Print-friendly Version

Spotlight on Solaris Zones Feature

By Amy Rich

Last Updated September 07, 2004

A new and interesting feature in the Solaris 10 Operating System (which first appeared in Software Express for Solaris 6/04) is Solaris Containers technology, a way to virtualize system resources and use multiple software partitions with one instance of the OS. The Solaris Containers functionality comprises two main components, Solaris Zones partitioning technology and Resource Management tools. The Solaris Zones feature enables the administrator to create separate environments for running applications, while the Resource Management framework allows for the allocation, management, and accounting of system resources such as CPU and memory.

Solaris Containers functionality is hardware independent and is available on any machine that will support the Solaris 10 OS. Development on Solaris Containers is ongoing, so expect to see additional flexibility and functionality in future builds of the Solaris 10 OS. For more complete information, refer to the System Administration Guide: Solaris Containers -- Resource Management and Solaris Zones on docs.sun.com and also BigAdmin's Solaris Zones section.

Introduction to Solaris Zones Software

The Solaris Zones feature is based on the same basic concepts as FreeBSD Jails. In both FreeBSD Jails and Solaris Zones, each virtual view of the runtime environment is completely segregated, and processes from one environment cannot send signals to or even see processes in another. Both Jails and Zones share only one instance of the operating system, though, so multiple runtime environments can coexist on a machine with only one CPU.

Two types of zones exist: global and non-global. A machine with the Solaris Zones feature enabled has one global zone and up to 8191 non-global zones. The maximum number of zones that a machine supports is dependent on the hardware resources available to the machine. Each zone has an ID assigned by the system when it's booted with the global zone, always listed as zone ID 0. Only the global zone contains a bootable Solaris kernel and is aware of all devices, file systems, and other zones. The global zone is also the only zone from which non-global zone configuration, installation, and management are possible.

Non-global zones contain a subset of the Solaris OS installed in the global zone and possibly additional packages not installed in the global zone. Each non-global zone has its own package database listing each software package installed relative to the zone and does not share package information with the global or other non-global zones. Non-global zones also contain localized configuration information and other zone-specific files and directories.

Configuring a Non-Global Zone

Non-global zones are created by the administrator of the global zone using the zonecfg and zoneadm commands. The zonecfg command allows the administrator to build a zone configuration specification from the template of the global zone. For complete information on the zonecfg and zoneadm commands, see their respective man pages on BigAdmin. The syntax of the zonecfg command is:

zonecfg -z zonename
zonecfg -z zonename subcommand
zonecfg -z zonename -f command_file
zonecfg help

Subcommands to the zonecfg command are:

add <resource-type>
	(global scope)
add <property-name> <property-value>
	(resource scope)
cancel
commit
create [-F] [ -b | -t <template> ]
delete [-F]
end
exit [-F]
export [-f output-file]
help [commands] [syntax] [usage] [<command-name>]
info [<resource-type> [property-name=property-value]*]
remove <resource-type> { <property-name>=<property-value> }
	(global scope)
remove <property-name>=<property-value>
	(resource scope)
revert [-F]
select <resource-type> { <property-name>=<property-value> }
set <property-name>=<property-value>
verify

To set up a basic zone, run zonecfg in interactive mode and issue the create and set zonepath directives. The export directive prints out the current configuration information in a form suitable for saving to a file. Since no modifications have been made at this point, the export directive lists the default configuration:

zonecfg -z myzone
zonecfg:myzone> create
zonecfg:myzone> export
create -b
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end

Make any modifications to the default template at this point. This example configures the zone myzone to autoboot, associates the IP address 192.168.1.7 and netmask 255.255.255.0 (/24) with the physical interface hme0, mounts /opt/sfw as a read-only file system, and copies the corresponding packaging metadata into the zone. Using a writable loopback mount, this example exports the global zone directory /data into the zone under the name /usr/local.

