2009 04.s10-admin-topics2

Solaris 10 Administration Topics Workshop
2 - Virtualization
By Peter Baer Galvin

For Usenix
Last Revision Apr 2009

Copyright 2009 Peter Baer Galvin - All Rights Reserved

Saturday, May 2, 2009

About the Speaker
Peter Baer Galvin - 781 273 4100
pbg@cptech.com
www.cptech.com
peter@galvin.info
My Blog: www.galvin.info
Bio
Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading
systems integrator and VAR, and was the Systems Manager for Brown University's
Computer Science Department. He has written articles for Byte and other magazines. He
was contributing editor of the Solaris Corner for SysAdmin Magazine , wrote Pete's
Wicked World, the security column for SunWorld magazine, and Pete’s Super Systems, the
systems administration column there. He is now Sun columnist for the Usenix ;login:
magazine. Peter is co-author of the Operating Systems Concepts and Applied Operating
Systems Concepts texbooks. As a consultant and trainer, Mr. Galvin has taught tutorials
in security and system administration and given talks at many conferences and
institutions.

Copyright 2008 Peter Baer Galvin - All Rights Reserved 2


Objectives
Cover a wide variety of topics in Solaris 10

Useful for experienced system administrators

Save time

Avoid (my) mistakes

Learn about new stuff

Answer your questions about old stuff

Won't read the man pages to you

Workshop for hands-on experience and to reinforce concepts

Note – Security covered in separate tutorial



More Objectives
What makes novice vs. advanced administrator?
Bytes as well as bits, tactics and strategy
Knows how to avoid trouble
How to get out of it once in it
How to not make it worse
Has reasoned philosophy
Has methodology



Prerequisites

Recommend at least a couple of years of
Solaris experience
Or at least a few years of other Unix
experience
Best is a few years of admin experience,
mostly on Solaris



About the Tutorial

Every SysAdmin has a different knowledge set
A lot to cover, but notes should make good
reference
So some covered quickly, some in detail
Setting base of knowledge

Please ask questions
But let’s take off-topic off-line

Solaris BOF


Fair Warning
Sites vary
Circumstances vary
Admin knowledge varies
My goals
Provide information useful for each of you at
your sites
Provide opportunity for you to learn from
each other



Why Listen to Me
20 Years of Sun experience
Seen much as a consultant
Hopefully, you've used:
My Usenix ;login: column
The Solaris Corner @ www.samag.com
The Solaris Security FAQ
SunWorld “Pete's Wicked World”
SunWorld “Pete's Super Systems”
Unix Secure Programming FAQ (out of date)
Operating System Concepts (The Dino Book), now 8th ed
Applied Operating System Concepts



Slide Ownership

As indicated per slide, some slides
copyright Sun Microsystems
Thanks to Jeff Victor for input
Feel free to share all the slides - as long as
you don’t charge for them or teach from
them for fee



Overview
Lay of the Land

Copyright 2009 Peter Baer Galvin - All Rights Reserved


Schedule
Times and Breaks



Coverage

Solaris 10+, with some Solaris 9 where
needed
Selected topics that are new, different,
confusing, underused, overused, etc



Outline

Overview
Objectives
Virtualization choices in Solaris
Zones / Containers
LDOMS and Domains
Virtualbox
Xvm (aka Xen)



Polling Time
Solaris releases in use?
Plans to upgrade?
Other OSes in use?
Use of Solaris rising or falling?
SPARC and x86
OpenSolaris?



Your Objectives?



Your Lab Environment

Apple Macbook Pro
3GB memory
Mac OS X 10.4.10
VMware Fusion 1.0
Solaris Nevada
50 Containers



Lab Preparation
Have device capable of telnet on the
USENIX network
Or have a buddy
Learn your “magic number”
Telnet to 131.106.62.100+”magic number”
User “root, password “lisa”
It’s all very secure



Lab Preparation

Or...
Use virtualbox
Use your own system
Use a remote machine you have legit
access to



Choosing Virtualization Technologies

(See separate “virtualization comparison”
document)



!"#$%&'()*"+,(-+*(.#&!/01*)"2
/012(301$%$%4-, 5%1$"0#(!067%-',)*(5%1$"0#%80$%4-
9',4"16'(!0-0.':'-$

!"#$%&#'()*+,(
*%-.#'()*

O1'-2($4(B#'D%P%#%$< O1'-2($4(%,4#0$%4-

C4.%60#(;4:0%-, *4#01%,(=4-$0%-'1, *4#01%,(9',4"16'
;<-0:%6(*<,$': !0-0.'1(>*9!A
;4:0%-, *"-(D5! >?4-',(@(*9!A
L'- =4-$0%-'1,(B41(C%-"D G(H-(*4#01%,(IJK
5!M01' *4#01%,(E(=4-$0%-'1,
/<&'1N5 *4#01%,(F(=4-$0%-'1,

!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


!"#$%&'&()*+,""-*+.&-/
! !"#$%&'()"*+$&*,%'-
" 9-:"'-*$;-(#-<$&#*,1#'-*=$.-.)(+$>)),0(&#,=$
?)(;<)1:@:(&A-#$3/B$",&<&C1,&)#=$D!$.1#14-.-#,$
')*,*=$>&#-@4(1&#-:$*-'"(&,+
" !&#4<-@;-(#-<=$5-,-()4-#-)"*$100<&'1,&)#$
-#A&()#.-#,*
! ./*$0&1(!/'+,0'(."0$&*'-
" %1E&.&C-*$51(:?1(-$&*)<1,&)#
! 2"3&1$#(."0$&*'4(5&%+6$#(7$18&*,'-
" %"<,&0<-$;-(#-<*=$>"<<$D!$-#A&()#.-#,*=$
5-,-()4-#-)"*
! F-'5#)<)4&-*$1(-$').0<-.-#,1(+
!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


!"#$%&#'()*+(),()*-.)/"#$.0#/.12
!"#$%&'()"*+$&*,%'($*-(.&%+/$#(0$12&*,'

