Zones are in Solaris Express (Solaris 10)
snoofy writes "Zones, which people from Sun Microsystems have talked about for some time, are now available in Solaris Express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones, which will make it look like different systems on the network.
Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."
Where have I seen this before... Oh that's right, the features Compaq/HP have been shipping with their Tru64 AlphaServers for _years_. Good job Sun. http://h18002.www1.hp.com/alphaserver/nextgen/partitions.wmv. Anyone who buys SPARC over Alpha is an idiot. Hell, you can even do this on Linux with UML... Sun is playing catchup with just about everyone, but somehow manages to push enough spin on it to make every dumbass journo announce it as an amazing technical innovation. http://user-mode-linux.sourceforge.net/. Sorry people, but Sun are pushing 20th century technology with some marketing spin to make it sound up to date.
It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.
That was a project of a cross-platform "virtual OS" to be run "on top of" other OSes (loaded like a normal process) designed with security in mind - building exploits in it was meant to be impossible. I'm not sure about progress, but launching 10 Argante processes on, say, plain Linux running nothing but "bare bones" was meant to be equal to creating 10 computers, each running Argante OS, to create, say, 10 super-secure servers.
Is this similar to running multiple instances of VMWare or Bochs?
This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installation finished, I couldn't even make it recognize the integrated network card.
I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.
This sounds like Xen for Linux...
UML here means User Mode Linux.
You are referring to UML as Unified Modelling Language.
Don't forget Xen, VMWare, and Bochs (not as fast, but still cool).
There are already a ton of viable OS virtualizers out there. This news is seriously a real yawner.
From what I read in the newsgroup article, this sounds awfully like the "jail" feature in BSD. You can effectively set up entirely different machines using jails. You can reboot, configure, and manage individual jails just like zones.
Can anyone more knowledgeable comment on whether they use similar kinds of calls to set up a zone as opposed to a jail?
What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.
what kind of advantage does this have over say... a chroot jail? or are processes in different zones jailed off from one another?
Network security will now be called "Zone Defense."
What does that make man-to-man? P2P?
...it's just VMWare ESX Server for Solaris then?
It's probably an interesting tool for hosting companies that wish to sell Solaris ('root')-servers...
>Where have I seen this before... Oh that's right,
>the features Compaq/HP have been shipping with
> their Tru64 Alpha Servers for _years_.
First, I watched this movie; your comparison is unfair. HP/Compaq/DEC partitions are more like Sun domains, i.e. implemented in hardware. Domains have been around since, say, 1996, when the E10K was introduced.
> Sorry people, but sun are pushing 20th century
> technology with some marketing spin to make it
> sound up to date.
While Solaris zones are similar to UML or other virtual OS instance technologies, there are some innovative features which would be really useful, say, on a multiprocessor Opteron that you want to consolidate some applications on:
1) Support: I can expect to run Oracle/WebSphere, etc. in this zone without having to say "oh, and this is UML" (which I have seen many times on mailing lists). (I mean application support; the fact that an OS vendor is behind this is good news as well.)
2) Integration with the Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modifications to ps/prstat (Solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?
3) Interface bindings - can bind a zone to a specific NIC.
4) Greenline - the init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.
5) DTrace - the greatest thing ever, dynamic tracing of the kernel. Fully integrated with Solaris Zones.
Solaris Express is a program that they are using to give people early access to Sun software. Solaris 10 is not Solaris Express.
Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ or the BSD jail feature provide. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that each context acts like a separate server, but in fact they are all running on the same kernel.
Linux-vserver is a great project. We have been running different services under different "virtual" servers for a while and its performance is stellar.
This is not true; I have run several copies of Solaris Express (b42, b44, b51) on several Sun Blade 100/ Sun Blade 150s. Install was fine. There are some bugs; yes. Which is why this is a beta. But basic support for networking and install are not one of these bugs. Nice try.
Well if this is SO common in other flavors of UNIX, then why hasn't Linux copied it yet, hmmm?
If it were that ubiquitous, Linux would have knocked it off already and claimed that it's some major step forward.
