Introducing Solaris Zones
John Beck <jbeck+news at eng.sun.com>
From: John Beck <jbeck+news at eng.sun.com>
Newsgroups: comp.unix.solaris
Subject: Introducing Solaris Zones
Date: Wed, 25 Feb 2004 22:23:34 +0000 (UTC)
Organization: Sun.Software.Solaris
Lines: 173
Message-ID: <c1j796$24c$1@news1nwk.SFbay.Sun.COM>
NNTP-Posting-Host: opal.sfbay.sun.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: news1nwk.SFbay.Sun.COM 1077747814 2188 129.146.86.88 (25 Feb 2004 22:23:34 GMT)
X-Complaints-To: usenet@news1nwk.sfbay.sun.com
NNTP-Posting-Date: Wed, 25 Feb 2004 22:23:34 +0000 (UTC)
X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.3

Hello world,

Solaris Express 02/04 is now available, and this post is to announce one of the exciting new features, a means of partitioning a single Solaris instance into isolated application environments called "zones." (Note that Zones and Resource Management are related subsets of "N1 Grid Containers"; N1GC = S10RM + Zones.) Each zone can be separately administered and each zone can run an independent set of applications.

Zones allow one or more processes to run in isolation from other activity on the system. Processes running in a given zone cannot monitor or affect processes running in other zones. For example, a process running in a zone will only be able to send signals to other processes in the same zone, regardless of user id and other credential information. Likewise, processes in zones will be unable to control global aspects of the system configuration such as run level, most physical devices, and network routing tables. (The exception is the global zone, which is discussed under Security, below.)

Features:

* Security

Network services can be run in a zone, limiting the potential damage in the event of a security violation. No process running within a zone, even one with superuser credentials, is allowed to affect activity in other zones. Certain activities, such as rebooting or shutting down the system as a whole, will only be permitted in the global zone.
An administrator logged into the global zone can monitor the activity of applications running in other zones and control the system as a whole. The global, or default, zone will always exist.

* Isolation

Zones allow the deployment of multiple applications on the same machine, even if the applications operate in different trust domains, require exclusive use of a global resource, or present difficulties with global configurations. Individual zones can have their own set of users and their own root password, and when a zone is rebooted, any other zones running on the system are unaffected.

* Virtualization

Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from the application. This can be useful in supporting rapid deployment and redeployment of applications, since the same environment can be maintained on different physical machines.

* Granularity

Zones can provide isolation at almost arbitrary granularity. A zone does not require a dedicated CPU, physical device, or chunk of physical memory. These resources can either be multiplexed across a number of zones running within a single system, or allocated on a per-zone basis using resource management features available in the operating system.

* Transparency

Zones avoid changing the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, they provide the standard Solaris interfaces and application environment, with some restrictions that affect applications attempting to perform privileged operations.

Here is a sample session of configuring, installing and booting a zone; note that the zlogin command in the second window is run between commands 7 and 8 in the first window.
----- cut here: start first window -----
[root:1] zoneadm list -cv
  ID NAME     STATUS     PATH
   0 global   running    /
[root:2] zonecfg -z luke
luke: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:luke> create
zonecfg:luke> set zonepath=/export/home/luke
zonecfg:luke> set autoboot=true
zonecfg:luke> add inherit-pkg-dir
zonecfg:luke:inherit-pkg-dir> set dir=/opt
zonecfg:luke:inherit-pkg-dir> end
zonecfg:luke> add net
zonecfg:luke:net> set address=129.146.86.66/24
zonecfg:luke:net> set physical=eri0
zonecfg:luke:net> end
zonecfg:luke> verify
zonecfg:luke> commit
zonecfg:luke> ^D
[root:3] zoneadm list -cv
  ID NAME     STATUS     PATH
   0 global   running    /
   - luke     configured /export/home/luke
[root:4] zoneadm -z luke install
Preparing to install zone <luke>.
Creating list of files to copy from the global zone.
Copying <2203> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <905> packages on the zone.
Initialized <905> packages on zone.
Successfully initialized zone <luke>.
[root:5] zoneadm list -cv
  ID NAME     STATUS     PATH
   0 global   running    /
   - luke     installed  /export/home/luke
[root:6] cat /usr/local/etc/luke.sysidcfg
system_locale=C
terminal=xterm
network_interface=primary { hostname=luke }
security_policy=NONE
name_service=NIS { domain_name=sunsoft.eng.sun.com }
timezone=US/Pacific
root_password=4bw/KFH3xRPUE
[root:7] cp /usr/local/etc/luke.sysidcfg /export/home/luke/root/etc/sysidcfg
[root:8] zoneadm -z luke boot
[root:9] zoneadm list -cv
  ID NAME     STATUS     PATH
   0 global   running    /
   1 luke     running    /export/home/luke
[root:10]
----- cut here: end first window -----

----- cut here: start second window -----
[root:1] zlogin -C luke
[Connected to zone 'luke' console]
[NOTICE: zone booting up]

SunOS Release 5.10 Version s10_51 64-bit
Copyright 1983-2004 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: luke
The system is coming up.  Please wait.
starting rpc services: rpcbind keyserv ypbind done.
rebooting system due to change(s) in /etc/default/init

[NOTICE: zone rebooting]

SunOS Release 5.10 Version s10_51 64-bit
Copyright 1983-2004 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: luke
The system is coming up.  Please wait.
NIS domain name is sunsoft.eng.sun.com
starting rpc services: rpcbind keyserv ypbind done.
syslog service starting.
/etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
The system is ready.

luke console login:
----- cut here: end second window -----

We encourage you to check out the AnswerBook at BigAdmin:

    http://www.sun.com/bigadmin/content/zones

Or better yet, go to:

    http://wwws.sun.com/software/solaris/solaris-express/get.html

There you can download Solaris Express 02/04 and try Zones yourself!

Enjoy,

-- John Beck and the rest of the Zones team
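The first-window sequence above, scripted as an added example that is not code from the original post or from the Zones team: zone_cmds reproduces the zonecfg dialogue non-interactively, zone_status reads the STATUS column back from zoneadm list -cv so the boot step only runs once the zone is installed, and install_sysidcfg performs step 7 with owner-only permissions because the file carries the root password hash. It assumes zonecfg accepts a command file via -f and that zoneadm list -cv prints the four columns shown above; the sample listing inside the script is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: the zonecfg/zoneadm
# sequence from the first window, scripted so each step is checkable.
# Assumptions: zonecfg -f reads a command file; 'zoneadm list -cv' prints
# the ID NAME STATUS PATH columns as shown in the post.

# zonecfg commands equivalent to the interactive session, parameterised.
zone_cmds() {   # $1=zone $2=zonepath $3=address/prefix $4=physical NIC
    printf '%s\n' create "set zonepath=$2" "set autoboot=true" \
        "add inherit-pkg-dir" "set dir=/opt" end \
        "add net" "set address=$3" "set physical=$4" end \
        verify commit
}

# Print the STATUS column for zone $1 from 'zoneadm list -cv' text on stdin
# (no output means the zone is not configured at all).
zone_status() {
    awk -v z="$1" '$2 == z { print $3 }'
}

# Step 7, but owner-only: sysidcfg holds the root password hash and should
# not be readable by other users of the global zone.
install_sysidcfg() {   # $1=source file $2=zonepath
    dest="$2/root/etc/sysidcfg"
    mkdir -p "$2/root/etc" && cp "$1" "$dest" && chmod 600 "$dest"
}

# Steps 2-8 of the first window; boots only once zoneadm reports 'installed'.
create_zone() {   # $1=zone $2=zonepath $3=address/prefix $4=NIC $5=sysidcfg
    cmdfile=$(mktemp) || return 1
    zone_cmds "$1" "$2" "$3" "$4" > "$cmdfile"
    zonecfg -z "$1" -f "$cmdfile"; rc=$?; rm -f "$cmdfile"
    [ "$rc" -eq 0 ] || return 1
    zoneadm -z "$1" install || return 1
    st=$(zoneadm list -cv | zone_status "$1")
    [ "$st" = installed ] || { echo "zone $1 is '$st', not installed" >&2; return 1; }
    install_sysidcfg "$5" "$2" || return 1
    zoneadm -z "$1" boot
}

# Constructed sample of 'zoneadm list -cv' output after step 4 (not captured
# from a real system), for exercising zone_status offline.
SAMPLE_LIST='  ID NAME     STATUS     PATH
   0 global   running    /
   - luke     installed  /export/home/luke'
```

On a real system the whole sequence is `create_zone luke /export/home/luke 129.146.86.66/24 eri0 /usr/local/etc/luke.sysidcfg`; the console attach from the second window (`zlogin -C luke`) is still run by hand.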
Last changes: Friday, March 23, 2007 08:27:10 AM
© 2004 filibeto.org