812/#.2()*: 812/#.2()*7 812/#.2()*;

812/#.2()*< 812/#.2()*=

!13#.2*4*&!13*4*5"(6/ !137
8139"/()

!678)()09 345
!678)
:;"<' !/*(3.0
;=*$<&1(;"<$&*'
!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


Zones, Containers, and
LDOMS



Overview

Cover details and use of Zones/Containers
and LDOMS
Note that Xen (x64 only) and Virtualbox
(open source x64 only) are coming
No slides yet



Zones Overview
Think of them of chroot on steroids
Virtualized operating system services
Isolated and “secure” environment for running apps
Apps and users (and superusers) in zone cannot see /
effect other zones
Delegated admin control

Virtualized device paths, network interfaces, network
ports, process space, resource use (via resource manager)
Application fault isolation
Detach and attach containers between systems
Cloning of a zone to create identical new zone


Zones Overview - 2
Low physical resource use
Up to 8192 zones per system!

Differentiated file system
Multiple versions of an app installed and running on a given system

Inter-zone communication is only via network (but short-pathed
through the kernel

No application changes needed – no API or ABI

Can restrict disk use of a zone via the loopback file driver (lofi) using
a file as a file system

Can dedicate an Ethernet port to a zone

Allowing snooping, firewalling, managing that port by the zone



Other Virtualization Options
Many virtualization options to consider

Containers is just one of them

Xen (xVM) - being integrated into Solaris Nevada

Run other OSes (linux, win) with S10+ has the host

Industry semi-standard

Para-virtualization, x86 only

LDOMs - hard partitions, shipped in May 2007

Run multiple copies of Solaris on the same coolthreads chip
(Niagara, Rock in the future)

Some resource management - move CPUs and mem

VMWare - solaris as a guest, not a host so far, x86 only

Traditional Sun Domains - SPARC only, Enterprise servers only



!"#$%&'()"*+'
!"#$%"(8%!"(-*9:;0<&%%/=<&3,'9:<:>(9:?@AB@C@:C1
!"#$%"(8%!"(&%%#D(E( &'$(8%!" %++,*'-.'-(8%!" (%)%$%*'(8%!"
8%!"(&%%#D(E8%!"E/G2V6
8%!"(&%%#D(E8%!"E$"F 8%!"(&%%#D(E8%!"E355

2G2#"/(2"&*+,"2 $"F(2"&*+,"(5&%H",# H"2(5&%H",# /G2V6(5&%H",#

R!*+&%!/"!#
T556+,3#+%!
-53#&%61 -T53,."(9@=@::1 -H:2"1 -/G2V6)1

3N)+#(2"&*+,"2 ,&G5#%(5&%H",# 355(N2"&2(5&%H )F3(N2"&2(5&%H
-3N)+#)1 -2261 -2.M(F32.M(5&2#3#1 -2.M(F32.M(5&2#3#1

2",N&+#G(2"&*+,"2 5&%7G(5&%H",# 2G2#"/(5&%H",# 2G2#"/(5&%H",#
-6%4+!M(QIK1 -5&%7G1 -+!"#)M(22.)1 -+!"#)M(22.)1
,%!2%6"

./"0D:

./"0D=
./"0D9

L63#S%&/
8,%!2

8,%!2

8,%!2
./"0

,"0D:

,"0D=
,"0D9

U+&#N36
EN2&
EN2&

EN2&

EN2&
,"9
,"0

8%!"3)/) 8%!"3)/) 8%!"3)/)

8%!"(/3!34"/"!# ,%&"(2"&*+,"2 &"/%#"(3)/+!E/%!+#%&+!4 563#S%&/(3)/+!+2#&3#+%!
-8%!",S4M(8%!"3)/M(86%4+!1 -+!"#)M(&5,F+!)M(22.)M(@@@1 -IJKLM(IN!KOM(PQRK1 -2G2"*"!#)M()"*S23)/M(+S,%!S+4M@@@1

2#%&34"(,%/56"7
!"#$%&'()"*+," !"#$%&'()"*+," !"#$%&'()"*+,"
-./"01 -,"01 -,"91

!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778



(From the Solaris 10 Sun Net Talk about Solaris 10 Security)


Zone Limits
Only one OS installed on a system

One set of OS patches

Only one /etc/system
Although Sun working to move as many settings as possible out of /etc/
system

System crash / OS crash -> all zones crash

Each (sparse) zone uses
~ 100MB of disk

some VM and physical memory (for processes and daemons running in the zone)
- ~40MB of physical memory



Sparse vs. Whole Root Zone
Sparse Whole-Root

Loop-back mount of system directories Full install of all system files
(/usr, etc)
Lots of disk space
Little disk space use

Each binary independent -> memory use
Each zone shares global-zone system-
binaries -> shared memory
Apps may not be supported (but more
likely)
Apps may not be supported

Cannot change system files
Can change system files

Inter-zone communication only via Inter-zone communication only via
network network


!"#$%&'($%)*+,$-+

!"#$%"&'##(&)

111&&&&1111&&&& )*#+,- ).-' )/,0&&&111&&&1111&&1111
1111

3#+,&'##(4&)*#+,-)*#+,7 . / 0 !"#$%"&02,5
3#+,&'##(4&) 3#+,&02,5

)$2+ ).-' )/,0 ,(6111
9)#-:

!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778



!"#$%&'($%)*+,$-+.%)/01+$23"",

!"#$%"&'##(&)

444&&&&4444&&&& )8#-/+ )*+' )./0&&&444&&&4444&&4444
4444

1#-/&'##(7&)8#-/+)8#-/9 4 5 6 !"#$%"&0,/2
1#-/&'##(7&) 1#-/&0,/2

56
)$,- )*+' )./0 /(3444
9)#-$:

!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


Global Zone
Aka the usual system
Global Is assigned ID 0 by the system
Provides the single instance of the Solaris kernel
that is bootable and running on the system
Contains a complete installation of the Solaris
system software packages
Can contain additional software packages or
additional software, directories, ﬁles, and other
data not installed through packages



