Slashdot Mirror
Zones are in Solaris Express (Solaris 10)
snoofy writes "Zones, as people from SUN Microsystems have talked about for some time are now available in solaris express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network
Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."
This sounds like Xen for Linux...
Trusted Computing FAQ | Free Dawit Isaak!
UML here means User Mode Linux.
You are refering to UML as Unified Modelling Language
Don't forget Xen, VMWare, and Bochs (not as fast, but still cool).
There are already a ton of viable OS virtualizers out there. This news is seriously a real yawner.
From what I read in the newsgroup article, this sounds awfully like the "jail" feature in BSD. You can effectively set up entirely different machines using jails. You can reboot, configure, and manage individual jails just like zones.
Can anyone more knowledgeable comment on whether they use similar kinds of calls to set up a zone as opposed to a jail?
Disclaimer: I am not the author of the following post, I took it form here.
:(. Filesystem in filesystem is not very optimal too.
I believe this is not too far from what you can achieve with user mode linux. We've been using similiar technology in unix classess at school using uml.
There are however few differences:
1.) Solaris accesses host filesystem, while in user mode linux, you have to provide file or block device with disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, but I don't know how usable is this. You could of course overcome this by doing Root FS on NFS and dhcp and letting the guest os mount host's partition via NFS. This would probably have quite significant performance overhead though
2.) It is not that easy to setup. This could be done with few scripts. I would love Debian and possibly other distros to have scripts, which would instantly create the zone's filesystem. Preferably, it would allow for some sharing (f.e. creating hard links to original data and kernel would unlink, copy transparently if slave wants to write -- some equivalent of copy on write seen in memory management).
3.) The networking is not so easy to setup. Could be also part of the script
4.) Linux does not have so well done resource allocation as Solaris. So the guest kernel should be able to limit itself (f.e. not to use more than 30% of cpu time). Is it possible to do some precise resource allocation under Linux (maybe using some patch to kernel, or something like that?)
Sigged!
It seems to be similar to running VMware with multiple virtual machines (VMs) where each VM runs the same OS with different apps.
>Where have I seen this before... Oh that's right,
>the features Compaq/Hp have been shipping with
> their Tru64 Alpha Servers for _years_.
First I watched this movie, your comparsion is unfair; HP/Compaq/DEC partitions are more like Sun domains, i.e implemented in hardware. Domains have been around since say 1996 when E10K was introduced.
> Sorry people, but sun are pushing 20th century
> technology with some marketing spin to make it
> sound up to date.
While Solaris zones are similar to UML or other virtual OS instance technologies there are some innovative features which would be really useful say on multiprocessor Opteron that you want to consolidate some applications on:
1) Support: I can expect to run Oracle/websphere,
etc in this zone without having to say oh and this is UML (which I have seen many times on mailling lists) (I mean applications support the fact that a OS vendor is behind this is good news as well)
2) Integration with Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modications to ps/prstat(solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?
3) Inteface bindings - can bind zone to specific NIC.
4) Greenline - init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.
5) Dtrace - the greatest thing even, dynamic tracing of the kernel. Fully integrated with Solaris Zones.
Solaris Express is a program that they are using to give people early access to sun software. Solaris 10 is not solaris express
Open Source Java DAO Generator
Well considering that alpha is a discontinued platform I doubt anyone would be smart to buy one. Furthermore, if this technology is the next evolution of containers (which I think it is) it's nothing like what you speak of. You don't need to maintain a seperate os image for each zone, making administration easy. The only problem I've had with containers is isolation, which I hear has improved with zones. Physical partitioning (domains) have been in the sun product line since the 10k. Try understanding the technology before you comment about it... or more likely, IHBT
Go away, or I will replace you with a very small shell script.
Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ or BSD jail feature provided. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that they acts each context acts like a separate sever, but in fact they are all running on the same kernel.
Linux-vserver is a great project. We have been running different services under differnt "virtual" servers for a while and its performance is stellar.
:. Ultimate Control Dedicated/VM Servers
This is not true; I have run several copies of Solaris Express (b42, b44, b51) on several Sun Blade 100/ Sun Blade 150s. Install was fine. There are some bugs; yes. Which is why this is a beta. But basic support for networking and install are not one of these bugs. Nice try.
