Solaris Containers
Solaris Containers is an implementation of operating system-level virtualization technology for x86 and SPARC systems, first released publicly in February 2004 in build 51 beta of Solaris 10, and subsequently in the first full release of Solaris 10, 2005. It is present in newer OpenSolaris-based distributions, like OpenIndiana and Solaris 11 Express.

A Solaris Container is the combination of system resource controls and the boundary separation provided by zones. Zones act as completely isolated virtual servers within a single operating system instance. By consolidating multiple sets of application services onto one system and by placing each into isolated virtual server containers, system administrators can reduce cost and provide most of the same protections of separate machines on a single machine.
Terminology
There is always one zone defined, named the "global" zone. Zones hosted by a global zone are known as "non-global zones" but are sometimes just called "zones". The term "local zone" is specifically discouraged, since in this usage "local" is not an antonym of "global". The global zone encompasses all processes running on the system, whether or not these processes are running within a non-global zone. Unless otherwise noted, "zone" will refer to non-global zones in this article.
Description
Each zone has its own node name, virtual network interfaces, and storage assigned to it; there is no requirement for a zone to have any minimum amount of dedicated hardware other than the disk storage necessary for its unique configuration. Specifically, it does not require a dedicated CPU, memory, physical network interface or HBA, although any of these can be allocated specifically to one zone.

Each zone has a security boundary surrounding it which prevents a process associated with one zone from interacting with or observing processes in other zones. Each zone can be configured with its own separate user list. The system automatically manages user ID conflicts; that is, two zones on a system could have a user ID 10000 defined, and each would be mapped to its own unique global identifier.
A zone can be assigned to a resource pool (processor set plus scheduling class) to guarantee certain usage, or can be given shares via fair-share scheduling. A zone can be in one of the following states:
- Configured: configuration was completed and committed
- Incomplete: Transition state during install or uninstall operation
- Installed: the packages have been successfully installed
- Ready: the virtual platform has been established
- Running: the zone booted successfully and is now running
- Shutting down: the zone is in the process of shutting down - this is a temporary state, leading to "Down"
- Down: the zone has completed the shut down process and is down - this is a temporary state, leading to "Installed"
Some programs cannot be executed from within a non-global zone; typically this is because the application requires privileges that cannot be granted within a container. As a zone does not have its own separate kernel (in contrast to a hardware virtual machine), applications that require direct manipulation of kernel features, such as the ability to directly read or alter kernel memory space, may not work inside of a container.
Resources needed
Zones induce a very low overhead on CPU and memory. Currently a maximum of 8191 non-global zones can be created within a single operating system instance. "Sparse Zones", in which most filesystem content is shared with the global zone, can take as little as 50MB of disk space. "Whole Root Zones", in which each zone has its own copy of its operating system files, may occupy anywhere from several hundred megabytes to several gigabytes, depending on installed software.

Even with Whole Root Zones, disk space requirements can be negligible if the zone's OS file system is a ZFS clone of the global zone image, since only the blocks different from a snapshot image need to be stored on disk; this method also makes it possible to create new zones in a few seconds.
Branded zones
Although all zones on the system share a common kernel, an additional feature set has been added called branded zones (BrandZ for short). This allows individual zones to behave in a manner other than the default brand of the global zone. The existing brands (October 2009) can be grouped into two categories:
- brands which do not perform system call translation:
  - 'native' is the default for Solaris 10
  - 'ipkg' is the default for OpenSolaris
  - 'cluster' is used for Solaris Cluster zones
  - 'labeled' is used for zones in a Solaris Trusted Extensions environment
- brands which perform system call translation:
  - 'solaris8' provides a Solaris 8 environment on a Solaris 10 system, including translation from Solaris 8 system calls to Solaris 10 system calls (available only on SPARC systems)
  - 'solaris9' provides a Solaris 9 environment on a Solaris 10 system, including translation from Solaris 9 system calls to Solaris 10 system calls (available only on SPARC systems)
  - 'lx' provides a Red Hat Enterprise Linux 3 environment on a Solaris 10 system, including translation from RHEL 3 system calls to Solaris 10 system calls (available only on x86 systems)
  - 's10brand' provides a Solaris 10 environment on an OpenSolaris or Oracle Solaris 11 system, including translation from Solaris 10 system calls to OpenSolaris/Oracle Solaris 11 system calls
The brand for a zone is set at the time the zone is created. The second category is implemented with interposition points within the OS kernel that can be used to change the behavior of syscalls, process loading, thread creation, and other elements.
For the 'lx' brand, libraries from Red Hat 3 or an equivalent distribution such as CentOS are required to complete the emulated environment.
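The zone states and brand categories above are what an administrator sees in a zone inventory. The following added example (not part of the original article or of Solaris itself) parses a constructed sample of `zoneadm list -cv` output and flags zones that are not running or that run a legacy userland through one of the syscall-translating brands; the column layout and sample zone names are assumptions for illustration.

```python
from typing import Dict, List

# Zone states listed in the article, in the spelling zoneadm prints them.
ZONE_STATES = {"configured", "incomplete", "installed", "ready",
               "running", "shutting_down", "down"}

# Brand groups from the article: the second group emulates a foreign
# userland via kernel system-call translation, which an inventory should flag.
NATIVE_BRANDS = {"native", "ipkg", "cluster", "labeled"}
TRANSLATING_BRANDS = {"solaris8", "solaris9", "lx", "s10brand"}

# Constructed sample of `zoneadm list -cv` output (not captured from a real host).
SAMPLE_LISTING = """\
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              native   shared
   1 web01            running    /zones/web01                   native   exclusive
   - db01             installed  /zones/db01                    native   shared
   5 legacy-erp       running    /zones/legacy-erp              solaris8 shared
   - lxtest           configured /zones/lxtest                  lx       shared
"""


def parse_zoneadm_list(text: str) -> List[Dict[str, str]]:
    """Split the six whitespace-separated columns; ID is '-' for zones not running."""
    zones = []
    for line in text.splitlines()[1:]:          # first row is the column header
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"unexpected zoneadm line: {line!r}")
        zid, name, status, path, brand, ip = fields
        if status not in ZONE_STATES:
            raise ValueError(f"unknown zone state {status!r} for zone {name}")
        zones.append({"id": zid, "name": name, "status": status,
                      "path": path, "brand": brand, "ip": ip})
    return zones


def audit_zones(zones: List[Dict[str, str]]) -> List[str]:
    """Return one finding per condition a reviewer would want to look at."""
    findings = []
    for z in zones:
        if z["name"] == "global":               # always present, never a finding
            continue
        if z["brand"] in TRANSLATING_BRANDS:
            findings.append(f"{z['name']}: brand {z['brand']} emulates a legacy userland via syscall translation")
        elif z["brand"] not in NATIVE_BRANDS:
            findings.append(f"{z['name']}: unrecognised brand {z['brand']}")
        if z["status"] != "running":
            findings.append(f"{z['name']}: state {z['status']}, confirm the zone is meant to be idle")
    return findings
```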
Documentation
The Solaris operating system provides man pages for Solaris Containers by default; more detailed documentation can be found at various on-line technical resources.

The first published document and hands-on reference for Solaris Zones was written in February 2004 by Dennis Clarke at Blastwave.org, providing the essentials to getting started. This document was greatly expanded upon by Brendan Gregg in July 2005. The Solaris 8 and Solaris 9 Containers were documented in detail by Dennis Clarke at Blastwave(tm) again in April 2008 and this has become a simple How To style guide that can get people started with Solaris Containers in a production setting. The Blastwave Solaris 8 and Solaris 9 Containers document was very early in the release cycle of the Solaris Containers technology and the actions and implementation at Blastwave resulted in a followup by Sun Microsystems marketing. More extensive documentation may be found at the Sun Microsystems documentation site, the Sun BluePrints Archive, and the Sun Solaris Containers Learning Center.
Implementation issues
The standard Solaris NFS server is implemented in the kernel, and cannot be used for exports within non-global zones. Third party NFS server software that is not implemented in the Solaris kernel may work.
Branded zones are not supported on the sun4us architecture (Fujitsu PRIMEPOWER servers).
Similar technologies
- Other implementations of operating system-level virtualization technology
See also
- Operating system-level virtualization
- Comparison of platform virtual machines
- Virtual machines
- OpenSolaris
- OpenIndiana