zonecfg:myzone> set zonepath=/zones/myzone
zonecfg:myzone> set autoboot=true
zonecfg:myzone> add net
zonecfg:myzone:net> set address=192.168.1.7/24
zonecfg:myzone:net> set physical=hme0
zonecfg:myzone:net> end
zonecfg:myzone> add inherit-pkg-dir
zonecfg:myzone:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:myzone:inherit-pkg-dir> end
zonecfg:myzone> add fs
zonecfg:myzone:fs> set dir=/usr/local
zonecfg:myzone:fs> set special=/data
zonecfg:myzone:fs> set type=lofs
zonecfg:myzone:fs> add options [nodevices]
zonecfg:myzone:fs> end
zonecfg:myzone> verify
zonecfg:myzone> export
create -b
set zonepath=/zones/myzone
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt/sfw
end
add fs
set dir=/usr/local
set special=/data
set type=lofs
add options nodevices
end
add net
set address=192.168.1.7/24
set physical=hme0
end
zonecfg:myzone> commit
zonecfg:myzone> export -f /tmp/myzone-zone.cfg
zonecfg:myzone> exit

The zone is now configured and the template used to do so is saved to /tmp/myzone-zone.cfg. This file can later be used to configure the same zone, or slight modifications can be made (such as the IP address) so it can be used to configure a similar zone using zonecfg -z secondzone -f /tmp/myzone-zone.cfg. Now it's time to install the zone with the zoneadm command. The zoneadm command has the following syntax:

zoneadm -z zonename subcommand [options]
zoneadm [-z zonename] list [options]
zoneadm help

And the zoneadm command has the following subcommands:

boot
halt
help [subcommand]
install
list [-cipv]
ready
reboot
uninstall [-F]
verify

Installing and Booting a Non-Global Zone

To install the zone, simply issue the command:

zoneadm -z myzone install
Preparing to install zone <myzone>.
Creating list of files to copy from the global zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <779> packages on the zone.
Initialized <779> packages on zone.
Successfully initialized zone <myzone>.

Now boot the zone to bring up the zone's runtime environment, and log into the zone's console with zlogin. To log out of the zone's console, press the key sequence ~. (tilde-dot).

zoneadm -z myzone boot
zlogin -C myzone

Since this is the initial boot for the zone after its installation, it has no internal naming configuration and will prompt for the necessary information via the console. The hostname of the zone defaults to the zone name. The chosen name should resolve to one of the zone's IPv4 addresses based on the zone's internal naming services (DNS, LDAP, files, NIS, NIS+, and others). The zone can use completely separate naming services from the global zone, and even where identical naming services are configured, they are run completely independently.

The zone uses sysidcfg to perform the configuration, so the screens should look like those encountered after a sys-unconfig or during an initial install of the OS. Most of the information required at this point can be preconfigured by creating the file sysidcfg in the zone's /etc directory prior to booting the zone for the first time. The zone can also be unconfigured with the sys-unconfig command. See the man pages on sysidtool(1M) and sysidcfg(4) for more information.

The state of each running zone can be seen from the global zone by executing:

zoneadm list -v
   ID NAME             STATUS         PATH
    0 global           running        /
    2 myzone           running        /zones/myzone

This verifies that the new zone is now booted and ready for use. If the zoneadm list -v command is run from within the non-global zone, it will only show the non-global zone. The zonename command can be run from within a zone to display the name of the currently running zone.

A newly booted zone is similar to a newly installed machine. There are no user accounts or configuration settings other than the system defaults, so the first step in preparing the new zone for production use is to create accounts, add additional software, and customize the zone's configuration. The administrator of the global zone can then log in as a normal user in the non-global zone by specifying the -l flag to zlogin:

zlogin -l user zonename

The zlogin command can also be run from the global zone in non-interactive mode to run commands inside a specified zone. To execute an ls -al / in myzone, one would do the following as the administrator from the global zone:

zlogin myzone ls -al /
total 126
drwxr-xr-x  19 root  other  512 Mar  8 12:45 .
drwxr-xr-x  19 root  other  512 Mar  8 12:45 ..
lrwxrwxrwx   1 root  root     9 Mar  8 12:03 bin -> ./usr/bin
drwxr-xr-x   2 root  other  512 Mar  8 12:02 data
drwxr-xr-x  10 root  other 1024 Mar  8 12:45 dev
drwxr-xr-x  51 root  sys   3584 Mar  8 13:36 etc
drwxr-xr-x   2 root  sys    512 Feb 12 11:42 export
dr-xr-xr-x   1 root  root     1 Mar  8 12:45 home
drwxr-xr-x   5 root  sys    512 Mar  8 12:03 kernel
drwxr-xr-x   4 root  bin   4608 Feb 12 12:17 lib
drwxr-xr-x   2 root  sys    512 Mar  8 12:04 mnt
dr-xr-xr-x   1 root  root     1 Mar  8 12:45 net
drwxr-xr-x   5 root  sys    512 Mar  8 12:03 opt
drwxr-xr-x  43 root  sys   1536 Feb 12 11:52 platform
dr-xr-xr-x  64 root  root 30400 Mar  8 16:27 proc
drwxr-xr-x   2 root  sys   1024 Feb 12 11:48 sbin
drwxrwxrwt   4 root  sys    314 Mar  8 16:19 tmp
drwxr-xr-x  38 root  other 1024 Jul 18  2003 usr
drwxr-xr-x  33 root  sys    512 Mar  8 12:45 var

The non-interactive mode of zlogin is especially useful in running scripts to administer non-global zones. The zlogin command also provides a failsafe mode (-S) to connect to a non-global zone in the event that a zone becomes damaged and will not accept logins.

To delete the zone myzone, shut it down, remove the root file system with zoneadm uninstall, and issue the zonecfg with the delete argument:

zlogin myzone shutdown -y -i0 -g0
zoneadm -z myzone uninstall -F
zonecfg -z myzone delete -F

Obtaining and Setting Non-Global Zone Information from the Global Zone

Process Controls

The ps command now has formatting options, -o zone and -o zoneid, that print out the zone name or zone ID of a process. One can then grep for the zone name or zone ID to get a listing of only those processes in the specified zone(s):

/bin/ps -efo user,zone,pid,ppid,c,stime,tty,time,comm |grep myzone
  root myzone 18386     1  0 12:45:24 ?      00:00 /usr/sbin/syslogd
  root myzone 18527     1  0 12:47:04 ?      00:00 /usr/lib/ssh/sshd
  root myzone 18630 18527  0 13:38:26 ?      00:03 /usr/lib/ssh/sshd
  root myzone 18300     1  0 12:45:22 ?      00:00 init
  root myzone 18512     1  0 12:45:33 ?      00:01 /usr/sfw/sbin/snmpd
  root myzone 18399     1  0 12:45:24 ?      00:00 /usr/sbin/cron
  root myzone 18638 18634  0 13:38:31 pts/2  00:00 -sh
  root myzone 18523 18300  0 12:47:03 ?      00:00 /usr/lib/saf/sac
  root myzone 18401     1  0 12:45:25 ?      00:00 /usr/lib/autofs/automountd
daemon myzone 18324     1  0 12:45:23 ?      00:00 /usr/lib/crypto/kcfd
  root myzone 18656 18638  0 13:44:26 pts/2  00:00 tcsh
daemon myzone 18349     1  0 12:45:23 ?      00:00 /usr/sbin/rpcbind
  root myzone 18400     1  0 12:45:24 ?      00:00 /usr/sbin/nscd
  root myzone 18402     1  0 12:45:25 ?      00:00 /usr/sbin/inetd
 smmsp myzone 18435     1  0 12:45:29 ?      00:00 /usr/lib/sendmail
  root myzone 18434     1  0 12:45:29 ?      00:00 /usr/lib/sendmail
  root myzone 18442     1  0 12:45:29 ?      00:00 /usr/lib/utmpd
  root myzone 18297     1  0 12:45:09 ?      00:00 zsched
  root myzone 18618 18300  0 13:37:58 zoneconsole \
                                             00:00 /usr/lib/saf/ttymon
  root myzone 18496     1  0 12:45:31 ?      00:00 /usr/dt/bin/dtlogin
  root myzone 18526 18523  0 12:47:03 ?      00:00 /usr/lib/saf/ttymon

A number of commands have been enhanced to filter the information they print by zone or to include in their input the zone that a process belongs to. The commands ipcs, pgrep, pkill, ptree, and prstat now include a -z flag to specify a zone. Additionally, prstat has a -Z flag to list all processes but also a summary by zone ID. This helps quickly identify which zone is using the most resources. The truss program has also been modified to know about Zone-specific calls but is not yet Zone-aware.