What sysadmin with any brains runs NIS in this day and age? That's so 1995. I mean come on, you might as well post your passwords on the wall for all to see.
NIS+ or LDAP, folks....
What part of 'beta' do you not understand?
It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.
Here's a post about it.
Here's Sun's page on it.
This looks just like the Virtual Server project that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.
Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals.
Mod parent up!
Thanks for the clarification. As a basic Unix user I was having a hard time following these threads until I realised UML was not what I was thinking it was!
I guess the smartass answer is to say that Unified Modeling Language is a honeypot for trapping managers.
Actually this is Sun's implementation of BSD jails with their "Resource Manager" software for resource allocation.
Sun has had the ability to do multiple system images on the same box for a while, but they've always been hardware partitioning only. The 4800/6800/12k/15k allowed you to run different domains on the same system, so long as you had the right combo of CPU and I/O boards. This was great if you had one of those systems, but not so hot if you had a workgroup level system (e.g. E450 or V880). I'm glad to see they've put software partitioning in the O/S so I can take a mid range system and chop it up into separate pieces. AIX and HP-UX have been able to do the software side thing for a while (but not the dedicated hardware piece, I believe).
This will help with consolidation and utilisation on existing machines, I think.
I believe this is not too far from what you can achieve with User Mode Linux. We've been using similar technology in Unix classes at school using UML.
There are, however, a few differences:
1.) Solaris accesses the host filesystem, while in User Mode Linux you have to provide a file or block device with a disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, but I don't know how usable it is. You could of course overcome this by doing root FS on NFS and DHCP and letting the guest OS mount the host's partition via NFS. This would probably have quite a significant performance overhead though :(. Filesystem in filesystem is not very optimal either.
2.) It is not that easy to set up. This could be done with a few scripts. I would love Debian and possibly other distros to have scripts which would instantly create the zone's filesystem. Preferably, it would allow for some sharing (e.g. creating hard links to the original data, and the kernel would unlink and copy transparently if the slave wants to write -- some equivalent of the copy-on-write seen in memory management).
3.) The networking is not so easy to set up. Could also be part of the script.
4.) Linux does not have resource allocation as well done as Solaris. So the guest kernel should be able to limit itself (e.g. not to use more than 30% of CPU time). Is it possible to do some precise resource allocation under Linux (maybe using some patch to the kernel, or something like that)?
http://user-mode-linux.sourceforge.net/
... or bochs for that case.
Seems to me it's just a fancy name for an already existing product.
So how is that relevant to existing Solaris users?
The point is "It's available to Solaris users"!
It doesn't matter whether VMWare, User-Mode Linux, SGI, HP, Digital or whoever came up with this. The point is it's available in SOLARIS NOW! (well soon)
AIX and HPUX have been able to do similar-ish stuff for a while, but with severe restrictions. IBM's LPARs require a mix of hardware and software and IBM recommend a minimum of three cpus. There are other restrictions regarding sharing I/O boards, etc, etc. You can't dynamically resize an LPAR without a reboot, for example.
With the mix of software 'zones' and Sun's hardware oriented dynamic system domains, you have something that's a lot more powerful than IBM's LPARs.
HP can do what I believe they call VPARS, which are like Sun's system domains - carving a server up into separate hardware separated servers. They have no dynamic capability though - if you want to allocate more cpu and memory to your Oracle batch job overnight, you have to make the adjustments and reboot the server for the changes to take effect. A Sun box with domains will take care of the changes on the fly.
I don't know if they can do a software only zone-type thing. I believe they can't.
Is a zone just a stripped-down virtual machine? This doesn't seem to be answered too well, but that's what it looks like.
VMs are bad, if only because the I/O performance takes an obvious hit. Any attacker worth his/her salt would be able to tell that they're logged into a VM with a little experimentation...so this thing's use as an effective honeypot is pretty much (against a smart attacker).
The Right Reverend K. Reid Wightman,
I had NO problems doing just that on my Sunblade 100. Must be a user error.
Yes, FreeBSD forever, till the boss says, the budget is half a million for the next year, then it's "Good morning Sunshine!"