Global Zone - 2
Provides a complete and consistent product
database that contains information about all
software components installed in the global
zone
Holds configuration information specific to the
global zone only, such as the global zone host
name and file system table
Is the only zone that is aware of all devices and
all file systems



Global Zone - 3
Is the only zone with knowledge of non-global
zone existence and configuration
Is the only zone from which a non-global zone
can be configured, installed, managed, or
uninstalled
Can see the file systems of the non-global
zones (i.e. can copy files into the non-global
zone roots for the non-global zones to see



Non-global Zones
Non-Global Is assigned a zone ID by the system when the
zone is booted
Shares operation under the Solaris kernel booted from the
global zone
Contains an installed subset of the complete Solaris
Operating System software packages
Contains Solaris software packages shared from the global
zone (“sparse zone”)
Can contain additional installed software packages not
shared from the global zone



Non-global Zones -2
Can contain additional software, directories, files, and other data
created on the non-global zone that are not installed through
packages or shared from the global zone
Has a complete and consistent product database that contains
information about all software components installed on the zone,
whether present on the non-global zone or shared read-only
from the global zone Is not aware of the existence of any other
zones
Cannot install, manage, or uninstall other zones, including itself
Has configuration information specific to that non-global zone
only, such as the non-global zone host name and file system table



“Sparse” and “Whole Root” Zones
By default /lib, /platform, /sbin, /usr are LOFS read-only mounted
from global zone into child zone
Ergo those can’t be modiﬁed by child zone
Packages installed in child zone only install non (/lib, /platform, /sbin, /usr)
components into the child zone’s ﬁle systems
Saves disk space
Saves memory

Whole root zone removes those mounts
Packages install entirely
Ergo child zone can modify its /lib, /platform, /sbin, /usr

Some apps not supported in zones, some only in whole root, some in
sparse root
Per app check with app vendor!
Note that ZFS clone use for zone builds may mean that sparse root is no
longer useful!



Non-global Zone States
Configured - The zone’s configuration is complete and committed to
stable storage, not initially booted
Incomplete - During an install or uninstall operation
Installed - The zone’s configuration is instantiated on the system but
no virtual platform. Files copied into zoneroot.
Ready - The virtual platform for the zone is established. The kernel
creates the zsched process, network interfaces are plumbed, file
systems are mounted, and devices are configured. A unique zone ID
is assigned by the system, no processes associated with the zone
have been started.
Running - User processes associated with the zone application
environment are running.
Shutting down and Down - These states are transitional states that
are visible while the zone is being halted. However, a zone that is
unable to shut down for any reason will stop in one of these states.


(From System Administration Guide: N1Grid Containers, Resource Management, and Solaris Zones)


Zone boot

Note that zoneadm allows “boot” “reboot”
“halt” and “shutdown”. Only “shutdown”
and “boot” execute the smf commands
Also note that there are many options to
these commands (such as zoneadm boot
-- - m verbose)



Zone Configuration
Data from the following are not referenced or copied when a zone is
installed:
Non-installed packages
Patches
Data on CDs and DVDs
Network installation images
Any prototype or other instance of a zone
In addition, the following types of information, if present in the global zone,
are not copied into a zone that is being installed:
New or changed users in the /etc/passwd file
New or changed groups in the /etc/group file
Configurations for networking services such as DHCP address assignment,
UUCP, or sendmail
Configurations for network services such as naming services
New or changed crontab, printer, and mail files
System log, message, and accounting files


Zone Conﬁguration
zlogin –C logs in to a just-boot virgin zone
Only root can zlogin – normal zone access is via network

The usual sysidconfig questions are asked
(hostname, name service, timezone, kerberos)
The zone root directory must exist prior to zone
installation
Zone reboots to put conﬁguration changes into effect (a
few seconds)
Messages look like a system reboot (within your window)



sysidcfg
Create to shorten ﬁrst boot questions
File gets copied into <zonehome>/root/etc
Sample contents:
name_service=DNS
{domain_name=petergalvin.info
name_server=63.240.76.19
search=arp.com}
network_interface=PRIMARY
{hostname=zone00.petergalvin.info}
timezone=US/Eastern
terminal=vt100
system_locale=C
timeserver=localhost
root_password=aMG0YPkgZQPqo <obviously change this>
security_policy=NONE
nfsv4_domain=dynamic


Zone Conﬁguration - 2
# zonecfg -z app1
app1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:app1> create
zonecfg:app1> set zonepath=/opt/zone/app1
zonecfg:app1> set autoboot=false
zonecfg:app1> add net
zonecfg:app1:net> set physical=pnc0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> add fs
zonecfg:app1:fs> set dir=/export/home
zonecfg:app1:fs> set special=/export/home
zonecfg:app1:fs> set type=lofs
zonecfg:app1:fs> end
zonecfg:app1> add inherit-pkg-dir
zonecfg:app1:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:app1:inherit-pkg-dir> end
zonecfg:app1> verify
zonecfg:app1> commit
zonecfg:app1> exit



# df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0d0s0 5678823 2689099 2932936 48% /
/devices 0 0 0 0% /devices
/dev/dsk/c0d0p0:boot 10296 1401 8895 14% /boot
proc 0 0 0 0% /proc
mnttab 0 0 0 0% /etc/mnttab
fd 0 0 0 0% /dev/fd
swap 600780 28 600752 1% /var/run
swap 600776 24 600752 1% /tmp
/dev/dsk/c0d0s7 4030684 32853 3957525 1% /export/home
# zoneadm -z app1 verify
WARNING: /opt/zone/app1 does not exist, so it cannot be verified.
When 'zoneadm install' is run, 'install' will try to create
/opt/zone/app1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /opt/zone/app1 is group- or other-writable
or
/opt/zone/app1 overlaps with any other installed zones.
could not verify net address=192.168.118.140 physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify



