Solaris Zones
Zones or LDOMs?
Recently (especially since the SPARC T4 release) I have been asked this question a couple of times: "We are running/migrating to T2/T3/T4 servers, and considering the virtualization possibilities for our setup. What shall we go for, zones or ldoms?"
Of course one can't answer this question without talking about the platform requirements and the reasons to pick the right technologies, but before we go into details, let me get the most important statement straight:
Zones and LDOMs are not rivalling, but complementary technologies. If you need kernelspace separation, use ldoms. But run your applications in zones within those ldoms anyway!
Let's get some terminology clear first:
LDOMs are now called Oracle VM for SPARC. I will use these terms interchangeably.
Zones started their lives as project Kevlar, were then named zones, then marketed as containers, and we are now back to zones again.
LDOMs are the hardware virtualization technology of the SPARC-T (CMT, ChipMultiThreading, CoolThreads, sun4v, etc.) server series: the ability to carve up the server into Logical DOMains, running on a hypervisor that runs in the firmware.
Zones are the featherweight OS virtualization technology of Solaris on all platforms (SPARC-T, SPARC-M and x86 too).
Every T server is running ldoms. If you don't partition your box into domains, you are still running one single large ldom, called the primary domain, encapsulating the complete server.
Every Solaris 10+ OS installation has one zone, the global zone (GZ). This is where the [shared] kernel[space] runs, and the non-global zones (NGZ) are the containers separating applications in the userspace.
To give you an idea: run S10 and S11 in ldoms next to each other within the same box, and run branded and native zones on top of them.
To summarize:
The question shouldn't be zones vs. ldoms. Use zones, they are your friends. The question is whether you partition your T-SPARC server into ldoms below the global zones in which you run your NGZs.
Especially with Solaris 11, with Crossbow, the new network virtualization technology (which enables all your NGZs to have a dedicated IP stack), and the possibility to run Solaris 11 native zones and Solaris 10 branded zones on top of Solaris 11, you have two quite powerful technologies to really get your server's worth, and by that I mean high server utilization. The higher that utilization is, the more you get for your costs.
[Figure: zone features: Isolate, Security, Transparency, Virtualization, Memory Capping, Dynamic Resource Pools, Fair Share Scheduler]
Key Points:
Depending on the hardware capability, up to 8191 non-global zones can be created.
Each zone is assigned an ID by the system when it is booted; the global zone is always listed as zone ID 0.
Only the global zone contains a bootable Solaris kernel and is aware of all devices, file systems and zones.
Sparse root zones share binaries with the global zone and are also called native zones.
/usr, /platform, /sbin and /lib are the file systems shared from the global zone as read-only loopback file systems.
Very little disk space is sufficient for creating this type of zone.
Creating this type of zone is quick and takes very little time.
Zone States
The flow of zone states is shown in the image below (zone state diagram; not reproduced here).
Configured: configuration was completed and committed.
Incomplete: transitional state during install or uninstall operations.
Installed
Ready
Running
Shutting down
Down
Zone components:
zonepath: path of the zone root, within the global zone's file space.
autoboot
pool
net
fs
inherit-pkg-dir
device
rctl
attr
zone comments
Also note the following sub-commands, which are important while configuring the zone.
Sub-commands:
add
cancel
commit
create
delete (destroy configuration)
end
exit
info
remove
revert
set
verify
Let us see how to add the listed zone components using the "zonecfg" command.
* Set zonepath and autoboot (the zones service svc:/system/zones:default must also be enabled when we go for autoboot=true)
zonecfg:zone1> set zonepath=/export/home/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In the following example, a file system is added to the non-global zone
bash-3.00# zonecfg -z zone1
zonecfg:zone1> add fs
zonecfg:zone1:fs> set dir=/test/mnt
zonecfg:zone1:fs> set special=/dev/vx/dsk/zonedg/vol1
zonecfg:zone1:fs> set raw=/dev/vx/rdsk/zonedg/vol1
zonecfg:zone1:fs> set type=vxfs
zonecfg:zone1:fs> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In the following example, a network interface is added to the non-global zone
zonecfg:zone1> add net
zonecfg:zone1:net> set physical=e1000g0
zonecfg:zone1:net> set address=192.168.10.35
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In the following example, a ZFS dataset is added to the non-global zone
bash-3.00# zonecfg -z zone1
zonecfg:zone1> add dataset
zonecfg:zone1:dataset> set name=zonepool/zone1vol
zonecfg:zone1:dataset> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In this example, memory limits are specified. Each limit is optional, but at least one must be set.
zonecfg:zone1> add capped-memory
zonecfg:zone1:capped-memory> set physical=50m
zonecfg:zone1:capped-memory> set swap=100m
zonecfg:zone1:capped-memory> set locked=30m
zonecfg:zone1:capped-memory> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In this example, dedicated CPUs (1-3) are assigned. We can set the importance as well.
zonecfg:zone1> add dedicated-cpu
zonecfg:zone1:dedicated-cpu> set ncpus=1-3
zonecfg:zone1:dedicated-cpu> set importance=2
zonecfg:zone1:dedicated-cpu> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
* In this example, a CPU cap of 3.5 CPUs is specified for zone1
zonecfg:zone1> add capped-cpu
zonecfg:zone1:capped-cpu> set ncpus=3.5
zonecfg:zone1:capped-cpu> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit
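The interactive steps above can be replayed non-interactively from a command file with zonecfg -z zone1 -f <file>, which is the usual way to script zone creation. The following is an added example, not code from the original page: it emits such a command file for zone1 using the page's own zonepath, file system, network, dataset, memory and CPU values, and lints it before it is handed to zonecfg. The command-file format is the same as zonecfg's interactive input (and what "zonecfg -z zone1 export" prints). Only the dedicated-cpu step is reproduced, because dedicated-cpu and capped-cpu cannot both be set on one zone.

```shell
#!/bin/sh
# Scripted version of the zonecfg steps above (added example, not from
# the original page): emit a zonecfg(1M) command file for zone1 and lint
# it before feeding it to:  zonecfg -z zone1 -f zone1.cfg

# Print the command file.  Values are the page's own zone1 settings.
zone1_cmdfile() {
    cat <<'EOF'
create
set zonepath=/export/home/zone1
set autoboot=true
add fs
set dir=/test/mnt
set special=/dev/vx/dsk/zonedg/vol1
set raw=/dev/vx/rdsk/zonedg/vol1
set type=vxfs
end
add net
set physical=e1000g0
set address=192.168.10.35
end
add dataset
set name=zonepool/zone1vol
end
add capped-memory
set physical=50m
set swap=100m
set locked=30m
end
add dedicated-cpu
set ncpus=1-3
set importance=2
end
verify
commit
EOF
}

# Lint a command file read on stdin before running it: every resource
# opened with "add" must be closed with "end" ("add options [...]" inside
# a resource is a property list, not a nested resource), "end" must not
# appear outside a resource, and "commit" must come after "verify" with
# no resource left open.  Exit 0 when sane, 1 with a reason on stderr.
zonecfg_lint() {
    awk '
        $1 == "add" && !open { open = 1; next }
        $1 == "add"          { next }
        $1 == "end" {
            if (!open) { msg = "end without add at line " NR; exit 1 }
            open = 0; next
        }
        $1 == "verify" { verified = 1 }
        $1 == "commit" {
            if (open)      { msg = "commit inside an open resource at line " NR; exit 1 }
            if (!verified) { msg = "commit without preceding verify at line " NR; exit 1 }
        }
        END {
            if (msg == "" && open) msg = "resource opened with add but never closed with end"
            if (msg != "") { print msg > "/dev/stderr"; exit 1 }
        }'
}

# Stand-alone run: lint the generated file and report.
if zone1_cmdfile | zonecfg_lint; then
    echo "command file passed lint; apply it on the global zone with: zonecfg -z zone1 -f zone1.cfg"
fi
```

Redirect zone1_cmdfile to a file and run zonecfg with -f on the global zone; the lint catches the typical scripting mistakes (a forgotten end, or commit issued while a resource is still open) that zonecfg would otherwise report only halfway through applying the file.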
How to Identify Sparse or Whole Root Zones
The first question in your mind is how to identify whether a non-global zone is a sparse root or a whole root zone on a live system. This post will help you find those details in a handy way. In theory everyone has good knowledge about sparse and whole root zones, but on a real system... please follow the steps.
Here we have 2 non-global zones, but we are not sure which one is sparse root and which is whole root. Let us identify them.
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class: FSS
ip-type: shared
hostid:
net:
address: 192.168.1.20/24
physical: e1000g0
[root@Sol10 ~]#
The configuration above is for a whole root zone.
[root@Sol10 ~]# zonecfg -z Sol10LZ1 info
zonepath: /export/zones/Sol10LZ1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 192.168.1.21/24
physical: e1000g0
[root@Sol10 ~]#
If you find inherit-pkg-dir entries for /lib, /platform, /sbin and /usr, we can say straight away that this is a sparse root zone: these file systems are shared read-only from its global zone. FYI, we still can't identify the global zone's name from inside the non-global zone unless you have placed a script there to find those details; with "arp -a|grep -i SPLA" you might get more IPs, and one of them is the global zone's, but it is hard to pin down. I will post soon on the easiest way to find the global zone name from a non-global zone.
Thanks for reading this post; if you have any doubt please comment and I will respond.
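The rule the post applies by eye (four inherit-pkg-dir resources for /lib, /platform, /sbin and /usr means sparse root; none means whole root) can be scripted over the output of zonecfg info. The following is an added example, not code from the post: zone_root_type reads that output on stdin and prints sparse, whole or partial; the two sample listings are constructed, modelled on the post's listings (real zonecfg output indents property lines with tabs, the samples use spaces; the parser accepts both), and the zone names zoneA/zoneB are made up.

```shell
#!/bin/sh
# Classify a Solaris 10 non-global zone as sparse root or whole root from
# the text that "zonecfg -z <zone> info" prints.  Added example, not from
# the post; the sample listings below are constructed.

# Read zonecfg info output on stdin and print one word:
#   sparse  - all four classic directories are inherit-pkg-dir resources
#   whole   - none of them is inherited (whole root zone)
#   partial - some but not all (a customised sparse root zone)
zone_root_type() {
    awk '
        /^inherit-pkg-dir:/ { in_res = 1; next }
        in_res && /^[ \t]*dir:/ {
            if ($2 == "/lib" || $2 == "/platform" || $2 == "/sbin" || $2 == "/usr") n++
            in_res = 0
            next
        }
        END {
            if (n == 4)      print "sparse"
            else if (n == 0) print "whole"
            else             print "partial"
        }'
}

# Wrapper for a live system (needs zonecfg, i.e. run from the global zone).
zone_root_type_of() {
    zonecfg -z "$1" info | zone_root_type
}

# Constructed sample: zoneA has no inherit-pkg-dir resources (whole root).
WHOLE_SAMPLE='zonepath: /export/zones/zoneA
brand: native
autoboot: true
ip-type: shared
net:
    address: 192.168.1.20/24
    physical: e1000g0'

# Constructed sample: zoneB inherits /lib, /platform, /sbin and /usr (sparse root).
SPARSE_SAMPLE='zonepath: /export/zones/zoneB
brand: native
autoboot: true
ip-type: shared
inherit-pkg-dir:
    dir: /lib
inherit-pkg-dir:
    dir: /platform
inherit-pkg-dir:
    dir: /sbin
inherit-pkg-dir:
    dir: /usr
net:
    address: 192.168.1.21/24
    physical: e1000g0'

printf 'zoneA: %s\n' "$(printf '%s\n' "$WHOLE_SAMPLE"  | zone_root_type)"
printf 'zoneB: %s\n' "$(printf '%s\n' "$SPARSE_SAMPLE" | zone_root_type)"
```

On a global zone, loop zone_root_type_of over the names from zoneadm list -cv to get the answer for every configured zone at once; the partial result is worth looking at separately, since a zone that inherits only some of the four directories has a hand-edited configuration.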
CPU
1. Dedicated CPU
To see the CPU information in the global zone you can use:
global# psrinfo -v
global# psrinfo -vp
After you have confirmed the CPUs you want to use, you can add a fixed number of CPUs to the zone.
zonecfg:zone01> add dedicated-cpu
zonecfg:zone01:dedicated-cpu> set ncpus=1-2
zonecfg:zone01:dedicated-cpu> set importance=10    (optional, default is 1)
zonecfg:zone01:dedicated-cpu> end
Memory
Capped Memory
zonecfg:zone01> add capped-memory
zonecfg:zone01:capped-memory> set physical=50m    [max memory that can be used by this zone]
zonecfg:zone01:capped-memory> set swap=100m
zonecfg:zone01:capped-memory> set locked=30m    [memory locked for use by this zone]
zonecfg:zone01:capped-memory> end
File system
a. Loopback FS
zonecfg:zone01> add fs
zonecfg:zone01:fs> set dir=/usr/local
zonecfg:zone01:fs> set special=/opt/zones/my-zone/local
zonecfg:zone01:fs> set type=lofs
zonecfg:zone01:fs> end
Here /usr/local will be readable and writable in the non-global zone.
b. Normal file system
zonecfg:zone01> add fs
zonecfg:zone01:fs> set dir=/data01
zonecfg:zone01:fs> set special=/dev/dsk/c1t1d0s0
zonecfg:zone01:fs> set raw=/dev/rdsk/c1t1d0s0
zonecfg:zone01:fs> add options [logging,nosuid]    (optional)
zonecfg:zone01:fs> end
ZFS dataset
When we delegate a dataset to a non-global zone we can do any
operation on that dataset inside of the zone without requiring global
zone to configure it all the time.
zonecfg:zone01> add dataset
zonecfg:zone01:dataset> set name=tank/sales
zonecfg:zone01:dataset> end
Inherit package (sparse root zone only)
In the case of a sparse root zone we can inherit some of the packages from the global zone.
zonecfg:my-zone> add inherit-pkg-dir
zonecfg:my-zone:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:my-zone:inherit-pkg-dir> end
NOTE: These resources cannot be modified once the zone is installed.
IP
We can either give an exclusive IP using a dedicated interface to a non-global zone, or share an existing interface in the global zone with the non-global zone. When we configure an exclusive IP we have to configure the IP address inside the non-global zone, not during the configuration.
a. Exclusive IP
zonecfg:zone01> set ip-type=exclusive
zonecfg:zone01> add net
zonecfg:zone01:net> set physical=hme0
zonecfg:zone01:net> end
NOTE: No need to specify the IP here; you can control everything from inside the non-global zone.
b. Shared IP
In this case zone uses a shared interface which is already plumbed and
being used in the global zone.
zonecfg:zone01> add net
zonecfg:zone01:net> set address=192.168.1.2
zonecfg:zone01:net> set physical=hme0
zonecfg:zone01:net> set defrouter=10.0.0.1 [optional]
zonecfg:zone01:net> end
Device
We can also directly assign a physical device, like a disk, to a non-global zone.
zonecfg:zone01> add device
zonecfg:zone01:device> set match=/dev/rdsk/c0t1d0
zonecfg:zone01:device> end
Comments
In case you want to add comments, such as the function of the non-global zone or anything else for that matter.
zonecfg:zone01> add attr
zonecfg:zone01:attr> set name=comment
zonecfg:zone01:attr> set type=string
zonecfg:zone01:attr> set value="Hello World. This is my zone"
zonecfg:zone01:attr> end
Other
Other settings, like the zone's privilege limit and the scheduling class for its CPU, can also be configured from the global zone.
zonecfg:zone01> set limitpriv="default,sys_time"
zonecfg:zone01> set scheduling-class=FSS
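Several of the settings above decide how well a non-global zone is contained: limitpriv widens the privilege set a zone's processes may hold beyond the default, an fs resource without nosuid lets set-uid binaries on that file system take effect inside the zone, a device resource hands raw device nodes to the zone, and a missing capped-memory resource leaves the zone free to consume host memory. The following is an added example, not code from the original page: zone_hardening_findings parses zonecfg info output on stdin and prints one line per such finding, so a global zone administrator can review every zone the same way. The two sample listings are constructed (zone01 from the settings shown in this section, zone02 as a hardened counterpart); real zonecfg output indents property lines with tabs, the samples use spaces, and the parser accepts both.

```shell
#!/bin/sh
# Audit the security-relevant settings of a zone from "zonecfg -z <zone>
# info" output.  Added example, not from the original page; the sample
# listings are constructed.

# Read zonecfg info output on stdin; print one finding per line.
zone_hardening_findings() {
    awk '
        # A non-indented line starts a new resource or global property,
        # which closes any fs/device block we were inside.
        /^[^ \t]/ { if (in_fs) report_fs(); in_fs = 0; in_dev = 0 }
        /^limitpriv:/     { lp = $2 }
        /^capped-memory:/ { capped = 1 }
        /^fs:/            { in_fs = 1; fs_dir = ""; fs_opts = ""; next }
        /^device:/        { in_dev = 1; next }
        in_fs  && /^[ \t]+dir:/     { fs_dir = $2; next }
        in_fs  && /^[ \t]+options:/ { fs_opts = $2; next }
        in_dev && /^[ \t]+match:/   { print "device passthrough: " $2; next }
        END {
            if (in_fs) report_fs()
            if (lp != "" && lp != "default")
                print "limitpriv expanded beyond default: " lp
            if (!capped)
                print "no capped-memory resource: zone is not memory-capped"
        }
        function report_fs() {
            if (fs_opts !~ /nosuid/) print "fs " fs_dir " mounted without nosuid"
        }'
}

# Number of findings for the listing passed as $1.
zone_finding_count() {
    printf '%s\n' "$1" | zone_hardening_findings | grep -c . || true
}

# Constructed sample built from the zone01 settings in this section.
AUDIT_SAMPLE='zonepath: /export/zones/zone01
brand: native
autoboot: true
limitpriv: default,sys_time
scheduling-class: FSS
ip-type: shared
fs:
    dir: /data01
    special: /dev/dsk/c1t1d0s0
    raw: /dev/rdsk/c1t1d0s0
    type: ufs
    options: [logging]
fs:
    dir: /usr/local
    special: /opt/zones/zone01/local
    type: lofs
    options: [nosuid,nodevices]
device:
    match: /dev/rdsk/c0t1d0
net:
    address: 192.168.1.2
    physical: hme0'

# Constructed hardened counterpart: default privileges, memory cap,
# nosuid on the data file system, no raw devices.
HARDENED_SAMPLE='zonepath: /export/zones/zone02
brand: native
autoboot: true
limitpriv: default
ip-type: exclusive
capped-memory:
    physical: 50M
    swap: 100M
    locked: 30M
fs:
    dir: /data02
    special: /dev/dsk/c1t2d0s0
    raw: /dev/rdsk/c1t2d0s0
    type: ufs
    options: [logging,nosuid,nodevices]
net:
    physical: e1000g1'

echo "zone01 findings:"
printf '%s\n' "$AUDIT_SAMPLE" | zone_hardening_findings
echo "zone02 findings: $(zone_finding_count "$HARDENED_SAMPLE")"
```

On a live global zone, pipe zonecfg -z <zone> info into zone_hardening_findings for each zone; a finding is a prompt to check whether the setting is deliberate (a zone that legitimately needs sys_time, or a raw disk handed to a database zone), not an error by itself.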
Other administrative commands
To reboot a zone:
# zoneadm -z zone reboot
To halt a zone:
# zoneadm -z zone halt
To uninstall a zone:
# zoneadm -z zone uninstall -F
To delete an uninstalled zone:
# zoneadm -z zone delete -F
Get all configuration info:
# zonecfg -z zone info
Log in to a zone in safe mode:
# zlogin -S zone
prstat on all zones:
# prstat -Z
prstat on a single zone:
# prstat -z zone
control of the dataset you delegate to the non-global zone. For example, you can create your own child datasets under the delegated dataset and set properties on it, etc. The ZFS file system data will be available as a pool in the non-global zone.
global # zonecfg -z zone01
zonecfg:zone01> add dataset
zonecfg:zone01:dataset> set name=rpool/data
zonecfg:zone01:dataset> end
zonecfg:zone01> commit
zonecfg:zone01> verify
zonecfg:zone01> exit
3. Adding ZFS volumes to non-global zones
global # zonecfg -z zone01
zonecfg:zone01> add device
zonecfg:zone01:device> set match=/dev/zvol/dsk/rpool/datavol
zonecfg:zone01:device> end
zonecfg:zone01> verify
zonecfg:zone01> commit
zonecfg:zone01> exit
Adding a CD-ROM to a non-global zone
To add a CD-ROM to the non-global zone:
global # zonecfg -z zone01
zonecfg:zone01> add fs
zonecfg:zone01:fs> set dir=/cdrom
zonecfg:zone01:fs> set special=/cdrom
zonecfg:zone01:fs> set
zonecfg:zone01:fs> end
zonecfg:zone01> verify
zonecfg:zone01> commit
zonecfg:zone01> exit
shared
ip-type: shared
hostid:
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 192.168.10.35
physical: e1000g0
defrouter not specified
bash-3.00# zoneadm -z zone1 boot
bash-3.00#
bash-3.00# zoneadm list -cv
  ID NAME     STATUS   PATH                 BRAND   IP
   0 global   running  /                    native  shared
   3 zone1    running  /export/zones/zone1  native  shared
bash-3.00#
Since this is the first time that this zone is being booted, some initial configuration needs to be performed.
For this we need to log in to the zone console using the "zlogin -C zone1" command.