Zone Configuration                        Data from the following are not referenced or copied when a zone is              ...
Zone Configuration                        zlogin –C logs in to a just-boot virgin zone                            Only root...
sysidcfg                        Create to shorten first boot questions                        File gets copied into <zoneho...
Zone Configuration - 2             # zonecfg -z app1             app1: No such zone configured             Use create to be...
Zone Configuration - 3             # df -k             Filesystem              kbytes    used     avail capacity   Mounted ...
Zone Configuration - 4             # ls -l /opt/zone             total 2             drwx------   4 root      other       5...
Zone Configuration - 5             net:                  address: 192.168.118.140                physical: pnc0            ...
Zone Configuration -6             Zone <app1> is initialized.             The file </opt/zone/app1/root/var/sadm/system/log...
Zone Configuration -7             # zoneadm -z app1 boot             zoneadm: zone app1: WARNING: pcn0:2: no matching subne...
Zone Configuration -8             rebooting system due to change(s) in /etc/default/init             [NOTICE: Zone rebootin...
Zone Configuration -9             Creating new rsa public/private host key pair             Creating new dsa public/private...
Zone Configuration -10          # useradd -u 101 -g 14 -d /export/home/pbg -s /bin/bash             pbg          # passwd p...
Zone Configuration - 11                  # zoneadm list -v               ID NAME             STATUS     PATH               ...
Zones and ZFS                        Installing a zone with its root on ZFS is not supported as                        the...
Zone Script             create -b             set zonepath=/opt/zones/zone0             set autoboot=false             add...
Zone Script             add   inherit-pkg-dir             set   dir=/usr             end             add   inherit-pkg-dir...
Life in a Zone             # ifconfig -a             lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index...
Life in a Zone - 2             $ telnet 192.168.80.140             . . .             $ df -k             Filesystem       ...
Life in a Zone - 3             $ ps -ef                  UID   PID   PPID   C    STIME TTY        TIME CMD                ...
Life in a Zone - 4             # mount -p             / - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic       ...
Zone Clone                        As of S10 8/07, zones are “cloneable”                            Much faster than instal...
Zone Clone (cont)                        A cloned zone is unconfigured and must be                        configured        ...
Zone Clone (cont)                        So to clone zone1 to make zone2                            # zonecfg -z zone1 exp...
Zone Migration                        Zones can be moved between like systems                            Available S10 8/0...
Zone Migration (cont)                        Can dry-run an attach / detach via the “-n” option to                        ...
Other Cool Zone Stuff                  ps –Z shows zone in which each process is running                  Can use resource...
Labs                        Create a “simple” zone                        Install it                        Boot it       ...
Zones and DTrace                  Zones can get some DTrace privileges (starting 11/06)                  # zonecfg -z my-z...
Fair-share Scheduling                        Solaris has many scheduler classes available                        A thread ...
!"#$%&"$(%&)(*+,($                Fair-share Scheduling              !"#$%&"$(%&)(*+,($               !"#$%&"$(%&)(*+,($  ...
Zones and Fair Share Scheduling                        FSS allows all CPU to be used if needed, but overuse to            ...
Zones and Fair-share scheduling (2)                        Check the shares of the global zone                           p...
FX Scheduler                        Time-share is heavy weight scheduler                           Has to calculate for ev...
!"#$%&()*+,-.*(/,,0+                ! 9-*&4#-:$,)$4()"0$5)*-#$(-*)"(-*$*"5$1*$3/;*<$                  .-.)(+<$=>?$)##-,&)#...
!"#$%&()*+,-.*(/,,0+                ! 95-(-$&*$)#-$0)):$)#;&4"(1,&)#$0-($!):1(&*$&#*,1#-                ! <+$=-;1":,>$)#-$...
DRPs                        You can make “DRP”s non-dynamic by not including                        a variation in the ran...
Zones and Dynamic Resource Pools                        Assign zones to dedicated CPU resources                           ...
Zones and DRPs (cont)                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   81Saturday, May 2, 2...
Zones and DRPs (cont)                        Create a pool (from global zone) via                   # # enable DRPs       ...
Zones and DRPs (cont)                   pset pset_default                             int pset.sys_id -1                  ...
Zones and DRPs (cont)                 Create a new one-CPU processor set called email-pset                 # poolcfg -c cr...
Zones and DRPs (cont)                        Check the config             # pooladm                  system my_system      ...
Zones and DRPs (cont)                        Check the config                 pset pset_default                         int...
DRPs                        Note that you can give ranges of CPUs to                        be used in DRPs               ...
Zones and DRPs (cont)                      Now enable FSS, make it default for pool_default          # poolcfg -c modify p...
Zones, Resources, and S10 8/07                  Much simpler now if you just want a zone to have dedicated                ...
Zones, Resources, and S10 8/07 (cont)                  Can use zonecfg for the global zone to persistently                ...
Zones and Networking S10 8/07                  Can now create exclusive-IP zones (i.e. dedicate an HBA port to a zone) kno...
Zones, Resources and 5/08                        CPU Caps Can limit the aggregated amount of CPU that a container’s CPUs c...
prctl vs zonecfg                        prctl can read resource settings in the                        global or child zon...
Zone Issues                        Zone cannot reside on NFS                            But zone can be NFS client        ...
Zone issues - cont                        Upgrading the global zone to a new Solaris release                        upgrad...
Zones and Packages                  # pkgadd -d screen*                  The following packages are available:            ...
Sparse Zones vs. Whole Root Zones                        When should you use “sparse”, when should you use                ...
Upgrading a System Containing Containers                        Supported methods vary, depending on                      ...
Zone Best Practices                        Note that global zone root can copy files directly into zones via their         ...
Zone Best Practices (2)                        Use zonecfg export to save each zone’s                        config setting...
Zones and /etc/system                        For variables no longer in /etc/system they can be set via the rctladm comman...
Zones and /etc/system (cont)                        Note that /etc/project is read at login                        Also to...
Branded Zones                        Shipped in S10 8/07                        Allows native binary execution of bins fro...
2009 04.s10-admin-topics2
  1. Solaris 10 Administration Topics Workshop 2 - Virtualization
     By Peter Baer Galvin, for Usenix. Last revision Apr 2009.
     Copyright 2009 Peter Baer Galvin - All Rights Reserved. Saturday, May 2, 2009
  2. About the Speaker
     Peter Baer Galvin - 781 273 4100, pbg@cptech.com, www.cptech.com, peter@galvin.info
     My blog: www.galvin.info
     Bio: Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He was contributing editor of the Solaris Corner for SysAdmin Magazine, wrote Pete's Wicked World, the security column for SunWorld magazine, and Pete's Super Systems, the systems administration column there. He is now Sun columnist for the Usenix ;login: magazine. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.
  3. Objectives
     - Cover a wide variety of topics in Solaris 10
     - Useful for experienced system administrators
     - Save time; avoid (my) mistakes
     - Learn about new stuff; answer your questions about old stuff
     - Won't read the man pages to you
     - Workshop for hands-on experience and to reinforce concepts
     - Note: security is covered in a separate tutorial
  4. More Objectives
     What makes a novice vs. an advanced administrator?
     - Bytes as well as bits, tactics and strategy
     - Knows how to avoid trouble, how to get out of it once in it, and how to not make it worse
     - Has a reasoned philosophy
     - Has a methodology
  5. Prerequisites
     - Recommend at least a couple of years of Solaris experience, or at least a few years of other Unix experience
     - Best is a few years of admin experience, mostly on Solaris
  6. About the Tutorial
     - Every SysAdmin has a different knowledge set
     - A lot to cover, but the notes should make a good reference, so some topics are covered quickly, some in detail
     - Setting a base of knowledge
     - Please ask questions, but let's take off-topic discussion off-line (Solaris BOF)
  7. Fair Warning
     - Sites vary, circumstances vary, admin knowledge varies
     - My goals: provide information useful for each of you at your sites, and provide an opportunity for you to learn from each other
  8. Why Listen to Me
     - 20 years of Sun experience; seen much as a consultant
     - Hopefully, you've used: my Usenix ;login: column; The Solaris Corner @ www.samag.com; The Solaris Security FAQ; SunWorld "Pete's Wicked World"; SunWorld "Pete's Super Systems"; Unix Secure Programming FAQ (out of date); Operating System Concepts (The Dino Book), now 8th ed.; Applied Operating System Concepts
  9. Slide Ownership
     - As indicated per slide, some slides are copyright Sun Microsystems
     - Thanks to Jeff Victor for input
     - Feel free to share all the slides, as long as you don't charge for them or teach from them for a fee
  10. Overview: Lay of the Land
  11. Schedule: Times and Breaks
  12. Coverage
     - Solaris 10+, with some Solaris 9 where needed
     - Selected topics that are new, different, confusing, underused, overused, etc.
  13. Outline
     - Overview and objectives
     - Virtualization choices in Solaris
     - Zones / Containers
     - LDOMS and Domains
     - VirtualBox
     - xVM (aka Xen)
  14. Polling Time
     - Solaris releases in use? Plans to upgrade?
     - Other OSes in use?
     - Use of Solaris rising or falling?
     - SPARC and x86? OpenSolaris?
  15. Your Objectives?
  16. Your Lab Environment
     - Apple MacBook Pro, 3GB memory, Mac OS X 10.4.10
     - VMware Fusion 1.0
     - Solaris Nevada 50 with Containers
  17. Lab Preparation
     - Have a device capable of telnet on the USENIX network, or have a buddy
     - Learn your "magic number"; telnet to 131.106.62.100 + "magic number"
     - User "root", password "lisa". It's all very secure.
  18. Lab Preparation, or...
     - Use VirtualBox
     - Use your own system
     - Use a remote machine you have legitimate access to
  20. Choosing Virtualization Technologies (see the separate "virtualization comparison" document)
  21. [Figure slide, copyright Sun Microsystems; the slide text did not survive extraction]
  22. [Figure slide, copyright Sun Microsystems; the slide text did not survive extraction]
  23. [Figure slide, copyright Sun Microsystems; the slide text did not survive extraction]
  24. Zones, Containers, and LDOMS
  25. Overview
     - Cover details and use of Zones/Containers and LDOMS
     - Note that Xen (x64 only) and VirtualBox (open source, x64 only) are coming; no slides yet
  26. Zones Overview
     - Think of them as chroot on steroids
     - Virtualized operating system services
     - Isolated and "secure" environment for running apps
     - Apps and users (and superusers) in a zone cannot see or affect other zones
     - Delegated admin control
     - Virtualized device paths, network interfaces, network ports, process space, resource use (via the resource manager)
     - Application fault isolation
     - Detach and attach containers between systems
     - Cloning of a zone to create an identical new zone
  27. Zones Overview - 2
     - Low physical resource use; up to 8192 zones per system!
     - Differentiated file system: multiple versions of an app installed and running on a given system
     - Inter-zone communication is only via the network (but short-pathed through the kernel)
     - No application changes needed: no API or ABI changes
     - Can restrict disk use of a zone via the loopback file driver (lofi), using a file as a file system
     - Can dedicate an Ethernet port to a zone, allowing snooping, firewalling and managing that port from within the zone
  28. Other Virtualization Options
     Many virtualization options to consider; Containers is just one of them.
     - Xen (xVM): being integrated into Solaris Nevada; run other OSes (Linux, Windows) with S10+ as the host; industry semi-standard; para-virtualization, x86 only
     - LDOMs: hard partitions, shipped in May 2007; run multiple copies of Solaris on the same CoolThreads chip (Niagara; Rock in the future); some resource management (move CPUs and memory)
     - VMware: Solaris as a guest, not a host so far; x86 only
     - Traditional Sun Domains: SPARC only, Enterprise servers only
  29. [Figure slide; the slide text did not survive extraction]
  30. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  31. Zone Limits
     - Only one OS installed on a system; one set of OS patches
     - Only one /etc/system (although Sun is working to move as many settings as possible out of /etc/system)
     - System crash / OS crash -> all zones crash
     - Each (sparse) zone uses ~100MB of disk and some VM and physical memory for the processes and daemons running in the zone (~40MB of physical memory)
  32. Sparse vs. Whole Root Zone

     Sparse                                                | Whole-Root
     ------------------------------------------------------|------------------------------------------------
     Loop-back mount of system directories                 | Full install of all system files (/usr, etc)
     Little disk space use                                 | Lots of disk space
     Each zone shares global-zone system binaries ->       | Each binary independent -> memory use
       shared memory                                       |
     Apps may not be supported                             | Apps may not be supported (but more likely)
     Cannot change system files                            | Can change system files
     Inter-zone communication only via network             | Inter-zone communication only via network
  33. [Figure slide, copyright Sun Microsystems; the slide text did not survive extraction]
  34. [Figure slide, copyright Sun Microsystems; the slide text did not survive extraction]
  35. Global Zone
     Aka the usual system. The global zone:
     - Is assigned ID 0 by the system
     - Provides the single instance of the Solaris kernel that is bootable and running on the system
     - Contains a complete installation of the Solaris system software packages
     - Can contain additional software packages, or additional software, directories, files and other data not installed through packages
  36. Global Zone - 2
     - Provides a complete and consistent product database that contains information about all software components installed in the global zone
     - Holds configuration information specific to the global zone only, such as the global zone host name and file system table
     - Is the only zone that is aware of all devices and all file systems
  37. Global Zone - 3
     - Is the only zone with knowledge of non-global zone existence and configuration
     - Is the only zone from which a non-global zone can be configured, installed, managed or uninstalled
     - Can see the file systems of the non-global zones (i.e. can copy files into the non-global zone roots for the non-global zones to see)
  38. Non-global Zones
     A non-global zone:
     - Is assigned a zone ID by the system when the zone is booted
     - Shares operation under the Solaris kernel booted from the global zone
     - Contains an installed subset of the complete Solaris Operating System software packages
     - Contains Solaris software packages shared from the global zone ("sparse zone")
     - Can contain additional installed software packages not shared from the global zone
  39. Non-global Zones - 2
     - Can contain additional software, directories, files and other data created on the non-global zone that are not installed through packages or shared from the global zone
     - Has a complete and consistent product database that contains information about all software components installed on the zone, whether present on the non-global zone or shared read-only from the global zone
     - Is not aware of the existence of any other zones
     - Cannot install, manage or uninstall other zones, including itself
     - Has configuration information specific to that non-global zone only, such as the non-global zone host name and file system table
40. “Sparse” and “Whole Root” Zones
- By default /lib, /platform, /sbin and /usr are LOFS read-only mounted from the global zone into the child zone
  - Ergo those can’t be modified by the child zone
  - Packages installed in the child zone only install their non-(/lib, /platform, /sbin, /usr) components into the child zone’s file systems
  - Saves disk space
  - Saves memory
- A whole root zone removes those mounts
  - Packages install entirely
  - Ergo the child zone can modify its /lib, /platform, /sbin, /usr
- Some apps are not supported in zones, some only in whole root, some in sparse root
  - Per app, check with the app vendor!
- Note that ZFS clone use for zone builds may mean that sparse root is no longer useful!

41. Non-global Zone States
- Configured - The zone’s configuration is complete and committed to stable storage; not initially booted
- Incomplete - During an install or uninstall operation
- Installed - The zone’s configuration is instantiated on the system, but there is no virtual platform. Files are copied into the zoneroot.
- Ready - The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system; no processes associated with the zone have been started.
- Running - User processes associated with the zone application environment are running.
- Shutting down and Down - These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.
42. (From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)

43. Zone boot
- Note that zoneadm allows “boot”, “reboot”, “halt” and “shutdown”. Only “shutdown” and “boot” execute the SMF commands
- Also note that there are many options to these commands (such as zoneadm boot -- -m verbose)
44. Zone Configuration
- Data from the following are not referenced or copied when a zone is installed:
  - Non-installed packages
  - Patches
  - Data on CDs and DVDs
  - Network installation images
  - Any prototype or other instance of a zone
- In addition, the following types of information, if present in the global zone, are not copied into a zone that is being installed:
  - New or changed users in the /etc/passwd file
  - New or changed groups in the /etc/group file
  - Configurations for networking services such as DHCP address assignment, UUCP, or sendmail
  - Configurations for network services such as naming services
  - New or changed crontab, printer, and mail files
  - System log, message, and accounting files

45. Zone Configuration
- zlogin -C logs in to the console of a just-booted virgin zone
- Only root can zlogin - normal zone access is via the network
- The usual sysidconfig questions are asked (hostname, name service, timezone, kerberos)
- The zone root directory must exist prior to zone installation
- The zone reboots to put configuration changes into effect (a few seconds)
  - Messages look like a system reboot (within your window)

46. sysidcfg
- Create it to shorten the first-boot questions
- The file gets copied into <zonehome>/root/etc
- Sample contents:
    name_service=DNS {domain_name=petergalvin.info name_server=63.240.76.19 search=arp.com}
    network_interface=PRIMARY {hostname=zone00.petergalvin.info}
    timezone=US/Eastern
    terminal=vt100
    system_locale=C
    timeserver=localhost
    root_password=aMG0YPkgZQPqo    <obviously change this>
    security_policy=NONE
    nfsv4_domain=dynamic
47. Zone Configuration - 2
# zonecfg -z app1
app1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:app1> create
zonecfg:app1> set zonepath=/opt/zone/app1
zonecfg:app1> set autoboot=false
zonecfg:app1> add net
zonecfg:app1:net> set physical=pnc0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> add fs
zonecfg:app1:fs> set dir=/export/home
zonecfg:app1:fs> set special=/export/home
zonecfg:app1:fs> set type=lofs
zonecfg:app1:fs> end
zonecfg:app1> add inherit-pkg-dir
zonecfg:app1:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:app1:inherit-pkg-dir> end
zonecfg:app1> verify
zonecfg:app1> commit
zonecfg:app1> exit

48. Zone Configuration - 3
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0      5678823 2689099 2932936    48%    /
/devices                   0       0       0     0%    /devices
/dev/dsk/c0d0p0:boot   10296    1401    8895    14%    /boot
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                  600780      28  600752     1%    /var/run
swap                  600776      24  600752     1%    /tmp
/dev/dsk/c0d0s7      4030684   32853 3957525     1%    /export/home
# zoneadm -z app1 verify
WARNING: /opt/zone/app1 does not exist, so it cannot be verified.
When zoneadm install is run, install will try to create /opt/zone/app1,
and verify will be tried again, but the verify may fail if:
the parent directory of /opt/zone/app1 is group- or other-writable
or
/opt/zone/app1 overlaps with any other installed zones.
could not verify net address=192.168.118.140 physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify

49. Zone Configuration - 4
# ls -l /opt/zone
total 2
drwx------   4 root     other        512 Aug 21 12:44 test
# mkdir /opt/zone/app1
# chmod 700 /opt/zone/app1
# ls -l /opt/zone
total 4
drwx------   2 root     other        512 Sep 16 15:14 app1
drwx------   4 root     other        512 Aug 21 12:44 test
# zoneadm -z app1 verify
could not verify net address=192.168.118.140 physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify
# zonecfg -z app1
zonecfg:app1> info
zonepath: /opt/zone/app1
autoboot: false

50. Zone Configuration - 5
net:
        address: 192.168.118.140
        physical: pnc0
zonecfg:app1> remove net physical=pnc0
zonecfg:app1> add net
zonecfg:app1:net> set physical=pcn0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> exit
# zoneadm -z app1 verify
# zoneadm -z app1 install
Preparing to install zone <app1>.
Creating list of files to copy from the global zone.
Copying <2199> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <779> packages on the zone.
Initializing package <0> of <779>: percent complete: 0%
. . .

51. Zone Configuration - 6
Zone <app1> is initialized.
The file </opt/zone/app1/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0      5678823 2766177 2855858    50%    /
/devices                   0       0       0     0%    /devices
/dev/dsk/c0d0p0:boot   10296    1401    8895    14%    /boot
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                  594332      32  594300     1%    /var/run
swap                  594500     200  594300     1%    /tmp
/dev/dsk/c0d0s7      4030684   32853 3957525     1%    /export/home
52. Zone Configuration - 7
# zoneadm -z app1 boot
zoneadm: zone app1: WARNING: pcn0:2: no matching subnet found in netmasks(4) for 192.168.118.131; using default of 192.168.118.131.
# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
   2 app1             running        /opt/zone/app1
# telnet 192.168.118.140
Trying 192.168.118.140...
telnet: Unable to connect to remote host: Connection refused
# zlogin -C app1
[Connected to zone app1 console]
Select a Locale
  0. English (C - 7-bit ASCII)
  1. U.S.A. (UTF-8)
  2. Go Back to Previous Screen
Please make a choice (0 - 2), or press h or ? for help: 0
. . .

53. Zone Configuration - 8
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version s10_63 32-bit
Copyright 1983-2004 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: zone-app1
The system is coming up.  Please wait.
starting rpc services: rpcbind done.
syslog service starting.
Sep 16 15:48:24 zone-app1 sendmail[7567]: My unqualified host name (zone-app1) unknown; sleeping for retry
Sep 16 15:49:24 zone-app1 sendmail[7567]: unable to qualify my own domain name (zone-app1) -- using short name
WARNING: local host name (zone-app1) is not qualified; see cf/README: WHO AM I?
/etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total

54. Zone Configuration - 9
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
The system is ready.
zone-app1 console login: root
Password:
Sep 16 15:51:08 zone-app1 login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.10      s10_63  May 2004
# cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
. . .
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

55. Zone Configuration - 10
# useradd -u 101 -g 14 -d /export/home/pbg -s /bin/bash pbg
# passwd pbg
New Password:
Re-enter new Password:
passwd: password successfully changed for pbg
# zoneadm list -v
  ID NAME             STATUS         PATH
   3 app1             running        /
# exit
zone-app1 console login: ~.
[Connection to zone app1 console closed]

56. Zone Configuration - 11
# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
   3 app1             running        /opt/zone/app1
# uptime
  3:53pm  up  5:14,  1 user,  load average: 0.23, 0.34, 0.43
# telnet 192.168.118.140
Trying 192.168.118.140...
Connected to 192.168.118.140.
Escape character is '^]'.
Login: pbg
Password:
57. Zones and ZFS
- Installing a zone with its root on ZFS is not supported, as the system then lacks the ability to be upgraded.
- Note that “add fs” can be used to add access to a ZFS file system to a zone
- Beyond that, “add dataset” delegates a ZFS file system to a zone and removes it from the global zone
  - The zone can manage the file system, except where management would affect other file systems / the parent file system
  - File system contents can still be seen from the global zone via zonepath + mountpoint (i.e. /zones/zone00/zfs/zonefs/zone00)
# zfs create zfs/zonefs/zone00
# zonecfg -z zone00
zonecfg:zone00> add dataset
zonecfg:zone00:dataset> set name=zfs/zonefs/zone00
zonecfg:zone00:dataset> end

58. Zone Script
create -b
set zonepath=/opt/zones/zone0
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end

59. Zone Script
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt/sfw
end
add net
set address=192.168.128.200
set physical=pcn0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=1,action=none)
end
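As an added example (not from the slides), the shell below generates a zonecfg command file in the shape of the Zone Script above and pre-checks the zonepath’s parent directory for the group/other-writable condition that zoneadm verify warns about on slide 48. The zone path, NIC, address and share count are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original slides. Two helpers for a
# sparse-root zone build:
#   gen_zonecfg        - emit a zonecfg(1M) command file like the Zone Script
#   zonepath_parent_ok - pre-check the permission rule zoneadm verify enforces
# Paths, NIC name, address and share count below are constructed samples.

# gen_zonecfg ZONEPATH NIC ADDRESS SHARES
# Writes the commands to stdout; feed the result to: zonecfg -z NAME -f FILE
gen_zonecfg() {
    zonepath=$1 nic=$2 addr=$3 shares=$4
    # create -b starts from a blank template; the inherit-pkg-dir entries
    # below are what make the zone sparse (read-only lofs from the global zone).
    printf 'create -b\n'
    printf 'set zonepath=%s\n' "$zonepath"
    printf 'set autoboot=false\n'
    for d in /lib /platform /sbin /usr; do
        printf 'add inherit-pkg-dir\nset dir=%s\nend\n' "$d"
    done
    printf 'add net\nset address=%s\nset physical=%s\nend\n' "$addr" "$nic"
    # zone.cpu-shares as a privileged rctl so FSS can weight this zone
    printf 'add rctl\nset name=zone.cpu-shares\n'
    printf 'add value (priv=privileged,limit=%s,action=none)\nend\n' "$shares"
}

# zonepath_parent_ok ZONEPATH
# Returns 0 when the parent directory of ZONEPATH exists and is neither
# group- nor other-writable; a writable parent would let someone other than
# root rename or replace the zone root, which is why verify warns about it.
# Parses the mode column of ls -ld so it works in plain POSIX sh.
zonepath_parent_ok() {
    parent=$(dirname "$1")
    [ -d "$parent" ] || return 1
    mode=$(ls -ld "$parent" | awk '{print $1}')
    case "$mode" in
        ?????w*|????????w*) return 1 ;;   # char 6 = group w, char 9 = other w
    esac
    return 0
}

# Stand-alone demonstration: emit a config for a hypothetical zone0.
gen_zonecfg /opt/zones/zone0 pcn0 192.168.128.200 1
```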
60. Life in a Zone
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        zone test
        inet 127.0.0.1 netmask ff000000
lo0:2: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        zone app1
        inet 127.0.0.1 netmask ff000000
pcn0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 192.168.80.128 netmask ffffff00 broadcast 192.168.80.255
        ether 0:c:29:44:a9:df
pcn0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone test
        inet 192.168.80.139 netmask ffffff00 broadcast 192.168.80.255
pcn0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone app1
        inet 192.168.80.140 netmask ffffff00 broadcast 192.168.80.255

61. Life in a Zone - 2
$ telnet 192.168.80.140
. . .
$ df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/                    9515147 1894908 7525088    21%    /
/dev                 9515147 1894908 7525088    21%    /dev
/export/home        10076926   10369 9965788     1%    /export/home
/lib                 9515147 1894908 7525088    21%    /lib
/platform            9515147 1894908 7525088    21%    /platform
/sbin                9515147 1894908 7525088    21%    /sbin
/usr                 9515147 1894908 7525088    21%    /usr
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                 1043072      16 1043056     1%    /var/run
swap                 1043056       0 1043056     0%    /tmp
$ touch /usr/foo
touch: /usr/foo cannot create
- Note that virtual memory (and therefore swap) is a global resource

62. Life in a Zone - 3
$ ps -ef
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root 11120 11120   0 11:00:35 ?           0:00 zsched
     pbg 11377 11347   0 11:01:28 pts/8       0:00 ps -ef
    root 11229 11120   0 11:00:40 ?           0:00 /usr/sbin/cron
    root 11341 11120   0 11:00:46 ?           0:00 /usr/sfw/sbin/snmpd
    root 11266 11120   0 11:00:41 ?           0:00 /usr/lib/im/htt -port 9010 -syslog -message_locale C
    root 11339 11336   0 11:00:46 ?           0:00 /usr/lib/saf/ttymon
    root 11250 11120   0 11:00:41 ?           0:00 /usr/lib/utmpd
    root 11264 11261   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11261 11120   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11227 11120   0 11:00:40 ?           0:00 /usr/sbin/nscd
    root 11218 11120   0 11:00:40 ?           0:00 /usr/lib/autofs/automountd
    root 11325 11120   0 11:00:45 ?           0:00 /usr/lib/dmi/snmpXdmid -s zone-app1
    root 11239 11120   0 11:00:40 ?           0:00 /usr/lib/sendmail -bd -q15m
    root 11265 11261   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11230 11120   0 11:00:40 ?           0:00 /usr/sbin/inetd -s
    root 11273 11266   0 11:00:42 ?           0:00 htt_server -port 9010 -syslog -message_locale C
    root 11129 11120   0 11:00:36 ?           0:00 init

63. Life in a Zone - 4
# mount -p
/ - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic
/dev - /dev lofs - no zonedevfs
/export/home - /export/home lofs - no
/lib - /lib lofs - no ro,nodevices,nosub
/platform - /platform lofs - no ro,nodevices,nosub
/sbin - /sbin lofs - no ro,nodevices,nosub
/usr - /usr lofs - no ro,nodevices,nosub
proc - /proc proc - no nodevices,zone=app1
mnttab - /etc/mnttab mntfs - no nodevices,zone=app1
fd - /dev/fd fd - no rw,nodevices,zone=app1
swap - /var/run tmpfs - no nodevices,xattr,zone=app1
swap - /tmp tmpfs - no nodevices,xattr,zone=app1
# hostname
zone-app1
# zonename
app1
64. Zone Clone
- As of S10 8/07, zones are “cloneable”
  - Much faster than installing a zone
- As of 10/08, zones on ZFS -> ZFS clone - instantaneous
- Usable only if the zones have similar configs
- Configure a zone, i.e. zone00
- Install the zone
- Configure a new zone, i.e. zone01
- Then, rather than zoneadm install, with zone00 halted, do
  # zoneadm -z zone01 clone -m copy zone00

65. Zone Clone (cont)
- A cloned zone is unconfigured and must be configured
- When ZFS is used as the clone file system
  # zoneadm -z <newzone> clone <oldzone>
- Can clone a zone’s previously-taken snapshot via
  # zoneadm -z <newzone> clone -s <snapshot name> <oldzone>

66. Zone Clone (cont)
- So to clone zone1 to make zone2
  - # zonecfg -z zone1 export -f configfile
  - Edit configfile to change zonepath and address (at least)
  - Create zone2 via zonecfg -z zone2 -f configfile
  - Halt zone1 via zoneadm -z zone1 halt
  - Clone zone1 via zoneadm -z zone2 clone zone1
    - Use “-m copy” if zone1 is on UFS
  - Boot up both zones
  - Check status via zoneadm list -iv
67. Zone Migration
- Zones can be moved between like systems
  - Available S10 8/07
- Separate the zone from its current system
  # zoneadm -z <zone> detach
  - Note the zone must be halted first
- Attach a detached zone to a different system (assuming its file system is now visible there, send a tarball, etc)
  # zoneadm -z <zone> attach [-F]
  - Note the zone must be configured before this can work
  - Note the new system is validated to assure the zone can function there
- To create a config for a zone that is detached, rather than having to zonecfg it from scratch
  # zonecfg -z <zone> create -a zonepath

68. Zone Migration (cont)
- Can dry-run an attach / detach via the “-n” option to see if the attach will work
- Can upgrade the attaching zone on the attaching system via “-u”, but only if all packages on the attaching system are as new as or newer than on the detaching system
- Can force an attach if a detach could not be done (dead system, for example)
- Best to save your zone cfg files for use on the attach system (or you have to recreate them)

69. Other Cool Zone Stuff
- ps -Z shows the zone in which each process is running
- Can use the resource manager with zones
- Zones can use global naming services
- Use features to enable or disable accounts per zone
- Interzone networking is executed via loopback for performance

70. Labs
- Create a “simple” zone
- Install it
- Boot it
- Configure it
- Look around in it - file systems, processes, resource use, users, etc
- Halt it
71. Zones and DTrace
- Zones can get some DTrace privileges (starting 11/06)
  # zonecfg -z my-zone
  zonecfg:my-zone> set limitpriv="default,dtrace_proc,dtrace_user"
  zonecfg:my-zone> exit
- DTrace can use zonenames as predicates to filter results
  # dtrace -n 'syscall:::/zonename=="zone1"/ {@[probefunc]=count()}'

72. Fair-share Scheduling
- Solaris has many scheduler classes available
- A thread has priority 0-169; user threads are 0-59
- The higher the priority, the sooner it is scheduled on a CPU
- The scheduler class decides how the priority is modified over time
- The default user-land class is Time-sharing
  - Time-sharing dynamically changes the priority of each thread based on its activity
  - If a thread used its time quantum, its priority decreases (the quantum is the scheduling interval)
- The kernel uses the “sys” class
- Have a look via ps -elfc
73. Fair-share Scheduling
(Diagram, not recoverable from the text: containers Backup, AppServer, Web and Database sharing CPU under FSS)
Database gets 4 / (4+3+2+1) = 40% of all CPU time available to the container
74. Zones and Fair Share Scheduling
- FSS allows all CPU to be used if needed, but overuse to be limited based on “shares” given to CPU users
- Shares are given to projects et al, and/or to containers
- Load the fair share scheduler as the default scheduler class
  dispadmin -d FSS
- Move all processes into the FSS class
  priocntl -s -c FSS -i class TS
- Give the global zone some (2) shares
  - Note this is not persistent across reboots!
  prctl -n zone.cpu-shares -v 2 -r -i zone global

75. Zones and Fair-share Scheduling (2)
- Check the shares of the global zone
  prctl -n zone.cpu-shares -i zone global
- Add a zone-wide resource control (1 share) to a zone (within zonecfg) (before S10U5)
  zonecfg:my-zone> add rctl
  zonecfg:my-zone:rctl> set name=zone.cpu-shares
  zonecfg:my-zone:rctl> add value (priv=privileged,limit=1,action=none)
  zonecfg:my-zone:rctl> end
- How many total shares are given out on a given machine?
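To answer the question on slide 75 with something you can run, here is an added example (not from the slides): it parses constructed prctl -n zone.cpu-shares output for the four containers of slide 73 and computes each zone’s FSS entitlement under contention. The zone names and share values are constructed sample data, and the prctl output layout is assumed to match what Solaris 10 prints.

```shell
#!/bin/sh
# Added example, not part of the original slides. Tallies zone.cpu-shares and
# turns them into the FSS entitlement each zone gets when every zone in the
# pool wants CPU (idle CPU is still available to anyone; shares only matter
# under contention, and only among zones bound to the same pool).
# The prctl output below is constructed; its column layout is assumed to
# match "prctl -n zone.cpu-shares -i zone NAME" on Solaris 10.

# Constructed output of running prctl once per zone, concatenated.
sample_prctl() {
    cat <<'EOF'
zone: 1: database
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.cpu-shares
        privileged          4       -   none                                 -
        system          65.5K     max   none                                 -
zone: 2: appserver
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.cpu-shares
        privileged          3       -   none                                 -
        system          65.5K     max   none                                 -
zone: 3: web
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.cpu-shares
        privileged          2       -   none                                 -
        system          65.5K     max   none                                 -
zone: 4: backup
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
zone.cpu-shares
        privileged          1       -   none                                 -
        system          65.5K     max   none                                 -
EOF
}

# shares_from_prctl: stdin = prctl output, stdout = "zone shares" per zone.
# The "zone: ID: NAME" header names the zone; the privileged row holds the
# value an admin set (zonecfg rctl or prctl -v); the system row is the cap.
shares_from_prctl() {
    awk '
        /^zone: / { zone = $3; next }
        $1 == "privileged" && zone != "" { print zone, $2; zone = "" }
    '
}

# fss_entitlement: stdin = "zone shares" lines, stdout = "zone shares pct"
# sorted by zone name, where pct = shares / total shares * 100 (truncated),
# i.e. the slide's 4 / (4+3+2+1) = 40% for the database container.
fss_entitlement() {
    awk '
        $2 ~ /^[0-9]+$/ { shares[$1] = $2; total += $2 }
        END {
            if (total == 0) exit 1
            for (z in shares)
                printf "%s %d %d\n", z, shares[z], shares[z] * 100 / total
        }
    ' | sort
}

# total_shares: stdin = "zone shares" lines, stdout = the machine-wide total,
# the number slide 75 asks about.
total_shares() {
    awk '{ t += $2 } END { print t + 0 }'
}

# Stand-alone run over the constructed sample.
sample_prctl | shares_from_prctl | fss_entitlement
```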
76. FX Scheduler
- Time-share is a heavyweight scheduler
  - Has to recalculate for every thread that ran in the last quantum, every quantum
  - Plus decreases priority on CPU hogs
- Instead consider “FX” - the fixed-priority scheduler class
  - All priorities stay the same
  - A lightweight scheduler can gain back a few percent of CPU
79. DRPs
- You can make “DRP”s non-dynamic by not including a variation in the range (i.e. 2 to 2 rather than 1 to 2)
  - Probably preferred rather than real dynamic
- With pools, interrupts and I/O only occur in the default pool
- This can help pin a process to a set of CPUs
  - Cache stays hot, less context switching
- So consider a DRP config with the kernel in the default pool and all apps in another pool

80. Zones and Dynamic Resource Pools
- Assign zones to dedicated CPU resources
- Used to assign a zone to a processor set
- Can be dynamically created, deleted, modified
- Can be used with FSS
- Can be used to reduce Oracle (and other?) costs!
- Consider two DRPs, one with an email container and one with 2 X web server containers (and global) (from http://www.sun.com/software/solaris/howtoguides/containersLowRes.jsp):

81. Zones and DRPs (cont)
82. Zones and DRPs (cont)
- Create a pool (from the global zone) via
# # enable DRPs
# pooladm -e
# # save current config
# pooladm -s
# # show current state; at start only pool_default exists
global# pooladm
system my_system
        string  system.comment
        int     system.version 1
        boolean system.bind-default true
        int     system.poold.pid 638

        pool pool_default
                int     pool.sys_id 0
                boolean pool.active true
                boolean pool.default true
                int     pool.importance 1
                string  pool.comment
                pset    pset_default

83. Zones and DRPs (cont)
        pset pset_default
                int     pset.sys_id -1
                boolean pset.default true
                uint    pset.min 1
                uint    pset.max 65536
                string  pset.units population
                uint    pset.load 7
                uint    pset.size 8
                string  pset.comment

                cpu
                        int     cpu.sys_id 1
                        string  cpu.comment
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 0
                        string  cpu.comment
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 3
                        string  cpu.comment
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 2
                        string  cpu.comment
                        string  cpu.status on-line
84. Zones and DRPs (cont)
- Create a new one-CPU processor set called email-pset
  # poolcfg -c 'create pset email-pset (uint pset.min=1; uint pset.max=1)'
- Create a resource pool for the processor set
  # poolcfg -c 'create pool email-pool'
- Link the pool to the processor set
  # poolcfg -c 'associate pool email-pool (pset email-pset)'
- Set an objective (if including a range of processors, i.e. min <> max)
  # poolcfg -c 'modify pset email-pset (string pset.poold.objectives="wt-load")'
- Activate the configuration
  # pooladm -c

85. Zones and DRPs (cont)
- Check the config
# pooladm
system my_system
        string  system.comment
        int     system.version 1
        boolean system.bind-default true
        int     system.poold.pid 638

        pool email-pool
                int     pool.sys_id 1
                boolean pool.active true
                boolean pool.default false
                int     pool.importance 1
                string  pool.comment
                pset    email-pset

        pool pool_default
                int     pool.sys_id 0
                boolean pool.active true
                boolean pool.default true
                int     pool.importance 1
                string  pool.comment
                pset    pset_default

        pset email-pset
                int     pset.sys_id 1
                boolean pset.default false
                uint    pset.min 1
                uint    pset.max 1
                string  pset.units population
                uint    pset.load 0
                uint    pset.size 1
                string  pset.comment

                cpu
                        int     cpu.sys_id 0
                        string  cpu.comment
                        string  cpu.status on-line

86. Zones and DRPs (cont)
- Check the config (cont)
        pset pset_default
                int     pset.sys_id -1
                boolean pset.default true
                uint    pset.min 1
                uint    pset.max 65536
                string  pset.units population
                uint    pset.load 7
                uint    pset.size 7
                string  pset.comment

                cpu
                        int     cpu.sys_id 1
                        string  cpu.comment
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 3
                        string  cpu.comment
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 2
                        string  cpu.comment
                        string  cpu.status on-line
87. DRPs
- Note that you can give ranges of CPUs to be used in DRPs
  - If you do, be sure to set an “objective”, else nothing will be dynamic
- Note that some software licenses allow licensing of the app for only those CPUs in the DRP that the zone is attached to (i.e. only pay for your DRP CPUs, not all CPUs)(!)

88. Zones and DRPs (cont)
- Now enable FSS, make it the default for pool_default
  # poolcfg -c 'modify pool pool_default (string pool.scheduler="FSS")'
- Create an instance of the configuration
  # pooladm -c
- Move all the processes in the default pool and its associated zones under the FSS
  # priocntl -s -c FSS -i class TS
  # priocntl -s -c FSS -i pid 1
- Now have the zones use the DRPs
  # zonecfg -z email-zone
  zonecfg:email-zone> set pool=email-pool
  # zonecfg -z Web1-zone
  zonecfg:Web1-zone> set pool=pool_default
  zonecfg:Web1-zone> add rctl
  zonecfg:Web1-zone:rctl> set name=zone.cpu-shares
  zonecfg:Web1-zone:rctl> add value (priv=privileged,limit=3,action=none)
  zonecfg:Web1-zone:rctl> end
  # zonecfg -z Web2-zone
  zonecfg:Web2-zone> set pool=pool_default
  zonecfg:Web2-zone> add rctl
  zonecfg:Web2-zone:rctl> set name=zone.cpu-shares
  zonecfg:Web2-zone:rctl> add value (priv=privileged,limit=2,action=none)
  zonecfg:Web2-zone:rctl> end
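As an added example, not from the slides or Sun’s how-to guide, the shell below parses pooladm output of the shape shown on slides 85 and 86 into one line per pool (pool, its processor set, pset.size, how many CPUs are actually listed, and their ids) and flags any pset whose listed CPUs disagree with pset.size. The embedded pooladm output is a constructed sample modelled on those slides, including their pset.size 7 against three listed CPUs.

```shell
#!/bin/sh
# Added example, not part of the original slides. After a poolcfg/pooladm -c
# sequence like slides 82-88, this checks that each pool really got the
# processor set and CPUs you intended. The pooladm text below is constructed
# (modelled on slides 85-86); real output indents with tabs, which awk's
# default field splitting handles the same way as the spaces used here.
sample_pooladm() {
    cat <<'EOF'
system my_system
        string  system.comment
        int     system.version 1
        boolean system.bind-default true
        int     system.poold.pid 638

        pool email-pool
                int     pool.sys_id 1
                boolean pool.active true
                boolean pool.default false
                int     pool.importance 1
                pset    email-pset

        pool pool_default
                int     pool.sys_id 0
                boolean pool.active true
                boolean pool.default true
                int     pool.importance 1
                pset    pset_default

        pset email-pset
                int     pset.sys_id 1
                boolean pset.default false
                uint    pset.min 1
                uint    pset.max 1
                uint    pset.load 0
                uint    pset.size 1

                cpu
                        int     cpu.sys_id 0
                        string  cpu.status on-line

        pset pset_default
                int     pset.sys_id -1
                boolean pset.default true
                uint    pset.min 1
                uint    pset.max 65536
                uint    pset.load 7
                uint    pset.size 7

                cpu
                        int     cpu.sys_id 1
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 3
                        string  cpu.status on-line

                cpu
                        int     cpu.sys_id 2
                        string  cpu.status on-line
EOF
}

# pool_summary: stdin = pooladm output, stdout = one line per pool:
#   POOL PSET PSET_SIZE LISTED_CPUS CPU_ID...
# sorted by pool name.
pool_summary() {
    awk '
        # "pool NAME" opens a pool block; the "pset NAME" line inside it is
        # the association made with poolcfg associate, and it comes last.
        $1 == "pool" && NF == 2 { sect = "pool"; cur = $2; next }
        $1 == "pset" && NF == 2 && sect == "pool" { pool_pset[cur] = $2; sect = ""; next }
        # any other "pset NAME" line opens a top-level processor-set block
        $1 == "pset" && NF == 2 { sect = "pset"; cur = $2; next }
        $2 == "pset.size" && sect == "pset" { size[cur] = $3; next }
        $2 == "cpu.sys_id" && sect == "pset" { cpus[cur] = cpus[cur] " " $3; n[cur]++ }
        END {
            for (p in pool_pset) {
                ps = pool_pset[p]
                printf "%s %s %d %d%s\n", p, ps, size[ps], n[ps], cpus[ps]
            }
        }
    ' | sort
}

# pool_size_mismatches: stdin = pooladm output, stdout = "PSET SIZE LISTED"
# for every pset whose pset.size does not match the CPUs actually listed.
pool_size_mismatches() {
    pool_summary | awk '$3 != $4 { print $2, $3, $4 }'
}

# Stand-alone run over the constructed sample.
sample_pooladm | pool_summary
```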
89. Zones, Resources, and S10 8/07
- Much simpler now if you just want a zone to have dedicated CPUs and memory limits (from http://blogs.sun.com/jerrysblog/feed/entries/atom?cat=%2FSolaris)
  zonecfg:my-zone> set scheduling-class=FSS
  zonecfg:my-zone> add dedicated-cpu
  zonecfg:my-zone:dedicated-cpu> set ncpus=1-4
  zonecfg:my-zone:dedicated-cpu> set importance=10
  zonecfg:my-zone:dedicated-cpu> end
  zonecfg:my-zone> add capped-memory
  zonecfg:my-zone:capped-memory> set physical=50m
  zonecfg:my-zone:capped-memory> set swap=128m
  zonecfg:my-zone:capped-memory> set locked=10m
  zonecfg:my-zone:capped-memory> end
- You have to enable poold via svcadm if “importance” is used
- Still use dispadmin to set system-wide scheduling

90. Zones, Resources, and S10 8/07 (cont)
- Can use zonecfg for the global zone to persistently set resource management settings in global
- Now can set other zone-wide resource limits easily
  - zone.cpu-shares
  - zone.max-locked-memory (the locked property of the capped-memory resource is preferred)
  - zone.max-lwps
  - zone.max-msg-ids
  - zone.max-sem-ids
  - zone.max-shm-ids
  - zone.max-shm-memory
  - zone.max-swap (the swap property of the capped-memory resource is the preferred way to set this control)

91. Zones and Networking S10 8/07
- Can now create exclusive-IP zones (i.e. dedicate an HBA port to a zone), known as “IP Instances”
- Need this if you want advanced networking features in a zone (firewalls, snooping, DHCP client, traffic shaping)
- Each zone gets its own IP stack (and soon xVM will too)
  zonecfg:my-zone> set ip-type=exclusive
  zonecfg:my-zone> add net
  zonecfg:my-zone:net> set physical=e1000g1
  zonecfg:my-zone:net> end
- Now the zone can set its own IP address et al, and can do IPMP within a zone
  - “zonecfg set physical=” to one of the interfaces in an IPMP group
- Project Crossbow will allow virtual NICs to be the IP instance entity (no longer tying up an Ethernet port)
- Limited to Ethernet devices that use GLDv3 drivers (dladm show-link not reporting “legacy”)
92. Zones, Resources and 5/08 CPU Caps
- Can limit the aggregated amount of CPU that a container’s CPUs can accumulate
- Although it is possible to use the prctl(1M) command to manage CPU caps, the capctl Perl script simplifies it
  # capctl <-P project> <-p pid> <-Z zone> <-n name> <-v value>
    -P proj: Specify project id
    -p pid: Specify pid
    -Z zone: Specify zone name
    -n name: Specify resource name
    -v value: Specify resource value
- For example, to set a cap for project foo to 50% you can say:
  # capctl -P foo -v 50
- To change the cap to 80%:
  # capctl -P foo -v 80
- To see the cap value:
  # capctl -P foo
- To remove the cap:
  # capctl -P foo -v 0

93. prctl vs zonecfg
- prctl can read resource settings in the global or child zones
  - Not persistent for setting variables
  - Can’t set variables in the child zone
- zonecfg is persistent, but only runs in the global zone

94. Zone Issues
- A zone cannot reside on NFS
  - But a zone can be an NFS client
- Each zone normally has a “sparse” installation of a package, if the package is from an “inherit-pkg-dir” directory tree
- By default, a package installed in the global zone is installed in all existing non-global zones
  - Unless the pkgadd -G or -Z options are used
  - See also the SUNW_PKG_ALLZONES and SUNW_PKG_HOLLOW package parameters
- Patches installed in the global zone are installed in all non-global zones
  - If any zone does not match the patch dependencies, the patch is not installed

95. Zone Issues - cont
- Upgrading the global zone to a new Solaris release upgrades the non-global zones, but it depends on which upgrade method is used (hint - use Live Upgrade)
- Best practice is to keep packages and patches synced between the global and all non-global zones
- Watch out for giving users root in a zone - could violate policy or regulations
- Flash Archive (flar) can be used to capture a system containing zones and clone it, but only if the zones are halted. Details at http://www.opensolaris.org/os/community/zones/faq/flar_zones
  96. 96. Zones and Packages # pkgadd -d screen* The following packages are available: 1 SMCscreen screen (intel) 4.0.2 Select package(s) you wish to process (or all to process all packages). (default: all) [?,??,q]: ## Not processing zone <zone10>: the zone is not running and cannot be booted ## Booting non-running zone <zone0> into administrative state ## waiting for zone <zone0> to enter single user mode... ## Verifying package <SMCscreen> dependencies in zone <zone0> ## Restoring state of global zone <zone0> ## Booting non-running zone <zone1> into administrative state ## waiting for zone <zone1> to enter single user mode... . . . ## Booting non-running zone <zone0> into administrative state ## waiting for zone <zone0> to enter single user mode... ## waiting for zone <zone0> to enter single user mode... ## Installing package <SMCscreen> in zone <zone0> Copyright 2009 Peter Baer Galvin - All Rights Reserved 96Saturday, May 2, 2009
97. Sparse Zones vs. Whole Root Zones
    When should you use "sparse", and when should you use "whole root"?
    Check per-application support and/or requirements
       Sparse zones don't allow writes into /, /usr, etc. by default; some apps don't like that
    Can intermix sparse and whole-root zones on the same system
    Make a sparse root into a whole root:
       # zonecfg create -b
    In the future, it is likely that the world will use whole root zones and ZFS cloning
       But zone roots on ZFS are not supported until U6, because they are not upgradeable
98. Upgrading a System Containing Containers
    Supported methods vary, depending on the OS release being upgraded from
    Generally Live Upgrade is best, but there are many details to consider
    Well documented at http://docs.sun.com/app/docs/doc/820-4041/gdzlc?a=view
99. Zone Best Practices
    Note that the global zone root can copy files directly into zones via their zonepath directory
    Consider building at least one container per system
       Put all users and apps in there
       Fast to copy for testing
       Fast reboot
       Put it on shared storage for future attach / detach
    But watch out for limits
       dtrace
       app support in a zone
    Surprisingly, a global-zone mount within the zone file system is immediately seen in the zone
100. Zone Best Practices (2)
    Use zonecfg export to save each zone's config settings; store them on a different system
    For every zone created, in its "virgin state", create a clone of it and store it on a different system
    Put zones on ZFS for the best feature set
    Consider configuring child zones to send syslog output to a central syslog server
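One way to script the "zonecfg export" backup advised above, as an added example that is not from the slides. It is plain POSIX sh for a Solaris 10 global zone; it parses the parseable output of "zoneadm list -cp" (fields id:name:state:path:uuid:brand:ip-type), runs "zonecfg -z <zone> export" for every non-global zone, and writes one file per zone into a directory that can then be copied to another host. The directory path and the copy step are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original deck.
# Exports every non-global zone's configuration into a backup directory,
# one file per zone, so the files can be shipped to another system.

# Zone names from "zoneadm list -cp" (colon-separated, parseable output),
# skipping the global zone itself. Works for configured and installed zones.
list_nonglobal_zones() {
    zoneadm list -cp | awk -F: '$2 != "global" { print $2 }'
}

# Export each zone's configuration to $1/<zone>.cfg.
# Writes to a temp name first so a failed export never clobbers a good copy.
# Returns non-zero if any export failed, so a cron job can alert on it.
backup_zone_configs() {
    dir=$1
    rc=0
    mkdir -p "$dir" || return 1
    for z in $(list_nonglobal_zones); do
        if zonecfg -z "$z" export > "$dir/$z.cfg.tmp"; then
            mv "$dir/$z.cfg.tmp" "$dir/$z.cfg"
        else
            rm -f "$dir/$z.cfg.tmp"
            echo "export of zone $z failed" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage (directory is a hypothetical path):
#   backup_zone_configs /var/backups/zonecfg
# then copy /var/backups/zonecfg to another system, e.g. with scp.
if [ -n "${1:-}" ]; then
    backup_zone_configs "$1"
fi
```

The exported file is what "zonecfg -z <zone> -f <file>" consumes, so the same directory doubles as the input for recreating a zone's configuration elsewhere.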
101. Zones and /etc/system
    Variables no longer in /etc/system can be set via the rctladm command, but only per project
    This example is from the Sun installation guide for WebLogic on Solaris 10
    Modify /etc/project in each zone the app will run in to contain the following additions to the resource controls for user.root (assuming the application will run as root):
    bash-3.00# cat /etc/project
    system:0::::
    user.root:1::::process.max-file-descriptor=(privileged,1024,deny);process.max-sem-ops=(privileged,512,deny);process.max-sem-nsems=(privileged,512,deny);project.max-sem-ids=(privileged,1024,deny);project.max-shm-ids=(privileged,1024,deny);project.max-shm-memory=(privileged,4294967296,deny)
    noproject:2::::
    default:3::::
    group.staff:10::::
102. Zones and /etc/system (cont.)
    Note that /etc/project is read at login
    Also, to enable warnings via syslog if the resource limits are approached, execute the following commands once in each zone the app will run in (they update the /etc/rctladm.conf file)
    Do this in the global zone; it is not persistent, so script it:
    # rctladm -e syslog process.max-file-descriptor
    # rctladm -e syslog process.max-sem-ops
    # rctladm -e syslog process.max-sem-nsems
    # rctladm -e syslog process.max-sem-ids
    # rctladm -e syslog process.max-shm-ids
    # rctladm -e syslog process.max-shm-memory
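The two slides above hand-type the same resource-control names twice, once in /etc/project and once for rctladm. The following added example (mine, not the deck's or Sun's WebLogic guide's) derives the rctladm list from the /etc/project file instead: it parses the file's colon-separated format (name:projid:comment:users:groups:attributes, attributes separated by ";"), picks out the "name=(...)" resource controls of one project, and enables the syslog action for each with "rctladm -e syslog". Only the sample file content is constructed; it mirrors the user.root entry shown on slide 101, so the rctl names carry whichever prefix (process. or project.) that entry uses.

```shell
#!/bin/sh
# Added example, not part of the original deck.
# Enables rctladm syslog warnings for every resource control configured
# for a project in an /etc/project-format file.

# Command used to set the action; override for a dry run.
RCTLADM=${RCTLADM:-rctladm}

# Constructed sample in /etc/project format, mirroring slide 101
# (attributes are ';'-separated, no whitespace).
sample_project_file() {
    cat <<'EOF'
system:0::::
user.root:1::::process.max-file-descriptor=(privileged,1024,deny);process.max-sem-ops=(privileged,512,deny);process.max-sem-nsems=(privileged,512,deny);project.max-sem-ids=(privileged,1024,deny);project.max-shm-ids=(privileged,1024,deny);project.max-shm-memory=(privileged,4294967296,deny)
noproject:2::::
default:3::::
group.staff:10::::
EOF
}

# Print the resource-control names of project $2 in file $1, one per line.
# Only "name=(...)" attributes are resource controls; plain attributes such
# as project.pool=name are skipped so they are not passed to rctladm.
project_rctls() {
    awk -F: -v proj="$2" '
        $1 == proj {
            n = split($6, attrs, ";")
            for (i = 1; i <= n; i++) {
                if (attrs[i] ~ /^[a-z]+\.[a-z-]+=\(/) {
                    sub(/=.*/, "", attrs[i])
                    print attrs[i]
                }
            }
        }' "$1"
}

# Enable the syslog action for each rctl of project $2 found in file $1.
# Keeps going after a failure and reports it, so one bad name does not
# leave the remaining controls unmonitored.
enable_rctl_syslog() {
    file=$1
    proj=$2
    rc=0
    for r in $(project_rctls "$file" "$proj"); do
        "$RCTLADM" -e syslog "$r" || { echo "rctladm failed for $r" >&2; rc=1; }
    done
    return $rc
}

# Usage on a real system:
#   enable_rctl_syslog /etc/project user.root
```

Run it once per zone (or from wherever the slide tells you to) after /etc/project has been edited; because the list comes from the file, adding a control later only requires rerunning the script.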
103. Branded Zones
    Shipped in S10 8/07
    Allows native binary execution of binaries from other operating systems
       CentOS first
    Install a brandz zone, install the "guest" OS, then install binaries (RPMs et al.) and run them
    Currently limited to CentOS and other 2.4-based distros
    Result: can use DTrace to analyze Linux performance problems
    See the man pages for brands(5) and lx(5)