# ls -l /opt/zone
total 2
drwx------ 4 root other 512 Aug 21 12:44 test
# mkdir /opt/zone/app1
# chmod 700 /opt/zone/app1
# ls -l /opt/zone
total 4
drwx------ 2 root other 512 Sep 16 15:14 app1
drwx------ 4 root other 512 Aug 21 12:44 test
# zonadm -z app1 verify
could not verify net address=192.168.118.140
physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify
# zonecfg -z app1
zonecfg:app1> info
zonepath: /opt/zone/app1
autoboot: false


net:
address: 192.168.118.140
physical: pnc0
zonecfg:app1> remove physical=pnc0
zonecfg:app1> add net
zonecfg:app1:net> set physical=pcn0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> exit
# zoneadm -z app1 verify
# zoneadm -z app1 install
Preparing to install zone <app1>.
Creating list of files to copy from the global zone.
Copying <2199> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <779> packages on the zone.
Initializing package <0> of <779>: percent complete: 0%
. . .


Zone Conﬁguration -6
Zone <app1> is initialized.
The file </opt/zone/app1/root/var/sadm/system/logs/install_log> contains a
log of the zone installation.

# zoneadm list -v
ID NAME STATUS PATH
0 global running /
1 test running /opt/zone/test

# df -k
/dev/dsk/c0d0s0 5678823 2766177 2855858 50% /
/devices 0 0 0 0% /devices
/dev/dsk/c0d0p0:boot 10296 1401 8895 14% /boot
proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
swap 594332 32 594300 1% /var/run
swap 594500 200 594300 1% /tmp
/dev/dsk/c0d0s7 4030684 32853 3957525 1% /export/home


# zoneadm -z app1 boot
zoneadm: zone 'app1': WARNING: pcn0:2: no matching subnet found in netmasks(4) for 192.168.118.131; using default of
192.168.118.131.
# zoneadm list -v
ID NAME STATUS PATH
0 global running /
2 app1 running /opt/zone/app1
# telnet 192.168.118.140
Trying 192.168.118.140...
telnet: Unable to connect to remote host: Connection refused

# zlogin -C app1
[Connected to zone 'app1' console]

Select a Locale

0. English (C - 7-bit ASCII)
1. U.S.A. (UTF-8)
2. Go Back to Previous Screen

Please make a choice (0 - 2), or press h or ? for help: 0

. . .



rebooting system due to change(s) in /etc/default/init

[NOTICE: Zone rebooting]

SunOS Release 5.10 Version s10_63 32-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: zone-app1
The system is coming up. Please wait.
starting rpc services: rpcbind done.
syslog service starting.
Sep 16 15:48:24 zone-app1 sendmail[7567]: My unqualified host
name (zone-app1) unknown; sleeping for retry
Sep 16 15:49:24 zone-app1 sendmail[7567]: unable to qualify my
own domain name (zone-app1) -- using short name
WARNING: local host name (zone-app1) is not qualified; see cf/
README: WHO AM I?
/etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total


Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
The system is ready.
zone-app1 console login: root
Password:
Sep 16 15:51:08 zone-app1 login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 s10_63 May 2004
# cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
. . .
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access
User:/:



# useradd -u 101 -g 14 -d /export/home/pbg -s /bin/bash
pbg
# passwd pbg
New Password:
Re-enter new Password:
passwd: password successfully changed for pbg
# zoneadm list -v
ID NAME STATUS PATH
3 app1 running /
# exit
zone-app1 console login: ~.
[Connection to zone 'app1' console closed]



# zoneadm list -v
ID NAME STATUS PATH
0 global running /
3 app1 running /opt/zone/app1
# uptime
3:53pm up 5:14, 1 user, load average: 0.23, 0.34, 0.43
# telnet 192.168.118.140
Trying 192.168.118.140…
Connected to 192.168.118.140.
Escape character is ‘^]’.
Login: pbg
Password:



Zones and ZFS
Installing a zone with its root on ZFS is not supported as
the system then lacks the ability to be upgraded.
Note that “add fs” can be used to add access to a ZFS file
system to a zone
Beyond that, “add dataset” delegates a ZFS file system to
a zone, removes it from the global zone
The zone can manage the file system, except where management
would effect other file systems / parent file system
Filesystem contents can still be seen from global zone via zonepath
+mountpoint (i.e. /zones/zone00/zfs/zonefs/zone00)
# zfs create zfs/zonefs/zone00
# zonecfg -z zone00
zonecfg:zone00> add dataset
zonecfg:zone00:dataset> set name=zfs/zonefs/zone00
zonecfg:zone00:dataset> end


Zone Script
create -b
set zonepath=/opt/zones/zone0
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end



Zone Script
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt/sfw
end
add net
set address=192.168.128.200
set physical=pcn0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=1,action=none)
end



Life in a Zone
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
zone test
lo0:2: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
zone app1
pcn0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
inet 192.168.80.128 netmask ffffff00 broadcast 192.168.80.255
ether 0:c:29:44:a9:df
pcn0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone test
pcn0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
zone app1



Life in a Zone - 2
$ telnet 192.168.80.140
. . .
$ df -k
/ 9515147 1894908 7525088 21% /
/dev 9515147 1894908 7525088 21% /dev
/export/home 10076926 10369 9965788 1% /export/home
/lib 9515147 1894908 7525088 21% /lib
/platform 9515147 1894908 7525088 21% /platform
/sbin 9515147 1894908 7525088 21% /sbin
/usr 9515147 1894908 7525088 21% /usr
proc 0 0 0 0% /proc
fd 0 0 0 0% /dev/fd
swap 1043072 16 1043056 1% /var/run
swap 1043056 0 1043056 0% /tmp
$ touch /usr/foo
touch: /usr/foo cannot create

