Zones and Containers FAQ

Posted on 2007-06-22 19:35


This page is a list of Questions, some Frequently Asked, some Not So. It also includes Frequently Requested Web Links. It is intended for use by anyone interested in learning more about Solaris 10 Zones/Containers.
If you would like to provide feedback on this FAQ, please send it to zones-discuss AT opensolaris DOT org.
A date appearing after an answer provides the most recent date the answer has been updated. Answers with 'old' dates, or no date at all, may not provide the most recent information. All answers without dates were current on June 14, 2005.
Topics in this FAQ

Questions:

Section 1: Basics
  • What is a zone?
  • What is a container?
  • What is a global zone? Sparse-root zone? Whole-root zone? Local zone?
  • How do I get zones or containers?
  • What hardware can utilize zones or containers?
  • Will my software run in a zone or container?
  • How can I test my software for use in a container?
  • What applications are certified to run in zones or containers?
  • How can I use the Solaris 'Explorer' program to collect information on my zone(s)?
  • What changes have happened to zones since it was first released?

Section 2: Configuration (non-I/O)
  • How "big" is a zone, i.e. how much space does it take?
  • How many containers can one copy of Solaris have?
  • Can each zone run a different Solaris version?
  • What types of re-configurations require a zone re-boot?
  • What types of re-configurations require a complete system re-boot?
  • Can containers be clustered?
  • Can I share memory between containers?
  • Can a zone include multiple zones (aka "is the containment model hierarchical?")
  • Can I automate the process of entering system information, e.g. with sysidcfg?
  • Can some non-global zones have different time zones?
  • Can some non-global zones have different date and/or time settings (i.e. different clocks)?
  • Can I label my terminal windows with the name of the zone I'm logged into?

Section 2B: I/O Configuration
  • How can I add a filesystem to an existing zone?
  • How can I make a writeable /usr/local in a sparse-root zone?
  • Can I assign an SVM meta-device, or a Veritas LUN, to a zone?
  • Can I, and should I, import raw devices into a non-global zone?
  • Can I share an I/O resource (e.g. NIC, HBA) between containers?
  • Can containers communicate via the network?
  • How do I modify the network configuration of a running zone?
  • Can IPMP be used with zones?
  • Can IPFilter be used with zones?
  • Can I prevent a zone from using the network?
  • How can I mount a filesystem into two different zones safely?
  • How can I create a zone with its own /usr? (or "how can I create a zone with its own root file system?", or "how can I create a zone with a 'whole root file system?'")
  • How do I configure a default route in a container?
  • How can I restrict a zone (or a few zones) to one NIC (network connector)?
  • How can I restrict a zone (or a few zones) to one HBA (storage connector)?
  • Can a non-global zone mount an NFS file system from its own global zone?
  • Can a zone's root directory be on a ZFS file system?

Section 2C: What Services can a Zone Provide?
  • Can a zone be an NFS server?
  • Can a zone be a DHCP server?
  • Can a zone be a DNS server?
  • Can a zone be an NTP server?
  • Can a zone be a NIS (aka yp), NIS+, or LDAP server?
  • Can a zone provide network login via telnet, rlogin, rsh or ssh?
  • Can a zone be an ftp server?
  • Can a zone run sendmail?
  • Can I use X windows in a zone?

Section 3: Resource Management, Performance
  • How can I prevent one container from consuming all of the CPU power?
  • What is the resource granularity for CPU assignment to a container?
  • How can I limit (cap) the CPU usage of an application?
  • How can I limit the memory used by a container?
  • Can I dynamically change the quantity of a resource (CPU, memory, network bandwidth) assigned to a container?
  • Can swap space usage be managed?
  • Can I limit the network bandwidth used by a zone?
  • Do containers use up a lot of CPU power?
  • Can the share value for a running project or zone be changed?
  • Can I bind a zone to a pool?
  • Can projects/zones be reassigned to a different resource pool while they are running?
  • Can you move processors between processor sets while the system is running?
  • How can I prevent one zone from using all the swap space by filling up /tmp?

Section 4: System Administration
  • How do I create a zone?
  • How do I remove a zone?
  • How do I patch zones?
  • Can each container be a different Solaris patch level, so I can test patches in a "test" container before applying them to a "production" container?
  • Can I move a zone from one computer/domain to another?
  • Is there a way to correlate audit records from multiple containers?
  • Can I add packages to just the global zone (like SRS netConnect)?
  • Can I add a package to one non-global zone without adding it to the global zone?
  • What commands don't work inside a zone?
  • Do containers boot automatically, or must I boot each one manually every time the system (re)boots?
  • Should I halt a system's zones before applying patches?
  • Where does a zone's syslog output go?
  • I removed a device from a zone, but it's still there. Why, and how do I get rid of it?
  • How do I upgrade a system with zones installed? Does Live Upgrade work?
  • Can I configure my zones on a ZFS filesystem?
  • What is the default networking service configuration of a non-global zone when it is installed?

Section 5: Security and Hardening
  • Can I access one container from another container?
  • Can I 'su' from one zone to another?
  • Can I prevent the root account in one container from affecting other containers?
  • Can one container impact another container?
  • How do I prevent a 'fork bomb' from affecting all of the zones?

Section 6: Applications
  • Can Oracle use shared memory in a Container?
  • Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a Solaris Container?

Section 7: Other Server Virtualization Solutions
  • What are zones' strengths compared to most other server virtualization solutions?
  • Are containers like VMware?
  • Are containers like HP vPars?
  • Are containers like IBM Micro-Partitions?
  • Are containers like Linux vServers?

Section 8: Common but Non-Obvious Problems
  • I created a zone and booted it, but it doesn't work. What should I do?
  • I added some privileges to a user in a zone, and now the user can't login. What should I do?
  • I tried to upgrade to Solaris 10 11/06 and it told me the upgrade failed and I need to restore from backup. Now what?
Answers:

    Section 1: Basics
    Q: What is a zone?
    A: A zone is a virtual operating system abstraction that provides a protected environment in which applications run. The applications are protected from each other to provide software fault isolation. To ease the labor of managing multiple applications and their environments, they co-exist within one operating system instance, and are usually managed as one entity.
    Q: What is a container?
    A: A zone which also uses the operating system's resource management facility is then called a container.
    Q: What is a global zone? Sparse-root zone? Whole-root zone? Local zone?
    A: After installing Solaris 10 on a system, but before creating any zones, all processes run in the global zone. After you create a zone, it has processes which are associated with that zone and no other zone. Any process created by a process in a non-global zone is also associated with that non-global zone.
    Any zone which is not the global zone is called a non-global zone. Some people call non-global zones simply "zones." Others call them "local zones" but this is discouraged.
    The default zone filesystem model is called "sparse-root." This model emphasizes efficiency at the cost of some configuration flexibility. Sparse-root zones optimize physical memory and disk space usage by sharing some directories, like /usr and /lib. Sparse-root zones have their own private file areas for directories like /etc and /var. Whole-root zones increase configuration flexibility but increase resource usage. They do not use shared filesystems for /usr, /lib, and a few others.
    Q: How do I get zones or containers?
    A: Operating systems based on the OpenSolaris codebase may elect to include support for zones. Sun provides Solaris 10 and Solaris Express, each of which include complete support for Zones.
    Q: What hardware can utilize zones or containers?
    A: Zones and resource management are software features of OpenSolaris (and by extension, Solaris and other operating systems based on OpenSolaris). As software features, they do not depend upon any specific hardware platform. Any hardware that runs OpenSolaris (or Solaris) will be able to have these features.
    Q: Will my software run in a zone or container?
    A: Most Solaris software will run unmodified in a zone, without needing to re-compile. Unprivileged software (programs that do not run as root or with specific privileges) typically runs unmodified in a zone once it can be successfully installed. Installers must not try to write into shared, read-only filesystems, e.g. /usr. This can be circumvented by adding a writable filesystem to the zone (e.g. at /usr/local) or using a whole-root zone.
    However, there are a few applications which need certain privileges to run - privileges not available in a zone, such as the ability to set the system's time-of-day clock. The few applications which fall into this category may need modification to run properly in a zone.
    Here are some guidelines:

    • An application which accesses the network and files, and performs no other I/O, should work correctly.
    • Applications which require direct access to certain devices, e.g. a disk partition, will usually work if the zone is configured correctly. However, in some cases this may increase security risks.
    • Applications which require direct access to these devices must be modified to work correctly:

      • /dev/kmem
      • A network device (applications should instead use one of the many IP services)

    For more details, read the white paper "Bringing Your Application Into the Zone". Note that changes have been made to privileges used with zones since this paper was published. For current privilege information, see the administration guide. [September 2006]
    Q: How can I test my software for use in a container?
    A: See the document "Qualification Best Practices for Application Support in Non-Global Zones." [March 2006]
    Q: What applications are certified to run in zones or containers?
    A: Supportability of an application running in a container is evaluated by the ISV. Some software vendors treat Zones as just another feature set of Solaris, and do not feel a need to specifically certify their software to use zones. Others have specifically certified their software to use zones. Applications which have been reported to be officially supported include those in the following list. For more details see the section "Application-specific Information".

    Q: How can I use the Solaris 'Explorer' program to collect information on my zone(s)?
    A: Explorer 5.0 can be run on Solaris 10 in a global zone. It can be used to collect information on containers (non-global zones) with the -w option.
    Q: What changes have happened to zones since it was first released?
    A: See the OpenSolaris project page for changes made since the initial release. [September 2006]
    Back to Top
    Section 2: Configuration (non-I/O)
    Q: How "big" is a zone?
    A: If configured with default parameters, a zone requires about 85MB of free disk space per zone when the global zone has been installed with the "All" metacluster of Solaris packages. Additional packages installed in the global zone will require additional space in the non-global zones. SVM soft partitions can be used to divide disk slices and enforce per-zone disk space constraints. When performing capacity planning, 40MB of additional RAM per zone is suggested. Applications do not use any "extra" RAM because they are running in a zone.
    A zone installed using the "full-root model" will take up as much space as the initial Solaris 10 installation, which will be more than 500MB in most cases.
    Q: How many containers can one copy of Solaris have?
    A: While the theoretical limit is over 8,000, the practical limit depends on:

    • The amount of hardware resources used by the applications versus the amount available in the system. This includes the number and processing power of CPUs, memory size, NICs, HBAs, etc.
    • What portion of the installed zones are actually in use. For example, you can create 100 zones, each ready to offer a web service, but only boot the 10 that you need this month. The unbooted zones take up disk space, but do not cause the use of any extra CPU power, RAM, or I/O.
    Consider these examples which worked:

    • 40 zones, each running five copies of the Apache web service, on an E250 with two 300MHz CPUs, 512MB RAM, and three hard disk drives totalling 40GB. With all zones running and a load consisting of multiple simultaneous HTTP requests to each zone, the overhead of using zones was so small it wasn't measurable (

    Q: Can each zone run a different Solaris version?
    A: No. All of the zones use a single underlying kernel. The version of the kernel determines the version of every container in that domain.
    Q: What types of re-configurations require a non-global zone re-boot?
    A:

    • Adding a device to a non-global zone.
    • Binding a zone to a pool.

    Q: What types of re-configurations require a complete system re-boot?
    A: We are not aware of any.
    Q: Can containers be clustered?
    A: Yes, but not without adding additional cluster management software. As of this writing, Sun is developing extensions to its Sun Cluster software, so that Resource Groups can be placed within non-global zones.  has also announced support for Zones in the Veritas Cluster product.
    Q: Can I use SysV shared memory between containers?
    A: No. This would violate several security principles.
    Q: Can a zone include multiple zones (aka "is the containment model hierarchical")?
    A: No, the model is strictly two-level: one global zone and one or more non-global zones. Only the global zone can create non-global zones, and each non-global zone must be contained within the global zone.
    Q: Can I automate the process of entering system information, e.g. with sysidcfg?
    A: Yes, after a zone has been installed, copy a sysidcfg(4) file to the zone's /etc/sysidcfg before the first boot of that zone. Also, execute the command
    touch .NFS4inst_state.domain
    Q: Can some local zones be in different time zones?
    A: Yes. Each non-global zone has its own copy of /etc/default/init, which contains the timezone setting. You can change the line starting with "TZ=". The recognized names of timezones are in /usr/share/lib/zoneinfo. For example, Eastern Standard Time in the USA is defined in the file /usr/share/lib/zoneinfo/US/Eastern. To set a non-global zone's timezone to that timezone, the line in /etc/default/init would look like this:
    TZ=US/Eastern
    Q: Can some non-global zones have different date and/or time settings (i.e. different clocks)?
    A: Although different zones can 'be' in different time zones, each zone gets its date and time clock from the same source. This means that the time zone setting gets applied after the current time data is obtained from the kernel.
    If you would like the ability to have different clock sources per zone, please add a call record to RFE 5033497. [August 2005]
    Q: Can I label my terminal windows with the name of the zone I'm logged into?
    A: Yes. After logging into the zone, enter this command: zone% /bin/echo "\033]0;Zone `/bin/zonename`\007\c"
    [January 2006]
    Back to Top
    Section 2B: I/O Configuration
    Q: How can I add a filesystem to an existing zone?
    A: There are four methods. The following list uses UFS examples, but other types of file systems, such as HSFS and VxFS, can be used in the zonecfg "fs" resource type property or attached by mount(1M).
  • Create and mount the filesystem in the global zone and use LOFS to mount it into the non-global zone (very safe)
  • Create the filesystem in the global zone and use zonecfg to mount the filesystem into the zone as a UFS filesystem (very safe)
  • Export the device associated with the disk partition to the non-global zone, create the filesystem in the non-global zone and mount it. Security consideration: If a _block_ device is present in the zone, a malicious user could create a corrupt filesystem image on that device, and mount a filesystem. This might cause the system to panic. The problem is less acute with raw (character) devices. Disk devices should only be placed into a zone that is part of a relatively trusted infrastructure.
  • Mount a UFS filesystem directly into the non-global zone's directory structure (allows dynamic modifications to the mount without rebooting the non-global zone)
    See the administration guide for instructions to use these methods. [September 2006]
    Q: How can I make a writeable /usr/local in a sparse-root zone?
    A: Use one of the methods above, for example:
    global# mkdir -p /path/to/some/storage/local/twilight
    global# zonecfg -z twilight
    zonecfg:twilight> add fs
    zonecfg:twilight:fs> set dir=/usr/local
    zonecfg:twilight:fs> set special=/path/to/some/storage/local/twilight
    zonecfg:twilight:fs> set type=lofs
    zonecfg:twilight:fs> end
    zonecfg:twilight> commit
    zonecfg:twilight> exit
    global#
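The LOFS method in the list above lends itself to automation, because zonecfg(1M) accepts its commands from a file (`zonecfg -z ZONE -f FILE`). The function below, added here as an example and not part of the FAQ, writes such a command file after checking the arguments that a typo would otherwise push straight into the zone's configuration: a valid zone name, absolute paths, and a source directory that actually exists in the global zone. The zone name `twilight` and the paths are the FAQ's own; the `add options [ro,nodevices]` line follows the fs example in zonecfg(1M) and is emitted only when a read-only loopback is requested. It never invokes zonecfg itself, so it runs on any POSIX shell.

```shell
# lofs_cmdfile ZONE SOURCE_DIR MOUNT_POINT [ro]
# Prints a zonecfg command file that adds a lofs fs resource to ZONE.
# Apply it from the global zone with:  zonecfg -z ZONE -f FILE
# (the zone must be rebooted for a new fs resource to take effect).
# Returns 1 and writes a message to stderr on a bad argument.
lofs_cmdfile() {
    lc_zone=$1; lc_src=$2; lc_dir=$3; lc_mode=${4:-rw}

    # Zone names: letters, digits, '_', '.', '-' (zonecfg rejects the rest).
    case $lc_zone in
        ''|*[!A-Za-z0-9_.-]*) echo "bad zone name: '$lc_zone'" >&2; return 1 ;;
    esac
    # Both paths must be absolute; lofs only re-exports an existing
    # global-zone directory, so the source has to be there already.
    case $lc_src in /*) ;; *) echo "source must be an absolute path" >&2; return 1 ;; esac
    case $lc_dir in /*) ;; *) echo "mount point must be an absolute path" >&2; return 1 ;; esac
    [ -d "$lc_src" ] || { echo "source directory missing: $lc_src" >&2; return 1; }

    printf 'add fs\n'
    printf 'set dir=%s\n' "$lc_dir"
    printf 'set special=%s\n' "$lc_src"
    printf 'set type=lofs\n'
    # A read-only loopback keeps a root user inside the zone from altering
    # a tree the global zone shares out; the FAQ's /usr/local case needs rw.
    [ "$lc_mode" = ro ] && printf 'add options [ro,nodevices]\n'
    printf 'end\n'
    printf 'verify\n'
    printf 'commit\n'
    printf 'exit\n'
}

# Usage (in the global zone; the storage path is the FAQ's placeholder):
#   lofs_cmdfile twilight /path/to/some/storage/local/twilight /usr/local > /tmp/twilight.cfg
#   zonecfg -z twilight -f /tmp/twilight.cfg
```

Generating the file and reviewing it before `zonecfg -f` consumes it also leaves a record of what was added to each zone, which is useful when several zones share the same global-zone storage tree.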
    Q: Can I assign an SVM meta-device, or a Veritas LUN, to a non-global zone?
    A: With Solaris 10 1/06, you can directly assign an SVM meta-device into a non-global zone, using the same method you would with most other devices.
    Symantec does not yet support the assignment of a Veritas LUN into a non-global zone. [January 2006]
    Q: Can I, and should I, import raw devices into a non-global zone?
    A: The Solaris 10 Zones feature set provides the global zone administrator with the ability to allow a non-global zone to access a raw device. There are many situations where this will be the best approach to solve a problem. There are even situations which require such use.
    First, however, it is important to stress that there are usually other solutions that do not require direct device access. Let's discuss this first.
    One FAQ is "Can I import VxVM devices into a zone?" Since this is not possible at this time [January 2006], we look for another solution. If the goal is to make a filesystem available in the zone, the solution is obvious: create the filesystem in the global zone, and use LOFS to make the filesystem available in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, another solution must be found.
    In any situation, if direct device access is required within a zone, you must perform careful failure analysis and evaluation of the possible outcomes of "catastrophic application failure." If the non-global zone will use COTS software, and will be managed by trustworthy people, then the risks will be small. Fortunately, in most cases there are also other solutions which do not use direct device access from a zone.
    Here are two extreme examples:
  • A zone will be created for the purpose of training students on basic Unix commands. The root account will only be used by the global zone administrator. The system will be attached to a LAN which is not connected to any other networks. The instructor needs access to the sound device. There are very few risks associated with such access - it would be very difficult for the sound device to suffer a failure, and even if it did it would be unlikely to affect other zones.
    The zone can be given access to this via the zonecfg sub-commands:
    global# zonecfg -z zonename
    zonecfg:zonename> add device
    zonecfg:zonename:device> set match=/dev/sound/*
    zonecfg:zonename:device> end
    zonecfg:zonename> exit
    The zone will have access to sound devices, but will not have access to any other devices.
  • A zone will be created for the purpose of teaching students about a database program that requires access to raw disk partitions. The instructor knows how to use Unix, but does not have a background in Unix system administration. Further, the instructor will require use of the root account to assist students. It is possible that the instructor could make a mistake, or a malicious student could abuse the raw disk access, leading to a crash of the kernel. This would also stop all of the other non-global zones, as well as the global zone. If the other zones are running production software, this request for raw disk access in a zone should not be fulfilled. Other solutions should be pursued, such as creating an RBAC role for the instructor which only gives the necessary privileges to the instructor's Unix account. Other examples must be judged by their particulars, e.g. a production database program which needs raw access. Factors to consider include:

    • Who will login to the zone? How trustworthy are they?
    • Is this system protected from unauthorized access by a firewall?
    • What level of availability is required by applications running in this zone and in other zones?
    For even more information on this topic, see the section "SECURITY AND DATA INTEGRITY" of the man page for sgen(7d).
    [September 2005]
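The questions listed above are easier to answer when you can see exactly which devices each zone has been granted. The script below is an added example, not part of the FAQ: it reads the output of `zonecfg -z ZONE export` (zonecfg prints a zone's configuration in the same command-file syntax it reads back with `-f`), picks out every `device` resource, and classifies each match by the risk the answer describes: a block disk device (`/dev/dsk/...`) lets a root user in the zone hand the kernel a crafted filesystem image, a raw disk device (`/dev/rdsk/...`) is the less acute case, and anything else is listed for review. The export text for a zone named `dbzone` is constructed for the example, as are the class names; on a global zone you would pipe in the real `zonecfg ... export` output.

```shell
# audit_devices ZONE < export-output
# Prints "ZONE CLASS MATCH" for each device resource in the export.
# Exit status 2 if any block disk device is granted, 0 otherwise.
# fs resources are deliberately left alone: a UFS fs resource with
# special=/dev/dsk/... is mounted by the global zone, which the FAQ
# rates as safe; only "add device" hands the node itself to the zone.
audit_devices() {
    ad_out=$(awk -v zone="$1" '
        # "add device" opens a device block, "end" closes any block;
        # only "set match=" lines inside a device block matter here.
        $1 == "add" && $2 == "device" { indev = 1; next }
        $1 == "end"                   { indev = 0; next }
        indev && sub(/^set match=/, "") {
            class = "OTHER"
            if ($0 ~ /^\/dev\/dsk\//)  class = "BLOCK_DISK"
            if ($0 ~ /^\/dev\/rdsk\//) class = "RAW_DISK"
            print zone, class, $0
        }')
    printf '%s\n' "$ad_out"
    case $ad_out in *" BLOCK_DISK "*) return 2 ;; esac
    return 0
}

# Constructed sample of what "zonecfg -z dbzone export" could print
# (not captured from a real system): one lofs fs plus three devices.
SAMPLE_EXPORT='create -b
set zonepath=/export/zones/dbzone
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add fs
set dir=/usr/local
set special=/export/local/dbzone
set type=lofs
end
add device
set match=/dev/dsk/c0t1d0s6
end
add device
set match=/dev/rdsk/c0t1d0s6
end
add device
set match=/dev/sound/*
end'

# Usage on the sample:        printf '%s\n' "$SAMPLE_EXPORT" | audit_devices dbzone
# Usage on a live global zone: zonecfg -z dbzone export | audit_devices dbzone
```

Run over every configured zone (`zoneadm list -c`), the non-zero exit status gives you a simple gate for change control: a block disk device appearing in a zone that hosts untrusted users is exactly the configuration the answer above argues against.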
    Q: Can I share an I/O resource (e.g. NIC, HBA) between containers?
    A: Yes, in fact, that is the default model. Each container is assigned its own IP address, but usually multiple containers will share one NIC. Further, multiple zones may be assigned separate filesystems accessed through one HBA.
    Q: Can containers in one computer communicate via the network?
    A: Containers in one computer can communicate using IP networking, but the packets don't actually leave the system. This has advantages and disadvantages:

    • Inter-container network latency is extremely small, and bandwidth is extremely high

    • Solaris IPFilter doesn't yet work between containers [July 2006]
    It is possible to configure routing to block traffic between specific containers completely.
    Q: How do I modify the network configuration of a running zone?
    A: The ifconfig(1M) command can be used in the global zone to modify a zone's existing network configuration or to add new logical interfaces to a zone. Here are some examples that add, and then delete a logical interface assigned to a zone:
    global# ifconfig bge0 addif 192.168.200.202 zone myzone
    global# ifconfig bge0 removeif 192.168.200.202
    Q: Can IP Multipathing (IPMP) be used with zones?
    A: Yes, IPMP can be configured in the global zone. Failover of a network link (e.g. hme0) that is protected by IPMP will bring the associated logical interfaces (e.g. hme0:3) for the zones over to the secondary link (e.g. bge0).
    For more information, see the admin guide. [September 2006]
    Q: Can IPFilter be used with zones?
    A: The IPFilter features in Solaris 10 can be used to filter traffic passing between one non-global zone and other computers on the network. This includes the ability to use NAT features, i.e. redirect traffic destined for the global zone to non-global zones.
    However, currently IPFilter cannot be used to filter traffic passing between two zones on the same system. This will be addressed in the future. See RFE 4950897. [July 2006]
    Q: Can I prevent a zone from using the network?
    A: Yes. A zone does not need a network interface in order to operate. If you don't specify a network interface when you create the zone, it will still boot correctly. If an existing zone has been given access to a network interface, you can use zonecfg(1M) to remove that access, but if the zone is running you must also either re-boot the zone or use ifconfig(1M) to remove access until the next re-boot.
    It is also possible to allow a zone to access the network, but not communicate with other zones on the same system. One method is to set up a pair of routes using the "-reject" argument to the route(1) command. For example, if one zone has an IP address of  and the second zone has an address of , then the following commands will prevent network traffic from passing between the two zones. [July 2006]  
    global# route add   -interface -reject
    global# route add   -interface -reject
    Q: Are VLANs supported in zones?
    A: Yes, but the VLAN interface must be plumbed in the global zone.
    Q: How can I mount a filesystem into two different zones safely?
    A: Create a directory in the global zone, and remount it into each non-global zone using lofs. This will allow reading and writing from both zones without corrupting. It's the same mechanism used by the automounter in certain cases.
    Q: How can I create a zone with its own /usr or root file system (a 'whole root file system')?
    A: By default a zone shares /usr and a few other directories with the global zone. If a zone needs its own separate copy of /usr, et al., you must tell zonecfg to not use the default configuration. To do this, use the "-b" option on the "create" sub-command of the zonecfg(2) command.
    If you do this, you must specify each existing file system that you do want to share with this new zone.
    Q: How do I configure a default route in a container?
    A: All routes, including default routes, must be configured by the global zone administrator. Although a default route cannot be assigned directly to a Container, a default route can be assigned to each subnet. All zones on one subnet will then use the same default route. [July 2006]
    Q: How can I restrict a zone (or a few zones) to one NIC (network connector)?
    A: Restricting NIC usage is very easy: when the zone is configured, you must assign it an IP address and a physical port, e.g. hme0. You can assign one zone per network port and/or assign multiple zones to a port. [August 2005]
    Q: How can I restrict a zone (or a few zones) to one HBA (storage connector)?
    A: Each zone uses space in at least one disk partition - its root directory and several others (e.g. /etc) live there. All of these files are part of Solaris. In addition, each zone can be given access to one or more file systems and/or one or more raw disks. By planning carefully, you can configure one zone so that all of its files and devices are accessible through one HBA, and all of the storage of another zone is accessible through a different HBA. [August 2005]
    Q: Can a non-global zone NFS-mount a file system that has been shared from its own global zone?
    A: No. This may be addressed in the future. However, the filesystem can be LOFS-mounted into the local zone, and, if necessary, the global zone can export the same filesystem via NFS so that other computers can also access those files. [August 2005]
    Q: Can a zone's root directory be on a ZFS file system?
    A: A zone's root directory (i.e. its PATHNAME) can be on a ZFS file system, but this is not recommended at this time if you plan to upgrade the system to a future release of Solaris 10. This is because the software that installs and upgrades Solaris 10 does not yet understand ZFS, and would not be able to upgrade those zones.
    This situation leaves you with three choices:
  • Do not put zones on ZFS file systems yet
  • Put zones on ZFS file systems and uninstall them before upgrading to a new Solaris 10 release
  • Put zones on ZFS file systems and re-install the system when you need to use a new Solaris 10 release
    Sun is improving the installation software to understand ZFS. A date for release of this has not been set, but is expected in late 2007 or early 2008. At that time, a system with zones on ZFS file systems will be upgradeable. [April 2007]
    Back to Top
    Section 2C: What Services can a Zone Provide?
    Q: Can a zone be an NFS server?
    A: A global zone can be an NFS server. A non-global zone cannot be an NFS server. This issue may be addressed in the future. See RFE 5102011. [August 2005]
    Q: Can a zone be a DHCP server?
    A: A global zone can be a DHCP server. A non-global zone cannot be a DHCP server. This issue may be addressed in the future. [August 2005]
    Q: Can a zone be a DNS server?
    A: Yes.
    Q: Can a zone be an NTP server?
    A: Because the NTP server software also sets the time clock, which a non-global zone cannot be allowed to do, a zone cannot be an NTP server. (June 2005)
    Q: Can a zone be a NIS (aka yp), NIS+, or LDAP server?
    A: Yes, yes, and yes.
    Q: Can a zone provide network login via telnet, rlogin, rsh or ssh?
    A: Yes, yes, and yes.
    Q: Can a zone be an ftp server?
    A: A zone can be an ftp server, but it is not possible to use ftpconfig(1M) to set up a zone to be an anonymous ftp server. This is because ftpconfig attempts to set up certain device special files, and a zone does not have the necessary privileges. [December 2005]
    Q: Can a zone run sendmail?
    A: Yes.
    Q: Can I use X windows in a zone?
    A: There are a few different methods to use X windows with zones:
  • On the system console: at the login screen, you can choose "Remote Host" and enter the hostname of the zone. The X windows login screen should be replaced with an X windows remote login screen.
  • At the console, logged into the global zone: you can tell X to allow remote connections from the non-global zone, telnet to that zone, and set the appropriate environment variable so that X sessions go to the global zone's X windows session, e.g. "setenv DISPLAY my-global-zone".
  • At another system, you can login directly to the non-global zone, and perform steps similar to the previous method.
    Back to Top
    Section 3: Resource Management, Performance
    Q: How can I prevent one container from consuming all of the CPU power?
    A: Use the resource management features of Containers. This requires using Resource Pools and/or the Fair Share Scheduler features and assigning related parameters to each container.
    Web Links:
    • Using RM in Solaris Express
    • Fair Share Scheduler (Overview)
    • Dynamic Resource Pools (Overview)
    • Syntax
    • Using FSS on a Solaris System With Zones Installed
    [September 2006]
    Q: What is the resource granularity for CPU assignment to a container?
    A: Resource Pools: Single CPU core
    Fair Share Scheduler: Arbitrary. CPU utilization limits are specified by "shares" and enforced by the Fair Share Scheduler. For example, CPU limit assignments could be 1, 1000, 999, resulting in utilization limits of 0.05%, 50%, and (practically speaking) 50%.
    Q: How can I limit (cap) the CPU usage of an application?
    A: Create a processor set with one or more CPUs and bind it to a resource pool. Then create a zone and bind it to the same resource pool. Run the application in that zone. The application will only "see" that set of processors.
    Web Links:
    • Resource Pools: Sections 12 and 13
    • Processor Sets: Sections 12 and 13
    [September 2006]
    Q: How can I limit the memory used by a container?
    A: With the first release of Solaris 10 and Solaris Express you can use the Resource Capping Daemon. An update to Solaris 10 will include Memory Set features to limit memory usage.
    Web Links:
    Administering the Resource Capping Daemon
    Sections 10 and 11
    Q: Can I dynamically change the quantity of a resource (CPU, memory, network bandwidth) assigned to a container?
    A: To change the number of CPU shares associated with a container without re-booting it, use the prctl command, e.g.
    prctl -n zone.cpu-shares -r -v $SHARES `pgrep -z $ZONENAME init`
    where $SHARES is the new number of shares and $ZONENAME is the name of the zone.
    Web Links:
    Resource Controls

    Using the prctl Command
    prctl(1M)
    Using the Fair Share Scheduler in a Zones Environment
    Q: Can swap space usage be managed?
    A: The entire swap partition is treated as a single global resource to processes running in both global and non-global zones. With Solaris 10 GA, you can't limit the amount of swap used by a zone on a per-zone basis. You can globally limit the size of the swap-based filesystems (e.g. /tmp) by using the "size" mount option in the container's /etc/vfstab file, e.g. "size=200m". This allows you to decrease the effect of many and/or large files created in /tmp.
    A future enhancement is being planned for resource pools to implement a resource control called a swap set. Swap sets will allow swap to be limited within a pool bound to a zone on a per-zone basis.
    Q: Can I limit the network bandwidth used by a zone?
    A: Yes, use the IPQoS features in Solaris 10. You must manage this from the global zone for the containers.
    Q: Do containers use up a lot of CPU power?
    A: CPU overhead of containers is hardly measurable (i.e.
    Q: Can the share value for a running project or zone be changed?
    A: Yes. Here is an example:
    prctl -n project.cpu-shares -v 10 -r -i project group.staff
    The prctl utility allows the examination and modification of the resource controls associated with an active process, task or project on the system. It allows access to the basic and privileged limits on the specified entity.
    -n specifies the name of the resource to get or set
    -r specifies a replace operation
    -v specifies the new value for the resource
    -i specifies the owning process, task or project of the resource.
    Q: Can I bind a zone to a pool?
    A: Yes. First create the pool, then use zonecfg(1M) to bind a zone to it.
    1. Enable resource pools on your system using either svcadm or pooladm -e.
    2. Use pooladm -s to create the pool configuration.
    3. Use pooladm -c to commit the configuration at /etc/pooladm.conf.
    4. Use poolcfg -c to modify the configuration.
    poolcfg -c 'create pset pset_zone (uint pset.min = 3; uint pset.max = 3)'
    poolcfg -c 'create pool pool_zone (string pool.scheduler="FSS")'
    poolcfg -c 'associate pool pool_zone (pset pset_zone)'
    5. Use pooladm -c to commit the configuration at /etc/pooladm.conf.
    See the administration guide.
    The command to perform the binding, from the global zone, would be:
    zonecfg -z zone1 set pool=pool_zone
    If the zone was running, you must re-boot it for the binding to take effect, unless you also dynamically assign the zone to the pool, as described in the question "Can projects/zones be reassigned to a different resource pool while they are running?". [September 2006]
    Q: Can projects/zones be reassigned to a different resource pool while they are running?
    A: Yes. Here is an example:
    poolbind -p web_app -i zoneid  myzone
    The poolbind command binds zones, projects, tasks and processes to a pool.
    -p is the name of the pool to bind
    -i specifies the process id, zone id, task id or project id to be bound to the pool.
    Q: Can you move processors between processor sets while the system is running?
    A: Yes you can. Here are the commands you would use:

    • If you don't care which CPUs you move from a processor set, the command would be:
      poolcfg -dc "transfer 2 from pset pset1 to pset2"
      which will move any two processors from pset1 to pset2.
      -d operate directly on the kernel state
      -c this signifies the command
    • If you want to move specific CPUs, here is the command:
      poolcfg -dc "transfer to pset pset2 (CPU 0, CPU 1)"
      which will move CPUs 0 and 1 to pset2.
    Q: How can I prevent one zone from using all the swap space by filling up /tmp?
    A: For manual mounts, use the option "-o size=sz" where sz is the size limit you want. Ending the size in 'k' means kilobytes, ending it in 'm' means megabytes. Example: "-o size=500m". This option can also be added into /etc/vfstab. For more details, view the man pages for mount_tmpfs(1M) and vfstab(4).
    Also, note that RFE 1177209 will give the global zone administrator the ability to control the amount of swap space used by one zone.
    Section 4: System Administration
    Q: How do I create a zone?
    A: First gather some information, then use the Solaris Container Manager GUI or the commands shown below. This is the simplest possible creation of a zone that has network access. You will need this information (example values in parentheses):
  • Name that you choose for the zone (my-zone)
  • Hostname that you choose for the zone (my-zone)
  • Name of the directory in the global zone where all of the zone's operating system files will be (/zones/zone_roots/my-zone)
  • IP address of the zone (10.1.1.1)
  • Name of the network device that the zone should use (hme0)
    Use the sample information in the appropriate commands; the installation will take about 10 minutes on a small system with a new installation of OpenSolaris or Solaris 10:
    global# zonecfg -z my-zone
    zonecfg:my-zone> create
    zonecfg:my-zone> set zonepath=/zones/zone_roots/my-zone
    zonecfg:my-zone> add net
    zonecfg:my-zone:net> set address=10.1.1.1
    zonecfg:my-zone:net> set physical=hme0
    zonecfg:my-zone:net> end
    zonecfg:my-zone> commit
    zonecfg:my-zone> exit
    global# zoneadm -z my-zone install
    global# zoneadm -z my-zone boot
    Also, see the two chapters on installing and uninstalling zones at docs.sun.com. [September 2005]
    Q: How do I remove a zone?
    A: Use these commands, substituting the correct zone name for zone-name:
    global# zoneadm -z zone-name uninstall
    global# zonecfg -z zone-name delete
    Also, see the two chapters on installing and uninstalling zones at docs.sun.com. [September 2005]
    Q: How do I patch zones?
    A: See the Patching and Packaging sections at docs.sun.com.
    Q: Can each container be a different Solaris patch level, so I can test patches in a "test" container before applying them to a "production" container?
    A: There are two parts to the answer: 1) There is only one kernel running on the system, so all zones must be at the same patch level with respect to the kernel and core system components. Such patches can only be applied from the global zone, and they affect the global and all local zones equally. The KU is an example of such a patch.
    2) Middleware such as Java Enterprise System can be patched on a per-zone basis. If the software can be installed in the local zone then it must be patchable from the local zone as well, regardless of the zone type, whole-root or sparse-root.
    Q: Can I move a zone from one computer/domain to another?
    A: Yes. See Migrating a Non-Global Zone to a Different Machine. [September 2006]
    Q: Is there a way to correlate audit records from multiple containers?
    A: Yes, the global zone sees all audit records. Each non-global zone only sees its own audit records.
    Q: Can I add packages to just the global zone (for example, SRS netConnect)?
    A: Yes, use pkgadd -G. Note that if the SUNW_PKG_THISZONE package parameter is set to true, you do not have to use the -G option. See the documentation. [September 2006]
    Q: Can I add a package to one local zone without adding it to the global zone?
    A: That depends on the settings used when the package was created. See the Packaging sections at docs.sun.com.
    Q: What commands don't work, or behave differently, inside a zone?
    A: Most Unix commands and programs work correctly, without alteration or re-compilation.
    However, the implementation of the security isolation boundary limits the functionality of several system calls and libraries. That, in turn, limits the functionality of several system commands. In other words, some Solaris commands behave differently when run inside a zone, or do not work at all inside a zone.
    See the sections 6.1 System Calls, 6.2 Library Functions, 6.3 Commands, and 6.4 Device and Interface Special Files in http://www.sun.com/bigadmin/features/articles/zones_partition.html#limitations
    For information on the status of privileges in zones, see Table 26-1 Status of Privileges in Zones. [November 2006]
    Q: Do zones boot automatically, or must I boot each one manually every time the system (re)boots?
    A: The zone's autoboot property determines whether the zone is booted when the system boots. The global zone administrator can set the autoboot property to "true" or "false." The zones service svc:/system/zones:default must also be enabled. [September 2006]
    Q: Should I halt a system's zones before applying patches?
    A: There is no need to do this. In fact, the package and patch tools will perform their operations on all zones that are running, as well as all zones that are not currently running but are capable of being booted (e.g. they are at least in the "installed" state). The running zones are operated on first, and then for each zone that is not running but can be booted, the zone is booted, the operation is performed, and the zone is then halted.
    Q: Where does a zone's syslog output go?
    A: By default the syslog output from a zone goes only into the zone's syslog file. If you would like the output to also appear in the global zone's log files, configure the local zone's loghost to be the global zone.
    Q: I removed a device from a zone, but it's still there. Why, and how do I get rid of it?
    A: This is bug 4963368. The current (Feb 2005) workaround is: after using zonecfg to remove the device, manually remove the corresponding entry in {ZONEPATH}/dev.
    If you're running Solaris Express, this bug is corrected in builds 46 and higher.
    Q: How do I upgrade a system with zones installed? Does Live Upgrade work?
    A: Information about how to upgrade your Solaris 10 system to a later release if you are running zones is available in the System Administration Guide: Solaris Containers--Resource Management and Solaris Zones, Chapter 27 Upgrading a Solaris 10 System That Has Installed Non-Global Zones.
    At this time, you cannot upgrade a Solaris Express system that has zones installed. To upgrade the system, you must save all application data, uninstall the existing non-global zones, and upgrade the Solaris operating system. You must then reinstall all of the non-global zones.
    At this time, Solaris(TM) Live Upgrade cannot be used to upgrade a system with zones installed. Support for Live Upgrade is under development.
    Solaris Release     Traditional Upgrade w/ Zones   Live Upgrade w/ Zones
    Solaris 10 3/05     N/A                            N/A
    Solaris 10 1/06     Yes                            No
    Solaris 10 6/06     Yes                            No
    Solaris 10 11/06    Yes*                           No
    Solaris Express     No                             No
    * Note, however, that there are two limitations regarding the process of upgrading Solaris 10 if there are zones that use ZFS or LOFS. Fixes for these two issues are under development, or already exist but could not be integrated into Solaris 10 11/06 in time for release.
  • Solaris 10 6/06 supports the use of ZFS file systems. It is possible to install a zone into a ZFS fs, but the installer/upgrader program does not yet understand ZFS well enough to upgrade zones that 'live' on a ZFS file system. Because of this, upgrading a system that has a zone installed on a ZFS file system is not yet supported.
  • If all non-global zones that are configured with "lofs" fs resources are mounting directories that exist in the miniroot, the system can be upgraded from a previous release of Solaris 10 to the Solaris 10 11/06 release using standard upgrade. For example, a lofs mounted /opt directory presents no issues for upgrade.
    However, if any of your non-global zones are configured with a non-standard lofs mount, such as a lofs mounted /usr/local directory, the following error message is displayed:
    The zones upgrade failed and the system needs to be restored from backup.  More details can be found in the file /var/sadm/install_data/upgrade_log on the upgrade root file system.
    The error message is incorrect: although this error message states that the system must be restored from backup, the system is actually fine, and it can be upgraded successfully using the workaround.
    Workaround:
    1. Reboot your system with the installed OS.
    2. Reconfigure the zones, removing the "fs" resources defined with a type of "lofs."
    3. After removing these resources, upgrade the system to Solaris 10 11/06.
    4. Following the upgrade, you can again reconfigure your zones to restore the additional "fs" resources that you removed.
    This problem is being tracked as CR 6454140: "Zones With an "fs" Resource Defined With a Type of "lofs" Cannot Be Upgraded to Solaris 10 11/06" and is also described in the Solaris 10 11/06 Release Notes.
    [November 2006]
    Q: Can I configure my zones on a ZFS filesystem?
    A: Solaris 10 Update Release:
    It is possible to install a zone on a ZFS file system. However, at this time, we do not recommend putting the zonepath of a non-global zone on ZFS due to possible problems with upgrading the system to a later Solaris 10 update release. Support for zonepaths on ZFS is under development. [September 2006]
    Solaris Express Release:
    You can place the zonepath of a non-global zone on ZFS. However, see the question "How do I upgrade a system with zones installed? Does Live Upgrade work?" for related issues. [September 2006]
    Q: What is the default networking service configuration of a non-global zone when it is installed?
    A: On Solaris 10 systems, the traditional open configuration is installed. On SX systems, the limited networking configuration is installed.
    You can switch the zone to either networking configuration by using the netservices command, or enable and disable specific services by using SMF commands. [September 2006]

    Section 5: Security
    Q: Can I access one zone from another zone?
    A: Only through IP connections, e.g. telnet, rlogin.
    Q: Can I 'su' from one zone to another?
    A: No, this would violate the security implementation of zones. In this context, think of zones as separate computers - you can't 'su' from one Unix computer to another.
    You can use the zlogin(1) command to login to a non-global zone from the global zone. You must have all privileges(5) to use zlogin.
    Q: Can I prevent the root account in one zone from affecting other zones?
    A: Because each container has its own namespace, each container has its own root account. Each zone's root account is unable to access other containers in any way.
    Q: Can programs running in one zone change the operation of programs running in another container?
    A: A great deal of design work was done to prevent containers from affecting each other. By default it is very difficult for one local zone to affect another zone, but it is possible. It is also easy for the global zone administrator to configure containers unsafely. Consider these factors:

    • First, there are no known methods for one user (even root) in one local zone to 'break into' another zone (global or non-global).
      However, a modern computer has many resources, some of them real, some virtual. Denial of Service attacks often attempt to use all of the instances of a virtual resource. One early attack on Unix systems was creating so many processes that all of the PIDs were in use, preventing the creation of new processes. There are now methods to prevent those attacks, and those methods automatically apply, or have been applied to, zones. In some cases the method of prevention includes the manual use of Solaris features, e.g. projects.
    • By default it is difficult to disrupt operation of zones. However, the global zone administrator can make it easier for a non-global zone user to impact operation of one or more other zones, even the global zone. Try to avoid assigning disk devices directly to non-global zones: the root user of that zone might be able to take advantage of this to cause a SCSI bus reset or even panic the kernel. Also, avoid assigning the same device or file system to multiple zones unless needed to achieve a specific goal. If that is necessary, ensure that all of the software in those two zones will obey a synchronization mechanism when using the device or file system.
    Q: How do I prevent a 'fork bomb' from affecting all of the zones?
    A: A 'fork bomb' is a process which creates (forks) as many child processes as possible, attempting to use up all of the virtual memory or PIDs in a system, resulting in a Denial of Service to other users. If you would like to prevent someone from doing this in a non-global zone, add this to a zone's configuration, using zonecfg(1M):
    add rctl
    set name=zone.max-lwps
    add value (priv=privileged,limit=1000,action=deny)
    end
    That will prevent a zone's processes from having a total of more than 1000 LWPs simultaneously. [December 2005]
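    As an added example (not code from the FAQ), the script below parses the command-file text that zonecfg export prints and checks three things the FAQ raises: device resources assigned directly to a zone (Section 5), lofs fs resources outside the miniroot that block the Solaris 10 11/06 upgrade (Section 4), and whether a zone.max-lwps limit is configured. The sample export, the device path and the miniroot directory list are constructed or assumed for this example.

```python
"""Audit 'zonecfg -z NAME export' output (added example, not FAQ code).

Reports device resources, lofs fs resources (flagging those outside the
miniroot, which block the Solaris 10 11/06 upgrade) and the zone.max-lwps
fork-bomb limit. The sample zone below is constructed data.
"""
import re

# Constructed sample of what 'zonecfg -z my-zone export' might print.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/zone_roots/my-zone
add net
set address=10.1.1.1
set physical=hme0
end
add fs
set dir=/opt
set special=/opt
set type=lofs
end
add fs
set dir=/usr/local
set special=/export/local
set type=lofs
end
add device
set match=/dev/rdsk/c1t0d0s0
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
"""

# Directories present in the install miniroot (assumed list for this
# example; /opt is the case the FAQ itself cites as safe to lofs-mount).
MINIROOT_DIRS = {"/opt", "/usr", "/lib", "/sbin", "/platform"}


def parse_export(text):
    """Return (top-level settings, [(resource type, settings, values)])."""
    top = {}
    resources = []
    current = None  # resource being built between 'add X' and 'end'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("create"):
            continue
        if current is None and line.startswith("add "):
            current = (line.split(None, 1)[1], {}, [])
        elif current is not None and line.startswith("add value"):
            current[2].append(line[len("add value"):].strip())
        elif current is not None and line == "end":
            resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            target = top if current is None else current[1]
            target[key.strip()] = value.strip()
    return top, resources


def audit(text):
    """Summarise the risky or upgrade-relevant settings of one zone."""
    _, resources = parse_export(text)
    devices = [p.get("match", "?") for t, p, _ in resources if t == "device"]
    lofs = [p.get("dir", "?") for t, p, _ in resources
            if t == "fs" and p.get("type") == "lofs"]
    max_lwps = None
    for t, p, values in resources:
        if t == "rctl" and p.get("name") == "zone.max-lwps":
            for v in values:  # e.g. (priv=privileged,limit=1000,action=deny)
                m = re.search(r"limit=(\d+)", v)
                if m:
                    max_lwps = int(m.group(1))
    return {"devices": devices, "lofs_dirs": lofs,
            "upgrade_blocking_lofs": [d for d in lofs if d not in MINIROOT_DIRS],
            "max_lwps": max_lwps}  # None means no fork-bomb limit configured


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```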
    Section 6: Application-specific Information
    Q: Can Oracle use shared memory in a Container?
    A: Because we keep improving Containers, there are two different answers to this question.
  • Solaris 10 11/06 and later: Yes, Oracle can use ISM or DISM in a Container. To enable the use of DISM, the global zone administrator must add the privilege "proc_lock_memory" to the Container. To do this, use zonecfg(1M) to add the line
    set limitpriv=default,proc_lock_memory
    to the Container's configuration. [January 2007]
  • Solaris 10, Releases 3/05, 1/06, 6/06: Yes, however Oracle can only use ISM (Intimate Shared Memory) in a zone. It cannot use DISM (Dynamic ISM) in a zone. This is a side-effect of the implementation of the security boundary which protects zones from each other. [June 2006]
    Q: Can I use the Solaris 10 FSS (Fair Share Scheduler) with Oracle in a Solaris Container?
    A: There are currently (June 2006) two distinct concerns regarding the use of FSS in a Container when running Oracle databases:
  • In testing - Oracle processes use internal methods to prioritize themselves to improve efficiency. It is possible that these methods might not work well in conjunction with the Solaris FSS. Although there are no known problems with non-RAC configurations, Sun and Oracle are testing this type of configuration to discover any negative interactions. This testing should be completed soon.
  • It is not possible to use the Solaris FSS with Oracle RAC in a Container. A Solaris patch is being tested that fixes this problem.
    Section 7: Other Server Virtualization Solutions
    Q: What are zones' strengths compared to other server virtualization solutions?
    A: Solaris Zones have many strengths relative to other server virtualization solutions, including:

    • Cost: zones are a feature of the operating system. There is no extra charge for using them.
    • Integration: Zones are integrated into the operating system, providing seamless functionality and a smooth upgrade path.
    • Portability: Zones are not tied to any one hardware platform. As a device-independent feature set of OpenSolaris, their functionality is exactly the same on all hardware to which OpenSolaris has been ported.
    • Observability: The Global Zone has visibility into all activity in all zones, including viewing process and network activity, system-wide accounting and auditing, etc. This makes it possible to find performance problems and resolve inter-zone conflicts, both of which are extremely difficult problems on most other SV solutions. It is even possible to re-host applications typically found on different systems (e.g. web server and app server) on different zones in the same system, and then use DTrace to analyze their interactions.
    • Manageability: You can manage all of the zones on one system as one collection, rather than as separate servers. This includes adding packages and patches once per system, not once per zone.
    • Sun Dynamic System Domains

    Q: Are containers like VMware?
    A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the basic model is different: Containers form isolated application environments that share one OS instance, while VMware hosts multiple OS instances. The differences also include:

    • Containers are only available for Solaris 10. VMware supports Solaris, Microsoft Windows and Linux clients, simultaneously.
    • VMware uses a great deal of CPU capacity managing the multiple environments. CPU overhead of containers is hardly measurable (typically
    Q: Are containers like HP vPars or nPars?
    A: Containers are not similar to either except in purpose: server consolidation. However, the differences include:

    • HP nPars and Sun's Dynamic System Domains are similar in that both provide complete isolation of data, applications, and programs. A complete comparison of Domains and nPars is outside the scope of this document.
    • vPars are HP's "soft" partitioning technology. vPars and Containers each enable multiple applications to co-exist in a set of hardware resources with some degree of isolation.
    • Each vPar is its own instance of an operating system, and must be managed separately. Each container is a virtual instance of Solaris, but there is only one copy of Solaris to maintain.
    • Containers are only available for Solaris 10. vPars only support HP-UX (versions ??).
    • All vPars share the same root password. Someone who gains root access in one vPar can do anything to any vPar. Conversely, each Solaris Container has its own namespace, including its own root account. Someone who gains root access in one container can damage that container (unless privileges have been removed) but cannot cause any damage to any other container, including the global container. However, keep in mind that if a vPar or Container is configured poorly, the potential for inter-partition damage is increased.

    Q: Are containers like IBM Micro-Partitions?
    A: They are only vaguely similar. Both technologies are very useful for consolidating servers. However, the differences include:

    • Containers are only available for Solaris 10. MicroPars only support AIX 5.3, RH.
    • Each MicroPartition requires a separate license to run an operating system. There is a cost associated with each AIX license.
    • Containers have almost no overhead, i.e. running 10 applications in 10 Containers is only slightly less efficient than running those 10 applications in a non-zoned system. The difference is typically in addition to the application workload.
    • Containers and MicroPartitions can share I/O resources, but the implementation is different. MicroPars that want to share an I/O connector must use an LPAR dedicated to the multiplexing of I/O. This LPAR has extra costs associated with it: one or more additional Power processors, another AIX license, etc. [Updated July 2005]

    Q: Are containers like Linux vServers?
    A: The basic model used to implement the Solaris 10 Containers feature set and the Linux vServers project are fairly similar. However, the implementation is different. (More coming soon!) [Updated August 2005]
    Section 8: Common but Non-Obvious Problems
    Q: I created a zone and booted it, but it doesn't work. What should I do?
    A: The most common problem is that the zone doesn't have its system identification information yet. You can determine if this is the problem by running "ps -fz zone-name" in the global zone. If the output only shows zsched, init, and a few (3-6) processes related to SMF (/lib/svc/..., /usr/sbin/svccfg) then system identification is not complete. To complete this, attach to the zone's console by running "zlogin -C zone-name" in the global zone, pressing Enter once, and following the instructions. [March 2006]
    Q: I added some privileges to a user in a zone, and now the user can't login. What should I do?
    A: This resulted from a bug that was fixed in Solaris Express 4/06. It will be corrected in Solaris 10 11/06 as well.
    Updated information on privileges and zones has been added to the System Administration Guide: Solaris Containers--Resource Management and Solaris Zones. See the documentation for a list of the Solaris privileges and the status of each privilege with respect to zones. To alter privileges in zones, use the limitpriv property in zonecfg. [September 2006]
    Q: I tried to upgrade to Solaris 10 11/06 and it told me the upgrade failed and I need to restore from backup. Now what?
    A: Although this error message states that the system must be restored from backup, the system is actually fine, and it can be upgraded successfully. See "How do I upgrade a system with zones installed? Does Live Upgrade work?" for more information and a workaround you can use to upgrade your system.


    This article is from the ChinaUnix blog; to view the original, see: http://blog.chinaunix.net/u/26090/showart_326645.html