This sounds like a small part of vmware. With vmware you can install multiple different OSes and run them concurrently. Also you have the ability to pause a vm (save the running vm state to disk) and also snapshot/restore. This later feature is great if you are testing. Being able to back up to a known machine state at a press of a button is very handy.
SYS 49152
It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.
Here's a post about it.
Here's Sun's page on it
User Mode Linux provides a hostfs driver for accessing the host's filesystem.
/etc/security/limits.conf. This is a per-user setting, unfortunately.
You're right about not being as easy to setup, I suspect that Solaris has made it very easy to do - but this is speculation at this point.
Linux has such resource allocations. Checkout
The UNL patch is in the -AC kernel and thus comes with RedHat, Mandrake and probably others as well.
Just install the kernel-uml rpm which is included with the standard installation media.
As of Postgres v6.2, time travel is no longer supported.
Or one can go (e.g.) to the original from IBM (first introduced in 1967).
Great minds think alike; fools seldom differ.
This looks just like the Virtual Server project that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.
Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals.
It has been! Notice the huge growth of "virtual colocation" services? Those are usually run with BSD jails or UML. They are a middle ground between consumer shared hosting and full-on managed servers.
This technology has already created a successful and useful market. I think we can only expect more.
"fixes it for you before you've finished typing the mail."
no need to exaggerate here.
the differences between jails and zones should be quite clear, but I can see how someone not having a Sun engineer on the clock to explain it to them might not get it.
zones should be used for a completely different purpose than jails. chrooted 'jails' are for restricting the runtime and filesystems environments for a particular process. in most cases, chrooted jails have nothing but the bare minimum libs and binaries, but it spawned from the original kernel which the parent machines runs.
zones are more like vmware in the way that it is a self-contained runtime environment that has its own protected memory space and kernel...these can then be restricted and allowed for full destruction, since the parent OS is not ifluenced in the same way as a chrooted jail.
in my opinion, Sun's support has never been worse or better than SGI's, HP's or DEC's...and that is still true today. the guy asked a question about the differences between jails and zones, not which is better from a support standpoint. it's a digression, and somewhat of a trolling one at that.
It actually sounds just like a feature that Sun already has on their servers. The Sunfires and Enterprise models can be split into multiple domains, each of which is configured to look like a different machine on the network.
It's good to use your head, but not as a battering ram.
Actually this is Sun's implementation of BSD jails with their "Resource Manager" software for resoruce allocation.
It seems a lot closer to VMWare ESX than VMWare workstation, from the quick blurb.
I've had this sig for three days.
Sun has had the ability to do multiple system images on the same box for a while, but they've always been hardware partitioning only. The 4800/6800/12k/15k allowed you to run different domains on the same system, so long as you had the right combo of CPU and I/O boards. This was great if you had one of those systems, but not so hot it you had a workgroup level system (e.g. E450 or V880). I'm glad to see they've put software partitioning in the O/S so I can take a mid range system and chop it up into separate pieces. AIX and HP-UX have been able to do the software side thing for a while (but not the dedicated hardware piece, I believe).
This will help with consolidation and utilisation on existing machines, I think.
This is quite similar to vPar's in HP/UX (forgive me but I stopped paying attention to HP's ugly stepchildren Alpha & Tru64 a long time ago, it's too bad 'cause it was a great chip but its moribund, you would be wise to do the same pretty soon).
Hard partitions, like Sun Domains, HP's nPARs and IBM's LPARs slice up a physical machine and run an OS image on each slice. As far as I can tell here there is still just one OS image but applications running in these Zones can be isolated from each other. A malicous root user in the global zone is still able to make mischief in the zones if they want to.
The nice thing here unlike on HP is that you can slice up a uniprocessor machine if you have many tiny workloads that need to be isolated. IBM will too be able to do this soon with the next crank of their LPAR technology but a better implmentation with no issues with a global root user.
The corresponding technology in Linux is called "vservers". It has been around for a number of years now, as an external kernel patch.
You can find more info about it on linux-vserver.org.
AIX and HPUX have been able to do similar-ish stuff for a while, but with severe restrictions. IBM's LPARs require a mix of hardware and software and IBM recommend a minimum of three cpus. There are other restrictions regarding sharing I/O boards, etc, etc. You can't dynamically resize an LPAR without a reboot, for example.
With the mix of software 'zones' and Sun's hardware oriented dynamic system domains, you have something that's a lot more powerful than IBM's LPARs.