Note that virtual memory (and therefore swap) are global
resources


Life in a Zone - 3
$ ps -ef
UID PID PPID C STIME TTY TIME CMD
root 11120 11120 0 11:00:35 ? 0:00 zsched
pbg 11377 11347 0 11:01:28 pts/8 0:00 ps -ef
root 11229 11120 0 11:00:40 ? 0:00 /usr/sbin/cron
root 11341 11120 0 11:00:46 ? 0:00 /usr/sfw/sbin/snmpd
root 11266 11120 0 11:00:41 ? 0:00 /usr/lib/im/htt -port 9010 -s
yslog -message_locale C
root 11339 11336 0 11:00:46 ? 0:00 /usr/lib/saf/ttymon
root 11250 11120 0 11:00:41 ? 0:00 /usr/lib/utmpd
root 11264 11261 0 11:00:41 ? 0:00 /usr/sadm/lib/smc/bin/smcboot
root 11227 11120 0 11:00:40 ? 0:00 /usr/sbin/nscd
root 11218 11120 0 11:00:40 ? 0:00 /usr/lib/autofs/automountd
root 11325 11120 0 11:00:45 ? 0:00 /usr/lib/dmi/snmpXdmid -s zon
e-app1
root 11239 11120 0 11:00:40 ? 0:00 /usr/lib/sendmail -bd -q15m
root 11230 11120 0 11:00:40 ? 0:00 /usr/sbin/inetd -s
root 11273 11266 0 11:00:42 ? 0:00 htt_server -port 9010 -syslog
-message_locale C
root 11129 11120 0 11:00:36 ? 0:00 init



Life in a Zone - 4
# mount -p
/ - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic
/dev - /dev lofs - no zonedevfs
/export/home - /export/home lofs - no
/lib - /lib lofs - no ro,nodevices,nosub
/platform - /platform lofs - no ro,nodevices,nosub
/sbin - /sbin lofs - no ro,nodevices,nosub
/usr - /usr lofs - no ro,nodevices,nosub
proc - /proc proc - no nodevices,zone=app1
mnttab - /etc/mnttab mntfs - no nodevices,zone=app1
fd - /dev/fd fd - no rw,nodevices,zone=app1
swap - /var/run tmpfs - no nodevices,xattr,zone=app1
swap - /tmp tmpfs - no nodevices,xattr,zone=app1
# hostname
zone-app1
# zonename
app1



Zone Clone
As of S10 8/07, zones are “cloneable”
Much faster than installing a zone

As of 10/08 zones on ZFS -> ZFS clone - instantaneous

Usable only if the zones of similar configs

Configure a zone i.e. zone00

Install the zone

Configure a new zone i.e. zone01

Then rather than zoneadm install, with zone00 halted, do
# zoneadm –z zone01 clone –m copy zone00



Zone Clone (cont)
A cloned zone is unconfigured and must be
configured
When ZFS used as clone file system
# zoneadm -z <newzone> clone <oldzone>
Can clone a zone’s previously-taken
snapshot via
# zoneadm -z <newzone> clone -s
<snapshot name> <oldzone>



Zone Clone (cont)
So to clone zone1 to make zone2
# zonecfg -z zone1 export -f configfile
Edit conﬁgﬁle to change zonepath and address (at
least)
Create zone2 via zonecfg -z zone2 -f
configfile
Halt zone1 via zoneadm -z zone1 halt
Clone zone1 via zoneadm -z zone2 clone zone1
Use “-m copy” if zone1 on UFS
Boot up both zones
Check status via zoneadm list -iv


Zone Migration
Zones can be moved between like systems
Available S10 8/07
Separate the zone from its current system
# zoneadm –z <zone> detach
Note zone must be halted first
Attach a detached zone to a different system (assuming its
file system is now visible there, send a tarball, etc)
# zoneadm –z <zone> attach [-F]
Note zone must be configured before this can work
Note new system is validated to assure the zone can function there
To create a config for a zone that is detached rather than
having to zonecfg it from scratch
# zonecfg –z <zone> create -a zonepath


Zone Migration (cont)
Can dry-run an attach / detach via the “-n” option to
see if the attach will work
Can upgrade the attaching zone on the attaching
system via “-u” but only if all packages on the
attaching system are as new or newer than the
detaching system
Can force an attach if a detach could not be done
(dead system for example)
Best to save your zone cfg ﬁles for use on the
attach system (or you have to recreate them)


Other Cool Zone Stuff

ps –Z shows zone in which each process is running
Can use resource manager with zones
Zones can use global naming services
Use features to enable or disable accounts per zone
Interzone networking executed via loopback for
performance



Labs
Create a “simple” zone
Install it
Boot it
Conﬁgure it
Look around in it - ﬁle systems, processes,
resource use, users, etc
Halt it



Zones and DTrace

Zones can get some DTrace privileges (starting 11/06)
# zonecfg -z my-zone
zonecfg:my-zone> set
limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:my-zone> exit

DTrace can use zonenames are predicates to ﬁlter
results
# dtrace -n 'syscall:::/zonename==”zone1”/
{@[probefunc]=count()}'



Fair-share Scheduling
Solaris has many scheduler classes available

A thread has priority 0-169, user threads are 0-59

The higher the priority, the sooner scheduled on CPU

Scheduler class decides how the priority is modiﬁed over time

Default user-land is Time-sharing

Time-sharing dynamically changes the priority of each thread
based on its activity

If a thread used it time quantum, its priority decreases

(The quantum is the scheduling interval)

Kernel uses “sys” class

Have a look via ps -elfc



!"#$%&'"$(%&)'(*+,($
Fair-share Scheduling
!"#$%&'"$(%&)'(*+,($
!"#$%&'"$(%&)'(*+,($
2
22 1 Bac up
k
AppSer er
v
3 1 Bac up
k
Bac up abas
k Dat e
3 1 AppSer er
Dat e
v
abas Web
AppSer er
v
3 Web Dat e
abas
Web

Database gets
4 / 4+3+2+1= 40% of all CPU
! !! 5
4 ! $ $!%
4 $!% $
time available to container
!""#"!"$# "%
!""#"!"$# ! "%
!
4
!"#$%&'())*+#,%-',*'.*/,#0/%$&
$ $!%5
!""#"!"$# "%
!"#$%&'())*+#,%-',*'.*/,#0/%$&
!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778

