Slashdot Mirror


Zones are in Solaris Express (Solaris 10)

snoofy writes "Zones, as people from Sun Microsystems have talked about for some time, are now available in Solaris Express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network. Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."

2 of 164 comments

  1. Re:Can this be used for honeypots? by Anonymous Coward · Score: 5, Insightful

    If I am understanding the technology correctly, then I don't think you would want to run a honeypot/net in this configuration. The processes are isolated, but the kernel/core components are not.

    Most compromises break/modify some kernel/core components to achieve the compromise. If a honeypot/net were run using this configuration, then it seems that once the honeypot/net were compromised, the WHOLE system (read: the part you wanted to keep safe) would be compromised.

    Technology like VMware uses a completely virtualized OS from a separate installation and running instance of its kernel/core files. A compromise on a VMware honeypot is much easier to recover from using the Snapshot/Revert features.

    Then again, I may not completely understand the technology.

  2. Solaris is for real users by mveloso · Score: 5, Insightful

    After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.

    Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.

    In Real Life (and in the well-run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).

    Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?

    With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.

    Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that Ultra 5 in the basement to the big cat in the data center.

    I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.

    Just another step on the road to virtualization...