HP can do what I believe they call VPARS, which are like Sun's system domains - carving a server up into separate hardware separated servers. They have no dynamic capability though - if you want to allocate more cpu and memory to your Oracle batch job overnight, you have to make the adjustments and reboot the server for the changes to take effect. A Sun box with domains will take care of the changes on the fly.
I don't know if they can do a sofwtare only zone-type thing. I believe they can't.
The Zones mentioned here are sun's software partitions. Dynamic system domains are Sun's hardware equivalent of what you're talking about. You can adjust them on the fly, no reboot required, which I believe you can't do with Tru64. You certainly can't with HPUX.
This is based on Trusted solaris as the underlining of the virtual system, but it doesn't share kernel/core as far as the SUN engineer explained it. So in the future you can have different versions of Solaris that support this technology running on the same machine. Everything is separated, FS,Kernel,Core,etc.. AFAIK :)
Almost everything written under "Features:" can be also said about jails: Security, Isolation, Virtualization, Granularity, Transparency. For instance, you can put one single binary in a jail (if it works) or you can put there an entire system. Or, if you want to run a service in a jail (isolation, security), you can build the entire system with make buildworld targetting a jail,and you can optimize that system for running a single service, by stripping out most parts in make.conf:
Jailed processes/systems are so isolated, that even if you root one jailed system, you won't have access to the others/host system (unless admin was stupid enough to have the same passwords). Jails have their own ip addresses and firewall rules as well. I guess (if I read this correctly) we can say there is nothing new under the Sun
This feature has been compared to BSD jails, and it's logical to say that it grew from that feature, but the functionality isn't exactly the same.
A Solaris zone can be rebooted independant of the other zones on the machine; it can have resources added or removed from the zone (CPUs, for example) dynamically, etc.
I'm still installing my copy of SolExp, so I haven't played with the feature just yet. But it looks to be located somewhere between FreeBSD jails and a completely emulated machine like VMWare.
Brandon Hume
hume -> BOFH.Halifax.NS.Ca, http://WWW.BOFH.Halifax.NS.Ca/
Sorry but that is wrong. Both in Trusted Solaris and in Zones there is a single Solaris kernel that is responsbile for the isolation. This is separate userlands with their own nameservice their own filesystems and their own root account.
Zones can't load kernel modules (except indirectly as protocol modules (eg telmod, rlmod), Zones can't (by default) access any raw devices and can't add new network interfaces by themselves.
Nope it is nothing what so ever like that. It looks to the applications like a totally separate machine, with its own network interfaces, its own filesystems and its own CPUs.
Unlike LPARS or Sun Fire Domains this does NOT require any additional hardware for a Zone. You could hosts hundreds of Zones on a single CPU machine with a single disk and single network interface, you are limited only by what they do.
Chroot is not secure, all it really does it change the location of what the application thinks is the root of the filesystem. root in a choot is the same root as the rest of the system. You can break out of chroot environments.
Zones are full application environments with their own network addresses, their own filesystems, etc etc. They look to users and applications like separate machines, but their are acutally all running on a single Solaris kernel that ensures resource and security isolation between them. They can be independantly administered, (re)installed and rebooted.
Then I was wrong, it wasn't explained like that to me by the SUN engineer, he said that the underline of the isolation is one kernel, but it doesn't sure kernels. He also mention that the underlining kernel is based on trusted solaris. Also pointed out that in later releases of Solaris, you will have the ability to upgrade one zone separately, away from all others. But you are correct the underlining kernel is the controller of the hardware, like HAL in Windoze.
AIX does have DLPAR, but the problem with this is that it is only partitioning on a CPU boundary which means despite the fact it is supported on lower-end AIX boxes kind of limits it's use. However with AIX 5.3 and Power-5, DLPARing will be at a sub-CPU partition, up to 100 partitions per CPU is what I've heard. The Power-5 machines will ship with the lower end first before the replacement to the p690, certainly less than $100k per box. It will also support virtual networking etc, so that the LPARs will not have to go out onto the network and the traffic will stay within the box (much goodness). So although Zones sound good, I think that genuine virtual machines ala LPAR are better.
FWIW: LPARs were introduced by IBM in 1987 (plus or minus a year), and it was imitating Amdahl's MDF feature.