What is a global zone?

Solaris Virtualization Technology
이강산

What is a zone?

A zone is a virtual operating system abstraction that provides a protected environment in which applications run.
The applications are protected from each other to provide software fault isolation.
To ease the labor of managing multiple applications and their environments, they co-exist within one operating system instance, and are usually managed as one entity.

What is a container?

A zone which also uses the operating system's resource management facility is then called a container.
Many people use the two words 'zone' and 'container' interchangeably.

What types of zones are available?

Native
The default non-global zone is the native zone.
It has the same characteristics as the Solaris 10 Operating System or later release that is running in the global zone.

Branded Zones
It is also possible to run a different operating environment inside of a non-global zone.
The branded zone (BrandZ) framework extends the Solaris Zones infrastructure to include the creation of brands, or alternative sets of runtime behaviors.
"Brand" can refer to a wide range of operating environments.

What is a global zone? Sparse-root zone? Whole-root zone? Local zone?

After installing Solaris 10 on a system, but before creating any zones, all processes run in the global zone.
After you create a zone, it has processes which are associated with that zone and no other zone.
Any process created by a process in a non-global zone is also associated with that non-global zone.
Any zone which is not the global zone is called a non-global zone.
Some people call non-global zones simply "zones." Others call them "local zones" but this is discouraged.

[Diagram: "Install OS" yields a Global Zone; "Create a zone" yields the Global Zone plus a Non-Global Zone (zone or local zone).]

The default zone filesystem model is called "sparse-root."
This model emphasizes efficiency at the cost of some configuration flexibility.
Sparse-root zones optimize physical memory and disk space usage by sharing some directories, like /usr and /lib.
Sparse-root zones have their own private file areas for directories like /etc and /var.
Whole-root zones increase configuration flexibility but increase resource usage.
They do not use shared filesystems for /usr, /lib, and a few others.

Will my software run in a zone or container?

Most Solaris software will run unmodified in a zone, without needing to re-compile.
Unprivileged software (programs that do not run as root nor with specific privileges) typically runs unmodified in a zone once it can be successfully installed.
Installation software must not assume that it can write into shared, read-only filesystems, e.g. /usr.
This can be circumvented by adding a writable filesystem to the zone (e.g. at /usr/local) or using a whole-root zone.

However, there are a few applications which need non-default privileges to run - privileges not normally available in a zone, such as the ability to set the system's time-of-day clock.
For these situations, the feature named "configurable privileges" has been added.
This feature allows the global zone administrator - the person who manages zones on a system - to assign additional, non-default privileges to a zone.
The zone's administrator can then allow individual users to use those non-default privileges.
An application which requires privileges which cannot be added to a zone may need modification to run properly in a zone.

Here are some guidelines:
An application which accesses the network and files, and performs no other I/O, should work correctly.
Applications which require direct access to certain devices, e.g. a disk partition, will usually work if the zone is configured correctly.
However, in some cases this may increase security risks.
Applications which require direct access to these devices must be modified to work correctly: /dev/kmem, a network device.
Starting with OpenSolaris build 37 and Solaris 10 8/07, a zone can be configured as an "exclusive-IP zone" which gives it exclusive access to the NIC(s) that the zone has been assigned. Applications in such a zone can communicate directly with the NIC(s) available to the zone.
Applications running in shared-IP zones should instead use one of the many IP services.
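As an added example, not part of the original slides: a small POSIX sh/awk check that reads a zone configuration in the text format produced by `zonecfg -z <zone> export` and flags the three settings the slides tie to extra risk or extra configuration: non-default privileges in `limitpriv`, raw device entries, and exclusive-IP. The export text is constructed sample data, and the `limitpriv`/`add device`/`ip-type` property names are assumed from the zonecfg export format.

```shell
#!/bin/sh
# Added example (not from the slides): audit a zonecfg export for the
# settings the deck describes as widening what a zone can touch:
#   - privileges added to limitpriv beyond "default" (configurable privileges)
#   - raw device access granted with "add device"
#   - exclusive-IP, i.e. direct access to a NIC
# SAMPLE_EXPORT is constructed sample data, not taken from a real system.

SAMPLE_EXPORT='create -b
set zonepath=/zones/web01
set autoboot=true
set limitpriv=default,sys_time
set ip-type=exclusive
add net
set physical=e1000g1
end
add device
set match=/dev/rdsk/c0t1d0s6
end
add inherit-pkg-dir
set dir=/usr
end'

# audit_zonecfg: read a zonecfg export on stdin, print one finding per line.
# Prints nothing for a zone with default privileges, no devices and shared-IP.
# Privileges removed from the set (prefixed "-" or "!") are not findings.
audit_zonecfg() {
    awk '
        /^set limitpriv=/ {
            sub(/^set limitpriv=/, "")
            n = split($0, p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] != "default" && p[i] !~ /^[-!]/)
                    printf "PRIV: extra privilege %s\n", p[i]
        }
        /^add device/ { in_dev = 1 }
        in_dev && /^set match=/ {
            sub(/^set match=/, "")
            printf "DEVICE: raw device %s\n", $0
        }
        /^end/ { in_dev = 0 }
        /^set ip-type=exclusive/ { print "NET: exclusive-IP zone (direct NIC access)" }
    '
}

# count_findings: number of findings for the constructed sample (3 here).
count_findings() {
    printf '%s\n' "$SAMPLE_EXPORT" | audit_zonecfg | wc -l | tr -d ' '
}
```

On a real host the input would be `zonecfg -z <zone> export | audit_zonecfg`, run from the global zone.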

How "big" is a zone?

If configured with default parameters, a zone requires about 85MB of free disk space per zone when the global zone has been installed with the "All" metacluster of Solaris packages.
Additional packages installed in the global zone will require additional space in the non-global zones.
SVM soft partitions can be used to divide disk slices and enforce per-zone disk space constraints.
When performing capacity planning, 40MB of additional RAM per zone is suggested.
Applications do not use any "extra" RAM because they are running in a zone.
A zone installed using the "full-root model" will take up as much space as the initial Solaris 10 installation, which will be more than 500MB in most cases.

Can each zone run a different Solaris version?

No.
All of the zones use a single underlying kernel.
The version of the kernel determines the version of every container in that domain.

What types of re-configurations require a non-global zone re-boot?

Adding a device to a non-global zone.
Binding a zone to a pool.