Vous êtes sur la page 1sur 9

An Introduction to Solaris 11 Zones - Toki Winter

Page 1 of 9

An Introduction to Solaris 11 Zones


Solaris Zones (or Containers) were first introduced in Solaris 10. I wrote about them a while back in How to Get Started with Solaris Containers, but a lot has changed in Solaris 11. Solaris Zones provide an easy way to either provide a sparse chroot-like environment so that applications can run in an environment that will not be detrimental to global system resources, or a full branded environment (running a Solaris 10 branded zone, for example). Delegated administration can be configured so that a zone can be managed by someone other than the global sysadmin. Zones provide an excellent way to split a system into several logical units, each with their own filesystem resources, system resources and management. Most of what I wrote about previously is still very pertinent, but Solaris 11 has built upon zone technology, placing it at its very core.

In Solaris 10, the default IP type for zones was shared, which meant that the zone shared the IP stack with the global zone. Within a zone on Solaris 10, an administrator was unable to configure network settings, unless exclusive IP was used, in which case the zone would be bound to a physical NIC in the global zone, and that NIC would only be available for exclusive use by that zone. With Solaris 11, and virtual networking, all zones can be created with an exclusive IP type. A Virtual NIC (VNIC) is created for each zone, over some physical NIC on the global zone. This network virtualisation allows each zone to maintain its own TCP/IP stack, and the zone administrator can change the zones network configuration from within the zone itself. A new anet interface type has been introduced within zonecfg to handle this.

Solaris 11 zones are now provisioned using the new Image Packaging System (IPS) and in a default configuration, packages will be installed from the repository configured (http://pkg.oracle.com, for example) in the global zone. It would make sense to have a local repository if you were rolling out large numbers of systems or zones, but for our testing purposes, downloading a couple of hundred megabytes of packages is no big issue.

This article will walk through the creation of a simple Solaris 11 zone, and introduce a method of installing zones without operator intervention using System Profiles.

Filesystem Creation

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 2 of 9

Zones are tightly integrated with ZFS in Solaris 11, and a new ZFS dataset (or datasets, depending on the configuration) will be created for each new zone provisioned. To aid in administration, Ill create a new dataset to hold my zones. I have a ZPool available (datapool) and will create the new dataset within this:
# zfs create -o mountpoint=/zones datapool/zonefs # zfs list datapool/zonefs NAMEUSEDAVAIL REFERMOUNTPOINT datapool/zonefs 31K 19.4G 31K /zones

I only have 19.4GB available, but as zones are an extremely sparse form of virtualisation technology, it will suffice for our requirements.

Zone Creation
Next, create the zone using zonecfg and set its zonepath to a subdirectory of our new /zones filesystem:
# zonecfg -z testzone-01 "create; set zonepath=/zones/testzone-01"

Youll note that the zone has been created and is now in the configured state:
# zoneadm list -cv ID NAMESTATUS PATH BRAND IP 0 global running / solaris shared - testzone-01 configured /zones/testzone-01 solaris excl

Here you can see that the zone is created with exclusive IP. A new VNIC will be created when the zone is booted, so for now youll see no additional interfaces when running dladm show-link just the interfaces currently configured in the global zone:
# dladm show-link LINK CLASS MTUSTATE OVER net0 phys 1500 up --

System Profiles
The sysconfig utility provided with Solaris 11 allows us to unconfigure or reconfigure a Solaris instance. It is essentially a fancy version of sys-unconfig provided with earlier Solaris versions. One of the subcommands, however, supplied by sysconfig is create-profile. This allows us to step through all of the screens normally presented at system installation time (whether provisioning physical systems or zones) and will write out an XML file containing all the choices we made a System Profile. This new

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 3 of 9

XML format replaces the older sysidcfg format used previously when jumpstarting servers or provisioning zones. I can generate a master copy of this file from the global zone, and modify it to provide a template. This template can then be copied for each zone we wish to create, with the appropriate parameters substituted. Once the zone is installed using this profile, and booted, the appropriate system configuration will be performed automatically and the operator will not be prompted for information. This means that its easy to script the installation of Solaris 11 zones (as it was with Solaris 10).

