Slashdot Mirror


Zones are in Solaris Express (Solaris 10)

snoofy writes "Zones, as people from Sun Microsystems have talked about for some time, are now available in Solaris Express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network. Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."

14 of 164 comments

  1. Hmmm.... by Anonymous Coward · · Score: 1, Interesting

    Where have I seen this before... Oh that's right, the features Compaq/HP have been shipping with their Tru64 Alpha Servers for _years_. Good job Sun. http://h18002.www1.hp.com/alphaserver/nextgen/partitions.wmv. Anyone who buys Sparc over Alpha is an idiot. Hell, you can even do this on Linux with UML. Sun is playing catchup with just about everyone, but somehow manages to push enough spin on it to make every dumbass journo announce it as an amazing technical innovation. http://user-mode-linux.sourceforge.net/. Sorry people, but Sun are pushing 20th century technology with some marketing spin to make it sound up to date.

    1. Re:Hmmm.... by Anonymous Coward · · Score: 1, Interesting

      The difference between Alpha Tru64 partitions and Sun Solaris zones is that Tru64 requires dedicated I/O/CPU/Mem resources on a per-instance basis. This Alpha feature, which is quite neat, works for OpenVMS too. But I think I like Sun's solution better - no hardware resource pre-allocation is required.

      For instance, you can configure two partitions on Alpha, run an OpenVMS image on each of them and even create a cluster on these two images. In this case if the first image fails for some reason, the second image will still be running cluster processes (given that the quorum is adequate).

      In Sun's case it would be interesting to see what happens if one of the zones triggers a kernel panic...

  2. Can this be used for honeypots? by El Volio · · Score: 5, Interesting

    It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.

    --

    "You can never have too many elephants on your team."

    1. Re:Can this be used for honeypots? by molnarcs · · Score: 2, Interesting

      Ooops, made a mistake: WITH_LIBMAP shouldn't be there (I copied my own make.conf, and forgot to remove that line). That's for choosing between different threading libraries for your applications. (FreeBSD has three: libc_r - old one, libthr - 1:1 threading like Linux, libkse - M:N threading).

  3. Look up Argante by SharpFang · · Score: 4, Interesting

    That was a project of a cross-platform "virtual OS" to be run "on top of" other OSes (loaded like a normal process) designed with security in mind - building exploits in it was meant to be impossible. I'm not sure about progress, but launching 10 Argante processes on, say, plain Linux running nothing but "bare bones" was meant to be equal to creating 10 computers, each running Argante OS, to create, say, 10 super-secure servers.

    --
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

  4. Question by mikeophile · · Score: 2, Interesting

    Is this similar to running multiple instances of VMWare or Bochs?

  5. Only if it works... by RunAmuk · · Score: 5, Interesting

    This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installation finished, I couldn't even make it recognize the integrated network card.

    I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.

  6. But... does "rebooting" a zone fix issues? by 192939495969798999 · · Score: 5, Interesting

    What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.

    --
    stuff |

    1. Re:But... does "rebooting" a zone fix issues? by nemaispuke · · Score: 5, Interesting

      Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).

      The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and were basically told "we will not be the first in doing anything!"

  7. So... by thrill12 · · Score: 0, Interesting

    ...it's just VMWare ESX Server for Solaris then?

    It's probably an interesting tool for hosting companies that wish to sell Solaris ('root')-servers...

    --
    Slashdot: stuff for news, nerds that matter, matter for news, stuff that nerd

  8. looking at the bootup of his system.... by Anonymous Coward · · Score: 1, Interesting

    What sysadmin with any brains runs NIS in this day and age? That's so 1995. I mean come on, you might as well post your passwords on the wall for all to see.

    NIS+ or LDAP, folks....

  9. Questions by giminy · · Score: 1, Interesting

    Is a zone just a stripped-down virtual machine? This doesn't seem to be answered too well, but that's what it looks like.

    VMs are bad, if only because the I/O performance takes an obvious hit. Any attacker worth his/her salt would be able to tell that they're logged into a VM with a little experimentation...so this thing's use as an effective honeypot is pretty much (against a smart attacker).

    --
    The Right Reverend K. Reid Wightman,

  10. Re:Solaris Needs to Pay More Attention to Detail by christophersaul · · Score: 2, Interesting

    Should have added that if you want to get all the OSS stuff installed easily on Solaris, you can easily download it from Sun.com, or better still use pkg-get, an apt-get style tool for Solaris. Do a search on Google for pkg-get and it'll pop up. It's excellent.

  11. Virtual routers anyone? by sd3 · · Score: 2, Interesting

    It would be interesting to virtualize the machine down to the IP level. You could run separate instances of routed (or whatever) in each virtualized machine's space, then have a router cloud-in-a-box. Now you can play games like changing the data or error rate on certain links, bring routers up or down, etc.

    Yes, I know you could use NISTnet but this would allow you to do other things. Besides, with a virtualized machine you get (?) more assurance that things are correct down to the Nth level.

    I tried running four instances of UML on a 2400XP+ machine and it's usable, though not necessarily for 100Mb/s traffic. Doesn't give you much in the way of network depth though. Tried four instances of VMware+NetBSD on a P-III/500 and it's painful. Am currently struggling with Xen now, but I'm ready to try a userland VM instead.