I've got a fairly standard Sun Ultra2 Creator3D workstation. Solaris 9 was a complete horror show... I've got many years experience noodling around with Solaris, from its old SunOS 4 days as "Solaris 1" right up to Solaris 7 (2.7, for those on the inside.) I know what the hell I'm doing, but I was completely baffled and defeated by Solaris 9. Nothing worked, from the installer to the administration utilities (command line and GUI) to the SunScreen firewall software. I spent a week trying to get this basic web server/NAT firewall up and running. Its lack of attention to basic detail is inexcusable, and goes a long way toward explaining why Sun has lost so much market share in the past two years. IBM's a PITA to work with, but it's well documented and works out of the box with only a bit of tinkering.
For grins, I popped out the extra processor, and loaded, configured and deployed OpenBSD in all of three hours, NAT and Apache and DJBDNS and all.
I tried an earlier build of Solaris 10, and it didn't go at all well. I'll try this one (which purportedly has a Sun-commissioned version of IPFilter), and if I can't get it to do what I want in an afternoon, I'll slap SuSE on it instead. Or Gentoo... Gentoo might be fun, even if it does take forever to compile.
SoupIsGood Food
I am sorry, but isn't this more or less the same as CPU partitioning like Xeon hyperthreading?
Sun needs to lower the prices of SPARC systems so that a 400MHz SPARC doesn't cost $1000 in the year 2004. If it wasn't for eBay, Sun would have disappeared in more places than just datacenters.
Who watches the zones? I see virus-ridden mutant zones slipping around unseen within the system.
idea and sticks it into Linux distros. Open source == useless leeches of the OS world...
I've read about chroot, and even set one up a while ago, but more or less just using the howto. Are Solaris Zones similar to the chroot setup in Linux?
You've been able to grow the AIX LPARs dynamically in various ways for a couple of years now; adding CPU and memory is just a case of clicking an arrow in the Java management GUI used.
AIX5.2 does require the allocation of an entire CPU, hard drive, and network adapter to each partition though, and this is the real problem - there's no hardware virtualisation.
The AIX5.3 update and the soon to be released Power5 hardware supports 10 partitions per CPU, and virtual disks and ethernet adapters.
Ewan
Nice feature, but hardly a big breakthrough. HP-UX has had the same capability for years, except HP calls it "partitioning".
Too Little, Too Late to help save Solaris and Sun....
Only 30 years to catch up with IBM. Have they even caught up? Sorry if I don't get over excited about this.
Zones kind of sound like IBM's VM (Virtual Machine) OS, except that with VM, you could run a different operating system in each "zone".
After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.
Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.
In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).
Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?
With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.
Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.
I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.
Just another step on the road to virtualization...
Is anyone else tired of Sun's copycat software development? Sun, go home, your development efforts aren't interesting to those who think outside of the box anymore. FreeBSD has had jails since March 2000. Sure jail(8) never had a marketing department come along to spiff up the name, but your software is of no interest anymore.
Now, what Sun can do with an Opteron, on the other hand, is of interest.
T SUN PLZ BE SHIPPINK ME A 32 WAY OPTERON TEST BOX K PLZ THX
-- Sean Chittenden
As far as I know, you can only partition the Sun boxes named here before into board partitions, so most of the time 4 CPUs minimum plus whatever else is on the removable system board, while on IBM boxes you can partition at the CPU level. However, what CPU is powerful enough to run 10 partitions and still perform well on all of them? The future will bring them, and I like these new babies that IBM is cribbing... I'm happy I can work with both systems at the moment and type this on a Mac. Do I miss Microsoft these days? Eeeh, no, not really. Are they still in business these days?? Someone please tell me.
I have the DVD-ROM version, you insensitive clod!
Actually, I have both CD and DVD media; I'd like to use the latter (no need to swap CDs in the middle of the installation), but I was foiled:
At this point, I cut my losses and went back to the traditional CD1 installation. >:-|
If you know how to boot the DVD into CD1 mode, please let me (and others) know in a reply to this thread - thanks!