!"#$%&'())*+#,%-',*'.*/,#0/%$&
!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


Zones and Fair Share Scheduling
FSS allows all CPU to be used if needed, but overuse to
be limited based on “shares” given to CPU users
Shares give to projects et al, and/or to containers
Load the fair share schedule as the default schedule
class
dispadmin –d FSS
Move all processes into the FSS class
priocntl -s -c FSS -i class TS
Give the global zone some (2) shares
Note this is not persistent across reboots!
prctl -n zone.cpu-shares -v 2 -r -i zone
global



Zones and Fair-share scheduling (2)

Check the shares of the global zone
prctl -n zone.cpu-shares -i zone global
Add a zone-wide resource control (1 share) to a zone
(within zonecfg) (before S10U5)
zonecfg:my-zone> add rctl
zonecfg:my-zone:rctl> set name=zone.cpu-
shares
zonecfg:my-zone:rctl> add value
(priv=privileged,limit=1,action=none)
zonecfg:my-zone:rctl> end
How many total shares are given out on a given
machine?



FX Scheduler
Time-share is heavy weight scheduler
Has to calculate for every thread that ran
in the last quantum, every quantum
Plus decreases priority on CPU hogs
Instead consider “FX” - ﬁxed scheduler class
All priorities stay the same
Light weight schedule can gain back a few
percent of CPU


!"#$%&'()*+,-.'*(/,,0+
! 9-*&4#-:$,)$4()"0$'5)*-#$(-*)"('-*$*"'5$1*$3/;*<$
.-.)(+<$=>?$')##-',&)#*
! @$0))A$'1#$B-$1**)'&1,-:$C&,5$3/;*$1#:$1$*'5-:"A-(
! 3/;*$'1#$B-$1**&4#-:D
" :+#1.&'1AA+<$B+$')#E&4"(&#4$1$.&#&.".$1#:$.1F&.".$
#".B-($)E$3/;*$,51,$1$G)#-$)($0))A$*5)"A:$"*-
" B+$!)A1(&*$C5-#$&,$:-'&:-*$,)$,(1#*E-($3/;*$1.)#4$
-F&*,&#4$0))A*$C&,5$H,5(-*5)A:H$1#:$H&.0)(,1#'-H$
01(1.-,-(*
" *,1,&'1AA+<$B+$H0&##&#4H$1$3/;$,)$1$0))A$2$"*-E"A$,)$
-#*"(-$,51,$1$0()'-**$*,1+*$)#$1$3/;$1#:$:)-*#H,$
*51(-$,5-$3/;H*$'1'5-
" @$3/;$&*$.)I-:$B-,C--#$0))A*$C5-#$1#$H&.0)(,1#,H$
C)(JA)1:$*"(01**-*$&,*$",&A&G1,&)#$,5(-*5)A:$E)($1$
*"EE&'&-#,$0-(&):$)E$,&.-
!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


!"#$%&'()*+,-.'*(/,,0+
! 95-(-$&*$)#-$0)):$')#;&4"(1,&)#$0-($!):1(&*$&#*,1#'-
! <+$=-;1":,>$)#-$0)):$-?&*,*>$@0)):A=-;1":,B
! 95-*-$'1#$C-$C)"#=$,)$1$0)):D
" /()'-**>$,1*E>$0()F-',>$3)#,1&#-(
! G$3)#,1&#-($'1#$C-$*,1,&'1::+$1**&4#-=$,)$1#$
-?&*,&#4$H*51(-=I$0)):$J5-#$,5-$3)#,1&#-($C)),*
" %":,&0:-$3)#,1&#-(*$'1#$*51(-$,51,$0)):
" !"'5$1$3)#,1&#-($)#:+$"*-*$(-*)"('-*$J5-#$&,$&*$
("##&#4
! G$3)#,1&#-($'1#$C-$1**&4#-=$,)$1$,-.0)(1(+$0)):
" /)):$)#:+$-?&*,*$J5&:-$3)#,1&#-($("#*
" 951,$0)):$'1##),$C-$*51(-=$J&,5$),5-($3)#,1&#-(*

!"#$%&'()*+*,-.*$/()0(&-,1(+$2$3)0+(&45,$6778


DRPs
You can make “DRP”s non-dynamic by not including
a variation in the range (i.e. 2 to 2 rather than 1 to 2)
Probably preferred rather than real dynamic
With pools, interrupts and I/O only occur in the
default pool
This can help pin a process to a set of CPUS
Cache stays hot, less context switching
So consider a DRP conﬁg with the kernel in the
default pool and all apps in another pool



Zones and Dynamic Resource Pools
Assign zones to dedicated CPU resources
Used to assign zone to processor set
Can be dynamically created, deleted, modiﬁed

Can be used with FSS
Can be used to reduce Oracle (and other?) costs!
Consider two DRPs, one with an email container
and one with 2 X web server containers (and
global) (from http://www.sun.com/software/solaris/
howtoguides/containersLowRes.jsp):



Zones and DRPs (cont)



Create a pool (from global zone) via
# # enable DRPs
# pooladm –e
# # save current config
# pooladm –s
# # show current state, at start only pool_default exists
global# pooladm
system my_system
string system.comment
int system.version 1
boolean system.bind-default true
int system.poold.pid 638
pool pool_default
int pool.sys_id 0
boolean pool.active true
boolean pool.default true
int pool.importance 1
string pool.comment
pset pset_default



pset pset_default
int pset.sys_id -1
boolean pset.default true
uint pset.min 1
uint pset.max 65536
string pset.units population
uint pset.load 7
uint pset.size 8
string pset.comment
cpu
int cpu.sys_id 1
string cpu.comment
string cpu.status on-line
cpu
int cpu.sys_id 0
string cpu.comment
cpu
int cpu.sys_id 3
string cpu.comment
cpu
int cpu.sys_id 2
string cpu.comment



