. 2. Then the Solaris 8 system is archived. The P2V tool supplied can be used for this, but also any other archiving tool such as tar or cpio.
Page 81: Storage Within A Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.12. Storage within a zone [dd] Storage can be used in different ways in local zones. The type of use can be classified in the following ways: Device or NFS...
Page 82: The Global Zone Mounts A File System When The Local Zone Is Booted
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.12.3. The global zone mounts a file system when the local zone is booted [dd] File systems can be provided to a local zone by the global zone not only as loopback filesystems.
Page 83: User Level Nfs Server In A Local Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.12.5. User level NFS server in a local zone [ug] The native NFS in the Solaris kernel can currently not be used as a server within a local zone. Instead, the unfs3d – an OpenSource NFS server – can be used (see the unfs3 project at SourceForge) which runs completely in userland and is therefore not subject to this limitation.
Page 84 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks For dynamic configuration, the device's major and minor number must be determined. This information can be obtained with the ls command in the global zone. The option -L is important here...
Page 85: Several Zones Share A File System
[ug] ZFS allows additional attributes to be managed for each file system that are stored together with the file system (since Solaris 10 5/08). It is necessary, that the name of these additional attributes contains a ":". These so-called user attributes can both be viewed manually as well as be used in scripts.
Page 86: Configuring A Zone By Command File Or Template
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.1.13. Configuring a zone by command file or template [dd] Zones can be configured by using command files for zo ne c fg or by the use of templates. This allows quick and automatic configuration of many zones avoiding errors.
Page 87: Accelerated Automatic Creation Of Zones On A Zfs File System
1001177 With Solaris 10 11/06, the feature "Secure by default" was introduced for network services which allows all network services except for s s h d to be turned off or reconfigured by calling up n et ser vi ce s l i m i t e d such that they will only react to requests by lo c al ho s t. As a result, considerable safeguarding of zones in networks is possible using simple means.
Page 88: Network
[dd] In the zone configuration, the default router can be specified for a zone with a shared IP instance. Using this configuration option ensures that a certain network route is available in the global zone when a zone is booted (since Solaris 10 11/08) global# zonecfg -z keetonga zonecfg:keetonga>...
Page 89: Change Network Configuration From Shared Ip Instance To Exclusive Ip Instance
[dd] Zones that are already configured are run with shared IP instances up to Solaris 10 11/06. With the introduction of Solaris 10 8/07, it is possible to run zones with an own IP stack. Such a zone needs a different configuration, where ip-type is set to exclusive and the zone needs a physical interface or a tagged VLAN interface assigned.
Page 90: Ip Filter Between Exclusive Ip Zones On A System
If separation is required at the physical network level, it can be implemented by separate systems, Solaris domains or – since Solaris 10 8/07 – by exclusive IP instances. 5.2.7.1. Global and local zone with shared network [dd/ug] Two local zones, zone1 and zone2, are located in the same network segment as the global zone.
Page 91: Zones In Separate Network Segments Using The Shared Ip Instance
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.2. Zones in separate network segments using the shared IP instance [dd/ug] Two local zones, zone1 and zone2, are located in separated network segments and provide services for these network segments.
Page 92: Zones In Separate Network Segments Using Exclusive Ip Instances
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.3. Zones in separate network segments using exclusive IP instances [dd/ug] Two local zones, zone1 and zone2, are located in separated network segments and provide services for these network segments.
Page 93: Zones In Separate Networks Using The Shared Ip Instance
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.4. Zones in separate networks using the shared IP instance [dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services for other networks. Each local zone should have its own physical interface in the network.
Page 94: Zones In Separate Networks Using Exclusive Ip Instances
