Wednesday, June 2, 2010

How can I set up and configure a zone under Solaris 10?

Zones are a feature new in Solaris 10, and provide a useful mechanism to create a Solaris environment for testing and for containment (Apache server, etc.). No additional hardware is required for a zone, just some disk space. The impact of a zone on machine performance is minimal, as all zones use the same kernel (not true any more - see the example for installing a Linux zone to run acroread here), so some additional memory for extra processes is all that's required.
Resource allocation to a zone can be closely controlled, and this includes processor shares, resource pools and resource capping with rcapd.
Since update 4 of Solaris 10 (August 2007), dedicated network interfaces can be assigned to a zone; prior to this they had to be shared with the global zone.
Here is an example of zone creation, but for a fuller picture consider attending our Solaris 10 Administration Part 2 course.
Create a suitable directory to hold the zone's copy of the OS:-

# mkdir -p  /Zones/Apache
Now create the zone using zonecfg:-
# zonecfg -z apache
apache: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:apache> create
zonecfg:apache> set zonepath=/Zones/Apache
zonecfg:apache> add net
zonecfg:apache:net> set address=
zonecfg:apache:net> set physical=hme0
zonecfg:apache:net> end
zonecfg:apache> set autoboot=true
(The above information is sufficient to configure a basic zone, with most software shared from the global zone.
Other options could have been used, for example to inherit parts of the Global zone's file system, mount directories (e.g. /software) from the Global zone, restrict the zone's resources (e.g. CPU, memory))
zonecfg:apache> info
zonepath: /Zones/Apache
autoboot: true
        dir: /lib
        dir: /platform
        dir: /sbin
        dir: /usr
        physical: hme0
zonecfg:apache> verify
zonecfg:apache> commit
zonecfg:apache> exit
(Note that a full copy of Solaris can be installed, rather than sharing directories, by using the -b flag to the create subcommand within zonecfg.)
Now we use zoneadm to install the zone:-
# zoneadm  -z  apache install
/Zones/Apache must not be group readable.
/Zones/Apache must not be group executable.
/Zones/Apache must not be world readable.
/Zones/Apache must not be world executable.
could not verify zonepath /Zones/Apache because of the above errors.
zoneadm: zone apache failed to verify

Permissions problem - rectified as follows:-
# ls  -ld  /Zones/Apache
drwxr-xr-x   2 root     root         512 Jul  5 07:08 /Zones/Apache
# chmod 700 /Zones/Apache
This sets the correct permissions; now we can try again:-

# zoneadm -z apache install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <2574> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <914> packages on the zone.
Initializing package <535> of <914>: percent complete: 58%    
(The install takes about 10-15 minutes.)
While this is going on, open another shell window, and have a look under /Zones/Apache:-

# cd  /Zones/Apache
# ls
# ls  root
bin       etc       home      mnt       platform  sbin      tmp       var
dev       export    lib       opt       proc      system    usr

Meanwhile, back at the zone:-

Initialized <914> packages on zone.                               
Zone is initialized.
Installation of these packages generated warnings:
The file
contains a log of the zone installation.
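
The configuration and permission steps above can be scripted so that the zonepath is created with mode 700 before zoneadm ever checks it. This is an added example, not part of the original post; the function names are hypothetical, the address 192.0.2.10 is a constructed placeholder (the page does not show the real one), and it assumes a POSIX shell with mktemp available.

```shell
#!/bin/sh
# Added example: the interactive session above, scripted for the global zone.

# True only if the directory has no group/other permission bits at all
# (stricter than the four complaints zoneadm printed; mode 700 passes).
zonepath_mode_ok() {   # arg: zonepath
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other triplets
    [ "$perms" = "------" ]
}

# Emit the zonecfg subcommands typed in the session above, in the same order.
zone_commands() {   # args: zonepath address nic
    cat <<EOF
create
set zonepath=$1
add net
set address=$2
set physical=$3
end
set autoboot=true
verify
commit
EOF
}

# Create the zonepath with mode 700 first, then configure and install.
build_zone() {   # args: zonename zonepath address nic
    mkdir -p "$2" && chmod 700 "$2" || return 1
    zonepath_mode_ok "$2" || { echo "$2: group/other bits still set" >&2; return 1; }
    cmdfile=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    zone_commands "$2" "$3" "$4" > "$cmdfile"
    zonecfg -z "$1" -f "$cmdfile" && zoneadm -z "$1" install
    rc=$?
    rm -f "$cmdfile"
    return $rc
}

# Usage; 192.0.2.10 is a constructed placeholder, the page's address is not shown:
# build_zone apache /Zones/Apache 192.0.2.10 hme0
```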

The zone is now installed, and we can boot it:-
# zoneadm  -z  apache   boot

Now log in to the zone (the -C option says we wish to log in at the console device):-

# zlogin -C apache
[Connected to zone 'apache' console]
You may now have to wait a while to get a response.
  • After the above counter finishes (which is showing SMF manifest imports during initial boot), we have to go through some setup procedures:-
  Select a Language
  0. English
  1. fr
Please make a choice (0 - 1), or press h or ? for help: 0
  • This continues:-
Select a Locale
   0. English (C - 7-bit ASCII)
   1. Belgium-Flemish (ISO8859-1)
   2. Belgium-Flemish (ISO8859-15 - Euro)
   3. Great Britain (ISO8859-1)
   4. Great Britain (ISO8859-15 - Euro)
   5. Ireland (ISO8859-1)
   6. Ireland (ISO8859-15 - Euro)
   7. Netherlands (ISO8859-1)
   8. Netherlands (ISO8859-15 - Euro)
   9. Go Back to Previous Screen
Please make a choice (0 - 9), or press h or ? for help:  0
  • Then:-
What type of terminal are you using?
 1) ANSI Standard CRT
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return: 13

Creating new rsa public/private host key pair
Creating new dsa public/private host key pair

  • You are now asked some questions as though you were performing a boot after a sys-unconfig(1M), and when all information has been entered:-

System identification is completed.
One more question:-
        This system is configured with NFS version 4, which uses a domain
        name that is automatically derived from the system's name services.
        The derived domain name is sufficient for most configurations. In a
        few cases, mounts that cross different domains might cause files to
        be owned by "nobody" due to the lack of a common domain name.

        Do you need to override the system's default NFS version 4 domain name (yes/no) ? [no] : no
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: apache
apache console login: root
Jul  5 07:54:31 apache login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
We have now created the zone, installed it, rebooted and logged in.
Use the usual commands to check things out (df, ifconfig, uname, etc).
Tips:  (But make sure your site security allows this)
1. Edit /etc/default/login and comment out the "CONSOLE=/dev/console" line to permit remote root logins (a password is still needed, of course).
2. Edit /etc/ssh/sshd_config and set PermitRootLogin=yes if you want to log in as root via ssh. Restart sshd with "svcadm restart ssh".
3. Current zone implementation allows graphical login as the zone runs "dtlogin  -daemon" by default.
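
To see which zones have had tips 1 and 2 applied, the two files can be checked from the global zone under the zone's root directory (the `root` directory listed under /Zones/Apache earlier). This is an added example, not part of the original post; the function names are hypothetical and it assumes a POSIX shell.

```shell
#!/bin/sh
# Added example: audit a zone's root (e.g. /Zones/Apache/root) from the global zone.

# True while etc/default/login has an active CONSOLE= line, i.e. tip 1 not applied.
console_restricted() {   # arg: path to etc/default/login
    while read -r first rest || [ -n "$first" ]; do
        case $first in
            CONSOLE=*) return 0 ;;
        esac
    done < "$1"
    return 1
}

# Print the first active PermitRootLogin value, lowercased, or "unset".
# Handles both "PermitRootLogin yes" and the "PermitRootLogin=yes" form of tip 2.
root_login_setting() {   # arg: path to sshd_config
    found=$(tr 'A-Z=' 'a-z ' < "$1" | while read -r key val rest; do
        if [ "$key" = permitrootlogin ]; then echo "$val"; break; fi
    done)
    echo "${found:-unset}"
}

# Print one line per relaxed setting; exit status 1 if anything was found.
audit_zone_root() {   # arg: zone root directory
    status=0
    login="$1/etc/default/login"
    sshd="$1/etc/ssh/sshd_config"
    if [ -r "$login" ] && ! console_restricted "$login"; then
        echo "$1: CONSOLE line disabled in /etc/default/login"
        status=1
    fi
    if [ -r "$sshd" ] && [ "$(root_login_setting "$sshd")" = yes ]; then
        echo "$1: PermitRootLogin yes in /etc/ssh/sshd_config"
        status=1
    fi
    return $status
}

# Usage (zonepath from this page): audit_zone_root /Zones/Apache/root
```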
We hope this has been useful; see below for additional notes.
Mick Hosegood - First Alternative.
  • A variety of additional options are available, including preparing zone pre-configuration data, controlling zones (booting, halting, etc) from the global zone, configuring zone resource controls, etc. Further, Solaris 10 updates 3 to 6 contain a number of enhancements, such as zone renaming, cloning and migration, plus the ability to run other operating systems - see here for an example of installing a Linux OS to run acroread on Solaris X86.
  • Solaris 8 and 9 zones can also be created with additional software downloaded from Sun - see here for an example.
  • All this is covered on the Solaris 10 Administration courses!