Zones are in Solaris Express (Solaris 10)
snoofy writes "Zones, which people from Sun Microsystems have talked about for some time, are now available in Solaris Express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones, which will make it look like different systems on the network.
Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."
It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.
That may be so, but instead of buying an Alpha, you can run Solaris on x86 hardware. You're also right about UML, but that is probably not as easily configured and certainly not shipped in a ready-made form with a distribution, compared to Sun's solution. Of course, for all the people already committed to Sun, this is a great thing.
That was a project of a cross-platform "virtual OS" to be run "on top of" other OSes (loaded like a normal process) designed with security in mind - building exploits in it was meant to be impossible. I'm not sure about progress, but launching 10 Argante processes on, say, plain Linux running nothing but "bare bones" was meant to be equal to creating 10 computers, each running Argante OS, to create, say, 10 super-secure servers.
Is this similar to running multiple instances of VMWare or Bochs?
This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installation finished, I couldn't even make it recognize the integrated network card.
I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.
This sounds like Xen for Linux...
UML here means User Mode Linux.
You are referring to UML as Unified Modelling Language.
Don't forget Xen, VMWare, and Bochs (not as fast, but still cool).
There are already a ton of viable OS virtualizers out there. This news is seriously a real yawner.
From what I read in the newsgroup article, this sounds awfully like the "jail" feature in BSD. You can effectively set up entirely different machines using jails. You can reboot, configure, and manage individual jails just like zones.
Can anyone more knowledgeable comment on whether they use similar kinds of calls to set up a zone as opposed to a jail?
Disclaimer: I am not the author of the following post, I took it from here.
Filesystem in filesystem is not very optimal either.
I believe this is not too far from what you can achieve with User Mode Linux. We've been using similar technology in Unix classes at school using UML.
There are however few differences:
1.) Solaris accesses the host filesystem, while in User Mode Linux you have to provide a file or block device with a disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, but I don't know how usable it is. You could of course overcome this by doing root FS on NFS and DHCP and letting the guest OS mount the host's partition via NFS. This would probably have quite significant performance overhead, though.
2.) It is not that easy to set up. This could be done with a few scripts. I would love Debian and possibly other distros to have scripts which would instantly create the zone's filesystem. Preferably, it would allow for some sharing (e.g. creating hard links to the original data, and the kernel would unlink and copy transparently if the slave wants to write -- some equivalent of the copy-on-write seen in memory management).
3.) The networking is not so easy to set up. Could also be part of the script.
4.) Linux does not have resource allocation as well done as Solaris. So the guest kernel should be able to limit itself (e.g. not to use more than 30% of CPU time). Is it possible to do some precise resource allocation under Linux (maybe using some patch to the kernel, or something like that)?
Sigged!
What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.
You have pointed out a critical thing. Marketing. For many years Sun has been successful in the market because it is a reliable brand and quite good (at least in Chile, of course). It's like being "Mercedes" or something like that. They have a name and a reputation that helps them a lot. If Windows came with a better command line (like xterm) it would be news too!!, and they of course would make sure it's news for everyone.
If we want to make OS software more successful in the market, we have to come up with marketing schemes for it; they can be as important as good coding.
Network security will now be called "Zone Defense."
What does that make man-to-man? P2P?
>Where have I seen this before... Oh that's right,
>the features Compaq/Hp have been shipping with
> their Tru64 Alpha Servers for _years_.
First, I watched this movie; your comparison is unfair. HP/Compaq/DEC partitions are more like Sun domains, i.e. implemented in hardware. Domains have been around since, say, 1996 when the E10K was introduced.
> Sorry people, but sun are pushing 20th century
> technology with some marketing spin to make it
> sound up to date.
While Solaris zones are similar to UML or other virtual OS instance technologies, there are some innovative features which would be really useful, say, on a multiprocessor Opteron that you want to consolidate some applications on:
1) Support: I can expect to run Oracle/WebSphere, etc. in this zone without having to say "oh, and this is UML" (which I have seen many times on mailing lists). (I mean, applications support the fact that an OS vendor is behind this is good news as well.)
2) Integration with the global zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modifications to ps/prstat (Solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?
3) Interface bindings - can bind a zone to a specific NIC.
4) Greenline - the init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.
5) DTrace - the greatest thing ever, dynamic tracing of the kernel. Fully integrated with Solaris Zones.
Solaris Express is a program that they are using to give people early access to Sun software. Solaris 10 is not Solaris Express.
Well, considering that Alpha is a discontinued platform, I doubt anyone would be smart to buy one. Furthermore, if this technology is the next evolution of containers (which I think it is) it's nothing like what you speak of. You don't need to maintain a separate OS image for each zone, making administration easy. The only problem I've had with containers is isolation, which I hear has improved with zones. Physical partitioning (domains) has been in the Sun product line since the 10k. Try understanding the technology before you comment about it... or more likely, IHBT.
Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ or the BSD jail feature provides. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that each context acts like a separate server, but in fact they are all running on the same kernel.
Linux-vserver is a great project. We have been running different services under different "virtual" servers for a while and its performance is stellar.
This is not true; I have run several copies of Solaris Express (b42, b44, b51) on several Sun Blade 100 / Sun Blade 150s. Install was fine. There are some bugs, yes. Which is why this is a beta. But basic support for networking and install are not among these bugs. Nice try.
It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.
Here's a post about it.
Here's Sun's page on it
User Mode Linux provides a hostfs driver for accessing the host's filesystem.
/etc/security/limits.conf. This is a per-user setting, unfortunately.
You're right about not being as easy to setup, I suspect that Solaris has made it very easy to do - but this is speculation at this point.
Linux has such resource allocations. Checkout
If your LinBSD chroot experiment screws up, you can get told to RTFM by the resident "expert" on your favourite mailing list. If your Sun box goes tits up, Mr. Sun engineer comes round and fixes it for you before you've finished typing the mail.
I'm not saying one method is better than the other for all people, but when you're betting a zillion pounds an hour on it working, it's nice to have backup. :)
The UML patch is in the -ac kernel and thus comes with Red Hat, Mandrake and probably others as well.
Just install the kernel-uml rpm which is included with the standard installation media.
Or one can go (e.g.) to the original from IBM (first introduced in 1967).
This looks just like the Virtual Server project that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc., but I think it can.
Xen, on the other hand, is a much "heavier" approach, similar to VMware, which virtualises the hardware and emulates certain peripherals.
"fixes it for you before you've finished typing the mail."
No need to exaggerate here.
The differences between jails and zones should be quite clear, but I can see how someone not having a Sun engineer on the clock to explain it to them might not get it.
Zones should be used for a completely different purpose than jails. Chrooted 'jails' are for restricting the runtime and filesystem environments for a particular process. In most cases, chrooted jails have nothing but the bare minimum libs and binaries, but it is spawned from the original kernel which the parent machine runs.
Zones are more like VMware in the way that it is a self-contained runtime environment that has its own protected memory space and kernel... these can then be restricted and allowed for full destruction, since the parent OS is not influenced in the same way as a chrooted jail.
In my opinion, Sun's support has never been worse or better than SGI's, HP's or DEC's... and that is still true today. The guy asked a question about the differences between jails and zones, not which is better from a support standpoint. It's a digression, and somewhat of a trolling one at that.
It actually sounds just like a feature that Sun already has on their servers. The Sunfires and Enterprise models can be split into multiple domains, each of which is configured to look like a different machine on the network.
I guess the smartass answer is to say that Unified Modeling Language is a honeypot for trapping managers.
Sun has had the ability to do multiple system images on the same box for a while, but they've always been hardware partitioning only. The 4800/6800/12k/15k allowed you to run different domains on the same system, so long as you had the right combo of CPU and I/O boards. This was great if you had one of those systems, but not so hot if you had a workgroup-level system (e.g. E450 or V880). I'm glad to see they've put software partitioning in the O/S so I can take a mid-range system and chop it up into separate pieces. AIX and HP-UX have been able to do the software side thing for a while (but not the dedicated hardware piece, I believe).
This will help with consolidation and utilisation on existing machines, I think.
This is quite similar to vPars in HP-UX (forgive me, but I stopped paying attention to HP's ugly stepchildren Alpha and Tru64 a long time ago; it's too bad, because it was a great chip, but it's moribund, and you would be wise to do the same pretty soon).
Hard partitions, like Sun Domains, HP's nPars and IBM's LPARs, slice up a physical machine and run an OS image on each slice. As far as I can tell here there is still just one OS image, but applications running in these Zones can be isolated from each other. A malicious root user in the global zone is still able to make mischief in the zones if they want to.
The nice thing here, unlike on HP, is that you can slice up a uniprocessor machine if you have many tiny workloads that need to be isolated. IBM will also be able to do this soon with the next crank of their LPAR technology, but a better implementation with no issues with a global root user.
AIX and HPUX have been able to do similar-ish stuff for a while, but with severe restrictions. IBM's LPARs require a mix of hardware and software and IBM recommend a minimum of three cpus. There are other restrictions regarding sharing I/O boards, etc, etc. You can't dynamically resize an LPAR without a reboot, for example.
With the mix of software 'zones' and Sun's hardware oriented dynamic system domains, you have something that's a lot more powerful than IBM's LPARs.
HP can do what I believe they call VPARS, which are like Sun's system domains - carving a server up into separate hardware separated servers. They have no dynamic capability though - if you want to allocate more cpu and memory to your Oracle batch job overnight, you have to make the adjustments and reboot the server for the changes to take effect. A Sun box with domains will take care of the changes on the fly.
I don't know if they can do a software-only zone-type thing. I believe they can't.
The Zones mentioned here are sun's software partitions. Dynamic system domains are Sun's hardware equivalent of what you're talking about. You can adjust them on the fly, no reboot required, which I believe you can't do with Tru64. You certainly can't with HPUX.
If the vendors are not selling any Alpha software for what you need to run your business, buying Alpha over SPARC would make you an idiot. You buy whatever fits your business, not for some overzealous philosophy or the l33test stats. For those who are running SPARC, this is one less thing that Tru64 has over SPARC. Yes, I have a beef with Sun over how they have pretty much sat on their laurels for the past couple of years while being passed by Intel, AMD, and anyone else scribing on silicon. While Intel and friends are talking about 4GHz and 5GHz systems, Sun is getting excited about their 3GHz stuff. Woohoo, big friggin' deal. Frankly, at this point I move as much stuff over to Linux on Intel as I can. The EDA vendors that have SPARC software are releasing their stuff for Linux, and Hz vs. Hz it is many times faster than Sun's products. Sun cannot compete in the small server market unless they pull a 4GHz system out of their wazoo.
Of course, since clustering systems and grid computing are becoming more commonplace, the large server market may just not be as unapproachable as it once was either.
Should have added that if you want to get all the OSS stuff installed easily on Solaris, you can easily download it from Sun.com, or better still use pkg-get, an apt-get style tool for Solaris. Do a search on Google for pkg-get and it'll pop up. It's excellent.
Welcome to the 21st century, where Sun Micro sells their own x86 and x86-64 servers, and Solaris x86 isn't just a portability demonstration.
Nope, it is nothing whatsoever like that. It looks to the applications like a totally separate machine, with its own network interfaces, its own filesystems and its own CPUs.
Unlike LPARs or Sun Fire Domains, this does NOT require any additional hardware for a Zone. You could host hundreds of Zones on a single-CPU machine with a single disk and a single network interface; you are limited only by what they do.
Chroot is not secure; all it really does is change the location of what the application thinks is the root of the filesystem. root in a chroot is the same root as the rest of the system. You can break out of chroot environments.
Zones are full application environments with their own network addresses, their own filesystems, etc. etc. They look to users and applications like separate machines, but they are actually all running on a single Solaris kernel that ensures resource and security isolation between them. They can be independently administered, (re)installed and rebooted.
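The posts above (the "own network addresses, own filesystems, resource caps" description here, and the earlier question about whether Linux can cap a guest at a share of CPU time) describe what a zone configuration looks like without showing one. The following is an added example, not code from the original thread or from Sun's documentation. It builds a zonecfg(1M) command file for a shared-IP zone with its own address, a read-only loopback mount from the global zone, and a zone.cpu-shares resource control, then feeds it to zonecfg/zoneadm. The zone name, paths, address, NIC name and share count are assumed values; the syntax is that of the Solaris 10 release, and pre-release Solaris Express builds may differ. The cpu-shares control only has an effect when the global zone runs the fair-share scheduler (dispadmin -d FSS).

```shell
#!/bin/sh
# Added example: generate and apply a Solaris zone configuration.
# Not from the original thread; all names and values are illustrative.

# Emit the zonecfg command script for one zone on stdout.
# $1 zone name, $2 zonepath, $3 IP/prefix, $4 global-zone NIC, $5 cpu shares
zone_config() {
    name=$1; zpath=$2; addr=$3; nic=$4; shares=$5
    cat <<EOF
create
set zonepath=$zpath
set autoboot=true
add net
set address=$addr
set physical=$nic
end
add fs
set dir=/opt/shared
set special=/export/shared
set type=lofs
add options ro
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=$shares,action=none)
end
verify
commit
exit
EOF
}

# Count the number of "set" directives in a generated config; useful as a
# sanity check before handing the file to zonecfg on a real system.
zone_config_settings() {
    zone_config "$@" | grep -c '^set '
}

# Write the config to a file and drive zonecfg, zoneadm install and boot.
# Requires root in the global zone of a Solaris system with zones support.
build_zone() {
    name=$1
    cfg="/tmp/$name.cfg"
    zone_config "$@" > "$cfg" || return 1
    zonecfg -z "$name" -f "$cfg" || return 1
    zoneadm -z "$name" install || return 1
    zoneadm -z "$name" boot
}

# Usage when run directly:
#   ./zone.sh show   -> print the generated zonecfg script
#   ./zone.sh build  -> create, install and boot the zone (global zone, root)
case "${1:-}" in
    show)  zone_config web1 /zones/web1 192.168.1.10/24 e1000g0 20 ;;
    build) build_zone  web1 /zones/web1 192.168.1.10/24 e1000g0 20 ;;
esac
```

After boot, `zlogin -C web1` attaches to the zone console for the first-boot configuration, and from the global zone `prstat -Z` shows per-zone CPU usage against the shares you set. The lofs mount with `ro` is the zone-era answer to the "share files with the host without a preallocated disk image" complaint earlier in the thread: the zone sees /opt/shared, but cannot modify the global zone's copy.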
After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.
Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.
In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).
Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?
With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.
Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.
I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.
Just another step on the road to virtualization...
IBM said to be reeling after this 30-year-late counterpunch. News at eleven.
That is all.
It would be interesting to virtualize the machine down to the IP level. You could run separate instances of routed (or whatever) in each virtualized machine's space, then have a router cloud-in-a-box. Now you can play games like changing the data or error rate on certain links, bring routers up or down, etc.
Yes, I know you could use NISTnet but this would allow you to do other things. Besides, with a virtualized machine you get (?) more assurance that things are correct down to the Nth level.
I tried running four instances of UML on a 2400XP+ machine and it's usable, though not necessarily for 100Mb/s traffic. Doesn't give you much in the way of network depth though. Tried four instances of VMware+NetBSD on a P-III/500 and it's painful. Am currently struggling with Xen now, but I'm ready to try a userland VM instead.