IBM said to be reeling after this 30-year late counterpunch. News at eleven.
That is all.
You can do hardware partitioning on HP-UX machines as well, depending on the model.
If you know how to boot the DVD into CD1 mode...
Sorry, the only DVD drive I own is my PlayStation. Sun generally provides decent documentation, so I'm sure there is a way, somewhere (e.g., docs.sun.com, sunsolve.sun.com, google groups, etc.).
Why is this considered such a big deal? With the presence of such technologies as VMWare, Bochs, UML and especially Virtuozzo/Linux, I'm really not understanding the hype about Zones.
What are the differences between the 3?
I am curious if I could write some assembly level programs in a virtual state or isolated area that will be bullet proof. As you all know you can screw up and freeze your system if you make a mistake in assembly.
I would love a way to write assembly level programs for computer science virtualized so if it freezes it won't take down the whole system.
I multitask a lot and use FreeBSD, which unfortunately does not have a journaling filesystem.
User Mode Linux seems promising and I was wondering if Solaris Zones or BSD jails had this type of functionality? They seem great for security, but if there were VMware-like functionality it would be a plus for development work as well.
This new feature ought to be called a "twilight zone".
On HP you have hard partitions (nPars) (on rp8400, rp7410 and Superdome) and vPars (virtual partitions) on any machine running 11i+. The vPars do have some dynamic reconfigurability; the last time I used them, which was just over a year ago, you could reassign CPUs on the fly, but playing with RAM required a reboot.
We used this technology to enable us to use one Superdome for both QA and DR. We had three hard partitions and split each of these into two vPars. We could assign most CPUs and most of the RAM to the QA vPars, but if we needed to invoke DR then we could switch it over so that most of the resources were in the DR vPar (this would of course require a reboot). A bit mind boggling but very cool, and it worked flawlessly!
It's very weird to have two sessions on two vPars which are on the same machine (a machine without hardware partitioning like an N-class) and rebooting one partition in one session whilst Oracle runs flawlessly on the other!!!!
It would be interesting to virtualize the machine down to the IP level. You could run separate instances of routed (or whatever) in each virtualized machine's space, then have a router cloud-in-a-box. Now you can play games like changing the data or error rate on certain links, bring routers up or down, etc.
Yes, I know you could use NISTnet but this would allow you to do other things. Besides, with a virtualized machine you get (?) more assurance that things are correct down to the Nth level.
I tried running four instances of UML on a 2400XP+ machine and it's usable, though not necessarily for 100Mb/s traffic. Doesn't give you much in the way of network depth though. Tried four instances of VMware+NetBSD on a P-III/500 and it's painful. Am currently struggling with Xen now, but I'm ready to try a userland VM instead.
>I multitask a lot and use FreeBSD, which unfortunately does not have a journaling filesystem.
A lot of people screw up unfortunately and think that FreeBSD needs a journaling filesystem. FreeBSD has a reworked UFS (dubbed UFS2) and soft-updates which is functionally equivalent to what most people think of as journaling (it guarantees ordered writing of metadata). (Please don't give me shit about ext3 doing data journaling either because I've never found someone that actually uses that because of the insane penalties.)
Check out softupdates, you can enable them with softdep in the options to mount the UFS slice.
Brandon
Are you still using Windows 9x/Me?
Any other recent operating system has proper memory and resource protection. The worst your assembly program will do is cause the operating system to terminate it.
The assembly language is not a gateway to rampant system destruction.
You can only add existing CPU's to the LPAR. You have to take the system down to add the h/w.
Not only can zones allow you to consolidate the dev, test, training, and staging environments that usually needed to be on several boxes, but now you can have additional uptime with your s/w application on the production server. If the app crashes or locks up, another zone can take over. It's not HA because you are still relying on a single box, but it is a way to provide more uptime for an app. BTW, don't consolidate production with those other non-production functions. It really is never a good practice to place too many variables and potentials for OE onto the production server.
SWsoft has a commercial product that creates zones for Linux. They are called virtual environments (VEs) and they all share the same kernel; check it out at http://www.sw-soft.com/. It is lightweight.