Step Into the Virtual Zone

by Charlie Schluting

When it comes to Solaris 10 virtualization, Zones are where it's at.

The virtualization spotlight may be shining on recent hardware improvements, but that is but one facet of this popular technology. Virtualization at software layer has been gaining ground as well. Sun Microsystem's Solaris 10 is no exception to this, and has implemented Solaris Zones as a key component of its OS virtualization strategy.

Zones are useful for many tasks, including testing and server consolidation. Sun defines a zone as "a virtual operating system abstraction that provides a protected environment in which applications run. The applications are protected from each other to provide software fault isolation. To ease the labor of managing multiple applications and their environments, they co-exist within one operating system instance, and are usually managed as one entity."

The concept of zones is fairly straightforward. The already-running OS is the global zone, and any added zones are non-global. Certain administrative functions can be performed only from the global zone, such as editing the zone configuration. The configuration holds important data that impacts the way a zone operates, including: delegated file systems, resource controls and device configurations. You can apply patches to the global zone, and if the non-global zones share /usr, /sbin, /platform and /lib with the global, they are automatically patched in unison. If you opt to create a zone with its own copy of these file systems, it will have to be patched separately.

Here's a quick walk through of creating a simple zone. A really neat feature of zones is that you can create them on a ZFS file system, and the root file system in the zone will be ZFS. You can't actually have a ZFS root file system in Solaris 10 yet, but you can inside a zone. A trivial example of creating a ZFS pool from one partition, and then a file system is:

# zpool create test c0t0d0s7
# zfs create test/zones
# zfs set quota=3g test/zones
# zfs list
test                   104K  64.5G  25.5K  /test
test/zones            24.5K  3.00G  24.5K  /test/zones

Easy as pie. We'd like to talk about the features more than provide a copy and paste-able "howto," so the specifics of the commands shown in this article are left as an exercise to the reader.

Now, let's create a zone. We’ll want to share some file systems with the global zone. This is the minimum configuration necessary to set up a simple zone:

# zonecfg -z myzone
myzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:myzone> create
zonecfg:myzone> set autoboot=true
zonecfg:myzone> set zonepath=/test/zones/myzone
zonecfg:myzone> add net
zonecfg:myzone:net> set address=
zonecfg:myzone:net> set physical=bge0
zonecfg:myzone:net> end
zonecfg:myzone> verify
zonecfg:myzone> commit
# zoneadm list -cv
  ID NAME             STATUS         PATH                         
   0 global           running        /                            
   - myzone           configured     /test/zones/myzone

The configuration is stored in an XML file within /etc/zones. This step simply set up the configuration, but it can't be performed until it is "installed." This command was run on a fairly slow Sun Blade 1500, and took 26.5 minutes to complete:

# zoneadm -z myzone install
Preparing to install zone <myzone>.
Creating list of files to copy from the global zone.
Copying <59863> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1127> packages on the zone.
Initialized <1127> packages on zone.
Zone <myzone> is initialized.

The entire install took only 84MB of space. Now that the zone is installed and consumes only a tiny amount of space, it can be booted by running zoneadm –z myzone boot. You can connect to the console by using zlogin –C myzone and answer the usual timezone and directory services questions asked during a Solaris install. The zone is ready to use afterward.

If 3GB turns out to be too small for the zone, you can either create another ZFS file system in the pool, or simply enlarge the file system with: zfs set quota=5g test/zones.

Several issues frequently arise when people begin using zones. Standard concerns include, backups, resource limiting and OS updates.

When an update to Solaris comes out, you can run the "upgrade" install option without worrying about the zones. Zones get updated at the same time, unless you've installed them on ZFS, as we did in the example. This is a bug that should be fixed in the next release. Many people shun the upgrade install option, choosing to always reinstall from scratch. Unfortunately, this means the non-global zones will have to be restored by restoring each file system manually.

Many people shun the upgrade install option, choosing to always reinstall from scratch. Unfortunately, this means the non-global zones will have to be restored by restoring each file system manually.

A ZFS file system can be backed up easily with zfs send and restored with zfs receive. If the global zone has not changed at all, it is possible to use an zone config obtained with zonecfg export. You can move zones between physical servers in this manner, only if they are at the same patch level. Hopefully in the future zones will be able to move between servers while they are running.

Backups, too, are a bit complicated. You don't want to simply run your normal backup software from the global zone, allowing it to include the zone install directory. Shared file systems are mounted with the loopback file system, and most backup programs will happily backup everything twice. One option is to backup each non-global zone separately, specifying only non-shared file systems. Legato, for example, can be configured to backup the hostname of a non-global zone and ignore non-UFS file systems.

Resource limiting can be easily accomplished in zones by using zonecfg to create resource control capabilities. The available options are quite complex, but the simplest form allows a fair-share scheduler to be used. You can configure a non-global zone to use, say, 60 percent of the CPU. The prctl command can then be used to adjust the assigned values on the fly, if required.

Zones are very flexible, and quite easy to use. Since they are OS-level virtualization and share a kernel, you can't run anything but another copy of the same operating system. This is a perfect way to consolidate servers because zones create very little overhead, yet still maintain a high degree of isolation from the host operating system.

This article was originally published on Enterprise Networking Planet.

This article was originally published on Wednesday Oct 18th 2006
Mobile Site | Full Site