Tuesday, May 3, 2011

Zone Introduction


Zone Introduction

Zones are containers to segregate services so that they do not interfere with each other. One zone, the global zone, is the locus for system-wide administrative functions. Non-global zones are not able to interact with each other except through network interfaces. When using management commands that reference PIDs, only processes in the same zone will be visible from any non-global zone.
Zones requiring network connectivity have at least one dedicated IP address. Non-global zones cannot observe each other's network traffic. Users in the global zone, however, are able to observe the functioning of processes in non-global zones. It is usually good practice to limit user access to the global zone to system administrators. Other processes and users should be assigned to a non-global zone.
Each zone is assigned a zone name and a unique numeric zone ID. The global zone always has the name "global" and ID "0." A node name is also assigned to each zone, including global. The node names are independent of the zone names.
Each zone has a path to its root directory relative to the global zone's root directory.
A non-global zone's scheduling class is set to be the same as the system's scheduling class. If a zone is assigned to a resource pool, its scheduling class can be controlled by controlling the pool's scheduling class.
Non-global zones can have their own zone administrators. Their authority is limited to their home zone.
The separation of the environments allows for better security, since the security for each zone is independent. Separation also allows for the installation of environments with distinct profiles on the same hardware.
The virtualization of the environment makes it easier to duplicate an environment on different physical servers.
ZFS is supported in Solaris 10 zones from the 6/2006 release and after.

Zone Installation

The system administrator configures new non-global zones via the zonecfgcommand, administers them via zoneadm and logs into them via zlogin.

Zone States

Zone state information can be viewed with zoneadm list -iv from the global zone. Non-global zones have one of the following states:
  • configured: Configuration complete and in stable storage.
  • incomplete: Installation or uninstallation underway
  • installed: Configuration instantiated on system. Zone has no associated virtual platform.
  • ready: Virtual platform established, zsched started, IPs plumbed, filesystems mounted, zone ID assigned. No zone processes started yet.
  • running: This state entered when zone init process starts.
  • shutting down: Zone being halted.
  • down: Transitional state during zone shutdown.

Zone Control Commands

The following control commands can be used to manage and monitor transitions between states:
  • zlogin options zone-name
  • zoneadm -z zone-name boot
  • zoneadm -z zone-name halt
  • zoneadm -z zone-name install
  • zoneadm -z zone-name ready
  • zoneadm -z zone-name reboot
  • zoneadm -z zone-name uninstall
  • zoneadm -z zone-name verify
  • zonecfg -z zone-name: Interactive mode; can be used to remove properties of the following types: fs, device, rctl, net, attr
  • zonecfg -z zone-name commit
  • zonecfg -z zone-name create
  • zonecfg -z zone-name delete
  • zonecfg -z zone-name verify

Resource Management

Zones can be used to dynamically control resource allocations on a zone basis. This means that an application on a zone can be isolated and prevented from throttling other processes in other zones on the same server.

Zone Components

The following components may be included in a zone:
  • Zone name
  • zonepath: Path to the zone root in the global zone's file space.
  • autoboot: Whether to start the zone automatically. (Note that thesvc:/system/zones:default service needs to be running in SMF for this to work.)
  • pool: Associate the zone with a resource pool; multiple zones may share a pool.
  • net: Zone network interface
  • fs: File systems from the zone's /etc/vfstab, automounted file systems configured within the zone, manually mounted file systems or ZFS mounts from within the zone.
  • dataset: This allows a non-global zone to manage a ZFS file system.
  • inherit-pkg-dir: In a sparse root zone, represents directories containing packaged software that a non-global zone shares with the global zone. (Should not be used in a whole root zone.)
  • device: Devices that should be configured in a non-global zone.
  • rctl: Zone-wide resource controls such as zone.cpu-shares andzone.max-lwps
  • attr: Zone comments
The components can be set using the zonecfg command.

zonecfg Interactive Mode

In interactive mode, zonecfg can refer to either a global scope or a specific resource. If no zone is specified in the original zonecfg command, the scope is global by default.
If a select or add subcommand is used to specify a resource, the scope limited to that resource until an end or cancel command is issued.
The following subcommands are supported:
  • add: Add the specified resource or property to the configuration in the scope.
  • cancel: Ends the resource specification and returns to the global scope without retaining partially specified resources.
  • commit: Dump current configuration to disk.
  • create: In-memory configuration begun for a new zone. A -t templateoption specifies a template, -F overwrites an existing configuration, and -bcreates a blank configuration.
  • delete: Destroy the specified configuration.
  • end: Ends the resource specification
  • exit: Ends the zonecfg session.
  • export: Export the configuration in a form that can be used in a command file.
  • help: Context-sensitive help depending on the current scope
  • info: Display information about the configuration of the current scope.
  • remove: Remove the specified resource or property from the command scope.
  • revert: Return to the last state written to disk.
  • select: From the global scope, changes scope to the specified resource
  • set: Set the specified property to the specified value
  • verify: Verify the current configuration for correctness.

Adding Resources


zonecfg:zone-name> add dataset
zonecfg:zone-name:dataset> set name=pool/filesys
zonecfg:zone-name:dataset> end


zonecfg:zone-name> add fs
zonecfg:zone-name:fs> set directory=/mountpoint
zonecfg:zone-name:fs> set special=/dev/dsk/c#t#d#s#
zonecfg:zone-name:fs> set raw=/dev/rdsk/c#t#d#s#
zonecfg:zone-name:fs> set type=ufs
zonecfg:zone-name:fs> add options logging
zonecfg:zone-name:fs> end


zonecfg:zone-name> add inherit-pkg-dir
zonecfg:zone-name:inherit-pkg-dir> set dir=/package-home
zonecfg:zone-name:inherit-pkg-dir> end


zonecfg:zone-name> add net
zonecfg:zone-name:net> set physical=interface-name
zonecfg:zone-name:net> set address=xxx.xxx.xxx.xxx
zonecfg:zone-name:net> end
(Examples of interface names include hme0 and bge0.)


zonecfg:zone-name> add rctl
zonecfg:zone-name:rctl> set name=resource-name
zonecfg:zone-name:rctl> add value (priv=priv-level,limit=#,action=action-type)
zonecfg:zone-name:rctl> end

(See Resource Management for information about what sorts of values to use.)

Zone Models

There are two different zone models, sparse and whole root.
Sparse zones only contain a subset of the packages installed into the root zone. Additional packages can be brought in using the inherit-pkg-dir resources. Each sparse zone requires about 100MB of free space in the global file system. 40MB of free RAM are also recommended.
Whole root zones contain all required packages and also any optional Solaris packages that have been selected. The disk space required for whole root zones is as much as is required for a full installation. Whole root zones allow maximum configuration within the zone context.

Zone Creation Example


From within the global zone:
# zonecfg -z zone-name
zonecfg:zone-name> create
zonecfg:zone-name> set zonepath=/zone-root-path
(Note that the zone's root path cannot be on ZFS, though that capability is coming.)
zonecfg:zone-name> set autoboot=true
zonecfg:zone-name> add fs
zonecfg:zone-name:fs> set dir=/mount-point
zonecfg:zone-name:fs> set special=/global-source-dir
zonecfg:zone-name:fs> set type=lofs
zonecfg:zone-name:fs> end
(Inside the non-global zone, the mounted loopback file system will be readable and writable.)
zonecfg:zone-name> add dataset zonecfg:zone-name:dataset> set name=zone-pool/ZFS-filesys
zonecfg:zone-name:dataset> end
zonecfg:zone-name> verify
zonecfg:zone-name> commit
zonecfg:zone-name> end


Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)