Lets create our system profile:


# sysconfig create-profile -o /var/tmp/sysconfig.xml

Work through the screens as if you were installing Solaris for the first time, configuring network, timezone, root password, user, naming services, etc. It will have NO EFFECT on current system configuration, so dont be scared of it. I configured the parameters that Ill be changing with obviously bogus values for my configuration Hostname: NEWHOST, IP Address: 123.123.123.123, Gateway: 123.123.123.1, and DNS Servers: 123.1.2.1 and 123.1.2.3. Once the XML file had been generated and reviewed, I moved it to a secure location:
# mv /var/tmp/sysconfig.xml /root

Then, I created a copy of the configuration for the zone I was about to provision testzone-01, with the first substitution for hostname being made during the redirection to the new file:
# grep NEWHOST sysconfig.xml <propval type="astring" name="nodename" value="NEWHOST"/> # sed 's/NEWHOST/testzone-01/' sysconfig.xml > sysconfig_testzone-01.xml # grep testzone sysconfig_testzone-01.xml <propval type="astring" name="nodename" value="testzone-01"/>

I then substituted appropriate values for IP address, gateway and DNS servers. The netmask I specified during sysconfig create-profile is already correct for my network, so just substituting the correct IP address in place of 123.123.123.123 (my templated IP) will work:
# gsed -i 's/123.123.123.123/172.16.18.140/' sysconfig_testzone-01.xml # grep 172.16.18.140 sysconfig_testzone-01.xml <propval type="net_address_v4" name="static_address" value="172.16.18.140/24"/>

Substitute the value for the default gateway, and DNS servers, similarly using gsed:
# # # # # default gateway gsed -i 's/123.123.123.1/172.16.18.2/' sysconfig_zone-001.xml # first DNS server gsed -i 's/123.1.2.1/8.8.8.8/' sysconfig_zone-001.xml

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 4 of 9

# # second DNS server # gsed -i 's/123.1.2.3/8.8.4.4/' sysconfig_zone-001.xml

The profile is now ready to use.

Zone Installation
Our zone is now ready to be installed using the new profile. Use the new -c <profile_name> option to

zoneadm install when installing the zone. Note that the -c option expects an absolute pathname to the
profile, or at least thats what I found to prevent strange errors about being unable to find the file. If we didnt use a system profile, wed have to step through the configuration screens on the first boot of the zone and specify all the information by hand.

Install the zone:


# zoneadm -z testzone-01 install -c /root/sysconfig_testzone-01.xml The following ZFS file system(s) have been created: datapool/zonefs/testzone-01 Progress being logged to /var/log/zones/zoneadm.20130204T235107Z.testzone-01.install Image: Preparing at /zones/testzone-01/root. AI Manifest: /tmp/manifest.xml.w7aOc4 SC Profile: /root/sysconfig_testzone-01.xml Zonename: testzone-01 Installation: Starting ... Creating IPS image Startup linked: 1/1 done Installing packages from: solaris origin: http://pkg.oracle.com/solaris/release/ DOWNLOAD PKGSFILESXFER (MB) SPEED Completed 183/183 33556/33556 222.2/222.2 2.2M/s PHASE ITEMS Installing new actions 46825/46825 Updating package state database Done Updating image state Done Creating fast lookup database Done Installation: Succeeded Note: Man pages can be obtained by installing pkg:/system/manual done. Done: Installation completed in 286.036 seconds. Next Steps: Boot the zone, then log into the zone console (zlogin -C) to complete the configuration process. Log saved in

01/ / /log/

global

/zoneadm 20130204T235107Z.testz

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 5 of 9

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 6 of 9

You will note that the IPS has been used for the zone installation and a new dataset has been created for this zone at datapool/zonefs/testzone-01.

Lets verify the zone state:


# zoneadm list -cv ID NAMESTATUSPATH BRAND IP 0 global running / solaris shared - testzone-01 installed /zones/testzone-01 solaris excl

Note the status change from configured to installed.


# dladm show-link LINK CLASS MTUSTATE OVER net0 phys 1500 up --

Our new VNIC has not yet been created.

Booting and Verifying the Zone


Boot the zone for the first time:
# zoneadm -z testzone-01 boot

And connect to the zones console, checking for errors during initial boot, manifest import, and system identification (which should be automated thanks to our system profile):
# zlogin -C -e '#.' testzone

Note that I specify a different escape sequence here (#.) from the default, to save confusion and possible disconnection via SSH escape sequences.

During zone boot, you may see the following message displayed on the zone console if youre deploying your zones on a virtualised global zone (for example: under VMware or VirtualBox):
Warning: Unable to verify add of static route on net0/v4 Error code = 3

Disconnect from the zones console if no other errors are generated. The Unable to verify add of

static route message is because you need to enable promiscuous mode on the global zones

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 7 of 9

interface (whichever one the VNIC is being created over) for networking within the zone to work when the global zone itself is virtualised.