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.5. Zones in separate networks using exclusive IP instances [dd] Two local zones, zone1 and zone2, are located in separated networks and provide services for other networks. Each local zone should have its own physical interface in the network.
Page 95: Zones Connected To Independent Customer Networks Using The Shared Ip Instance
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.6. Zones connected to independent customer networks using the shared IP instance [dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services for a variety of customers in their own networks.
Page 96 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 192.168.101.0 Customer Network 192.168.101.201 192.168.201.2 router bge1:1 - 192.168.201.1 Def router - 192.168.201.2 reject route 192.168.201.1 Figure 36: [dd] Zones connected to independent customer networks using the shared IP instance bge2:2 - 192.168.202.1...
Page 97: Zones Connected To Independent Customer Networks Using Exclusive Ip Instances
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.7. Zones connected to independent customer networks using exclusive IP instances [dd/ug] Two local zones, zone1 and zone2, are located in separated networks and provide services for a variety of customers in their own networks.
Page 98: Connection Of Zones Via External Routers Using The Shared Ip Instance
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 192.168.101.0 Customer Network 192.168.101.201 192.168.201.2 router bge1 - 192.168.201.1 Def router - 192.168.201.2 ip type: exclusive Figure 37: [dd] Zones connected to independent customer networks using exclusive IP instances 5.2.7.8. Connection of zones via external routers using the shared IP instance [dd/ug] A web server in zone1 is contacted from the internet and needs the application server in zone2 to fulfill the orders.
Page 99 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks In order to avoid communication between the local zones through the shared TCP/IP stack, reject routes must be set in the global zone that prevent communication between the IP addresses of the two zones (or the use of ipfilter).
Page 100: Connection Of Zones Through An External Load Balancing Router Using Exclusive Ip Instances
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.2.7.9. Connection of zones through an external load balancing router using exclusive IP instances [dd/ug] A web server in zone1 is contacted from the internet and needs the application server in zone2 to fulfill the orders.
Page 101 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 192.168.200.2 Addressing zone 2 as 192.168.102.1 bge2 - 192.168.201.2 bge3 - 192.168.201.1 ip type: exclusive bge1 - 192.168.200.1 Zone 2.1 Def router - 192.168.200.2 ip type: exclusive Zone 1 bge0 - 192.168.1.1...
Page 102: Lifecycle Management
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.3. Lifecycle management 5.3.1. Booting a zone [dd] zo ne adm - z < z o n e > b o o t starts up a zone, mounts the file systems, initializes the network interfaces, sets the resource controls and starts the service manager of the zone.
Page 103: Software Installation Per Mount
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Alternatively, set the boot arguments permanently in a zone configuration: global# zonecfg -z keetonga zonecfg:keetonga> info bootargs bootargs: zonecfg:keetonga> set bootargs="-m verbose" zonecfg:keetonga> info bootargs bootargs: -m verbose zonecfg:keetonga> commit zonecfg:keetonga>...
Page 104: Software Installation With Provisioning System
5.3.5. Zone migration among systems [dd] Starting with Solaris 10 11/06, zones can be moved among physical systems. This can be achieved with z o n e a d m d e t a c h / a t t a c h . The following conditions must be observed before...
Page 105: Zone Migration Within A System
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.3.6. Zone migration within a system [ug] Let us assume that a zone named "test" is to be moved to another directory. Currently, this zone is located on /export/home/zone/test (zonepath).
Page 106: Duplicating Zones With Zoneadm Clone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.3.7. Duplicating zones with zoneadm clone [ug] Zone installation can be accelerated with z o ne ad m . .. c l on e . In this example, a zone named test is already configured and installed.
Page 107 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Now, zone test1 is configured in exactly the same way as zone test but has its own zonepath. global# zonecfg -z test1 info zonename: test1 zonepath: /container/test1 brand: native autoboot: false...
Page 108: Duplicating Zones With Zoneadm Detach/Attach And Zfs Clone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.3.8. Duplicating zones with zoneadm detach/attach and zfs clone [ug] First, the zone "test" is moved to its own ZFS file system. The file system must only be available from root otherwise an error message will appear.
