Tag Archives: zones

How to Network Solaris 11 Zones Under VMware or VirtualBox

Whilst playing around with the changes in zone virtualisation technology between Solaris 10 and Solaris 11, I found that all zones now use exclusive IP, not shared. There is a new anet interface type configured via zonecfg that handles this.

This will all be covered in detail in a future article, but for now take a look at this:

root@sol11lab:~# zoneadm -z testzone boot
root@sol11lab:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                phys      1500   up       --
testzone/net0       vnic      1500   up       net0

root@sol11lab:~# zoneadm -z testzone boot

root@sol11lab:~# dladm show-link

LINK CLASS MTU STATE OVER

net0 phys 1500 up --

testzone/net0 vnic 1500 up net0

I boot my new testzone, and the vnic is automatically created over net0. But net0 is itself a virtual NIC (i.e. VMware or VirtualBox is virtualising this for us in the first place), whilst Solaris obviously sees it as a physical interface.

Inside the new zone, I was unable to ping anything. The zone was not on the network. The fix? Place net0 into promiscuous mode using snoop inside the global zone. This makes sense when you think about it, and will fix your zone networking allowing you to virtualise within your VM:

# snoop -d net0
# ping testzone
testzone is alive

# snoop -d net0

# ping testzone

testzone is alive

An Introduction to Solaris 11 Zones

Solaris Zones (or Containers) were first introduced in Solaris 10. I wrote about them a while back in How to Get Started with Solaris Containers, but a lot has changed in Solaris 11. Solaris Zones provide an easy way to either provide a sparse chroot-like environment so that applications can run in an environment that will not be detrimental to global system resources, or a full branded environment (running a Solaris 10 branded zone, for example). Delegated administration can be configured so that a zone can be managed by someone other than the global sysadmin. Zones provide an excellent way to split a system into several logical units, each with their own filesystem resources, system resources and management. Most of what I wrote about previously is still very pertinent, but Solaris 11 has built upon zone technology, placing it at its very core.

In Solaris 10, the default IP type for zones was shared, which meant that the zone shared the IP stack with the global zone. Within a zone on Solaris 10, an administrator was unable to configure network settings, unless exclusive IP was used, in which case the zone would be bound to a physical NIC in the global zone, and that NIC would only be available for exclusive use by that zone. With Solaris 11, and virtual networking, all zones can be created with an exclusive IP type. A Virtual NIC (VNIC) is created for each zone, over some physical NIC on the global zone. This network virtualisation allows each zone to maintain its own TCP/IP stack, and the zone administrator can change the zone’s network configuration from within the zone itself. A new anet interface type has been introduced within zonecfg to handle this.

Solaris 11 zones are now provisioned using the new Image Packaging System (IPS) and in a default configuration, packages will be installed from the repository configured (http://pkg.oracle.com, for example) in the global zone. It would make sense to have a local repository if you were rolling out large numbers of systems or zones, but for our testing purposes, downloading a couple of hundred megabytes of packages is no big issue.

This article will walk through the creation of a simple Solaris 11 zone, and introduce a method of installing zones without operator intervention using System Profiles.

Continue reading →

How to Update a File on All Zones at the Same Time

I recently modified /etc/resolv.conf on all of my global zones after building new nameservers. I wanted a quick way to copy this updated configuration to all child zones. A simple one-liner does the trick on each global zone (assuming all your zones are in the /var/zones zonepath):

# zoneadm list | grep -v global | while read zone; do cp -p /etc/resolv.conf /var/zones/${zone}/root/etc; done

1	# zoneadm list \| grep -v global \| while read zone; do cp -p /etc/resolv.conf /var/zones/${zone}/root/etc; done

How to Get Started with Solaris Containers

Disclaimer: This post was originally posted in 2008 as an article on the now-defunct website zazzybob.com. While the software version and actual commands used may vary, the concepts are still similar and give a general idea of how to approach a given problem.

Solaris Containers, available starting with Solaris 10, allow us to portion a physical server into one or more logical units. Whilst Containers are a form of virtualisation, they are not in the traditional sense (multiple OS instances with VMware, or hardware partitioning with LDoms).

The container can be thought of more like a “chroot” environment (in the case of sparse zones) where system resources are also in effect “chrooted” so that processes cannot run away and consume all of the resources of physical parent (the global zone), thus rendering the system inoperable. Only a single instance of Solaris 10 is ever installed (in the global zone) making package and patch management simple. Just apply the patch to the global zone, and all child zones will use the same binary set.

Some, or all, of the parent’s filesystems can be mounted read-write or read-only within the zone. Special care must be taken when mounting a global zone filesystem read-write, as the child zone may be able to cause a denial of service to the global zone by filling a disk.

Up until recently, Solaris Containers could only inherit the global (i.e. physical parent) zones TCP/IP stack. Now, we can assign exclusive phyical interfaces to the Container, but in this article I’ll be creating a dynamic link aggregation of three NICs in the global zone, and then allowing the zones to create virtual interfaces on this aggregation.

There are many more features of Solaris Containers I’ve not had time to mention - Sun do a perfectly good job of this over at docs.sun.com - as can other elimentary topics that have not been covered in this discussion.