Softpanorama


Solaris Zones History

[Dec 15, 2005] Blueprint/Web Consolidation on the Sun Fire T1000 using Solaris Containers by Kevin Kelly

... Recent studies describe the challenges IT managers face administering the proliferation of x86-based servers used to run web services applications.... The combined capabilities of the Sun Fire T1000 server and Solaris Containers technology in particular offer significant promise as a web-tier consolidation platform....

This paper explores the configuration and testing of the Sun Fire T1000 server as a web-tier consolidation platform. It discusses methodologies used to consolidate multiple web servers onto a single Sun Fire T1000 server, and explains the steps used to configure the Solaris Containers. In addition, to determine the effectiveness of this approach, testing was performed to evaluate the consolidated Sun Fire T1000 system against a baseline configuration of current Xeon servers, a popular choice as web server platform.

Sun BluePrints Online - Articles May 2005

Over the years businesses have been building large-scale information systems to solve business problems, with a focus on building scalable and highly available IT infrastructures that can adapt to change. Providing sufficient availability and performance for business applications was the primary driver for these efforts. Today, the need to protect technology investments and provide the same service levels at a lower price point is shifting the focus to reducing IT infrastructure cost and improving end user service level management. To help this effort, the Solaris Operating System includes Solaris Containers, a mechanism that provides isolation between software applications or services using flexible, software-defined boundaries.

This Sun BluePrint article discusses the challenges organizations face in dealing with resource and workload management. Solaris Containers, and their constituent technologies (projects, resource pools, Zones) are introduced and explained. Worked examples that show these technologies solving resource and workload management problems provide practical examples of how to use these technologies.

Note: This article is available in PDF Format only.

[Mar 11, 2005] Learning Solaris 10 » Zones Unofficial FAQ

This FAQ is NOT coming from an official Sun Source, be careful ! Still, I hope and believe that the answers are correct and will be very happy to correct them if they’re not.

Last updated : May 19 2005

Recent modifs : 1.3

Section 1 : Support

1.1 Do I need special hardware for running Zones ?
1.2 Which applications are supported to run on Zones ?
1.3 What about license costs if I run my application in a Zone on a specific number of CPUs?

Section 2 : Creation - Configuration

2.1 What are these four “add-inherit-pkg-dir” in my zone configuration and may I remove them?
2.2 Which kind of devices may I NOT add using the zonecfg “set devices” command?
2.3 How do I add a special netmask for a zone’s IP address?
2.4 How to hide a subdirectory of a directory that is loopback mounted from the Global zone?
2.5 How do I add a filesystem to my non-global zone?

Section 3 : Administration

3.1. Why is snoop not working in a non-global zone?
3.2. How do I block traffic between non-global zones?
3.3. What is the patches story in non-global zones?

Section 4 : Integration with other Solaris features

4.1 : Zones & IPFilter?
4.2 : Zones & ZFS?
4.3 : Zones & IPQoS?
4.4 : Zones & IPsec?
4.5 : Zones & IPMP?
4.6 : Zones & DTrace?
4.7 : Zones & SunCluster?
4.8 : Zones & Solaris Volume Manager?
4.9 : Zones & Process Rights Management?

Section 6: files, commands & daemons

6.1 The zoneadmd daemon
6.2 The zsched daemon
6.3 The zcons driver
6.4 The zonecfg command
6.5 The zoneadm command
6.6 The zlogin command
6.7 The /etc/zones/my-zone.xml file
6.8 The /etc/zones/index file
6.9 The /etc/zones/SUNWdefault.xml file
6.10 The /etc/zones/SUNWblank.xml file

[Apr 5, 2005] BigAdmin Feature Article Consolidation Demo Using Solaris Containers

The goal is to demonstrate the capabilities of the Solaris 10 Operating System, using the Solaris Zones feature and Solaris Containers technology in an everyday situation, to facilitate and encourage customer adoption.

Equipment (Minimum)

Two zones are configured to be used as containers for an RDBMS and a web server. Some parameters are modified for each zone, to control the CPU and other resources in use, according to each application.

The demo is carried out simulating the load from the web server that is accessing information contained in the database. These two applications were selected because they solve a real business problem, but their different natures make them unsuited to share resources inside a traditional server or partition.

Steps

Preparations: Before installing the OS, prepare three IP addresses and CDs with Solaris 10 build 63, MySQL, and the Apache web server.

Note: You can get the Solaris 10 OS from the web site of the Sun Software Express program, and the other software from SunFreeware. If you need to simulate the load on the applications to check the boundaries of the containers, use the "CPU spinner" as described in Step 8 of the following Cookbook section.

  1. Install the Solaris OS.
  2. Configure the system after installation.
  3. Create the structure to hold the zones.
  4. Create and install two new zones.
  5. Update the resources for each zone including the global zone.
  6. Install and configure the RDBMS.
  7. Install and configure the web server.
  8. Create workloads.
  9. Monitor performance and manage resources.

Dan Price Blog: The View from the Moon Remote, Secure Zone Console Login

I have heard from a number of customers that folks would like remote login to zone consoles. In particular, they would rather not give out logins to the global zone in order to allow zone logins. (Really: I don't spend all of my time on the zones console...).

Fortunately, we can handle this in a nice way already. (Disclaimer: Please note that as stated by the script, the following techniques have not been subject to a rigorous security audit. I believe this technique to be sound, but neither I nor Sun warrant it to be so.)

To start, we'll add a user account to /etc/passwd for each zone we want to set up this way:

# cat >> /etc/passwd
z1:x:999999:999999:xanadu-z1:/tmp:/opt/extras/zoneshell
^D

# pwconv
# passwd z1
New Password: xxxyyy
Re-enter new Password: xxxyyy
passwd: password successfully changed for z1

In this case, the zone name is xanadu-z1 and we've picked a nice large UID and group ID. You could use whatever you like (but not a UID in use for something else! and never 0); you'll want a separate UID for each zone. In this case, /opt/extras/zoneshell is set as the z1 user's shell. We picked 'z1' as the account name because UNIX systems are typically limited to 8 letter account names (LOGNAME_MAX); since xanadu-z1 is 9 characters long (and zone names may be up to 64 characters long), we need to pick a convention to shorten things.

The zoneshell script is here; the script itself is very simple: it looks up the entry in /etc/passwd and executes zlogin -C for the zone named in the GECOS field.

Finally, we need to give the z1 account the ability to run zlogin; we do that by modifying the RBAC attributes for the z1 user.

# cat >> /etc/user_attr
z1::::profiles=Zone Management
^D


So, here's what it looks like:

$ ssh -l z1 xanadu
Password:xxxyyyy
Last login: Tue Jan 25 13:54:01 2005 from xxx
warning: using experimental, unsupported 'zoneshell'
[Connected to zone 'xanadu-z1' console]

I'd appreciate any feedback on whether this is helpful, or not!
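The wrapper described in the post, sketched as an added example; this is not the zoneshell script the post links to. It resolves the caller's UID to a passwd entry, checks the GECOS field against the zone naming rules before using it, and ignores its own arguments. Assumptions: a POSIX shell, `id -u` being available, and `pfexec` as the way the RBAC profile is applied; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the blog's zoneshell script). Needs a POSIX shell: on
# Solaris 10 /bin/sh is the older Bourne shell, so point the first line at a
# POSIX shell there.

PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Print the GECOS field of the entry in passwd file $1 whose UID is $2.
gecos_for_uid() {
    while IFS=: read -r _name _pw uid _gid gecos _home _shell; do
        if [ "$uid" = "$2" ]; then
            printf '%s\n' "$gecos"
            return 0
        fi
    done < "$1"
    return 1
}

# Accept only strings that can be zone names: first character alphanumeric,
# the rest alphanumeric or . _ -, not "global", not starting with SUNW, and
# no longer than the 64 characters mentioned in the post.
valid_zone_name() {
    case "$1" in
        ''|global|SUNW*)     return 1 ;;
        [!A-Za-z0-9]*)       return 1 ;;
        *[!A-Za-z0-9._-]*)   return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Map UID $2 to its zone using passwd file $1; print the zone name on
# success, a diagnostic on stderr otherwise.
zone_for_uid() {
    [ "$2" != 0 ] || {
        echo "zoneshell: refusing to run for UID 0" >&2; return 1; }
    zone=$(gecos_for_uid "$1" "$2") || {
        echo "zoneshell: no passwd entry for UID $2" >&2; return 1; }
    valid_zone_name "$zone" || {
        echo "zoneshell: GECOS field is not a usable zone name" >&2; return 1; }
    printf '%s\n' "$zone"
}

# Login-shell entry point. Arguments are ignored on purpose: sshd passes a
# requested remote command as "-c <command>", and the only thing this
# account may do is attach to its own zone console.
zoneshell_main() {
    zone=$(zone_for_uid "$PASSWD_FILE" "$(id -u)") || exit 1
    # Assumption: pfexec applies the "Zone Management" profile from user_attr.
    exec /usr/bin/pfexec /usr/sbin/zlogin -C "$zone"
}

# Run only when installed under the name "zoneshell", so the functions above
# can be sourced or tested without attaching to a console.
case "${0##*/}" in
    zoneshell) zoneshell_main ;;
esac
```
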

docs.sun.com System Administration Guide Solaris Containers-Resource Management and Solaris Zones Using patchadd in the Global Zone

To add a patch to the global zone and to all non-global zones, run patchadd as the global administrator in the global zone.

When patchadd is used in the global zone, the following conditions apply:

When you add a patch to the global zone and to all non-global zones, you do not have to consider whether the patch affects areas that are shared from the global zone.

The following steps are performed by the patchadd utility:

[Mar 22, 2005] Solaris Forums - zones and patching

Re: zones and patching
Author: Darren_Dunham
Mar 22, 2005 3:46 PM (reply 1 of 2)

> Hi, I'm fairly new to Solaris so sorry for possible
> dumb question.
> When I do patch OS in global zone are those changes
> reflected in sub-zones as well ? I do assume they are
> not, right ?

Actually, they usually are. If the patch doesn't apply to another zone (usually due to package differences), then it won't be applied. Otherwise it is. In a few cases, you can patch a non-global zone, but only if the packages allow it.

The docs have quite a bit of information on this.

http://docs.sun.com/app/docs/doc/817-1592/6mhahuoqn?a=view

[Mar 25, 2005] Solaris Forums - Log Files

Re: Log Files
Author: Darren_Dunham
Mar 23, 2005 11:50 AM (reply 1 of 2)

> If for example you have 5 zones installed will the
> global zones /var/adm/messages show up in the 5 zones
> log files

No. The general philosophy is that someone on a non-global zone should not have visibility into other zones or the global zone (without it being explicitly done).

Having /var/adm/messages visible into another zone could release information that you don't want. So each has their own syslog.

--
Darren

Re: Log Files
Author: emacs-user
Mar 25, 2005 8:23 AM (reply 2 of 2)

Yes, /var/adm/messages will show up in each zone, and they will be separate files.

However, if you want to have integrated logging, use syslog to send the syslog output from each zone to the global zone's syslog.

[Mar 14, 2005] Solaris Forums - Enforcing non-global zone auditing from global zone

Enforcing non-global zone auditing from global zone Author: vladgrama

Hello,

You have two choices for configuring auditing with zones: either you have one daemon in the global zone auditing everything or you configure per-zone audit daemons (by setting the perzone policy)

What wasn't clear from documentation, but I realized in practice is that even if there is just one audit daemon in the global zones, the events that are audited in the non-global zones are the ones specified in the audit_control file from the non-global zone. This means that root in a non-global zone can alter the audit_control file and practically disable auditing for the zone by removing all flags.

I would like to have an option where the global zone has full control over what events are logged from a non-global zone. So that root in the non-global zone can't change that.

A workaround for me was to make /etc/security an inherit-pkg-dir thus the audit_control file can no longer be modified from nonglobal zones. However I think a cleaner solution would be desirable in the future.

Vlad.
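A check the global administrator can run for the situation described in the post above, as an added example that is not part of the original thread: it compares the `flags:` line of a zone's audit_control with the global zone's and reports audit classes that were removed. Assumptions: the zone's file is read from the global zone at `<zonepath>/root/etc/security/audit_control`, the comparison is a strict token match (prefixes such as `+` or `-` and the `all` class are not expanded), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a non-global zone whose audit_control no longer
# lists the audit classes the global zone expects. Needs a POSIX shell.

# Print the classes on the "flags:" line of audit_control file $1, one per
# line, sorted. "naflags:" is a separate setting and is not matched.
audit_flags() {
    sed -n 's/^flags:[[:space:]]*//p' "$1" |
        tr ',' '\n' | sed 's/[[:space:]]//g' | grep -v '^$' | sort -u
}

# Print every class present in baseline file $1 but absent from zone file $2.
missing_flags() {
    base=$(audit_flags "$1")
    zone=$(audit_flags "$2")
    for class in $base; do
        printf '%s\n' "$zone" | grep -Fx -- "$class" >/dev/null ||
            printf '%s\n' "$class"
    done
}

# Report on one zone. $1 = global zone's audit_control, $2 = the zone's
# audit_control as seen from the global zone, $3 = zone name for the report.
# Returns 0 if nothing is missing, 1 if classes were dropped, 2 if the
# zone's file cannot be read.
check_zone_audit() {
    if [ ! -r "$2" ]; then
        echo "$3: audit_control missing or unreadable"
        return 2
    fi
    gone=$(missing_flags "$1" "$2" | paste -sd, -)
    if [ -n "$gone" ]; then
        echo "$3: missing audit classes: $gone"
        return 1
    fi
    echo "$3: ok"
}
```

Run it from the global zone for each zone, for example from cron, passing `/etc/security/audit_control` as the baseline.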

[Mar 16, 2005] Re: Zones and projects Author: izfromsun

Do you know about 'prctl' ?

http://docs.sun.com/app/docs/doc/816-5165/6mbb0m9p5?a=view

zones are a natural extension of projects (i.e. a secure containment for projects, if you will). The header for 'prctl' man page doesn't include zones:

prctl– get or set the resource controls of running processes, tasks, and projects

...but some of the parameters do accept 'zone' as an argument.

Could that help ?

the other thing may be worth trying is to create a pool ,then a pset, then associate a pool with a pset (all with 'poolcfg') [ wrapped around with 'pooladm(1M)' ]

then... 'poolbind' the zoneid to the resource pool like so:
'poolbind -p zone_pool -i zoneid 2'

(where zoneid is seen from: 'zoneadm list -vi')

-Isaac

[Mar 17, 2005] Re: rcapd and zones. Author: vladgrama

I've just found the answer for my "limiting zone RSS" question in topic
http://forum.sun.com/thread.jspa?threadID=22407&tstart=15

I quote from there:

David.Comay:

There isn't yet support for something like zone.max-rss but it's
indeed something that we're looking at doing. At the moment,
the non-global zone administrator can configure rcapd(1M) inside
the zone but the global zone administrator does not have a way of
limiting an individual zone's memory usage.

For now, for me it's enough that I can use rcapd inside a zone. Maybe explicitly saying this in the docs/man pages would be useful.

[Mar 11, 2005] BigAdmin Feature Meet the Architects Software Express for Solaris (Solaris 10) Andrew Tucker -- Solaris Zones Architect

Solaris Zones (a component of the N1 Grid Container functionality) is a new feature for maximizing the use of your Solaris systems, and getting "better bang for the buck." Zones allow unrelated applications to be run on the same system in a way that isolates each application from the rest, avoiding the security and configuration problems that can occur when running applications together. Each zone is an application environment that includes a set of processes, a part of the file system hierarchy, and one or more network interfaces. To an application or user in a zone, it looks like they have a full Solaris system to themselves -- when in fact they may be sharing it with a number of other zones on the same system. Zones also allow delegated administration: Each zone can have a different root password, and the root user in one zone isn't able to affect anything outside his or her zone.

The original idea for zones started a number of years ago when we were talking with customers about server consolidation. At the time, we had added a number of resource management features to the Solaris OS, allowing an administrator to control how CPUs were allocated to different applications. Customers were interested in improving the utilization of their servers, but were unable to "stack" or consolidate multiple applications on the same box. Some of the reasons for this were related to resource allocation, but many were due to the need to isolate applications in terms of configuration, security, and administration.

We developed zones as a way to address these problems. Now, multiple applications running on the same system (but in different zones) can be completely isolated --- even if someone gains super-user access in one zone due to a security hole they won't have access to the rest of the zones in the system. And we can do this in a way that is lightweight and flexible. There's still only one operating system instance to patch, back up, monitor, and so on. And you can use zones on anything from a single-CPU 1U server to a 72-CPU Sun Fire 15K server.

[Mar 7, 2005] System Administration Guide- Solaris Containers [PDF]

Jan 2005 update. This is a large old guide (334 pp). Contains an example of zone creation.

[Mar 7, 2005] Solaris Forums - Solaris Zones

Zone Best Practice Author: birkbeck01

I am wondering how best to use zones and if Sun says that there is no (or little) performance lost using zones should we be using zones for all software. i.e. Give no user access to the global zone.

Possible setup:
1) Set up Solaris 10 and Global zone with no USER Access and no real software installed/running (unless it is needed for zones)!!

2) Set up 1 or more zones where you run all your applications and user access.

and of course the leading question should you have 1 zone or many zones e.g. a zone runs one piece of software (oracle, ldap server, computer server, http)

Andrew

Solaris 10 for Experienced System Administrators :: SA-225-S10

Has a zone lab that creates one network zone. It also discusses configuring resource pools (poolcfg), fair share scheduling (FSS) and resource capping (memory cap, etc).

Peter's Solaris Zone -- A minimalist zone needs about 50Meg of disk and 15Meg of memory to support 10 processes.

My favourite feature in Solaris 10 is zones. (I don't care what Sun marketing call 'em this week, either. They're zones.) Isolated containers that give the appearance of a separate system to applications while being hosted by a master system.

This little test was inspired by the desire to be able to run individual applications in isolated managed environments. I'm thinking of servers such as tomcat or mysql, where you only want enough support to run the one application, and you only need a single network port to gain access.

One of the problems with mysql, tomcat, and other similar servers, is that you can generally only run one instance on a machine. Yes, you can hack it so that you can fiddle port numbers and the like to get multiple copies running, but the idea here was to run the applications inside their own zones. That way, they think they have the machine to themselves and the multiple instances don't conflict with each other. You only need to communicate from the global zone, so you can send all traffic over the loopback.

Big Bubbles (no troubles) Running WebSphere in a Solaris zone

"My new rule of thumb is that absolutely no Internet facing service be run in anything but a non-global zone. Anything less is being reckless."
- Jarod Jenson, Aeysis

OK, right, that's the new paradigm, is it? Let's see if we can make IBM WebSphere Application Server run inside a non-global zone then.

There ought to be a number of advantages to this architecture:

Jimmy Andriambao's Weblog Weblog What is a Solaris Zone ? How to set it quickly ?

A “Zone” is what you can imagine as a virtual machine. You can install another Solaris operating system into and from the same host. It means that the main operating system, named "Global Zone", will host one or more OSes. You can see it as if the main OS is the father of many children. But the child processes are and behave as if they were installed on a different host. The Global Zone has access to the hosted (running) zones but the zones themselves have no access to the host (Global Zone).

Remember VMware? It‘s a true virtual computer, ok? Well, Solaris 10 provides you “almost” the same thing but the differences are big! Both have one same main host.

You can launch or reboot any zone without rebooting the main OS (Global Zone). Each of them will have a different IP address but can/will use the network hardware interface you want.

So you can launch Apache from a single zone or in each zone you run. Also you can run a zone with a different patch level than the Global Zone has. From the Global Zone, you can “ssh“ to one of the zones or do a remote serial login.

It‘s wonderful, many things are possible.

The zone will use the files from the Global Zone… Understand ? it means you don‘t need a big file system. That‘s very useful.

So what you need are :


For our test, I used an ULTRA 10 Sparc computer, so the 1st real network interface is named: “hme0“. Take care to use a free IP address. I preferred to use an IP address which is on the same subnet. Also note that by using “hme0” this IP address will be bound to the real hme0 (from the Global Zone: at the end of the document, you can see my ifconfig output from the main OS)

Zones a better alternative for virtualization

While Xen does sound interesting, for production virtualization, I think Solaris Zones is a much better alternative. It still gives you a secure environment, but it saves a lot of memory and disk space. You don't have to run and maintain a full-blown OS for each service you run. And, Zones let you create multiple-cpu containers, unlike Xen (currently).

Zones a better alternative for virtualization
2005-02-21 08:02:45 Sysadmn

The other way-cool part of Solaris Zones versus UML, BSD Jails, or Xen is that they're tied to resource limits. I hope Xen picks this up - it's great to be able to tell a virtual machine, "If things get busy, you get at most 1/2 a CPU and 512 MB of memory. If no one else is busy, use all you want." We can put 10 dev instances on a machine - each developer thinks they have their own machine (including reboots, root password, etc). The only thing they can't do is load testing - but that's what QA is for, right?

Brad's Blog Zone Creation. blastwave.org have an (older) article about creating zones in Solaris 10.

Google Groups comp.unix.solaris

Following:
http://docs.sun.com/app/docs/doc/816-5166/6mbb1kql9?a=view
I did a `zonecfg -z my-zone3`
and then a
# zoneadm -z my-zone3 install
ERROR: zones not available on this system
zoneadm: zone 'my-zone3': '/usr/lib/lu/lucreatezone' failed with exit code 71.

# uname -a
SunOS not 5.10 s10_72 sun4u sparc SUNW,UltraAX-i2

# pkginfo | grep -i zone
application SUNWluzone Live Upgrade (zones support)
system SUNWzoner Solaris Zones (Root)
system SUNWzoneu Solaris Zones (Usr)

# pkginfo | grep -i Live
application SUNWlur Live Upgrade (root)
application SUNWluu Live Upgrade (usr)
application SUNWluzone Live Upgrade (zones support)

I think all the packages that should be loaded are. The Live update seems to
work by itself.

Any idea what is wrong?

Sun Inner Circle Newsletter - Getting to the Bottom of Solaris Containers - July 2006

Running a zone requires substantial memory resources: " Q: Is it true that if several Zones share the same application, then only one instance of the application needs to be installed? Is there enough isolation so that an error in one instance of the application won't affect the same application in another Zone?"
A: As for your first question, it is possible for Zones to share the same application instance, but the decision to do so depends on if the administrator is installing the application in a directory that each Zone can see (for example, /usr in Apache). Otherwise each Solaris Zone will require a private copy of the application. With regards to your second question, every application in every Zone has its own instance (and processes) that are totally isolated from one another. Isolation is a prime reason why Sun built Solaris Zones the way it did.
Inner Circle July 2006

One of the key breakthrough technologies in Solaris 10, Solaris Containers has the ability to promote server consolidation, as well as improve application availability and manageability. In this interview, Inner Circle plays 20-plus questions with Sun virtualization experts Joost Pronk van Hoogeveen, Jeff Victor, and Chien-Hua Yen to more fully understand the potential, capabilities, and limitations of Solaris Containers and Solaris Zones.

IC: What are the differences among Logical Domains, Solaris Zones, and Solaris Containers?

Joost Pronk van Hoogeveen: Domains are a type of hardware partitioning, so the partitioning is done at the hardware level. Solaris Zones are part of Solaris Containers technology. As such, Zones manage the namespace isolation (separate IP addresses and users, for example) for Containers. Containers and Zones are a type of operating system virtualization, where the partitioning is not done at the hardware level, but rather within the operating system itself.

IC: Are Zones and Containers the same thing?

Jeff Victor: Not exactly. The official definition for a Solaris 10 Container is a Solaris Zone using resource management features. But in casual conversation, few people distinguish between Zones and Containers.

IC: Aside from Zones, what else comprises Solaris Containers?

Joost Pronk van Hoogeveen: Solaris Containers are made up of two major components: Solaris Zones and Solaris Resource Manager (SRM). SRM manages the physical system resources every Container receives, and Solaris Zones control the namespace isolation. Together, Zones and SRM form the basis for Solaris Containers.

IC: What distinguishes Solaris Containers from virtual domain technologies, such as LPARs?

Joost Pronk van Hoogeveen: LPARs are a typical virtual machine technology with a hypervisor layer between the hardware and the operating system, whereas Solaris Containers are a type of operating system virtualization. Virtual domains and virtual machines allow different types of operating systems to be run concurrently on the same physical machine. But, as with all virtual machine technologies, there is significant performance overhead to this approach. By contrast, Solaris Containers are very lightweight and create hardly any performance overhead. But Solaris Containers permit only a single operating system version.

IC: What are the relative advantages of Solaris Containers when compared to LPARs?

Jeff Victor: Solaris Containers have a number of advantages, including lower operating system licensing and support costs, lower hardware costs due to better granularity, reduced management workload, and greater application availability.

IC: How do Solaris Containers compare to the virtual machine approach advocated by VMware?

Jeff Victor: Containers provide multiple isolated workload environments with strict security and resource management features. Because there is only one operating system image, the Solaris Containers method is very efficient and reduces management chores. VMware provides the ability to simultaneously host multiple operating system images, as well as the ability to choose different operating system types (Linux, Solaris, and Windows). However, as with all virtual machines, there is a performance penalty with VMware. Also, with VMware and other virtual machine technologies each operating system image must be managed separately.

IC: I have installed Solaris 10 within VMware. Can I use Solaris Containers to virtualize within VMware?

Joost Pronk van Hoogeveen: Yes. Solaris Containers will work within any Solaris 10 instance, so you can evaluate the benefits of operating system virtualization within virtual machines in your particular environment.

IC: With regards to Solaris Zones, what is the global Zone, and are there any local Zones?

Chien-Hua Yen: There are two types of Zones: global Zones and non-global Zones. The official name for a "local" Zone is a "non-global" Zone. A global Zone contains a fully functional installation of the Solaris Operating System that is bootable by the system hardware. So, an installation of the Solaris Operating System becomes the global Zone when it is booted by the system hardware. Only one global Zone runs on a system. Then, the global Zone administrator creates non-global Zones with zonecfg(1M) and zoneadm(1M). The global Zone controls the installation, maintenance, operation, and destruction of all non-global Zones.

IC: What is the recommended maximum number of Zones a system can hold, and what are the ease-of-use considerations for a large number of Zones on a single machine?

Chien-Hua Yen: The limiting factors in the maximum number of Zones a server can handle are the amount of memory and disk space available. A Zone can occupy anywhere from ~150MB to 3GB disk space depending on how the Zone is configured. Each Zone also takes some memory for system processes. Still, managing a Zone is very similar to managing a system — except it is easier to manage a Zone because you can patch or backup all Zones using a single command.

IC: Are the physical CPU and RAM shared among Zones? Is it possible to allocate different resources to different Zones?

Jeff Victor: Solaris Zones share CPUs. An administrator can use Solaris Dynamic Resource Pools to assign one or more CPU(s) to a Solaris Zone. Also, the Solaris Fair-Share Scheduler can guarantee that a certain Solaris Zone gets a predetermined minimum amount of processing power. Plus, the Solaris Fair-Share Scheduler helps ensure that CPU power is not wasted because processing resources are only constrained once the system reaches 100 percent utilization. When it comes to RAM, Solaris Zones share the amount of physical memory available on the system. The amount of physical memory that a Zone uses cannot be constrained as it stands now, but Sun is working on a feature that will address this issue soon.

IC: How easy is it to modify resource allocations on a per-Container basis so that resources are more finely managed across all Solaris Containers on a system?

Joost Pronk van Hoogeveen: Resource Management assignments to a Container can be modified at any time without the need for Container reboot. For more information on resource allocation and isolation, check out an in-depth Sun BluePrints article.

IC: With Solaris Containers, what kind of overhead can be expected per CPU (or per core)?

Jeff Victor: For small numbers of Containers, the overhead is hardly measurable — certainly less than 1 percent. A very large configuration with hundreds of Zones sees as much as a 4 percent overhead, which is still very low by comparative standards.

IC: Is it true that if several Zones share the same application, then only one instance of the application needs to be installed? Is there enough isolation so that an error in one instance of the application won't affect the same application in another Zone?

Joost Pronk van Hoogeveen: As for your first question, it is possible for Zones to share the same application instance, but the decision to do so depends on if the administrator is installing the application in a directory that each Zone can see (for example, /usr in Apache). Otherwise each Solaris Zone will require a private copy of the application. With regards to your second question, every application in every Zone has its own instance (and processes) that are totally isolated from one another. Isolation is a prime reason why Sun built Solaris Zones the way it did.

IC: How does patching work? Do I have to patch all the Zones or only the global Zone?

Chien-Hua Yen: For details, check out patchadd(1M) or an in-depth article at the Sun BigAdmin portal. In summary, it is possible to patch all Zones from the global Zone or each Zone individually from either the global Zone or the non-global Zone.

IC: Do you need to take down non-global Zones when patching the global Zone?

Chien-Hua Yen: No. It is not necessary to bring down the non-global Zones when patching the global Zone. However, if the job includes a kernel patch, the global Zone will need to be rebooted before the patch takes effect. And, once the global Zone is rebooted, all of the non-global Zones will be brought down.

IC: In the event of a kernel panic, what happens to the Solaris Containers?

Chien-Hua Yen: If the kernel panics, all the Zones go down with it, because there is only one kernel instance supporting all Zones. However, under normal circumstances it is possible to shut down each individual Zone without affecting other Zones. And, if a Zone crashes, the other Zones will not be affected.

IC: Did Sun consider creating a graphic way to configure Containers to make them more user friendly?

Joost Pronk van Hoogeveen: There is a Sun Management Center (Sun MC) add-on called the Solaris Container Manager that is a GUI for managing Containers.

IC: Is it possible to run two or more Containers on one physical server with two or more Oracle database instances running inside each of those Containers? If so, how will the system handle memory management in both Containers and across all Oracle instances?

Joost Pronk van Hoogeveen: Yes. It is possible to create any combination of Oracle databases and Solaris Containers just as if it were a number of database instances on separate machines. And, the Containers will isolate shared memory just as if they were separate machines. Check out this BigAdmin article for more information.

IC: How do ISVs like Oracle and Informix handle license issues when enterprises are using Solaris Containers?

Joost Pronk van Hoogeveen: Sun recommends that database vendors base licensing on the resource pools that are assigned to individual Solaris Containers. So far, Oracle has adopted this policy.

IC: When building processor sets for a Sun Fire T2000 server, does one assign Containers based on the number of processors or the number of threads? In other words, will a four-core (16 thread) chip multithreading chip give me four or 16 "processors" to build sets against?

Joost Pronk van Hoogeveen: On a Sun Fire T2000 server every thread is exposed as a (virtual) CPU. So, the Solaris Resource Manager can create sets on an individual thread basis — meaning all 16 threads are assignable in the example cited.

IC: Are there minimum server size requirements for starting to use Containers? For example, would it be feasible to use Containers on a low-end server such as the SunFire 280R?

Joost Pronk van Hoogeveen: Containers can be installed on any system that supports Solaris 10 — from laptops to high end servers.

IC: Does any tool exist that can verify if an application is Container compliant?

Chien-Hua Yen: Yes. You can download the Solaris Ready Test Suite and also access the Solaris qualification tool. The tool set consists of a DTrace script for checking privileges and device nodes that are not available in a non-global Zone, as well as a source scanning tool for checking the use of non-Zone compliant APIs.

BigAdmin Feature Meet the Architects Software Express for Solaris (Solaris 10) by Andrew Tucker -- Solaris Zones Architect

June 2005

Solaris Zones (a component of the N1 Grid Container functionality) is a new feature for maximizing the use of your Solaris systems, and getting "better bang for the buck." Zones allow unrelated applications to be run on the same system in a way that isolates each application from the rest, avoiding the security and configuration problems that can occur when running applications together. Each zone is an application environment that includes a set of processes, a part of the file system hierarchy, and one or more network interfaces. To an application or user in a zone, it looks like they have a full Solaris system to themselves -- when in fact they may be sharing it with a number of other zones on the same system. Zones also allow delegated administration: Each zone can have a different root password, and the root user in one zone isn't able to affect anything outside his or her zone.

The original idea for zones started a number of years ago when we were talking with customers about server consolidation. At the time, we had added a number of resource management features to the Solaris OS, allowing an administrator to control how CPUs were allocated to different applications. Customers were interested in improving the utilization of their servers, but were unable to "stack" or consolidate multiple applications on the same box. Some of the reasons for this were related to resource allocation, but many were due to the need to isolate applications in terms of configuration, security, and administration.

We developed zones as a way to address these problems. Now, multiple applications running on the same system (but in different zones) can be completely isolated --- even if someone gains super-user access in one zone due to a security hole they won't have access to the rest of the zones in the system. And we can do this in a way that is lightweight and flexible. There's still only one operating system instance to patch, back up, monitor, and so on. And you can use zones on anything from a single-CPU 1U server to a 72-CPU Sun Fire 15K server.

See also Solaris history





Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


Last modified: March, 12, 2019