Page 109: Moving A Zone Between A Sun4U And A Sun4V System
CMT computers (Chip Multi Threading) with many cores and threads as well as virtualization support. The computer architectures differ slightly at the HW/SW interface, a fact that is reflected in a Solaris 10 installation by different contents in the filesystem.
Page 110 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Next, the zone is to be transported to a sun4v system named bashful. To do so, the contents and the configuration are saved: root@tiger [23] # cd /zone root@tiger [23] # tar cEvf u0.tar u0 root@tiger [24] # zonecfg -z u0 export >u0.export...
Page 111: Shutting Down A Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.3.10. Shutting down a zone [dd] Zones can be shut down from the local zone itself or from the global zone. Depending on which option is used, running services are either completed or simply stopped.
Page 112 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks The BE is now available e.g. under /.alt.s10-807+1. Next, the boot archive of this BE is updated and the BE is unmounted again. bootadm update-archive -R /.alt.s10-807+1 luumount s10-807+1 Finally, the new BE can be activated. To run the new BE, the total system must be restarted. It is important that live upgrade performs a final synchronization when turning the current BE off.
Page 113: Management And Monitoring
Unix accounting. With Solaris 10, a library (libe x a cc t (3L I B )) and an example program (/ u sr / de mo / libe xa cc t / ) are included that allow the accounting records to be analyzed easily.
Page 114: Resource Management
5.5.2. Limiting the CPU usage of a zone (CPU capping) [dd] Since Solaris 10 5/08, it is possible to cap the CPU time for a zone. CPU shares can be specified as potential capping values. Thus, the value 1.5, for example, represents a whole CPU and a half.
Page 115: Fair Share Scheduler
Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks 5.5.4. Fair share scheduler [ug] The ratio of CPU usage between zones or projects can be set. This is implemented by he so-called fair share scheduler. CPU shares are allocated as follows: For zones, by using a d d r c t l and the attribute zo n e.
Page 116: Dynamic Resource Pools For Zones
[dd] As already described in 4.6.2.5 Dynamic resource pools be used for zones since Solaris 10 8/07. The number of CPUs required is specified in the zone configuration. If the corresponding zone is started up, a temporary resource pool is created and assigned to the starting zone.
Page 117: Limiting The Physical Main Memory Consumption Of A Project
5.5.11. Implementing memory resource management for zones [dd] According to 4.6.3 Limiting memory resources zone can be limited starting with Solaris 10 8/07. The configuration for this takes place in the zone configuration. global # zonecfg -z zone1 zonecfg:zone1> add capped-memory zonecfg:zone1:capped-memory>...
Page 118 Version 3.1-en Solaris 10 Container Guide - 3.1 5. Cookbooks Settings for swap (= virtual memory), locked memory and other resource controls of a zone can be queried at runtime with p r c t l - i z o n e < zo ne > .
Page 119: A.1. Opensolaris – General
With respect to their functionality and use, OpenSolaris zones are comparable to Solaris 10 zones. Likewise, the resource manager functionalities of OpenSolaris are at least identical to those of Solaris 10 and in part enhanced. The following differences exist between the ipkg brand and the native brand: ipkg zones are very small (approx.
Page 120: Cookbook: Configuring An Ipkg Zone
Version 3.1-en Solaris 10 Container Guide - 3.1 A. Solaris Container in OpenSolaris A.1. Cookbook: Configuring an ipkg zone The configuration of the zone is done as usual with z on e cf g( 1M ) . root@cantaloup:~# zonecfg -z keetonga keetonga: No such zone configured Use 'create' to begin configuring a new zone.
Page 121: References
Menno Lageman, "Solaris Containers --What They Are and How to Use Them", Sun Blueprint, May 2005, http://www.sun.com/blueprints/0505/819-2679.pdf Sun Microsystems Inc., "System Administration Guide: Solaris Containers-Resource Management and Solaris Zones", http://docs.sun.com/app/docs/doc/817-1592 Solaris 10 Manual, 2006, OpenSolaris Project: "Crossbow: Network Virtualization and Resource Control"...

Sun Microsystems SOLARIS 10 Manual

Disclaimer

Revision Control

1 Introduction

2 Functionality

3 Use Cases

4 Best Practices

5 Cookbooks

Supplement

Quick Links

Need help?

Questions and answers

Related Manuals for Sun Microsystems SOLARIS 10

Summary of Contents for Sun Microsystems SOLARIS 10

Table of Contents