This page is a collection of resources related to Solaris 10 partitioning technology, a.k.a. zones. The newer the release of Solaris 10, the more features it has to support zones.
This page is based on the Solaris 10 08/07 release. The complete documentation can be found at:
http://docs.sun.com/app/docs/doc/817-1592/zone?a=view
See also OpenSolaris Zones and Containers FAQ
A zone is a partition, or an isolated operating system execution environment, that is created within a single instance of the Solaris OS. Zones provide a virtual layer that abstracts physical machine resources from the OS.
One may think of Solaris zones as Sun’s own version of VMware software or IBM LPARs.
In general, zones allow for more efficient utilization of machine resources. In situations where rack space and/or budget are the constraints, it may be advisable to look into Solaris zones.
In practice, it is easy to configure and install zones. A default zone creation takes only about 10 minutes.
It is easy to pre-configure one zone and then clone it to a number of identical zones that can be used for testing different scenarios and/or development: one zone per developer, for example.
A zone can be migrated from one machine to another, so zones are not confined to a single host. For example, a zone can be built, tested and then shipped to a customer.
Important! A non-global zone cannot run nfs/server service.
The first, mandatory zone, called global, is created when the Solaris 10 OS is installed. Any subsequent zones are called non-global. There is therefore only one global zone, and it has zone id 0. Theoretically, it is possible to create 8191 non-global zones.
The global zone runs the single instance of the Solaris kernel. The global zone is aware of the hardware layer and can address devices by their hardware paths.
Non-global zones do not run their own kernel instances; they share the global zone's kernel. They cannot address devices by their hardware paths.
The global zone is aware of all non-global zones. The global zone is used to configure, install and manage non-global zones.
A non-global zone is not aware of any zone but itself. From within, it can be managed only as a stand-alone OS abstracted from the hardware layer; it cannot manage itself as a whole, i.e. as a zone. From a user's perspective it has no knowledge of being a zone except for its name.
There are two types of non-global zones: sparse root and whole root.
Sparse root zones access Solaris packages from the global zone in read-only mode. By default, a zone is created as a sparse zone and re-uses the /lib, /platform, /usr and /sbin directories. These directories are mounted via the loopback file system (LOFS) under the non-global zone's root. To be a sparse zone, a zone must have an inherit-pkg-dir resource.
A default sparse zone with the above mounted directories takes only about 100MB. In comparison, a full Solaris installation with Companion software is about 5GB. The drawback of sparse zones is limited flexibility when dealing with packages.
A whole root zone has no inherit-pkg-dir resource and is therefore more flexible. The drawback is that it takes much more disk space and is slower to install, clone or migrate.
A shared-IP zone shares the data-link layer of a network interface with the global zone. This means that the non-global zone must be on the same network as the global zone. It must have a different IP, but this IP must belong to the same network as the global zone's IP, so it also shares the same gateway. Only the data-link layer is shared; the upper layers need not be. In other words, the non-global zone may use different name resolution services, run its own instances of web and email services, etc.
Technically, a shared-IP zone creates an alias on the interface that is shared with the global zone. Therefore, it must have a static IP. Data-link properties of a network interface may be configured from the global zone only. In other words, parameters such as speed, duplex and autonegotiation can be set from the global zone only. There is no access to data-link properties from a shared-IP non-global zone; for example, the dladm command will not work.
An exclusive-IP zone is a new feature available in the Solaris 10 08/07 release. It gives a non-global zone a dedicated data-link layer that is not shared with the global zone, in the form of a physical interface or a VLAN. Therefore, a non-global zone's network traffic can be isolated from the global zone's.
An exclusive-IP zone offers more freedom. Interfaces can be configured via DHCP; IP routing, packet filtering, NAT, IP multipathing (IPMP), IPsec, snoop, ndd and dladm are supported.
To set up an exclusive-IP zone, set the zone property ip-type to exclusive:
zonecfg:zonename> set ip-type=exclusive
Resources Control
The following OS resources can be controlled by setting zone properties with the zonecfg command:
At the zone level it is preferable to use the global property name as shown above. Alternatively, one may use the properties of the rctl resource to set zone-wide or project-wide limits, prefixing the properties with "zone." or "project." respectively.
Memory can also be controlled by setting the following properties of the capped-memory resource with the zonecfg command:
A number of physical CPUs can be dedicated to a zone via the dedicated-cpu resource and its properties:
To list configured and installed zones with their state, path, brand and IP type:
zoneadm list -icv
To configure a zone, use the zonecfg command. See the man pages for more details. For example:
zonecfg -z <zonename>
zonename: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zonename> create
zonecfg:zonename> set zonepath=/export/home/zonename
zonecfg:zonename> add net
zonecfg:zonename:net> set address=192.168.25.101/24
zonecfg:zonename:net> set physical=bge0
zonecfg:zonename:net> end
zonecfg:zonename> exit
The above will create a sparse zone with /lib, /usr, /platform and /sbin read-only shared with the global zone.
To add the Companion software installed in /opt/sfw, use the following commands:
zonecfg -z <zonename>
zonecfg:zonename> add inherit-pkg-dir
zonecfg:zonename:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:zonename:inherit-pkg-dir> end
zonecfg:zonename> exit
To make /usr/local writable and non-inherited, use the following commands:
zonecfg -z <zonename>
zonecfg:zonename> add fs
zonecfg:zonename:fs> set dir=/usr/local
zonecfg:zonename:fs> set special=/opt/local
zonecfg:zonename:fs> set type=lofs
zonecfg:zonename:fs> end
zonecfg:zonename> exit
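The interactive sessions above can also be written once as a zonecfg command file and applied with `zonecfg -z <zonename> -f <file>`, the same form used for cloning later on this page. The following is an added example, not from the original page: a POSIX sh script that validates the inputs (zone name, absolute zonepath, IPv4 address with prefix) and emits the command file for a sparse-root, shared-IP zone with an optional writable LOFS mount. The function names gen_zonecfg and valid_cidr are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): write the interactive zonecfg
# session as a command file that "zonecfg -z <zonename> -f <file>" can apply,
# after checking the inputs. gen_zonecfg and valid_cidr are this example's
# own helper names.

# valid_cidr ADDR/PREFIX -> succeeds only for a well-formed IPv4 address
# with prefix length, the form zonecfg expects for a net resource address.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1
            if ($5 !~ /^[0-9]+$/ || $5 + 0 > 32) exit 1
        }'
}

# gen_zonecfg NAME ZONEPATH ADDR/PREFIX NIC [DIR SPECIAL]
# Emits a sparse-root, shared-IP zone configuration on stdout; the optional
# pair adds a writable LOFS mount (DIR inside the zone, SPECIAL in the
# global zone), as in the /usr/local example above.
gen_zonecfg() {
    zc_name=$1 zc_path=$2 zc_addr=$3 zc_nic=$4 zc_dir=$5 zc_special=$6
    case $zc_name in
        ''|global|*[!A-Za-z0-9_.-]*)
            echo "invalid zone name: '$zc_name'" >&2; return 1 ;;
    esac
    case $zc_path in
        /?*) ;;
        *) echo "zonepath must be an absolute path: '$zc_path'" >&2; return 1 ;;
    esac
    valid_cidr "$zc_addr" || { echo "bad address: '$zc_addr'" >&2; return 1; }
    [ -n "$zc_nic" ] || { echo "physical interface required" >&2; return 1; }
    printf 'create\n'
    printf 'set zonepath=%s\n' "$zc_path"
    printf 'set autoboot=false\n'
    printf 'add net\nset address=%s\nset physical=%s\nend\n' "$zc_addr" "$zc_nic"
    if [ -n "$zc_dir" ]; then
        printf 'add fs\nset dir=%s\nset special=%s\nset type=lofs\nend\n' \
            "$zc_dir" "$zc_special"
    fi
    printf 'verify\ncommit\n'
}

# Usage on the Solaris host would be:
#   gen_zonecfg dev1 /export/home/dev1 192.168.25.101/24 bge0 /usr/local /opt/local > dev1.cfg
#   zonecfg -z dev1 -f dev1.cfg
gen_zonecfg dev1 /export/home/dev1 192.168.25.101/24 bge0 /usr/local /opt/local
```

Reviewing the generated file before applying it is the point: a wrong `physical` or an address outside the global zone's network is caught in a text file instead of at first boot, and `verify` in the file makes zonecfg reject inconsistent resources before `commit`.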
Key points (more details are at http://docs.sun.com/app/docs/doc/819-5461/gayov?a=view):
* You can add a ZFS file system or a ZFS clone to a non-global zone with or without delegating administrative control.
* You can add a ZFS volume as a device to non-global zones.
* You cannot associate ZFS snapshots with zones at this time.
* Do not use a ZFS file system for a global zone root path or a non-global zone root path in the Solaris 10 releases, because of issues with the Solaris upgrade process.
* Adding an fs resource with a zfs type allows the non-global zone to share space with the global zone, though a zone administrator cannot control properties or create new file systems in the underlying file system hierarchy.
* Adding a zfs dataset (a file system or a clone) delegates control over the dataset and its children to a non-global zone. The zone administrator can create and destroy file systems or clones within that dataset, and modify properties of the datasets.
* ZFS storage pools cannot be created or modified within a non-global zone.
* The zoned property of a zfs dataset is automatically turned on at the first boot. If the zoned property is set, the dataset cannot be mounted or shared in the global zone.
To add a ZFS file system to a zone:
zonecfg -z <zonename>
zonecfg:zonename> add fs
zonecfg:zonename:fs> set type=zfs
zonecfg:zonename:fs> set special=tank/zone/zonename
zonecfg:zonename:fs> set dir=/export/shared
zonecfg:zonename:fs> end
Note that in the above case the goal is solely to share space with the global zone. The mountpoint property of the ZFS file system must be set to legacy, and the file system cannot already be mounted in another location. A zone administrator can create and destroy files within the file system but cannot change properties of the file system such as atime, readonly, compression, and so on. If the primary goal is to delegate the administration of storage to a zone, then:
zonecfg -z <zonename>
zonecfg:zonename> add dataset
zonecfg:zonename:dataset> set name=tank/zone/zonename
zonecfg:zonename:dataset> end
In the above case a zone administrator can set file system properties, as well as create children. In addition, the zone administrator can take snapshots, create clones, and otherwise control the entire file system hierarchy.
To add a ZFS raw volume to a non-global zone, use:
zonecfg -z <zonename>
zonecfg:zonename> add device
zonecfg:zonename:device> set match=/dev/zvol/dsk/tank/vol
zonecfg:zonename:device> end
Exposing a raw device to a non-global zone this way is not recommended for security reasons.
To turn the configuration into a whole root zone, remove the inherited package directories:
zonecfg -z <zonename>
zonecfg:zonename> remove inherit-pkg-dir=/sbin
zonecfg:zonename> remove inherit-pkg-dir=/usr
zonecfg:zonename> remove inherit-pkg-dir=/platform
zonecfg:zonename> remove inherit-pkg-dir=/lib
zonecfg:zonename> exit
To configure an exclusive-IP zone with its own interface:
zonecfg -z <zonename>
zonecfg:zonename> set ip-type=exclusive
zonecfg:zonename> add net
zonecfg:zonename:net> set address=192.168.202.10/24
zonecfg:zonename:net> set physical=bge1
zonecfg:zonename:net> end
zonecfg:zonename> exit
To attach a free-form comment to a zone configuration with an attr resource:
zonecfg -z <zonename>
zonecfg:zonename> add attr
zonecfg:zonename:attr> set name=comment
zonecfg:zonename:attr> set type=string
zonecfg:zonename:attr> set value="This is dev zone"
zonecfg:zonename:attr> end
zonecfg:zonename> exit
To install a zone, use the zoneadm command. See the man pages for more details:
zoneadm -z <zonename> install
To boot a zone, use zoneadm command:
zoneadm -z <zonename> boot
To automatically configure a zone the first time it boots, place a sysidcfg file in the <zonepath>/root/etc directory (for example, /export/home/zonename/root/etc) from the global zone prior to booting. See man sysidcfg for more details.
Example sysidcfg with only the hostname in the network_interface block:
system_locale=C
terminal=vt100
network_interface=primary {
    hostname=kalgan-2
}
security_policy=NONE
name_service=DNS {
    domain_name=hibet.ru
    name_server=212.248.26.3
    search=hibet.ru,betline.ru
}
timezone=Europe/Moscow
root_password=<crypt password from /etc/shadow>
Example sysidcfg with a static network configuration in the network_interface block:
system_locale=C
terminal=vt100
network_interface=primary {
    hostname=v490-stb
    ip_address=212.248.26.14
    netmask=255.255.255.224
    protocol_ipv6=no
    default_route=212.248.26.1
}
security_policy=NONE
name_service=DNS {
    domain_name=hibet.ru
    name_server=212.248.26.3
    search=hibet.ru,betline.ru
}
timezone=Europe/Moscow
root_password=<crypt password from /etc/shadow>
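A sysidcfg file is read unattended at first boot, so mistakes in it (a placeholder left in root_password, a gateway on the wrong subnet, a missing keyword) surface only as a zone that stops at the interactive sysid prompts on its console. The following is an added example, not from the original page: a POSIX sh/awk linter for the file as shown above, which also computes the network address per octet without bitwise operators. The names check_sysidcfg and sample_sysidcfg, and the two sample files (with a dummy hash), are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): lint a sysidcfg file before
# copying it to <zonepath>/root/etc. It checks that the mandatory keywords
# are present, that root_password is a crypt(3) hash rather than the
# "<crypt password ...>" placeholder or cleartext, and that a static
# network block is consistent (default_route inside the ip_address/netmask
# subnet). check_sysidcfg and sample_sysidcfg are this example's own names.

# check_sysidcfg FILE -> prints one line per problem; returns 1 if any
check_sysidcfg() {
    # Tokenize: braces become separate tokens, one token per line, so the
    # multi-line and the single-line sysidcfg layouts are handled alike.
    sed 's/[{}]/ & /g' "$1" | tr -s ' \t' '\n\n' | awk '
        BEGIN { found = 0 }
        function bad(msg) { print msg; found = 1 }
        # a AND m for one octet of a contiguous netmask, without bit operators
        function andmask(a, m) { return m == 0 ? 0 : a - a % (256 - m) }
        function network(ip, mask,    i, n, o, out) {
            split(ip, i, "."); split(mask, n, ".")
            out = andmask(i[1], n[1])
            for (o = 2; o <= 4; o++) out = out "." andmask(i[o], n[o])
            return out
        }
        $0 == "{" { depth++; next }
        $0 == "}" { depth--; next }
        /^[a-z_0-9]+=/ {
            k = substr($0, 1, index($0, "=") - 1)
            v[k] = substr($0, index($0, "=") + 1)
        }
        END {
            if (depth != 0) bad("unbalanced braces")
            nreq = split("system_locale terminal network_interface security_policy name_service timezone root_password", req, " ")
            for (r = 1; r <= nreq; r++)
                if (!(req[r] in v)) bad("missing keyword: " req[r])
            if ("root_password" in v) {
                p = v["root_password"]
                if (p !~ /^\$[0-9a-z]+\$./ && !(length(p) == 13 && p ~ /^[.\/A-Za-z0-9]+$/))
                    bad("root_password is not a crypt(3) hash")
            }
            if ("ip_address" in v) {
                if (!("netmask" in v) || !("default_route" in v))
                    bad("ip_address given without netmask and default_route")
                else if (network(v["ip_address"], v["netmask"]) != network(v["default_route"], v["netmask"]))
                    bad("default_route " v["default_route"] " is outside " network(v["ip_address"], v["netmask"]) " netmask " v["netmask"])
            }
            exit found
        }'
}

# sample_sysidcfg good|bad FILE -> constructed samples; the hash is a dummy
sample_sysidcfg() {
    if [ "$1" = good ]; then cat > "$2" <<'EOF'
system_locale=C
terminal=vt100
network_interface=primary {
    hostname=v490-stb
    ip_address=212.248.26.14
    netmask=255.255.255.224
    protocol_ipv6=no
    default_route=212.248.26.1
}
security_policy=NONE
name_service=DNS {
    domain_name=hibet.ru
    name_server=212.248.26.3
    search=hibet.ru,betline.ru
}
timezone=Europe/Moscow
root_password=$1$dummysal$DUMMYdummyDUMMYdummy00
EOF
    else cat > "$2" <<'EOF'
system_locale=C
terminal=vt100
network_interface=primary { hostname=v490-stb ip_address=212.248.26.14
    netmask=255.255.255.224 default_route=212.248.26.33 }
security_policy=NONE
name_service=DNS { domain_name=hibet.ru name_server=212.248.26.3 }
root_password=<crypt password from /etc/shadow>
EOF
    fi
}

tmp=${TMPDIR:-/tmp}/sysidcfg.$$
mkdir -p "$tmp"
sample_sysidcfg good "$tmp/good" && check_sysidcfg "$tmp/good" && echo "good sample: ok"
sample_sysidcfg bad "$tmp/bad" && check_sysidcfg "$tmp/bad" || echo "bad sample: rejected"
rm -rf "$tmp"
```

The subnet test relies on netmask octets being contiguous (0, 128, 192, ..., 255), which is what a dotted-quad netmask is; for such an octet `a - a % (256 - m)` equals `a AND m`, so the 212.248.26.14/255.255.255.224 case above yields network 212.248.26.0 and a gateway of 212.248.26.33 is reported as being off-subnet.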
To log in to a zone from the same host, use:
zlogin <zonename>
To log in to a zone's console (à la ALOM), use:
zlogin -C -e "#" <zonename>
To log in over the network, use whatever mechanism is configured in the zone, for example ssh, telnet or rsh. ssh is preferred for security reasons.
To halt a zone, from within the zone:
halt
or
shutdown -i 0
From the global zone, non-interactively:
zlogin <zonename> halt
or
zoneadm -z <zonename> halt
To uninstall and delete a zone, from the global zone:
zoneadm -z <zonename> halt
zoneadm -z <zonename> uninstall -F
zonecfg -z <zonename> delete -F
To clone a zone, from the global zone:
zoneadm -z <zone-template> halt
zonecfg -z <zone-template> export -f zone.cfg
Modify the zone.cfg file as needed; in particular, change zonepath and the IP address(es). Then:
zonecfg -z <clone-name> -f zone.cfg
zoneadm -z <clone-name> clone <zone-template>
To migrate a zone to another host, from the global zone:
zoneadm -z <zonename> halt
zoneadm -z <zonename> detach
tar -cf zonename.tar <zonepath>
Copy zonename.tar to the new host. On the new host, execute:
tar -xf zonename.tar
zonecfg -z <zonename>
zonename: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zonename> create -a <zonepath>
zonecfg:zonename> info
Make any necessary adjustments to the configuration. Then:
zonecfg:zonename> exit
zoneadm -z <zonename> attach
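The migration steps above start from `zoneadm list -icv` output: a zone can only be detached once it is halted, which the listing shows as state installed, and the global zone must never be detached. The following is an added example, not from the original page, of scripting that pre-flight check in POSIX sh/awk against the Solaris 10 08/07 listing layout (ID, NAME, STATUS, PATH, BRAND, IP). The listing in zone_list_sample is constructed, and zones_in_state, zone_field and detach_preflight are this example's own names.

```shell
#!/bin/sh
# Added example (not from the original page): read "zoneadm list -icv"
# output and decide whether a zone is safe to detach. A zone must be halted
# (state "installed") before "zoneadm detach", and the global zone can never
# be detached. zones_in_state, zone_field, detach_preflight and the listing
# in zone_list_sample are this example's own.

# Constructed listing in the Solaris 10 08/07 "zoneadm list -icv" layout.
zone_list_sample() {
    cat <<'EOF'
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 web1             running    /export/home/web1              native   shared
   - dev1             installed  /export/home/dev1              native   exclusive
   - dev2             configured /export/home/dev2              native   shared
EOF
}

# zones_in_state STATE < listing -> names of zones in that state
zones_in_state() { awk -v s="$1" 'NR > 1 && $3 == s { print $2 }'; }

# zone_field NAME COLUMN < listing -> that column for NAME; fails if absent
zone_field() {
    awk -v z="$1" -v c="$2" 'NR > 1 && $2 == z { print $c; found = 1 } END { exit !found }'
}

# detach_preflight NAME < listing -> prints the detach and archive commands
# to run from the global zone, or explains why the zone is not ready
detach_preflight() {
    dp_listing=$(cat)
    case $1 in
        global) echo "refusing to detach the global zone" >&2; return 1 ;;
    esac
    dp_state=$(printf '%s\n' "$dp_listing" | zone_field "$1" 3) \
        || { echo "no such zone: $1" >&2; return 1; }
    if [ "$dp_state" != installed ]; then
        echo "$1 is '$dp_state'; halt it first (zoneadm -z $1 halt)" >&2
        return 1
    fi
    dp_path=$(printf '%s\n' "$dp_listing" | zone_field "$1" 4)
    printf 'zoneadm -z %s detach\n' "$1"
    printf 'tar -cf %s.tar %s\n' "$1" "$dp_path"
}

# Demonstration; on a real host pipe "zoneadm list -icv" in instead.
zone_list_sample | zones_in_state running
zone_list_sample | detach_preflight dev1
zone_list_sample | detach_preflight web1 || echo "web1 skipped"
```

Because the check reads the same listing an operator would eyeball, it can be dropped in front of the detach/tar sequence above to stop a running zone from being archived mid-flight; the IP column (shared/exclusive) is also available through zone_field when deciding whether the target host can offer the same interface.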