In the Zone, Creating OpenSolaris Zones.

I’m really enjoying using OpenSolaris as our server / NAS at home, its a different ball game to Linux but an interesting one never the less. One of the cool features of Solaris are the Solaris Zones (or Solaris Containers). Zones are an implementation of operating system-level virtualisation where the kernel isolates multiple instances of the user-space available. Something like chroot but so much more. Unlike running under a hypervisor (like VMWare or VirtualBox), Zone’s have very little (if any) overhead.

As I’ve come to realise, because of the way Solaris works in general, you can have multiple (isolated & secure) Zones for each application service exposed by the server – eg. one for Tomcat, one for Glassfish, maybe both Apache 1.3.x and 2.x, MySql, Postgres etc. Whats more, you can limit how much resources these Zones can utilise. They all have their own configuration including network routing (coupled with OpenSolaris Crossbow) and you can make for one kick ass setup that won’t break another area of the operating system.

In the Zones.

Here’s a guide on setting up a new Zone in OpenSolaris, configuring it and booting it.

Me Against the Music, its all in the global zone

When we first install OpenSolaris we’ve already got ourselves into a zone (the parent to all other zones) which is known as the global Zone.

You can find this by trying out the following to list all the available zones on a virgin install of OpenSolaris.

zoneadm list -vc
 ID NAME             STATUS     PATH                           BRAND    IP
 0 global           running    /                              native   shared
 

The output will be something like above. Now we can go about creating ourselves a zone for playing around in.

When working with zones, we only need to worry about three commands (damn I love that!). The zoneadm command to manage the physical zone, zonecfg command for configuring the zone and zlogin to login to the zone from the global zone.

First we have to do a bit of planning and thinking about what we’re going to do about this zone.

Here are few things to consider:

  • What do you want to run in the zone?
  • Will it need networking and have it exposed outside of the machine?
  • Where will the zone reside on your disk?
  • Would you like to limit the amount of CPUs the zone can see?
  • Would you like to limit the amount of RAM the zone can utilise?
  • Do you want to automatically boot the Zone when OpenSolaris starts?

For this post, we’re going to create a simple Zone (we won’t install anything).

Toxic Zone

Creating a zone we specify a zone to the zonecfg command.

zonecfg -z toxic

You’ll get something like this appearing because the zone doesn’t exist, thats fine.

toxic: No such zone configured
Use 'create' to begin configuring a new zone.

Then you will be inside the zonecfg configuration.

Lets configure this zone to have the following:

  • Reside in /base/zones/
  • Autoboot with OpenSolaris
  • Shared IP of 192.168.0.24 bound to physical interface e1000g1

Follow me:


zonecfg:toxic> create
zonecfg:toxic> set zonepath=/base/zones/
zonecfg:toxic> set autoboot=true
zonecfg:toxic> add net
zonecfg:toxic:net> set address=192.168.0.24
zonecfg:toxic:net> set physical=e1000g1
zonecfg:toxic:net> end
zonecfg:toxic> verify
zonecfg:toxic> commit
zonecfg:toxic> exit

This will create the configuration, verify, write it and exit. You can verify it was created by running the list command again:

zoneadm list -vc
ID NAME             STATUS         PATH
0 global           running        /
- toxic            configured     /base/zones

Its currently in a configured state, you can read more about the Non-Global State Model in the documentation. Next thing to do is to install the zone – this will get the base packages setup and configured for use.

zoneadm -z toxic install

Everytime, boot her up.

Next lets boot this bad baby up.

zoneadm -z toxic boot

Now if we do a list again we’ll see that our state has changed to running.

zoneadm list -vc
ID NAME             STATUS         PATH
0 global           running        /
- toxic            running        /base/zones

Now we have to configure the zone itself – just like a real machine. For this we use the zlogin command to login to the zone console.

zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:52:43 on pts/5
Sun Microsystems Inc.   SunOS 5.11      snv_127 November 2008

After that we’re now in the toxic zone. Anything we do inside here, stays within this zone and won’t affect our global or other zones. But before we continue we really should configure our networking.

First lets modify our /etc/nsswitch.conf file with vi.

passwd:     files
group:      files
hosts:      files dns
ipnodes:    files
networks:   file

Make sure the hosts entry has dns as above. Next we need to configure the nameservers.


echo 'nameserver 192.168.0.254' > /etc/resolv.conf

That will create a resolv.conf file with the nameserver which you can get from the global zone as it would be different for everyone:

cat /etc/resolv.conf
nameserver 192.168.0.254

Breath on me, reboot the zone.

Now we can access the networking like the global zone. So you can do a package refresh and update-image too.


pkg refresh && pkg image-update

If it succeeds we have correctly setup our zone and its ready for use – you may want to reboot the zone however. To do this, exit the toxic console.


exit
logout

[Connection to zone 'toxic' pts/5 closed]

Then lets reboot the zone.

zoneadm -z toxic reboot

Now we login to the toxic zone:

zlogin toxic
[Connected to zone 'toxic' pts/5]
Last login: Sat Nov 21 17:58:44 on pts/5
Sun Microsystems Inc.   SunOS 5.11      snv_127 November 2008

Outrageous, removing the zones.

Now how about removing this zone and trying again? First get out of the zone console and back to your global zone. Issue the halt command to shutdown the zone.

exit
zoneadm -z toxic halt

Once stopped simply remove it.

zoneadm -z toxic uninstall
zonecfg -z toxic delete

You can make sure its gone by using the list command. That’s all there is to it!

Now you can consider yourself, In The Zone.

Related Articles

Comments have been disabled.