2.1 : What are these four “add-inherit-pkg-dir” in my zone configuration and may I remove them?
2.2 : Which kind of devices may I NOT add using the zonecfg “set devices” command?
2.3 : How do I add a special netmask for a zone’s IP address?
2.4 : How to hide a subdirectory of a directory that is loopback mounted from the Global zone?
2.5 : How do I add a filesystem to my non-global zone?
2.6 : How many containers can one domain or computer have, both theoretically and realistically?
2.7 : How do I configure the identity (hostname, timeserver, timezone,… ) of a non-global zone?
2.8 : How do I configure a default route for a non-global zone?
2.9 : Is it possible to clone a non-global zone?
2.10 : Where do zone installation default files come from?
2.11 : May I install a zone in a NFS-exported directory so that diskless clients may run them?
2.12 : Is it possible to configure/install non-global zones directly from a Jumpstart server?
2.13 : Is there a graphical tool that can be used to configure/install zones ?
Section 3 : Administration
5.1 Can I prevent one non-global zone from consuming all the CPU time?
5.2 Can I prevent one application in a non-global zone from using all the CPU time?
5.3 Can I prevent a non-global zone from consuming all the memory?
5.4 Can I run a non-global zone processes on specific CPUs?
5.5 Can I bind several non-global zones to the same resource pool?
5.6 Can I dynamically change the number of FSS shares assigned to non-global zones?
5.7 Is there a way to dynamically or permanently assign shares to the global zone ?
==============================================================================
Section 1 : General
1.3 What about license costs if I run my application in a Zone on a specific number of CPUs?
It is possible to give one Zone exclusive access to a number of CPUs through the resource pools
functionality (see section 5). Sun is pushing ISVs to base their licensing cost on the number of
CPUs assigned to the Zone, as opposed to the total number of CPUs in the machine.
This Oracle document officially recognizes a Zone as a hardware partitioning technology, much like a
Solaris Domain. If your zone is bound to a 3-CPU resource pool, Oracle only requires a 3-CPU
license.
1.6 : Would there be a reason to use zones even if I want to run only ONE workload on my Solaris
server?
Absolutely! For security reasons, run your workload in one non-global zone. The security barrier
built around it means that a vulnerability that lets an intruder compromise the non-global zone
does not, by itself, give him control of the Global zone, i.e. of the server. Keep in mind what
enforces that barrier: the single kernel shared by all zones. It protects against compromise at the
application and user level, not against a flaw in the kernel itself. If you were careful enough to
deploy some defensive technique in the Global zone, for instance an intrusion detection tool, you
will be able to watch what the attacker is doing: the Global zone sees all of the non-global zone's
processes and files, while the attacker cannot see, reach or tamper with the Global zone from
inside the non-global zone.
“BrandZ is a framework that extends the Solaris Zones infrastructure to create Branded Zones,
which are zones that contain non-native operating environments. The term “non-native” is
intentionally vague, as the infrastructure allows for the creation of a wide range of operating
environments.
(…)
The lx brand enables Linux binary applications to run unmodified on Solaris, within zones running a
complete Linux userspace. The combination of BrandZ and the lx brand will be productized as
Solaris Containers for Linux Applications.”
This project is still a work-in-progress.
==============================================================================
2.1 : What are these four “add-inherit-pkg-dir” in my zone configuration and may I remove them?
Absolutely. They are there because, by default, Solaris wants the non-global zone and the Global
zone to share the text segments of the executables and shared libraries that live in the 4
inherited directories: /usr, /platform, /sbin and /lib. These 4 directories are loopback mounted
read-only from the Global zone into your non-global zone. The other advantages of this technique
are the smaller disk footprint of the non-global zone and a faster non-global zone installation,
since fewer packages need to be copied (only those whose pkginfo(4) parameter SUNW_PKGTYPE is set
to root).
If you remove them from the zone configuration (a so-called whole root zone), your zone will
require approx. 2GB of disk space, but you will have maximum flexibility for installing additional
software.
Note that creating the zone configuration with “create -b” (blank) results in an empty
configuration, without any inherit-pkg-dir (see question 6.9):
global# zonecfg -z my-zone
my-zone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:my-zone> create -b
zonecfg:my-zone> info
zonepath:
autoboot: false
pool:
zonecfg:my-zone>
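As an added example (this is not code from the original FAQ), the following sh script generates the zonecfg(1M) command file for either kind of zone, a default sparse root zone whose plain "create" implicitly adds the four inherit-pkg-dir entries, or a whole root zone started with "create -b", and feeds it to "zonecfg -f" from the Global zone. The zone name, zonepath, interface and address used here are assumed values; with DRY_RUN set in the environment the script only prints what it would run, so it can be read and exercised on a machine without zonecfg.

```sh
#!/bin/sh
# Added example (not from the original FAQ): build a zonecfg(1M) command
# file for a sparse root zone (plain "create": /usr, /platform, /sbin and
# /lib inherited read-only) or a whole root zone ("create -b": blank config,
# nothing inherited, roughly 2GB on disk), then apply it with zonecfg -f.
# Zone name, zonepath and network settings are assumed values.

# Emit the zonecfg commands for a zone to stdout.
#   $1 = sparse | whole   $2 = zone name   $3 = zonepath
#   $4 = physical NIC     $5 = IP address
zone_cmds() {
    kind=$1 name=$2 zpath=$3 nic=$4 addr=$5
    case $kind in
        sparse) printf 'create\n' ;;      # implicitly adds the 4 inherit-pkg-dir
        whole)  printf 'create -b\n' ;;   # blank configuration, no inheritance
        *) echo "zone_cmds: kind must be sparse or whole" >&2; return 1 ;;
    esac
    printf 'set zonepath=%s\n' "$zpath"
    printf 'set autoboot=false\n'
    printf 'add net\n'
    printf 'set physical=%s\n' "$nic"
    printf 'set address=%s\n' "$addr"
    printf 'end\n'
    printf 'verify\ncommit\nexit\n'
}

# Write the generated commands to a temporary file and hand it to zonecfg.
# With DRY_RUN set, only show the command and the file that would be used.
#   $1 = sparse | whole   $2 = zone name   $3.. = zonepath NIC address
zone_apply() {
    kind=$1 name=$2
    shift 2
    file=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    zone_cmds "$kind" "$name" "$@" > "$file" || { rm -f "$file"; return 1; }
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would run: zonecfg -z $name -f $file"
        cat "$file"
    else
        zonecfg -z "$name" -f "$file" && zonecfg -z "$name" info
    fi
    status=$?
    rm -f "$file"
    return $status
}

# Typical use from the Global zone (assumed values):
#   zone_apply whole my-zone /export/zones/my-zone bge0 192.168.1.10
#   zoneadm -z my-zone install
```

After "zonecfg -z my-zone info" shows the expected configuration, "zoneadm -z my-zone install" populates the zonepath; for the whole root variant, expect the install to copy every package rather than only the SUNW_PKGTYPE=root ones.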
2.2 : Which kind of devices may I NOT add using the zonecfg “set devices” command?
2.4 : How to hide a subdirectory of a directory that is loopback mounted from the Global zone?
Suppose that you want to have /usr in the non-global zone loopback mounted from the Global zone
but that you don’t want your non-global zone to have access to /usr/local.
• Export the device node and mount from the non-global zone:
• Mount the FS directly from the Global zone when the non-global zone is running:
• Using lofiadm
2.6 : How many containers can one domain or computer have, both theoretically and realistically?
A single instance of Solaris has a theoretical limit of 8192 zones. The real-life number of course
depends on resource consumption, namely CPU, memory and network usage, as well as storage
needs.
2.7 : How do I configure the identity (hostname, timeserver, timezone,… ) of a non-global zone?
After the non-global zone has been installed, the usual identity information needs to be
provided. It can be done in two ways:
• Interactively: the Global zone administrator boots the zone for the first time. A “sysidtool”
process (the same one used for a standard installation) is then launched inside the non-global
zone. The administrator then connects to the non-global zone console using the “zlogin -C
my-zone” command and answers the usual questions. The zone then reboots.
• Non-interactively: the Global zone administrator creates the file /etc/sysidcfg in the
non-global zone's directory tree, i.e. <zonepath>/root/etc/sysidcfg. The file contains all the
answers for the “sysidtool” command, pretty much like in the Jumpstart network installation
procedure. Detailed reference for this file can be found in this docs.sun.com guide. For an
example of this, refer to this zones lab.
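As an added example (not from the original FAQ or the referenced lab), here is an sh function that writes such a sysidcfg into the zone's root before the first boot. The hostname, timezone, time server and zonepath are assumed values; the keywords are the standard Solaris 10 sysidcfg ones, and the root password is taken already hashed, in the format found in /etc/shadow, so that no clear-text secret ever lands in a file.

```sh
#!/bin/sh
# Added example (not from the original FAQ): write the sysidcfg file into a
# non-global zone's root so that the first boot does not prompt on the zone
# console. Hostname, timezone, time server and zonepath are assumed values.
# The root password must be supplied already hashed (crypt(3C) format, as
# found in /etc/shadow), never in clear text.

# write_sysidcfg <zonepath> <hostname> <timezone> <timeserver> <root_pw_hash>
write_sysidcfg() {
    zpath=$1 host=$2 tz=$3 ts=$4 hash=$5
    # A crypt(3C) hash only contains these characters; refuse anything else
    # (an empty value or a clear-text password with spaces, for instance).
    case $hash in
        ''|*[!A-Za-z0-9./'$']*)
            echo "write_sysidcfg: root password hash looks invalid" >&2
            return 1 ;;
    esac
    etc="$zpath/root/etc"
    if [ ! -d "$etc" ]; then
        echo "write_sysidcfg: $etc not found; is the zone installed?" >&2
        return 1
    fi
    # The file carries the password hash: create it readable by root only.
    # nfs4_domain needs Solaris 10 6/06 or later; drop it on older releases.
    ( umask 077 && cat > "$etc/sysidcfg" <<EOF
system_locale=C
terminal=xterm
timezone=$tz
timeserver=$ts
network_interface=PRIMARY {hostname=$host}
root_password=$hash
security_policy=NONE
name_service=NONE
nfs4_domain=dynamic
EOF
    )
}

# Typical use from the Global zone, once "zoneadm -z my-zone install" is done
# (assumed zonepath; HASH holds the root password hash):
#   write_sysidcfg /export/zones/my-zone my-zone US/Eastern localhost "$HASH"
#   zoneadm -z my-zone boot && zlogin -C my-zone   # watch the silent sysid run
```

The IP address is deliberately absent: in a shared-IP zone it comes from the "add net" resource in zonecfg, and sysidcfg only supplies the hostname. If the file is missing a required keyword, sysidtool falls back to asking for it on the console, so check the first boot with "zlogin -C" rather than assuming it completed.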
2.11 : May I install a zone in a NFS-exported directory so that diskless clients may run them?
No. Not supported.
==============================================================================
Section 3 : Administration
• Patches that can only be applied from the global zone, and that apply to the global and all
non-global zones.
These patches set SUNW_PKG_ALLZONES=true in their pkginfo file. (See the pkginfo(4) man page for
more information.) They typically deliver binaries and files that affect the running OS. Although
they can only be applied in the global zone, they must take effect in all non-global zones as
well.
These packages set SUNW_PKG_ALLZONES=false. (See the pkginfo(4) man page for more information.)
Such patches can be applied in the global zone for the global zone, or in a non-global zone for
that (same) non-global zone. They are typically application patches, such as those for a web server.
These variables cannot change from their FCS (first customer shipment) values, so a patch cannot
set SUNW_PKG_ALLZONES=true if the installed version has it set to false. All these variables default
to “false” if not defined.
Thanks to Penny from Sun Micro for providing (most of) this answer.
NB: what happens if a non-global zone cannot be brought online for any reason during a patchadd
operation is not clearly documented.
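Because the parameter defaults to false when absent, it is worth checking a patch's packages before deciding where to run patchadd. The following sh script is an added example (not from the original FAQ): it reads SUNW_PKG_ALLZONES from each package's pkginfo file under a directory, applies the default described above, and refuses a set that contains an all-zones package if the intent is to patch from inside a non-global zone. The package names and pkginfo files it builds are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original FAQ): classify the packages of a
# patch or package directory by the pkginfo(4) parameter SUNW_PKG_ALLZONES,
# applying the documented default of "false" when the parameter is absent.
# Package names and pkginfo contents below are constructed samples.

# Print "true" or "false" for one pkginfo file ($1).
# Only the SUNW_PKG_ALLZONES line is consulted; anything else is ignored.
pkg_allzones() {
    awk -F= '$1 == "SUNW_PKG_ALLZONES" { v = $2 }
             END { gsub(/[[:space:]]/, "", v)
                   print (v == "true") ? "true" : "false" }' "$1"
}

# For every <dir>/<PKG>/pkginfo, print "<PKG> <true|false>".
pkg_scope_report() {
    for info in "$1"/*/pkginfo; do
        [ -f "$info" ] || continue
        pkg=$(basename "$(dirname "$info")")
        printf '%s %s\n' "$pkg" "$(pkg_allzones "$info")"
    done
}

# Return 0 if every package under <dir> may be applied inside a non-global
# zone (none is SUNW_PKG_ALLZONES=true); otherwise name the offenders on
# stderr and return 1, so a patch script can stop before running patchadd.
check_for_nonglobal_zone() {
    bad=$(pkg_scope_report "$1" | awk '$2 == "true" { print $1 }')
    if [ -n "$bad" ]; then
        printf 'must be applied from the global zone: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Build a constructed sample tree (three fake packages) and print its path.
make_sample() {
    dir=$(mktemp -d /tmp/pkgs.XXXXXX) || return 1
    mkdir "$dir/SUNWfoo" "$dir/SUNWbar" "$dir/SUNWbaz"
    printf 'PKG=SUNWfoo\nSUNW_PKG_ALLZONES=true\n'  > "$dir/SUNWfoo/pkginfo"
    printf 'PKG=SUNWbar\nSUNW_PKG_ALLZONES=false\n' > "$dir/SUNWbar/pkginfo"
    printf 'PKG=SUNWbaz\n' > "$dir/SUNWbaz/pkginfo"   # absent: defaults to false
    printf '%s\n' "$dir"
}
```

On a real system point pkg_scope_report at the unpacked patch directory (the per-package subdirectories each carry a pkginfo file); for an installed package the same parameter can be read with pkgparam, but the report above works on the patch before anything is installed.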
• From the Global zone
You have enterprise backup software like NetBackup or Legato Networker; even “ufsdump” requires
access to devices which might not be available from the non-global zone.
You want to be able to restore your entire zone, not only the data it contains; the main example is
disaster recovery.
• From the non-global zone
You just want to be able to restore the data used in a non-global zone.
You want/need to use the backup tool of the application running in the non-global zone.
==============================================================================
5.1 : Can I prevent one non-global zone from consuming all the CPU time?
Yes! The standard Resource Management features have been extended to zones. The Fair Share
Scheduler (FSS) is a scheduling class controlling the proportion of CPU time that a given entity may
use. The administrator of the Global zone is in charge of setting the new resource control
zone.cpu-shares to assign a number of shares to each non-global zone (the Global zone is assigned 1
share by default). The ratio of a non-global zone's shares to the total number of shares defines
the minimum percentage of CPU time that all the processes running in that non-global zone are
authorized to use. ‘Minimum’ is important because the Resource Management model of Solaris
specifies that any portion of CPU time not requested by a certain entity (the non-global zone in
this case) may be used by the other entities. So in short, the new model is an extension that
allows CPU shares to be assigned to non-global zones in addition to projects.
5.2 : Can I prevent one application in a non-global zone from using all the CPU time?
Yes! The Resource Management model being hierarchical, the first thing to do is to assign a number
of shares to each non-global zone (see 5.1). Within the non-global zone, the non-global zone
administrator may then create projects in the standard way to differentiate between workloads
running in the same non-global zone. Resource contention between these workloads can be resolved
by assigning FSS shares to the projects.
An example: if zone_1 holds 25% of all the shares, and project_1 is created in zone_1 with 40% of
the shares within zone_1, then project_1 is guaranteed a minimum of 10% of the CPU time (40% of
25%).
5.3 : Can I prevent a non-global zone from consuming all the memory?
Yes! And no… The resource capping feature of Solaris Resource Management allows one to set an
upper bound on the amount of RAM used by a certain project. By creating projects inside a
non-global zone and setting the rcap.max-rss project attribute, you can limit the amount of memory
used by all the processes belonging to that project.
So it is not a zone-aware feature, but it can be used within non-global zones through the use of
projects. Note as well that, unlike resource controls, resource capping limits are only enforced
asynchronously by the rcapd daemon and not synchronously by the kernel, so a project can exceed
its cap for a short while before rcapd pages it down.
5.4 : Can I run non-global zone processes on specific CPUs?
All the processes running in your non-global zone will then run on the CPUs you selected by creating
the processor set.
5.5 Can I bind several non-global zones to the same resource pool?
Yes! By binding more than one non-global zone to the same pool, you reintroduce contention
between the processes running in the various non-global zones. You can control this contention by
assigning FSS CPU shares to each non-global zone (see 5.1). Each zone is then guaranteed a certain
proportion of the time of the CPUs in the processor set bound to that pool.
5.6 Can I dynamically change the number of FSS shares assigned to non-global zones?
Yes! From the Global zone, as the Global zone administrator, use the prctl command (see 5.7).
5.7 Is there a way to dynamically or permanently assign shares to the global zone ?
Dynamically, yes: the prctl command can be used for that purpose.
Permanently, there is currently no way to do that. A workaround is to use a transient SMF service
that starts before the non-global zones are booted and sets the desired number of shares. The
value would be kept in the SMF repository, where it is safely stored and can be modified using
svccfg. Menno Lageman from Sun provided a service manifest and the corresponding start method in
the following link.
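The following sh script is an added example, not the FAQ's own commands nor Menno Lageman's service, covering the administrative side of 5.1, 5.2, 5.3, 5.6 and 5.7 in one place: enabling FSS, changing a zone's shares on the fly with prctl (the global zone included), making a non-global zone's shares persistent through its zonecfg resource control, capping a project's resident set with rcap, and computing the minimum CPU percentage the share arithmetic guarantees to each zone and to each project within a zone. Zone names, project names and the share and memory values are assumed; every privileged command goes through run(), which only prints the command when DRY_RUN is set.

```sh
#!/bin/sh
# Added example (not part of the original FAQ): zone.cpu-shares and rcap
# administration from the global zone. Zone names, project names and the
# share/memory values are assumed. run() prints a command instead of running
# it when DRY_RUN is set, so the script can be exercised on a non-Solaris host.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# FSS only arbitrates between entities in the FSS scheduling class: make it
# the default class (persistent, dispadmin) and move running processes now.
enable_fss() {
    run dispadmin -d FSS &&
    run priocntl -s -c FSS -i all
}

# 5.6 / 5.7: change a zone's shares on the fly ("global" is accepted as the
# zone name). The value lives only in the kernel and is lost at reboot.
set_shares_now() {
    zone=$1 shares=$2
    run prctl -n zone.cpu-shares -v "$shares" -r -i zone "$zone"
}

# 5.1: make the assignment survive reboots by storing the zone.cpu-shares
# resource control in the zone's zonecfg(1M) configuration. Assumes no
# zone.cpu-shares rctl is configured yet; there is no such entry for the
# global zone (see 5.7).
set_shares_persistent() {
    zone=$1 shares=$2
    file=$(mktemp /tmp/shares.XXXXXX) || return 1
    cat > "$file" <<EOF
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=$shares,action=none)
end
commit
exit
EOF
    run zonecfg -z "$zone" -f "$file"
    status=$?
    rm -f "$file"
    return $status
}

# 5.3: cap the resident set size of one project (run inside the zone that
# owns the project, or in the global zone for its own projects). rcapd must
# be enabled; the cap is enforced asynchronously by that daemon, not by the
# kernel.
set_project_rss_cap() {
    project=$1 cap=$2        # cap in projmod syntax, e.g. 512MB or 2GB
    run projmod -s -K "rcap.max-rss=$cap" "$project" &&
    run rcapadm -E
}

# 5.1 / 5.2: minimum CPU percentage each entity is guaranteed: its shares
# over the total, scaled by the parent's percentage ($1: 100 for zones,
# the zone's own percentage for the projects inside it).
# stdin: "<name> <shares>" per line; stdout: "<name> <shares> <min%>"
fss_report() {
    awk -v scale="${1:-100}" '
        { name[NR] = $1; sh[NR] = $2; total += $2 }
        END { if (total == 0) exit 1
              for (i = 1; i <= NR; i++)
                  printf "%s %d %.1f\n", name[i], sh[i], scale * sh[i] / total }'
}
```

Feeding "global 1", "zone_1 1" and "zone_2 2" to fss_report reproduces the 5.1 arithmetic (zone_2 is guaranteed 50%), and feeding "project_1 40" and "project_2 60" with a scale of 25 reproduces the 5.2 example (project_1 is guaranteed 10%). Remember the numbers are floors, not ceilings: idle share is handed to whoever asks for it.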
==============================================================================
• To implement a door server that clients use to request zone state changes. Doors are how
commands like zoneadm communicate with zoneadmd, which runs in the Global zone, one instance per
non-global zone.
• To interface with zoneadm(1M), zonecfg(1M) and zlogin(1M) to create, bring up and tear down the
non-global zone's virtual platform. This includes mounting the filesystems, creating the devices in
/dev, setting up the network interfaces, configuring the zone-aware resource management
parameters and creating the zsched process.
==============================================================================