This can be done from the global zone. To determine the physical network interface that needs to be placed into promiscuous mode, run dladm show-link:
# dladm show-link LINK CLASS MTUSTATE OVER net0 phys 1500 up -testzone-01/net0 vnic 1500 upnet0

You can also see that a VNIC has now been created for our zone (testzone-01/net0) over net0. Run a snoop on the physical interface in the global zone (in our case, net0 is virtualised at the VMware layer) identified via dladm show-link:
# snoop -d net0 >/dev/null 2>&1 &

Now, log into the zone and verify network connectivity:


# zlogin testzone-01 "ping google.com" google.com is alive

Looks good. Our zone was provisioned with the minimum of fuss, and we now have the foundations of a scriptable solution to provision many zones on-the-fly.

Logging into the zone, review the default ZFS configuration and ownership of our network interface:
zone# dladm show-link LINK CLASS MTUSTATE OVER net0 vnic 1500 up ? zone# zfs list NAMEUSED rpool 441M rpool/ROOT 441M rpool/ROOT/solaris 441M rpool/ROOT/solaris/var 28.0M rpool/VARSHARE 39K rpool/export 96.5K rpool/export/home 64.5K rpool/export/home/toki 32.5K

AVAILREFERMOUNTPOINT 19.0G 31K /rpool 19.0G 31K legacy 19.0G 412M / 19.0G 27.3M /var 19.0G 39K /var/share 19.0G 32K /export 19.0G 32K /export/home 19.0G 32.5K /export/home/toki

Of course, other datasets can be created in the global zone and added to a zone using zonecfg (as indeed can new VNICs with dladm create-vnic) but as you can see even a default zone configuration makes good use of the underlying core technologies present in Solaris 11.

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 8 of 9

Back in the global zone, review that the zone is reported as running:
# zoneadm list -cv ID NAMESTATUSPATH BRAND IP 0 global running / solaris shared 10 testzone-01 running /zones/testzone-01 solaris excl

And review the various ZFS filesystems that were created in the global zone during the creation of testzone-01 (note that the user we specified to create during sysconfig also has their own ZFS dataset) :
# zfs list | grep testzone-01 datapool/zonefs/testzone-01 441M 19.0G 33K /zones/testzone-01 datapool/zonefs/testzone-01/rpool 441M 19.0G 31K /zones/testzone-01/root/rpool datapool/zonefs/testzone-01/rpool/ROOT 441M 19.0G 31K legacy datapool/zonefs/testzone-01/rpool/ROOT/solaris 441M 19.0G 412M /zones/testzone-01/root datapool/zonefs/testzone-01/rpool/ROOT/solaris/var 28.0M 19.0G 27.3M /zones/testzone datapool/zonefs/testzone-01/rpool/VARSHARE 39K 19.0G 39K /zones/testzone-01/root/var datapool/zonefs/testzone-01/rpool/export 96.5K 19.0G 32K /zones/testzone-01/root/export datapool/zonefs/testzone-01/rpool/export/home 64.5K 19.0G 32K /zones/testzone-01/root datapool/zonefs/testzone-01/rpool/export/home/toki 32.5K 19.0G 32.5K /zones/testzone

Its worth noting that our zone only consumes 441MB from the above highlighting how sparse the zones actually are a complete operating environment in less than 0.5GB.

Conclusion
This article has provided a brief introduction to zones on Solaris 11, how to provision them and some insights on how to automate their provisioning. Zones have been even more tightly integrated with the technologies at the core of Solaris, and enable simple segregation of services, or the ability to delegate administration of an entire operating environment to a different sysadmin. Whilst not covered in this article, zones can be used to virtualise Solaris 10 instances into branded zones and thus consolidate existing infrastructure you can run your Solaris 10 applications unmodified on Solaris 11 in a Solaris 10 branded zone.

There will be many more articles covering the use and administration of zones under Solaris 11, so stay tuned to tokiwinter.com for further information, tips and tricks.

Related posts:
1. How to Network Solaris 11 Zones Under VMware or VirtualBox 2. How to Update a File on All Zones at the Same Time 3. How to Get Started with Solaris Containers

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014

An Introduction to Solaris 11 Zones - Toki Winter

Page 9 of 9

4. ZFS Part 1: Introduction 5. How to Upgrade from Solaris 10 to Solaris 11: Network Preparation

This entry was posted in UNIX & Linux How Tos and Tutorials and tagged automation, solaris, ZFS, zones on February 26, 2013 [http://www.tokiwinter.com/solaris-11-zones/] .

http://www.tokiwinter.com/solaris-11-zones/

2/6/2014