Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Papers We Love: Jails and Zones CTO bryan@joyent.com Bryan Cantrill @bcantrill
Papers we love: Jails and Zones • Discussing two important papers that form the foundation of thinking about OS-based virt...
Jails: Problem statement
Jails: Prior work
Jails aside: chroot(2)
Jails: Proposed solution
Jails: Advantages
Jails: jail(2)
Jails: Confining the filesystem
Jails: Confining the network
Jails: Implementation
Jails: Network management complexities
Jails: Filesystem management complexities
Jails: User management complexities
Jails: Unintended consequences
Jails: Networking limitations
Jails: Resource management limitations
Jails: Management limitations
Jails: Epilogue • Jails became easier to manage with jls/jps/ezjail/iocage • Jails were allowed to have multiple IPv4 addr...
Zones: Problem statement
Zones: Problem statement detail
Zones: Proposed solution
Zones: Block diagram
Zones: Design principles
Zones: Design principles, cont.
Zones: State model
Zones: Configuration
Zones: Installation
Zones: Application environment
Zones: Virtual platform
Zones: Console
Zones: Process model
Zones: Process model, cont.
Zones: IPC
Zones: System V IPC
Zones: Networking
Zones: Filesystem
Zones: Resource management
Zones: Observability and debugging
Zones: Security experience
Zones: Workloads
Zones: Epilogue • Crossbow added virtual NICs and exclusive IP stacks — and anti- spoof allowed exclusive IP stacks to be ...
Zones: Epilogue, cont. • Sun added notion of branded zones in 2006, including a nascent Linux brand (LX) — and then ripped...
Jails and Zones: Conclusions • Each of these technologies has served to inspire the other: zones was explicitly inspired b...
Upcoming SlideShare
Loading in …5
×

Papers We Love: Jails and Zones

3,718 views

Published on

Slides for my @papers_we_love talk at @paperswelovenyc on February 11, 2016. Video to come!

Published in: Technology
no profile picture user
  • Dating for everyone is here: ♥♥♥ http://bit.ly/39mQKz3 ♥♥♥
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Dating direct: ♥♥♥ http://bit.ly/39mQKz3 ♥♥♥
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

Papers We Love: Jails and Zones

  1. 1. Papers We Love: Jails and Zones CTO bryan@joyent.com Bryan Cantrill @bcantrill
  2. 2. Papers we love: Jails and Zones • Discussing two important papers that form the foundation of thinking about OS-based virtualization and containers: • Jails: Confining the Omnipotent Root by Poul-Henning Kamp and Robert Watson, presented at SANE 2000 • Solaris Zones: Operating System Support for Consolidating Commercial Workloads by Dan Price and Andy Tucker, presented at LISA 2004 • As much as possible, want to let these papers speak for themselves — and provoke discussion!
  3. 3. Jails: Problem statement
  4. 4. Jails: Prior work
  5. 5. Jails aside: chroot(2)
  6. 6. Jails: Proposed solution
  7. 7. Jails: Advantages
  8. 8. Jails: jail(2)
  9. 9. Jails: Confining the filesystem
  10. 10. Jails: Confining the network
  11. 11. Jails: Implementation
  12. 12. Jails: Network management complexities
  13. 13. Jails: Filesystem management complexities
  14. 14. Jails: User management complexities
  15. 15. Jails: Unintended consequences
  16. 16. Jails: Networking limitations
  17. 17. Jails: Resource management limitations
  18. 18. Jails: Management limitations
  19. 19. Jails: Epilogue • Jails became easier to manage with jls/jps/ezjail/iocage • Jails were allowed to have multiple IPv4 addresses • Some jail-based resource management was added, including CPU binding and • System V IPC was virtualized, but remains out-of-tree • VIMAGE added exclusive IP stacks to jails, but it remains a build- time option and “is considered experimental”
  20. 20. Zones: Problem statement
  21. 21. Zones: Problem statement detail
  22. 22. Zones: Proposed solution
  23. 23. Zones: Block diagram
  24. 24. Zones: Design principles
  25. 25. Zones: Design principles, cont.
  26. 26. Zones: State model
  27. 27. Zones: Configuration
  28. 28. Zones: Installation
  29. 29. Zones: Application environment
  30. 30. Zones: Virtual platform
  31. 31. Zones: Console
  32. 32. Zones: Process model
  33. 33. Zones: Process model, cont.
  34. 34. Zones: IPC
  35. 35. Zones: System V IPC
  36. 36. Zones: Networking
  37. 37. Zones: Filesystem
  38. 38. Zones: Resource management
  39. 39. Zones: Observability and debugging
  40. 40. Zones: Security experience
  41. 41. Zones: Workloads
  42. 42. Zones: Epilogue • Crossbow added virtual NICs and exclusive IP stacks — and anti- spoof allowed exclusive IP stacks to be deployed safely • Resource management became much more complete, adding memory capping, CPU capping, I/O throttling • ZFS revolutionized zone installation/configuration • With introduction of IPS packaging, Solaris got rid of so-called “sparse root” zones... • ...and Joyent added sparse root zones back to SmartOS (thanks to no IPS and no global zone package management)
  43. 43. Zones: Epilogue, cont. • Sun added notion of branded zones in 2006, including a nascent Linux brand (LX) — and then ripped LX out in 2010 • LX brand revived by Joyent in 2014 in SmartOS and completed (first deployed into production in early 2015) • Overlay network support added to SmartOS by Joyent, allowing software-defined VXLAN-based networks in non-global zones
  44. 44. Jails and Zones: Conclusions • Each of these technologies has served to inspire the other: zones was explicitly inspired by jails — and the jails networking work has been explicitly inspired by Crossbow • These two papers are important because they capture not just the what, but the why of their respective works • These technologies were both ahead of their time; it’s invaluable now to be able to understand their motivations! • In the words of the late, great Jim Gray: You need to write more!

×