Create a new one-CPU processor set called email-pset
# poolcfg -c 'create pset email-pset (uint
pset.min=1; uint pset.max=1)'

Create a resource pool for the processor set
# poolcfg -c 'create pool email-pool'

Link the pool to the processor set
# poolcfg -c 'associate pool email-pool (pset
email-pset)'

Set an objective (if including a range of processors (i.e. min <> max)
# poolcfg -c 'modify pset email-pool (string
pset.poold.objectives="wt-load")'
Activate the conﬁguration
# pooladm -c



Check the conﬁg
# pooladm
system my_system
string system.comment
int system.version 1
boolean system.bind-default true
int system.poold.pid 638
pool email-pool
int pool.sys_id 1
boolean pool.default false
string pool.comment
pset email
pool pool_default
int pool.sys_id 0
boolean pool.default true
string pool.comment
pset pset_default
pset email-pset
int pset.sys_id 1
boolean pset.default false
uint pset.min 1
uint pset.max 1
uint pset.load 0
uint pset.size 1
string pset.comment
cpu
int cpu.sys_id 0
string cpu.comment



Check the conﬁg

pset pset_default
int pset.sys_id -1
boolean pset.default true
uint pset.min 1
uint pset.max 65536
uint pset.load 7
uint pset.size 7
string pset.comment
cpu
int cpu.sys_id 1
string cpu.comment
cpu
int cpu.sys_id 3
string cpu.comment
cpu
int cpu.sys_id 2
string cpu.comment


DRPs
Note that you can give ranges of CPUs to
be used in DRPs
If you do be sure to set an “objective” else
nothing will be dynamic
Note that some software licenses allow
licensing of the app for only those CPUs in
the DRP that the zone is attached to (i.e.
only pay for your DRP CPUs, not all
CPUs)(!)


Now enable FSS, make it default for pool_default

# poolcfg -c 'modify pool pool_default (string pool.scheduler="FSS")'

Create an instance of the conﬁguration

# pooladm -c

Move all the processes in the default pool and its associated zones under the FSS.

# priocntl -s -c FSS -i class TS

# priocntl -s -c FSS -i pid 1

Now have the zones use the DRPs
# zonecfg –z email-zone
zonecfg:email-zone> set pool=email-pool
# zonecfg –z Web1-zone
zonecfg: Web1-zone> set pool=pool_default
zonecfg:Web1-zone> add rctl
zonecfg:Web1-zone:rctl> set name=zone.cpu-shares
zonecfg:Web1-zone:rctl> add value (priv=privileged,limit=3,action=none)
zonecfg:Web1-zone:rctl> end
# zonecfg -z Web2-zone
zonecfg:Web2-zone> set pool=pool_default
zonecfg:Web2-zone> add rctl
zonecfg:Web2-zone:rctl> set name=zone.cpu-shares
zonecfg:Web2-zone:rctl> add value (priv=privileged,limit=2,action=none)
zonecfg:Web2-zone:rtcl> end



Zones, Resources, and S10 8/07
Much simpler now if you just want a zone to have dedicated
CPUs, memory limits

(From http://blogs.sun.com/jerrysblog/feed/entries/atom?cat=%2FSolaris)
zonecfg:my-zone> set scheduling-class=FSS
zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-4
zonecfg:my-zone:dedicated-cpu> set importance=10
zonecfg:my-zone:dedicated-cpu> end

zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=128m
zonecfg:my-zone:capped-memory> set locked=10m
zonecfg:my-zone:capped-memory> end

You have to enable poold via svcadm if “importance”used

Still use dispadmin to set system-wide scheduling


Zones, Resources, and S10 8/07 (cont)

Can use zonecfg for the global zone to persistently
set resource management settings in global
Now can set other zone-wide resource limits easily
zone.cpu-shares
zone.max-locked-memory (locked property of the capped-memory
resource is preferred)
zone.max-lwps
zone.max-msg-ids
zone.max-sem-ids
zone.max-shm-ids
zone.max-shm-memory
zone.max-swap (The swap property of the capped-memory resource
is the preferred way to set this control)



Zones and Networking S10 8/07
Can now create exclusive-IP zones (i.e. dedicate an HBA port to a zone) known as
“IP Instances”

Need this if you want advanced networking features in a zone (ﬁrewalls, snooping,
DHCP client, trafﬁc shaping)

Each zone get its own IP stack (and soon xVM will too)
zonecfg:my-zone>set ip-type=exclusive
zonecfg:my-zone> add net
zonecfg:my-zone:net> set physical=e1000g1
zonecfg:my-zone:net> end
Now the zone can set its own IP address et al, can do IPMP within a zone

“zonecfg set physical=” to one of the interfaces in an IPMP group

Project Crossbow will allow virtual NICs to be IP instance entity (no longer tying up
Ethernet port)
Limited to Ethernet devices that use GLDv3 drivers (dladm show-link not reporting
“legacy”)



Zones, Resources and 5/08
CPU Caps Can limit the aggregated amount of CPU that a container’s CPUs can
accumulate
Although it is possible to use prctl(1M) command to manage CPU caps, the capctl
Perl script that simpliﬁes it
# capctl <-P project> <-p pid> <-Z zone> <-n name> <-v value>
* -P proj: Specify project id
* -p pid: Specify pid
* -Z zone: Specify zone name
* -n name: Specify resource name
* -v value: Specify resource value
For example, to set a cap for project foo to 50% you can say:
# capctl -P foo -v 50
To change the cap to 80%:
To see the cap value:
# capctl -P foo
To remove the cap:



prctl vs zonecfg

prctl can read resource settings in the
global or child zones
Not persistent for setting variables
Can’t set variables in the child zone
zonecfg is persistent, but only runs in
global zone



Zone Issues
Zone cannot reside on NFS
But zone can be NFS client
Each zone normally has a “sparse” installation of a
package, if package is from “inherit-package-dir” directory
tree
By default, a package installed in global zone is installed in
all existing non-global zones
Unless the pkgadd –G or –Z options are used
See also SUNW_PKG_ALLZONES and SUNW_PKG_HOLLOW
package parameters
Patches installed in global zone is installed in all non-global
zones
If any zone does not match patch dependencies, patch not
installed