In the Solaris OS, coreadm can be used to set the core file name pattern. The pattern now includes %z for zone name. For example, if the core file name pattern were set to /var/core/core.%f.%p.%z in the global zone, the core for a program named foo with the PID of 123 running in the zone myzone would be: /var/core/core.foo.123.myzone. The zone administrator can also run coreadm inside a non-global zone to control settings for that specific zone.

File Systems

When run from the global zone, the -Z flag to df displays mounts in all zones. By default, df only displays mounts located within the current zone.

df -Z
/                  (/dev/dsk/c0t1d0s0 ):      1881482 blocks   247016 files
/devices           (/devices          ):            0 blocks        0 files
/usr               (/dev/dsk/c0t1d0s3 ):       859490 blocks   271499 files
/proc              (proc              ):            0 blocks     1837 files
/etc/mnttab        (mnttab            ):            0 blocks        0 files
/dev/fd            (fd                ):            0 blocks        0 files
/var               (/dev/dsk/c0t1d0s4 ):      1889810 blocks   239530 files
/var/run           (swap              ):      2111168 blocks    15280 files
/tmp               (swap              ):      2111168 blocks    15280 files
/zones             (/dev/dsk/c0t1d0s5 ):     60468666 blocks  3681959 files
/zones/myzone/root/dev(/zones/myzone/dev  ): 60468666 blocks  3681959 files
/zones/myzone/root/lib(/lib               ):  1881482 blocks   247016 files
/zones/myzone/root/opt/sfw(/opt/sfw       ): 60468666 blocks  3681959 files
/zones/myzone/root/platform(/platform     ):  1881482 blocks   247016 files
/zones/myzone/root/sbin(/sbin             ):  1881482 blocks   247016 files
/zones/myzone/root/usr(/usr               ):   859490 blocks   271499 files
/zones/myzone/root/usr/local(/data        ):  1881482 blocks   247016 files
/zones/myzone/root/proc(proc              ):        0 blocks     1837 files
/zones/myzone/root/etc/mnttab(mnttab      ):        0 blocks        0 files
/zones/myzone/root/dev/fd(fd              ):        0 blocks        0 files
/zones/myzone/root/var/run(swap           ):  2111168 blocks    15280 files
/zones/myzone/root/tmp(swap               ):  2111168 blocks    15280 files

Networking

The ifconfig utility has been modified in order to configure and view interfaces based on zone granularity as well, but interfaces can only be plumbed or unplumbed from the global zone. To place an IP interface inside a zone from the global zone:

ifconfig <interface> zone {<name> | <number>}
ifconfig hme0:3 plumb 192.168.1.8 netmask 255.255.255.0 zone myzone up

To print the list of IP interfaces limited to the global zone from the global zone, use ifconfig -aZ. Using ifconfig -a shows network interfaces for all zones.

ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> 
         mtu 8232 index 1 
         inet 192.168.1.7 netmask ff000000
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> 
         mtu 8232 index 1
         zone myzone
         inet 127.0.0.1 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> 
         mtu 1500 index 2
         inet 192.168.1.4 netmask ffffff00 broadcast 192.168.1.255
         ether 8:0:20:9e:b5:40
hme0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> 
         mtu 1500 index 2
         zone myzone
         inet 192.168.1.7 netmask ffffff00 broadcast 192.168.1.255

ifconfig -aZ
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> 
         mtu 8232 index 1
         inet 192.168.1.7 netmask ff000000
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> 
         mtu 1500 index 2
         inet 192.168.1.4 netmask ffffff00 broadcast 192.168.1.255
         ether 8:0:20:9e:b5:40

Accounting

When using extended accounting (exacct), each zone is configured separately. Records are written to both the global zone's accounting files as well as the individual zones' accounting files. Both task and process accounting records now have a new field named zonename. This identifies the zone to which the process or task belongs.

Resources

• Sun's Solaris 10 OS announcement page
• BigAdmin's Solaris Zones section, which includes man pages and a discussion forum. The discussion forum is read by actual Sun employees, so it's a good place to discuss features, bugs, and other technical points.
• System Administration Guide: Solaris Containers -- Resource Management and Solaris Zones on docs.sun.com
• FreeBSD documentation on Jails

Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.