In the Zone, Creating OpenSolaris Zones.
I’m really enjoying using OpenSolaris as our server / NAS at home. It’s a different ball game to Linux, but an interesting one nevertheless. One of the cool features of Solaris is Solaris Zones (or Solaris Containers). Zones are an implementation of operating system-level virtualisation where the kernel isolates multiple instances of the available user space. Something like chroot, but so much more. Unlike running under a hypervisor (like VMware or VirtualBox), Zones have very little (if any) overhead.
As I’ve come to realise, because of the way Solaris works in general, you can have multiple (isolated & secure) Zones, one for each application service exposed by the server – eg. one for Tomcat, one for Glassfish, maybe both Apache 1.3.x and 2.x, MySQL, Postgres etc. What’s more, you can limit how many resources these Zones can utilise. They all have their own configuration, including network routing (coupled with OpenSolaris Crossbow), and you can make for one kick ass setup that won’t break another area of the operating system.
In the Zones.
Here’s a guide on setting up a new Zone in OpenSolaris, configuring it and booting it.
Me Against the Music, it’s all in the global zone
When we first install OpenSolaris we’re already inside a zone (the parent of all other zones) which is known as the global Zone.
You can find this by trying out the following to list all the available zones on a virgin install of OpenSolaris.
zoneadm list -vc
ID NAME STATUS PATH BRAND IP
0 global running / native shared
The output will be something like above. Now we can go about creating ourselves a zone for playing around in.
When working with zones, we only need to worry about three commands (damn I love that!): the zoneadm command to manage the physical zone, the zonecfg command for configuring the zone, and zlogin to log in to the zone from the global zone.
First we have to do a bit of planning and thinking about what we’re going to do about this zone.
Here are a few things to consider:
- What do you want to run in the zone?
- Will it need networking and have it exposed outside of the machine?
- Where will the zone reside on your disk?
- Would you like to limit the amount of CPUs the zone can see?
- Would you like to limit the amount of RAM the zone can utilise?
- Do you want to automatically boot the Zone when OpenSolaris starts?
For this post, we’re going to create a simple Zone (we won’t install anything).
Toxic Zone
To create a zone we pass the zone name to the zonecfg command.
zonecfg -z toxic
You’ll get something like this appearing because the zone doesn’t exist yet; that’s fine.
toxic: No such zone configured
Use 'create' to begin configuring a new zone.
Then you will be inside the zonecfg interactive configuration.
Let’s configure this zone to have the following:
- Reside in /base/zones/
- Autoboot with OpenSolaris
- Shared IP of 192.168.0.24 bound to physical interface e1000g1
Follow me:
zonecfg:toxic> create
zonecfg:toxic> set zonepath=/base/zones/
zonecfg:toxic> set autoboot=true
zonecfg:toxic> add net
zonecfg:toxic:net> set address=192.168.0.24
zonecfg:toxic:net> set physical=e1000g1
zonecfg:toxic:net> end
zonecfg:toxic> verify
zonecfg:toxic> commit
zonecfg:toxic> exit
This will create the configuration, verify, write it and exit. You can verify it was created by running the list command again:
zoneadm list -vc
ID NAME STATUS PATH
0 global running /
- toxic configured /base/zones
It’s currently in the configured state; you can read more about the Non-Global Zone State Model in the documentation. The next thing to do is to install the zone – this will get the base packages set up and configured for use.
zoneadm -z toxic install
Everytime, boot her up.
Next lets boot this bad baby up.
zoneadm -z toxic boot
Now if we do a list again we’ll see that our state has changed to running.
zoneadm list -vc
ID NAME STATUS PATH
0 global running /
- toxic running /base/zones
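The create / install / boot steps above can be scripted instead of typed into zonecfg. The following is an added example, not from the original post: it generates a zonecfg command file with the post’s own values (toxic, 192.168.0.24, e1000g1), checks the zonepath permissions that zoneadm enforces before install, and parses `zoneadm list -vc` output to track the zone state. The per-zone directory /base/zones/toxic is an assumption, since two zones cannot share one zonepath.

```shell
#!/bin/sh
# Added example (not from the original post): script the zone workflow
# described above instead of typing into zonecfg interactively. Values
# are the post's own (toxic, /base/zones, 192.168.0.24, e1000g1); the
# per-zone directory is an assumption, since zones cannot share a zonepath.

# Emit a zonecfg command file equivalent to the interactive session.
# Usage: gen_zonecfg toxic /base/zones/toxic 192.168.0.24 e1000g1 > toxic.cfg
#        zonecfg -z toxic -f toxic.cfg
gen_zonecfg() {
  printf 'create\nset zonepath=%s\nset autoboot=true\n' "$2"
  printf 'add net\nset address=%s\nset physical=%s\nend\n' "$3" "$4"
  printf 'verify\ncommit\n'
}

# zoneadm refuses a zonepath that is not owned by root with mode 700, so
# check before install. Prints ok, missing, "mode <perms>" or "owner <user>".
zonepath_check() {
  [ -d "$1" ] || { echo missing; return 1; }
  set -- "$1" $(ls -ld "$1")          # now $2 = perms, $4 = owner
  case "$2" in drwx------*) ;; *) echo "mode $2"; return 1 ;; esac
  [ "$4" = root ] || { echo "owner $4"; return 1; }
  echo ok
}

# Read `zoneadm list -vc` output on stdin; print the STATUS column of one
# zone, or "absent" if it is not configured at all.
zone_state() {
  awk -v z="$1" 'NR > 1 && $2 == z { print $3; f = 1 }
                 END { if (!f) print "absent" }'
}

# Poll until a zone reaches a state, e.g. "running" after `zoneadm -z toxic boot`.
wait_for_state() {                    # $1 zone, $2 state, $3 max seconds
  n=${3:-30}
  while [ "$n" -gt 0 ]; do
    [ "$(zoneadm list -vc | zone_state "$1")" = "$2" ] && return 0
    n=$((n - 1)); sleep 1
  done
  return 1
}

# Constructed sample of `zoneadm list -vc` output, as in the post.
SAMPLE_LIST='  ID NAME   STATUS     PATH         BRAND  IP
   0 global running    /            native shared
   - toxic  configured /base/zones  native shared'
```

Run `gen_zonecfg ... > toxic.cfg && zonecfg -z toxic -f toxic.cfg` from the global zone, then `zoneadm -z toxic install` and `wait_for_state toxic running` after boot.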
Now we have to configure the zone itself – just like a real machine. For this we use the zlogin command to log in to the zone console.
zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:52:43 on pts/5
Sun Microsystems Inc. SunOS 5.11 snv_127 November 2008
After that we’re in the toxic zone. Anything we do inside here stays within this zone and won’t affect our global or other zones. But before we continue we really should configure our networking.
First let’s modify our /etc/nsswitch.conf file with vi.
passwd: files
group: files
hosts: files dns
ipnodes: files
networks: files
Make sure the hosts entry has dns as above. Next we need to configure the nameservers.
echo 'nameserver 192.168.0.254' > /etc/resolv.conf
That will create a resolv.conf file with the nameserver, which you can get from the global zone as it will be different for everyone:
cat /etc/resolv.conf
nameserver 192.168.0.254
Breathe on Me, reboot the zone.
Now the zone has network access just like the global zone, so you can do a package refresh and image-update too.
pkg refresh && pkg image-update
If it succeeds we have correctly set up our zone and it’s ready for use – you may want to reboot the zone, however. To do this, exit the toxic console.
exit
logout
[Connection to zone 'toxic' pts/5 closed]
Then let’s reboot the zone.
zoneadm -z toxic reboot
Now we log in to the toxic zone:
zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:58:44 on pts/5
Sun Microsystems Inc. SunOS 5.11 snv_127 November 2008
Outrageous, removing the zones.
Now how about removing this zone and trying again? First get out of the zone console and back to your global zone. Then issue the halt command to shut down the zone.
exit
zoneadm -z toxic halt
Once stopped, simply uninstall it and delete its configuration.
zoneadm -z toxic uninstall
zonecfg -z toxic delete
You can make sure it’s gone by using the list command. That’s all there is to it!
Now you can consider yourself, In The Zone.