Zone issues - cont
Upgrading the global zone to a new Solaris release
upgrades the non-global zones but depends on which
upgrade method is used (hint - use live upgrade)
Best practice is to keep packages and patches synced
between global and all non-global zones
Watch out for giving users root in a zone – could
violate policy or regulations
Flash Archive (ﬂar) can be used to capture system
containing zones and clone it, but only if zones are
halted.
Details at http://www.opensolaris.org/os/community/zones/
faq/flar_zones


Zones and Packages
# pkgadd -d screen*

The following packages are available:
1 SMCscreen screen
(intel) 4.0.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
## Not processing zone <zone10>: the zone is not running and cannot be booted
## Booting non-running zone <zone0> into administrative state
## waiting for zone <zone0> to enter single user mode...
## Verifying package <SMCscreen> dependencies in zone <zone0>
## Restoring state of global zone <zone0>
. . .
## Installing package <SMCscreen> in zone <zone0>



Sparse Zones vs. Whole Root Zones
When should you use “sparse”, when should you use
“whole root”
Check per-application support and/or requirements
sparse zones don’t allow writes into /, /usr, etc by default, some apps
don’t like that
Can intermix sparse and whole-root on the same system

Make a sparse root into a whole root
# zonecfg create -b
In the future, likely that the world will use whole root
zones and ZFS cloning
But zone roots on ZFS not supported until U6
because not upgradeable


Upgrading a System Containing Containers

Supported methods vary, depending on
OS release being upgraded from
Generally liveupgrade is best, but many
details to consider
Well documented at http://docs.sun.com/app/docs/
doc/820-4041/gdzlc?a=view



Zone Best Practices
Note that global zone root can copy ﬁles directly into zones via their
zonepath directory

Consider building at least one container per system
Put all users and apps in there

Fast to copy for testing

Fast reboot

Put it on shared storage for future attach / detach
But watch out for limits

dtrace

app support in a zone
Surprisingly, a global-zone mount within the zone ﬁle system is
immediately seen in the zone


Zone Best Practices (2)
Use zonecfg export to save each zone’s
conﬁg settings - store on a different system
For every zone created, in its “virgin state”,
create a clone of it and store it on a
different system
Put zones on ZFS for best feature set
Consider conﬁguring child zones to send
syslog output to central syslog server


Zones and /etc/system
For variables no longer in /etc/system they can be set via the rctladm command,
but only per project. This example is from the Sun installation guide for Weblogic
on Solaris 10…
Modify /etc/project in each zone the app will run in to contain the following
additions to the resource controls for user.root (assuming the application will run
as root):
bash-3.00# cat /etc/project
system:0::::
user.root:1::::
process.max-file-descriptor=(privileged,1024,deny);
process.max-sem-ops=(privileged,512,deny);
process.max-sem-nsems=(privileged,512,deny);
project.max-sem-ids=(privileged,1024,deny);
project.max-shm-ids=(privileged,1024,deny);
project.max-shm-memory=(privileged,4294967296,deny)
noproject:2::::
default:3::::
group.staff:10::::


Zones and /etc/system (cont)

Note that /etc/project is read at login
Also to enable warnings via syslog if the resource limits
are approached execute the following commands once
in each zone the app will run in (they update the /etc/
rctladm.conf ﬁle)
Do this in the global zone, not persistent so script it:
#rctladm -e syslog process.max-file-descriptor
#rctladm -e syslog process.max-sem-ops
#rctladm -e syslog process.max-sem-nsems
#rctladm -e syslog process.max-sem-ids
#rctladm -e syslog process.max-shm-ids
#rctladm -e syslog process.max-shm-memory


Branded Zones
Shipped in S10 8/07
Allows native binary execution of bins from other
operating systems
Centos ﬁrst
Install a brandz zone, install the “guest” OS, then install
binaries (RPMs et al) and run them
Currently limited to centos and other 2.4-based distros
Result - can use DTrace to analyze Linux perf problems
See man pages for brands(5), lx(5)



brandz
Example install given at http://milek.blogspot.com/2006/10/brandz-
integrated-into-snv49.html
# zonecfg -z linux
linux: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:linux> create -t SUNWlx
zonecfg:linux> set zonepath=/home/zones/linux
zonecfg:linux> add net
zonecfg:linux:net> set address=192.168.1.10/24
zonecfg:linux:net> set physical=bge0
zonecfg:linux:net> end
zonecfg:linux> add attr
zonecfg:linux:attr> set name="audio"
zonecfg:linux:attr> set type=boolean
zonecfg:linux:attr> set value=true
zonecfg:linux:attr> end
zonecfg:linux> exit



brandz (cont)
# zoneadm -z linux install -d /mnt/iso/
centos_fs_image.tar.bz2
A ZFS file system has been created for this zone.
Installing zone 'linux' at root directory '/home/zones/
linux'
from archive '/mnt/iso/centos_fs_image.tar.bz2'

This process may take several minutes.

Setting up the initial lx brand environment.
System configuration modifications complete!
Setting up the initial lx brand environment.
System configuration modifications complete!
Installation of zone 'linux' completed successfully.
Details saved to log file:
"/home/zones/linux/root/var/log/linux.install.10064.log"



Solaris 8 and 9 Containers
Now available as a commercial product ($) from Sun
Uses brandz
Capture a Solaris 8 or Solaris 9 system via Archiver (aka
P2V)
Updater Tool, processes Solaris 8 image and prepares it
for new, virtualized environment
Create it as a container under S10
Apps think they are on S8 or S9
Sun “guarantees” compatibility
SPARC only


2009 04.s10-admin-topics2

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (7)

Más de Desmond Devendran

Más de Desmond Devendran (20)

Último

Último (20)

2009 04.s10-admin-topics2