Zones are in Solaris Express

snoofy writes "Zones, as people from SUN Microsystems have talked about for some time are now available in solaris express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."

Can this be used for honeypots?

[El+Volio]

It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.

Re:Can this be used for honeypots?

If I am understanding the technology correctly, then I don't think you would want to run a honeypot/net in this configuration. The processes are isolated, but the kernel/core components are not.

Most compromises break/modify some kernel/core components to achieve the compromise. If a honeypot/net were run using this configuration then, it seems, that once the honeypot/net were compromised, then the WHOLE system (read: the part you wanted to keep safe) would be compromised.

Technology, like VMWare, uses a completely virtualized OS from a seperate installation and running instance of its kernel/core files. A compromise on a VMWare honeypot is much easier to recover from using the Snapshot/Revert features.

Then again, I may not completely understand the technology.

Re:Can this be used for honeypots?

[Rik+van+Riel]

The corresponding technology in Linux is called "vservers". It has been around for a number of years now, as an external kernel patch.

You can find more info about it on linux-vserver.org.

Re:Can this be used for honeypots?

[molnarcs]

It is more like FreeBSD jails I think (but then, I may not completely understand these technologies as well :))

Almost everything written under "Features:" can be also said about jails: Security, Isolation, Virtualization, Granularity, Transparency. For instance, you can put one single binary in a jail (if it works) or you can put there an entire system. Or, if you want to run a service in a jail (isolation, security), you can build the entire system with make buildworld targetting a jail,and you can optimize that system for running a single service, by stripping out most parts in make.conf:

NO_SENDMAIL=true
NO_SENDMAIL=true
NO_OPENSSH=tru e
NO_OPENSSL=true
NO_KERBEROS=true
WITH_LIBMAP= yes
NO_VINUM=true
NO_WHATEVER=true
# and leave bind there if you want to run only DNS in jail

Jailed processes/systems are so isolated, that even if you root one jailed system, you won't have access to the others/host system (unless admin was stupid enough to have the same passwords). Jails have their own ip addresses and firewall rules as well. I guess (if I read this correctly) we can say there is nothing new under the Sun :))

Only if it works...

[RunAmuk]

This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installatin finished, I couldn't even make it recognize the integrated network card.

I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.

Re:UML honeypot? what does Fowler's book have here

[oglueck]

UML here means User Mode Linux.
You are refering to UML as Unified Modelling Language

But... does "rebooting" a zone fix issues?

[192939495969798999]

What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.

Re:But... does "rebooting" a zone fix issues?

[nemaispuke]

Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).

The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and was basically told "we will not the first in doing anything!"

Not Quite !

>Where have I seen this before... Oh that's right,
>the features Compaq/Hp have been shipping with
> their Tru64 Alpha Servers for _years_.

First I watched this movie, your comparsion is unfair; HP/Compaq/DEC partitions are more like Sun domains, i.e implemented in hardware. Domains have been around since say 1996 when E10K was introduced.

> Sorry people, but sun are pushing 20th century
> technology with some marketing spin to make it
> sound up to date.

While Solaris zones are similar to UML or other virtual OS instance technologies there are some innovative features which would be really useful say on multiprocessor Opteron that you want to consolidate some applications on:

1) Support: I can expect to run Oracle/websphere,
etc in this zone without having to say oh and this is UML (which I have seen many times on mailling lists) (I mean applications support the fact that a OS vendor is behind this is good news as well)

2) Integration with Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modications to ps/prstat(solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?

3) Inteface bindings - can bind zone to specific NIC.

4) Greenline - init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.

5) Dtrace - the greatest thing even, dynamic tracing of the kernel. Fully integrated with Solaris Zones.

Solaris Express

[njcoder]

"available in solaris express (the pre-release of Solaris 10). "

Solaris Express is a program that they are using to give people early access to sun software. Solaris 10 is not solaris express

linux-vserver/BSD jail

[iserlohn]

Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ or BSD jail feature provided. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that they acts each context acts like a separate sever, but in fact they are all running on the same kernel.

Linux-vserver is a great project. We have been running different services under differnt "virtual" servers for a while and its performance is stellar.

Sun says this isn't like a VM thing

[dukerobillard]

I've been prowling around Sun's site on this, and apparently it isn't like the old IBM 360 VM thing (or VMWare, or any of the many other Virtual Machine stuff people have mentioned). Zones aren't a VM that you run different kernels in, they're "application containers" running under a given kernel.

It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.

Here's a post about it.

Here's Sun's page on it

Re:don't forget...

[iserlohn]

and also Linux-vserver. Great performance. Just like BSD jail.

Jacques Gelinas' VServer

[Gollum]

This looks just like the Virtual Server project that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.

Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals.

Re:Hmmm....

[sapbasisnerd]

Not the same thing. In point of fact Sun has had roughly equivilant hard partitions through domains for years as well, before HP.

This is quite similar to vPar's in HP/UX (forgive me but I stopped paying attention to HP's ugly stepchildren Alpha & Tru64 a long time ago, it's too bad 'cause it was a great chip but its moribund, you would be wise to do the same pretty soon).

Hard partitions, like Sun Domains, HP's nPARs and IBM's LPARs slice up a physical machine and run an OS image on each slice. As far as I can tell here there is still just one OS image but applications running in these Zones can be isolated from each other. A malicous root user in the global zone is still able to make mischief in the zones if they want to.

The nice thing here unlike on HP is that you can slice up a uniprocessor machine if you have many tiny workloads that need to be isolated. IBM will too be able to do this soon with the next crank of their LPAR technology but a better implmentation with no issues with a global root user.

Re:Jails vs. Zones

[chilled]

Very sure.
The zones routines, just re-read the zone config and re-initialise it. From the outside it can appear as an OS, but from another perspective (and this is gross over simplification but works for this point) it's just like loading an instance of an application.

Solaris is for real users

[mveloso]

After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.

Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.

In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).

Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?

With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.

Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.

I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.

Just another step on the road to virtualization...