Hello world,
Solaris Express 02/04 is now available, and this post is to announce
one of the exciting new features, a means of partitioning a single
Solaris instance into isolated application environments called "zones."
(Note that Zones and Resource Management are related subsets of "N1
Grid Containers"; N1GC = S10RM + Zones.) Each zone can be separately
administered and each zone can run an independent set of applications.
Zones allow one or more processes to run in isolation from other
activity on the system. Processes running in a given zone cannot
monitor or affect processes running in other zones. For example, a
process running in a zone will only be able to send signals to other
processes in the same zone, regardless of user id and other credential
information. Likewise, processes in zones will be unable to control
global aspects of the system configuration such as run level, most
physical devices, and network routing tables. (The exception is the
global zone, which is discussed under Security, below.)
Features:
* Security
Network services can be run in a zone, limiting the potential damage
in the event of a security violation. No process running within a
zone, even one with superuser credentials, is allowed to affect
activity in other zones. Certain activities, such as rebooting or
shutting down the system as a whole, will only be permitted in the
global zone. An administrator logged into the global zone can
monitor the activity of applications running in other zones and
control the system as a whole. The global, or default, zone will
always exist.
* Isolation
Zones allow the deployment of multiple applications on the same
machine, even if the applications operate in different trust domains,
require exclusive use of a global resource, or present difficulties
with global configurations. Individual zones can have their own set
of users and their own root password and when rebooted, any other
zones running on the system are unaffected.
* Virtualization
Zones provide a virtualized environment that can hide details such
as physical devices and the system's primary IP address and host
name from the application. This can be useful in supporting rapid
deployment and redeployment of applications since the same environment
can be maintained on different physical machines.
* Granularity
Zones can provide isolation at almost arbitrary granularity. A
zone does not require a dedicated CPU, physical device, or chunk of
physical memory. These resources can either be multiplexed across
a number of zones running within a single system, or allocated on a
per-zone basis using resource management features available in the
operating system.
* Transparency
Zones avoid changing the environment in which applications execute
except when necessary to achieve the goals of security and isolation.
Zones do not present a new API or ABI to which applications must
be ported. Instead, they provide the standard Solaris interfaces
and application environment, with some restrictions that affect
applications attempting to perform privileged operations.
Here is a sample session of a configuring, installing and booting a
zone; note that the zlogin command in the second window is run between
commands 7 and 8 in the first window.
----- cut here: start first window -----
[root:1] zoneadm list -cv
ID NAME STATUS PATH
0 global running /
[root:2] zonecfg -z luke
luke: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:luke> create
zonecfg:luke> set zonepath=/export/home/luke
zonecfg:luke> set autoboot=true
zonecfg:luke> add inherit-pkg-dir
zonecfg:luke:inherit-pkg-dir> set dir=/opt
zonecfg:luke:inherit-pkg-dir> end
zonecfg:luke> add net
zonecfg:luke:net> set address=129.146.86.66/24
zonecfg:luke:net> set physical=eri0
zonecfg:luke:net> end
zonecfg:luke> verify
zonecfg:luke> commit
zonecfg:luke> ^D
[root:3] zoneadm list -cv
ID NAME STATUS PATH
0 global running /
- luke configured /export/home/luke
[root:4] zoneadm -z luke install
Preparing to install zone <luke>.
Creating list of files to copy from the global zone.
Copying <2203> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <905> packages on the zone.
Initialized <905> packages on zone.
Successfully initialized zone <luke>.
[root:5] zoneadm list -cv
ID NAME STATUS PATH
0 global running /
- luke installed /export/home/luke
[root:6] cat /usr/local/etc/luke.sysidcfg
system_locale=C
terminal=xterm
network_interface=primary {
hostname=luke
}
security_policy=NONE
name_service=NIS {
domain_name=sunsoft.eng.sun.com
}
timezone=US/Pacific
root_password=4bw/KFH3xRPUE
[root:7] cp /usr/local/etc/luke.sysidcfg /export/home/luke/root/etc/sysidcfg
[root:8] zoneadm -z luke boot
[root:9] zoneadm list -cv
ID NAME STATUS PATH
0 global running /
1 luke running /export/home/luke
[root:10]
----- cut here: end first window -----
----- cut here: start second window -----
[root:1] zlogin -C luke
[Connected to zone 'luke' console]
[NOTICE: zone booting up]
SunOS Release 5.10 Version s10_51 64-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: luke
The system is coming up. Please wait.
starting rpc services: rpcbind keyserv ypbind done.
rebooting system due to change(s) in /etc/default/init
[NOTICE: zone rebooting]
SunOS Release 5.10 Version s10_51 64-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: luke
The system is coming up. Please wait.
NIS domain name is sunsoft.eng.sun.com
starting rpc services: rpcbind keyserv ypbind done.
syslog service starting.
/etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
The system is ready.
luke console login:
----- cut here: end second window -----
We encourage you to check out the AnswerBook at BigAdmin:
http://www.sun.com/bigadmin/content/zones
Or better yet, go to:
http://wwws.sun.com/software/solaris/solaris-express/get.html
There you can download Solaris Express 02/04 and try Zones yourself!
Enjoy,
-- John Beck and the rest of the Zones team
