Day 4 of 60: The learning zone

One of the new features that Solaris 10 has that I'm interested in is zones. A zone is a lightweight virtualisation environment. Unlike VMware or Xen, the whole environment is not virtualised. You still have one running OS kernel which arbitrates access to the hardware, for example. A zone is more like a separate instance of the userland, with its own IP address, users, running processes, and so on.

In this respect Solaris Zones are very similar to FreeBSD Jails, and if I was going to sum it up I might call it "chroot on steroids, with a much better management interface."

I'm quite familiar with FreeBSD's Jail system, much less so with Zones. I've offered up a Zone to some of the pkgsrc developers so they can experiment with pkgsrc on Solaris 10, and I'm planning on using Zones for testing the changes that I'll be making to Sendmail, so I need to learn how to create and manage them.



BigAdmin has a page dedicated to zones, with links to many other resources. There's also the OpenSolaris Zones page to consider. Of the available resources, this article by Brendan Gregg seemed the most comprehensive, and also the most up to date.

Reading through that article, the small zone example seems most appropriate. I want to give the pkgsrc developers space to build packages, but I don't necessarily want them to be able to write to files outside their home directories. Since pkgsrc builds are relocatable (packages don't have to install under /usr/pkg), this should be fine. Of course, I may have to revisit this decision later.

So, on with creating the zone. First, I'll check that there are no other zones.

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /


That looks promising. zonecfg is used to create and manage zone configuration. I'm going to call the new zone pkgsrc-zone, its root directory is going to be /export/pkgsrc-zone, and it's going to have the IP address 10.0.0.1.

# zonecfg -z pkgsrc-zone
pkgsrc-zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:pkgsrc-zone> create
zonecfg:pkgsrc-zone> set autoboot=true
zonecfg:pkgsrc-zone> set zonepath=/export/pkgsrc-zone
zonecfg:pkgsrc-zone> add net
zonecfg:pkgsrc-zone:net> set address=10.0.0.1
zonecfg:pkgsrc-zone:net> set physical=nge0
zonecfg:pkgsrc-zone:net> end
zonecfg:pkgsrc-zone> info
zonepath: /export/pkgsrc-zone
autoboot: true
pool:
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
net:
        address: 10.0.0.1
        physical: nge0
zonecfg:pkgsrc-zone> verify
zonecfg:pkgsrc-zone> commit
zonecfg:pkgsrc-zone> exit


A word about zonecfg. I was pleasantly surprised to discover that it supports a command history and sensible editing defaults. Much nicer than many command line tools I've had to deal with.

I can re-run zoneadm list -cv to see the new zone.

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
- pkgsrc-zone configured /export/pkgsrc-zone


With the zone configured, I now need to create the zone's root directory, and install the files that will make up the zone.

# mkdir /export/pkgsrc-zone
# chmod 700 /export/pkgsrc-zone
# zoneadm -z pkgsrc-zone verify
# zoneadm -z pkgsrc-zone install
Preparing to install zone <pkgsrc-zone>.
Creating list of files to copy from the global zone.
Copying <17971> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1606> packages on the zone.
Initialized <1606> packages on zone.
Zone is initialized.
Installation of <9> packages was skipped.
Installation of these packages generated warnings:
The file contains a log of the zone installation.


The wall clock time to complete that last command was 15 minutes. With that done I can see that the zone's status has changed from "configured" to "installed", and the zone can be booted.

# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
- pkgsrc-zone installed /export/pkgsrc-zone
# zoneadm -z pkgsrc-zone boot
# zoneadm list -cv
ID NAME STATUS PATH
0 global running /
1 pkgsrc-zone running /export/pkgsrc-zone


I can then use zlogin to connect to the zone. Since this is the first boot I'm asked the standard Solaris setup questions. The zone then reboots, and puts me at the console login prompt.

# zlogin -C pkgsrc-zone
[Connected to zone 'pkgsrc-zone' console]
Select a Language

0. English
1. French
2. German
3. Italian
4. Japanese
5. Korean

...

rebooting system due to change(s) in /etc/default/init


[NOTICE: Zone rebooting]


SunOS Release 5.10 Version Generic_Patch_118844-30 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: pkgsrc-zone

pkgsrc-zone console login:


That's all relatively painless. And much easier than handrolling things. At $work I'm having to build chroot environments for testing, and making sure that the right files get copied, procfs is mounted, and all the other twiddly bits gets tiresome quite quickly. I'm quite pleased at how easy that was.
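
The steps above can also be run non-interactively, since zonecfg accepts a command file with -f. The script below is an added example, not part of the original post: the function names are hypothetical, mktemp is assumed to be available, and the zone name, path, address and interface are the ones used in the post. It also checks the zonepath mode before installing, because mode 700 is what keeps unprivileged users of the global zone out of the zone's file tree.

```shell
#!/bin/sh
# Added example: the post's interactive session as a script.
# Function names are hypothetical; values are the ones used in the post.

# Print a zonecfg command file: <name> <zonepath> <address> <nic>.
# Values with characters outside a small safe set are rejected so that a
# parameter cannot smuggle extra zonecfg subcommands into the file.
zone_cfg_commands() {
    [ $# -eq 4 ] || return 2
    for v in "$@"; do
        case $v in
            ''|*[!A-Za-z0-9._/-]*) echo "bad value: $v" >&2; return 1 ;;
        esac
    done
    cat <<EOF
create
set autoboot=true
set zonepath=$2
add net
set address=$3
set physical=$4
end
verify
commit
EOF
}

# True only if the directory exists with mode 700. ls is used because
# stat(1) options differ between systems.
zonepath_is_private() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Configure, create the zonepath, then verify, install and boot.
create_zone() {
    command -v zonecfg >/dev/null 2>&1 || { echo "zonecfg not found" >&2; return 3; }
    tmp=$(mktemp) || return 1
    zone_cfg_commands "$@" > "$tmp" && zonecfg -z "$1" -f "$tmp"
    rc=$?; rm -f "$tmp"; [ $rc -eq 0 ] || return $rc
    mkdir -p "$2" && chmod 700 "$2" && zonepath_is_private "$2" || return 1
    zoneadm -z "$1" verify && zoneadm -z "$1" install && zoneadm -z "$1" boot
}

# "apply" builds the post's zone; anything else only prints the command file.
if [ "${1:-}" = apply ]; then
    create_zone pkgsrc-zone /export/pkgsrc-zone 10.0.0.1 nge0
else
    zone_cfg_commands pkgsrc-zone /export/pkgsrc-zone 10.0.0.1 nge0
fi
```

The first boot still asks the setup questions on the zone console, so zlogin -C is needed afterwards as described above.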

1 comment:

  1. you forgot to do:
    chmod 700 /export/pkgsrc-zone
