Solaris Containers (Zones) HowTo

From Wikipedia, Solaris Containers (including Solaris Zones) is an implementation of operating system-level virtualization technology first made available in 2005 as part of Solaris 10.

A Solaris Container is the combination of system resource controls and the boundary separation provided by zones. Zones act as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets of application services onto one system and by placing each into isolated virtual server containers, system administrators can reduce cost and provide all the same protections of separate machines on a single machine.

Zones provide a new isolation primitive for the Solaris OS, which is secure, flexible, scalable and lightweight: virtualized OS services which look like different Solaris instances. Together with the existing Solaris Resource management framework, Solaris Zones forms the basis of Solaris Containers.

Types of Zones

There are two types of zones, global and non-global. Think of a global zone as the server itself, the traditional view of a Solaris system as we all know it, where you can login as root and have full control of the entire system. The global zone is the default zone and is used for system-wide configuration and control. Every system contains a global zone and there can only be one global zone on a physical Solaris server.

A non-global zone is created from the global zone and also managed by it. You can have up to 8192 non-global zones on a single physical system; the only real limitation is the capability of the server itself. Applications that run in a non-global zone are isolated from applications running in a separate non-global zone, allowing multiple versions of the same application to run on the same physical server.

Zone States

Non-global zones are referred to simply as zones and can be in a number of states depending on the current state of configuration or readiness for operation. You should note that zone states only refer to non-global zones because the global zone is always running and represents the system itself. The only time the global zone is not running is when the server has been shut down.

  • configured: A zone is in this state when its configuration has been completed and committed to storage. Additional configuration that must be done after the initial reboot has yet to be done.
  • incomplete: A zone is set to this state during an install or uninstall operation. Upon completion of the operation, it changes to the correct state.
  • installed: A zone in this state has a confirmed configuration. The zoneadm command is used to verify that the zone will run on the designated Solaris system. Packages have been installed under the zone's root path. Even though the zone is installed, it still has no virtual platform associated with it.
  • ready: The zone's virtual platform is established. The kernel creates the zsched process, the network interfaces are plumbed and file systems are mounted. The system also assigns a zone ID at this state, but there are no processes associated with the zone yet.
  • running: A zone enters this state when its first user process is created. This is the normal state for an operational zone.
  • shutting_down and down: Transitional states that are only visible while a zone is in the process of being halted. If a zone cannot shut down for any reason, it will also remain in one of these states.

Zone Features

This section describes the features of both the global zone and non-global zones.

The global zone has the following features:

  • The global zone is assigned zone ID 0 by the system.
  • It provides the single bootable instance of the Solaris Operating Environment that runs on the system.
  • It contains a full installation of Solaris system packages.
  • It can contain additional software, packages, files, or data that were not installed through the package mechanism.
  • It contains a complete product database of all installed software components.
  • It holds configuration information specific to the global zone, such as the global zone hostname and the file system table.
  • It is the only zone that is aware of all file systems and devices on the system.
  • It is the only zone that is aware of non-global zones and their configuration.
  • It is the only zone from which a non-global zone can be configured, installed, managed, and uninstalled.

Non-global zones have the following features:

  • The non-global zone is assigned a zone ID by the system when it is booted.
  • It shares the Solaris kernel that is booted from the global zone.
  • It contains a subset of the installed Solaris system packages.
  • It can contain additional software packages, shared from the global zone.
  • It can contain additional software packages that are not shared from the global zone.
  • It can contain additional software, files, or data that was not installed using the package mechanism, or shared from the global zone.
  • It contains a complete product database of all software components that are installed in the zone. This includes software that was installed independently of the global zone as well as software shared from the global zone.
  • It is not aware of the existence of other zones.
  • It cannot install, manage, or uninstall other zones, including itself.
  • It contains configuration information specific to itself, the non-global zone, such as the non-global zone hostname and file system table.

Non-Global Zone Root File System Models

A non-global zone contains its own root (/) file system. The size and contents of this file system depend on how you configure the global zone and the amount of configuration flexibility that is required.

There is no limit on how much disk space a zone can use, but the zone administrator, normally the system administrator, must ensure that sufficient local storage exists to accommodate the requirements of all non-global zones being created on the system.

The system administrator can restrict the overall size of the non-global zone file system by using any of the following:

  • Standard disk partitions on a disk can be used to provide a separate file system for each non-global zone
  • Soft partitions can be used to divide disk slices or logical volumes into a number of partitions.
  • Use a lofi-mounted file system to place the zone on. For further information on the loopback device driver see the manual pages for lofi and lofiadm.

Sparse Root Zones

When you create a non-global zone, you have to decide how much of the global zone file system you want to be inherited from the global zone. A sparse root zone optimizes sharing by implementing read-only loopback file systems from the global zone and only installing a subset of the system root packages locally. The majority of the root file system is shared (inherited) from the global zone. Generally this model requires about 100 Megabytes of disk space when the global zone has all of the standard Solaris packages installed. A sparse root zone uses the inherit-pkg-dir resource, in which the list of directories inherited from the global zone is specified.

Whole Root Zones

This model provides the greatest configuration flexibility because all of the required (and any other selected) Solaris packages are copied to the zone’s private file system, unlike the sparse root model where loopback file systems are used. The disk space requirement for this model is considerably greater and is determined by evaluating the space used by the packages currently installed in the global zone.

Networking in a Zone Environment

On a system supporting zones the zones can communicate with each other over the network, but even though the zones reside on the same physical system, network traffic is restricted so that applications running on a specified zone cannot interfere with applications running on a different zone.

Each zone has its own set of bindings and zones can all run their own network daemons. As an example, consider three zones all providing web server facilities using the apache package. Using zones, all three zones can host websites on port 80, the default port for HTTP traffic, without any interference between them. This is because the IP stack on a system supporting zones implements the separation of network traffic between zones.

The only interaction allowed is for ICMP traffic to resolve problems, so that commands such as ping can be used to check connectivity.

Of course, when a zone is running, it behaves like any other Solaris system on the network in that you can telnet or ftp to the zone as if it was any other system, assuming the zone has configured these network services for use.

When a zone is created, a dedicated IP address is configured that identifies the host associated with the zone. In reality though, the zone’s IP address is configured as a logical interface on the network interface specified in the zone’s configuration parameters. Only the global zone has visibility of all zones on the system and can also inspect network traffic, using for example, snoop.

Zone Daemons

The zone management service is managed through the Service Management Facility (SMF); its service identifier is svc:/system/zones:default

There are two daemon processes associated with zones, zoneadmd and zsched.

The zoneadmd daemon starts when a zone needs to be managed. An instance of zoneadmd will be started for each zone, so it is not uncommon to have multiple instances of this daemon running on a single server. It is started automatically by SMF and is also shut down automatically when no longer required. The zoneadmd daemon carries out the following actions:

  • Allocates the zone ID and starts the zsched process
  • Sets system-wide resource controls
  • Prepares the zone’s devices if any are specified in the zone configuration
  • Plumbs the virtual network interface
  • Mounts any loopback or conventional file systems

The zsched process is started by zoneadmd and exists for each active zone (a zone is said to be active when it is in the ready, running, or shutting down state). The job of zsched is to keep track of kernel threads running within the zone. It is also known as the zone scheduler.

Configuring a Zone

Before a zone can be installed and booted it has to be created and configured. This section deals with the initial configuration of a zone and describes the zone components.

A zone is configured using the zonecfg command. The zonecfg command is also used to verify that the resources and properties that are specified during configuration are valid for use on a Solaris system. zonecfg checks that a zone path has been specified and that for each resource, all of the required properties have been specified.

The zonecfg Command

The zonecfg command is used to configure a zone. It can run interactively, from the command line, or from a command file. A command file is created by using the export subcommand of zonecfg. zonecfg carries out the following operations:

  • Create, or delete, a zone configuration
  • Add, or remove, resources in a configuration
  • Set the properties for a resource in the configuration
  • Query and verify a configuration
  • Commit (save) a configuration
  • Revert to a previous configuration
  • Exit from a zonecfg session

When you enter zonecfg in interactive mode, the prompt changes to show that you are in a zonecfg session. If you are configuring a zone called apps, then the prompt changes as follows:

# zonecfg -z apps
zonecfg:apps>

This is known as the global scope of zonecfg. When you configure a specific resource, the prompt changes to include the resource being configured. The command scope also changes so that you are limited to entering commands relevant to the current scope. You have to enter an end command to return to the global scope.

The following list describes the resource types that are applicable to the zonecfg command:

  • zonename: Identifies the zone and must be unique. It cannot be longer than 64 characters. It is case-sensitive and must begin with an alphanumeric character. It can also contain underscores (_), hyphens (-), and periods (.). The name global and all names beginning with SUNW are reserved and not allowed.
  • zonepath: The path to the zone root in relation to the global zone's root directory (/). To restrict visibility to non-privileged users in the global zone, the permissions on the zonepath directory should be set to 700.
  • fs: Each zone can mount file systems. This resource specifies the path to the file system mount point.
  • inherit-pkg-dir: Specifies directories that contain software packages that are shared with, or inherited from, the global zone. The non-global zone only inherits read-only access. There are four default inherit-pkg-dir resources included in the configuration, namely /lib, /sbin, /platform and /usr. The packages associated with these directories are inherited (in a read-only loopback file system mount) by the non-global zone.
  • net: Each zone can have network interfaces that are plumbed when the zone transitions from the installed state to the ready state. Network interfaces are implemented as virtual interfaces.
  • device: Each zone can have devices that are configured when the zone transitions from the installed state to the ready state.
  • rctl: Used for zone-wide resource controls. The controls are enabled when the zone transitions from the installed state to the ready state. The zone-wide resource controls implemented in Solaris 10 are zone.cpu-shares and zone.max-lwps.
  • attr: A generic type, most often used for comments.

Some of the resource types described above also have properties that need to be configured if the resource type is to be used. The following list describes the properties and the parameters, along with examples of usage:

  • fs (dir, special, raw, type, options). The following example shows how these properties are used; the text after each prompt is what is typed at the keyboard:
    zonecfg:apps> add fs
    zonecfg:apps:fs> set dir=/testmount
    zonecfg:apps:fs> set special=/dev/dsk/c0t1d0s0
    zonecfg:apps:fs> set raw=/dev/rdsk/c0t1d0s0
    zonecfg:apps:fs> set type=ufs
    zonecfg:apps:fs> add options [logging, nosuid]
    zonecfg:apps:fs> end

    This example specifies that /dev/dsk/c0t1d0s0 in the global zone is to be mounted on directory /testmount in the non-global zone and that the raw device /dev/rdsk/c0t1d0s0 is the device to fsck before attempting the mount. The file system is of type ufs and a couple of mount options have been added too.

  • inherit-pkg-dir (dir). This specifies the directory that is to be loopback mounted from the global zone. The following example shows that /opt/sfw is to be mounted:
    zonecfg:apps> add inherit-pkg-dir
    zonecfg:apps:inherit-pkg-dir> set dir=/opt/sfw
    zonecfg:apps:inherit-pkg-dir> end
  • net (address, physical). This specifies the setup of the network interface for the zone. The following example specifies an IP address of 192.168.0.42 and that the physical interface to be used is hme0:
    zonecfg:apps> add net
    zonecfg:apps:net> set physical=hme0
    zonecfg:apps:net> set address=192.168.0.42
    zonecfg:apps:net> end
  • device (match). This specifies a device to be included in the zone. The following example includes a tape drive, /dev/rmt/0:
    zonecfg:apps> add device
    zonecfg:apps:device> set match=/dev/rmt/0
    zonecfg:apps:device> end
  • rctl (name, value). There are two zone-wide resource controls, namely zone.cpu-shares and zone.max-lwps. zone.cpu-shares limits the zone's share of the CPU resources, and zone.max-lwps limits the number of Lightweight Processes that the zone can run. These two controls prevent the zone from exhausting resources in a way that could affect the performance or operation of other zones.

    The following example sets the number of CPU shares to 20:

    zonecfg:apps> add rctl
    zonecfg:apps:rctl> set name=zone.cpu-shares
    zonecfg:apps:rctl> set value=(priv=privileged,limit=20,action=none)
    zonecfg:apps:rctl> end
  • attr (name, type, value). The attr resource type is mainly used for adding a comment to a zone. The following example adds a comment for the zone apps:
    zonecfg:apps> add attr
    zonecfg:apps:attr> set name=comment
    zonecfg:apps:attr> set type=string
    zonecfg:apps:attr> set value="The Application Zone"
    zonecfg:apps:attr> end

Viewing the Zone Configuration

The zone configuration data can be viewed in two ways:

  • Viewing a file
  • Using the export option of zonecfg

Both of these are described here:

The zone configuration file is held in the /etc/zones directory and is stored as an XML file. To view the configuration for a zone named testzone, you would enter:

# cat /etc/zones/testzone.xml

The alternative method of viewing the configuration is to use the zonecfg command with the export option. The following example shows how to export the configuration data for zone testzone:

# zonecfg -z testzone export

By default, the output goes to stdout, but this can be changed by entering a filename instead. If you save the configuration to a file, then it can be used at a later date, if required, as a command file input to the zonecfg command. This option is useful if you have to recreate the zone for any reason.
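As an added example (not part of the original post and not Sun's code), the POSIX shell script below checks a proposed zone name against the zonename rules from the resource list above and then writes a command file of the kind that export produces, which can be fed back to zonecfg with its -f option to recreate the zone non-interactively. The function names validate_zonename and gen_zonecfg are this example's own, and the zone name, zonepath, interface and address passed in the usage comment are constructed values.

```sh
#!/bin/sh
# Added example: validate a zone name the way the zonecfg rules describe,
# then emit a zonecfg command file for a sparse-root, shared-IP zone.
# Function names and the sample values are constructed for this example.

# Return 0 if NAME is an acceptable zone name, 1 otherwise.
validate_zonename() {
    name=$1
    # at most 64 characters
    [ ${#name} -le 64 ] || return 1
    # must begin with an alphanumeric character
    case $name in
        [A-Za-z0-9]*) ;;
        *) return 1 ;;
    esac
    # the remainder may only contain alphanumerics, underscores, hyphens and periods
    case $name in
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    # "global" and any name beginning with SUNW are reserved
    case $name in
        global|SUNW*) return 1 ;;
    esac
    return 0
}

# Print a zonecfg command file to stdout.
# Arguments: zonename zonepath physical-interface address[/prefix]
gen_zonecfg() {
    validate_zonename "$1" || { echo "invalid zone name: $1" >&2; return 1; }
    # zonepath is taken relative to the global zone's /, so insist on an absolute path
    case $2 in
        /*) ;;
        *) echo "zonepath must be absolute: $2" >&2; return 1 ;;
    esac
    cat <<EOF
create
set zonepath=$2
set autoboot=true
add net
set physical=$3
set address=$4
end
add attr
set name=comment
set type=string
set value="generated by gen_zonecfg"
end
EOF
}

# Usage on a Solaris host (constructed values):
#   gen_zonecfg zone1 /zones/zone1 e1000g0 10.32.16.10/24 > /tmp/zone1.cfg
#   zonecfg -z zone1 -f /tmp/zone1.cfg
```

The name check rejects the reserved names before zonecfg is ever run, so a typo such as a leading hyphen is reported by the script rather than surfacing later as a configuration error; the generated file uses exactly the subcommands shown in the interactive session earlier on this page.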

Installing a Zone

When a zone has been configured, the next step in its creation is to install it. This has the effect of copying the necessary files from the global zone and populating the product database for the zone. You should verify a configuration before it is installed to ensure that everything is set up correctly.

To verify the zone configuration for a zone named testzone enter the following command:

zoneadm -z testzone verify

If, for example, the zonepath does not exist, or it has not had the correct permissions set, then the verify operation will generate a suitable error message.
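The permission check that verify and install perform on the zonepath is simple enough to reproduce in a script, so it can be run before the install starts. The following is an added example (not from the original post and not Sun's code): check_zonepath and prepare_zonepath are names chosen for this example, it relies only on ls -ld and cut, and the directory names in the usage comment are constructed.

```sh
#!/bin/sh
# Added example: the zonepath permission pre-check that zoneadm enforces.
# A zone directory with any group or world bit set is reported, one line
# per offending bit, before any files are copied into it.
# Function names and the paths in the usage comment are constructed.

# Return 0 if DIR exists and carries no group/world permission bits (mode 700),
# 1 otherwise, printing complaints in the same wording zoneadm uses.
check_zonepath() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "$dir: zonepath does not exist or is not a directory" >&2
        return 1
    fi
    # the first ten characters of ls -ld are the mode string, e.g. drwxr-xr-x;
    # an eleventh '+', '@' or '.' (ACL/attribute marker) is deliberately dropped
    mode=$(ls -ld "$dir" | cut -c1-10)
    rc=0
    for spec in "5:group readable" "6:group writable" "7:group executable" \
                "8:world readable" "9:world writable" "10:world executable"; do
        pos=${spec%%:*}
        what=${spec#*:}
        bit=$(printf '%s' "$mode" | cut -c"$pos")
        # anything other than '-' (r, w, x, s, t) means the bit is set
        if [ "$bit" != "-" ]; then
            echo "$dir must not be $what."
            rc=1
        fi
    done
    return $rc
}

# Create DIR with mode 700 if it is missing, tighten it to 700 if it exists,
# then re-run the check and return its status.
prepare_zonepath() {
    if [ -d "$1" ]; then
        chmod 700 "$1" || return 1
    else
        mkdir -p -m 700 "$1" || return 1
    fi
    check_zonepath "$1"
}

# Usage on a Solaris host (constructed paths), before "zoneadm -z zone1 install":
#   prepare_zonepath /zones/zone1 && zoneadm -z zone1 install
```

Running the check from a script matters for the reason the zonepath description gives: a group- or world-readable zone root lets non-privileged users in the global zone browse the zone's files, so the 700 mode is a visibility control and not just an installer formality.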

When the zone has been successfully verified it can be installed, as follows:

zoneadm -z testzone install

A number of status and progress messages are displayed on the screen as the files are copied and the package database is updated.

Notice that whilst the zone is installing, its state will change from configured to incomplete. The state will change to installed when the install operation has completed.

Booting a Zone

Before issuing the boot command, a zone needs to be transitioned to the ready state. This can be done using the zoneadm command as follows:

zoneadm -z testzone ready

The effect of the ready command is to establish the virtual platform, plumb the network interface and mount any file systems. At this point though, there are no processes running.

To boot the zone testzone, issue the following command:

zoneadm -z testzone boot

Confirm that the zone has booted successfully by listing the zone using the zoneadm command as follows:

zoneadm -z testzone list -v

The state of the zone will have changed to running if the boot operation was successful.
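Confirming the state from a script, as an added example that is not part of the original post: the functions below parse the output of zoneadm list -cv (the sample is constructed to match the column layout shown later on this page) so that a boot script or a monitoring job can assert that a zone reached running, or list every non-global zone that is not running. The names zone_state, zones_not_running and wait_for_running are this example's own.

```sh
#!/bin/sh
# Added example: parse "zoneadm list -cv" output to check zone states.
# SAMPLE_LIST is constructed for this example; on a real host pipe the
# live output of zoneadm list -cv into the same functions.
SAMPLE_LIST='  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 zone1            running    /zones/zone1                   native   shared
   - zone2            installed  /zones/zone2                   native   shared
   - zone3            configured /zones/zone3                   native   shared'

# Print the STATUS column for zone NAME; reads zoneadm list -cv output on stdin.
zone_state() {
    awk -v z="$1" 'NR > 1 && $2 == z { print $3 }'
}

# Print the names of non-global zones that are not running; reads stdin.
# Exit status is 1 if any such zone exists, 0 otherwise, so it can gate a script.
zones_not_running() {
    awk 'NR > 1 && $2 != "global" && $3 != "running" { print $2; n++ }
         END { exit n > 0 }'
}

# Poll zoneadm on a real Solaris host until NAME is running, for up to
# TIMEOUT seconds (default 60). Not exercised here: it needs zoneadm on the PATH.
wait_for_running() {
    name=$1
    timeout=${2:-60}
    while [ "$timeout" -gt 0 ]; do
        [ "$(zoneadm list -cv | zone_state "$name")" = running ] && return 0
        sleep 1
        timeout=$((timeout - 1))
    done
    echo "zone $name did not reach the running state" >&2
    return 1
}

# Usage against the constructed sample:
#   printf '%s\n' "$SAMPLE_LIST" | zone_state zone1        # prints: running
#   printf '%s\n' "$SAMPLE_LIST" | zones_not_running       # prints: zone2 zone3, exit 1
# Usage on a Solaris host after "zoneadm -z zone1 boot":
#   wait_for_running zone1 30 && echo "zone1 is up"
```

The parser keys on the NAME and STATUS columns rather than the ID column because, as the listing shows, a zone that is not running has no ID at all (the column holds a dash), so the ID cannot be used to find it.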

Note

No Need to Ready: If you want to boot a zone, then there is no need to transition to the ready state. The boot operation does this automatically prior to booting the zone.

Halting a Zone

To shut down a zone, issue the halt option of the zoneadm command as shown in the following:

zoneadm -z testzone halt

The zone state changes from running to installed when a zone is halted.

Rebooting a Zone

A zone can be rebooted at any time without affecting any other zone on the system. The reboot option of the zoneadm command is used to reboot a zone as shown here to reboot the zone testzone:

zoneadm -z testzone reboot

The state of the zone should be running when the reboot operation has completed.

Uninstalling a Zone

When a zone is no longer required, it should be uninstalled before it is deleted. In order to uninstall a zone, it must first be halted. When this has been done, issue the uninstall command as shown here to uninstall the zone testzone:

zoneadm -z testzone uninstall -F

The -F option forces the command to execute without confirmation. If you omit this option, then you will be asked to confirm that you wish to uninstall the zone.

Deleting a Zone

When a zone has been successfully uninstalled, its configuration can be deleted from the system. Enter the zonecfg command as shown here to delete the zone testzone from the system:

zonecfg -z testzone delete -F

The -F option forces the command to execute without confirmation. If you omit this option, then you will be asked to confirm that you wish to delete the zone configuration.

Exam Alert

Remember the Force: Unlike most other Unix commands, zoneadm and zonecfg use an uppercase letter F to force the command to be executed without prompting you for confirmation. All other commands, such as mv, rm, and umount, for example, always use a lowercase letter f. Make sure you are aware of this anomaly when you sit for the exam.

Zone Login

When a zone is operational and running, the normal network access commands can be used to access a zone, such as telnet, rlogin, and ssh, but a non-global zone can also be accessed from the global zone using the zlogin command. This is necessary for administration purposes and to be able to access the console session for a zone. Only the Superuser (root), or a role with the RBAC profile "Zone Management", can use the zlogin command from the global zone.

The syntax for the zlogin command is as follows:

zlogin [-CE] [-e c] [-l username] zonename
zlogin [-ES] [-e c] [-l username] zonename utility [argument...]

zlogin works in three modes:

  • Interactive, where a login session is established from the global zone.
  • Non-interactive, where a single command or utility is executed. Upon completion of the command (or utility), the session is automatically closed.
  • Console, where a console session is established for administration purposes.

Here is a Solaris Zone creation example:
—————————————————-
bash-3.00# mkdir -m 700 /zones/zone1

bash-3.00# zonecfg -z zone1
zone1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/zones/zone1
zonecfg:zone1> set autoboot=true
zonecfg:zone1> add inherit-pkg-dir
zonecfg:zone1:inherit-pkg-dir> set dir=/opt
zonecfg:zone1:inherit-pkg-dir> end
zonecfg:zone1> add net
zonecfg:zone1:net> set address=10.32.16.10/24
zonecfg:zone1:net> set physical=e1000g0
zonecfg:zone1:net> set defrouter=10.32.16.1
zonecfg:zone1:net> end
zonecfg:zone1> add attr
zonecfg:zone1:attr> set name=comment
zonecfg:zone1:attr> set type=string
zonecfg:zone1:attr> set value="first zone"
zonecfg:zone1:attr> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit

————————
bash-3.00# zonecfg -z zone1 info
zonename: zone1
zonepath: /zones/zone1
brand: native
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
inherit-pkg-dir:
dir: /opt
net:
address: 10.32.16.10
physical: e1000g0
defrouter: 10.32.16.1
attr:
name: comment
type: string
value: "first zone"
bash-3.00#
—————————-

bash-3.00# zoneadm -z zone1 install
/zones/zone1 must not be group readable.
/zones/zone1 must not be group executable.
/zones/zone1 must not be world readable.
/zones/zone1 must not be world executable.
could not verify zonepath /zones/zone1 because of the above errors.
zoneadm: zone zone1 failed to verify

If you get an error like the one above, check the mode of the zone directory:

bash-3.00# ls -ld /zones/zone1/
drwxr-xr-x   2 root     root         512 Aug  8 22:31 /zones/zone1/
bash-3.00# chmod 700 /zones/zone1
bash-3.00# ls -ld /zones/zone1/
drwx------   2 root     root         512 Aug  8 22:31 /zones/zone1/
bash-3.00#

Then run the zoneadm install command again:

bash-3.00# zoneadm -z zone1 install
Preparing to install zone <zone1>.
Creating list of files to copy from the global zone.
Copying <2901> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1122> packages on the zone.
Initialized <1122> packages on zone.
Zone <zone1> is initialized.
Installation of these packages generated errors: <SUNWpostgr-82-libs SUNWpostgr-82-client SUNWpostgr-82-server-data-root SUNWpostgr-82-server SUNWpostgr-82-contrib SUNWpostgr-82-devel SUNWpostgr-83-server-data-root>
The file </zones/zone1/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
bash-3.00#

bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                           BRAND    IP
0 global           running    /                              native   shared
- zone1            installed  /zones/zone1                   native   shared
bash-3.00#
bash-3.00# zoneadm -z zone1 boot
bash-3.00# zoneadm list -cv
ID NAME             STATUS     PATH                           BRAND    IP
0 global           running    /                              native   shared
1 zone1            running    /zones/zone1                   native   shared
bash-3.00#
bash-3.00# zlogin -C zone1
[Connected to zone 'zone1' console]

Then press ENTER.

Follow the on-screen instructions until system identification is completed.

————————————————

Select a Locale

0. English (C - 7-bit ASCII)
1. U.S.A. (UTF-8)
2. Go Back to Previous Screen

Please make a choice (0 – 2), or press h or ? for help: 1

What type of terminal are you using?
1) ANSI Standard CRT
2) DEC VT52
3) DEC VT100
4) Heathkit 19
5) Lear Siegler ADM31
6) PC Console
7) Sun Command Tool
8) Sun Workstation
9) Televideo 910
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
14) Other
Type the number of your choice and press Return: 3

Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses:.

—Host Name——————————————————————

Enter the host name which identifies this system on the network.  The name
must be unique within your domain; creating a duplicate host name will cause
problems on the network after you install Solaris.

A host name must have at least one character; it can contain letters,
digits, and minus signs (-).

Host name zone1

F2_Continue    F4_Change    F6_Help

–Confirm Information———————————————————

> Confirm the following information.  If it is correct, press F2;
to change any information, press F4.

Host name: zone1

–Time Zone ——————————————————————-

On this screen you must specify your default time zone.  You can specify a
time zone in three ways:  select one of the continents or oceans from the
list, select other - offset from GMT, or other - specify time zone file.

> To make a selection, use the arrow keys to highlight the option and
press Return to mark it [X].

Continents and Oceans
————————————-
–   [ ] Africa
x   [ ] Americas
x   [ ] Antarctica
x   [ ] Arctic Ocean
x   [X] Asia
x   [ ] Atlantic Ocean
x   [ ] Australia
x   [ ] Europe
v   [ ] Indian Ocean

——————————————————————————
F2_Continue    F6_Help

–Country or Region———————————————————–

> To make a selection, use the arrow keys to highlight the option and
press Return to mark it [X].

Countries and Regions
————————
^   [ ] Cambodia
x   [ ] China
x   [ ] Cyprus
x   [ ] East Timor
x   [ ] Georgia
x   [ ] Hong Kong
x   [ ] India
x   [X] Indonesia
x   [ ] Iran
x   [ ] Iraq
x   [ ] Israel
x   [ ] Japan
v   [ ] Jordan

——————————————————————————-
F2_Continue    F6_Help

[NOTICE: Zone rebooting]

————————————————

SunOS Release 5.10 Version Generic_139556-08 32-bit

Copyright 1983-2009 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: zone1
Reading ZFS config: done.

rebooting system due to change(s) in /etc/default/init

zone1 console login: root
Password:

—————————————————

OTHER USEFUL COMMANDS:
# zoneadm -z zone1 halt
# zoneadm -z zone1 boot

Within a zonecfg session, the following removes the net resource, i.e. both the IP address and the physical interface assigned to it:
zonecfg:zone1> remove net address=10.32.16.10/24

SOURCES:

System Administration Guide: Solaris Containers
Installing and Administering Solaris Container Manager 1.1

Solaris 10 System Administration Exam Prep 2 by Bill Calkins

4 responses to "Solaris Containers (Zones) HowTo"

  1. I love this blog. It always guides me to troubleshoot and configure something in my job.

    Go brother, nice share.
    Thanks a lot.
