Wednesday, June 2, 2010

How can I set up and configure a zone under Solaris 10?


Zones are a feature new in Solaris 10, and provide a useful mechanism to create a Solaris environment  for testing, and containment (Apache server, etc.). No additional hardware is required for a zone, just some disk space. The impact of a zone on machine performance is minimal. as all zones use the same kernel (not true any more - see the example for installing a Linux zone to run acroread here), so some additional memory for extra processes is all that's required.
Resource allocation to a zone can be closely controlled, and this includes processor shares, resource pools and resource capping with rcapd.
Since update 4 of Solaris 10 (August 2007) dedicated network interfaces can be assigned to a zone; prior to this they have to be shared with the global zone.
Here is an example of zone creation, but for a fuller picture consider attending our Solaris 10 Administration Part 2 course
Create a suitable directory, to hold the zone copy of the  OS:-

# mkdir -p  /Zones/Apache
Now create the zone using zonecfg
# zonecfg -z apache
apache: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:apache> create
zonecfg:apache> set zonepath=/Zones/Apache
zonecfg:apache> add net
zonecfg:apache:net> set address=192.168.200.117
zonecfg:apache:net> set physical=hme0
zonecfg:apache:net> end
zonecfg:apache> set autoboot=true
(The above information is sufficient to configure a basic zone, with most software shared from the global zone.
Other options could have been used, for example to inherit parts of the Global zone's file system, mount directories (e.g. /software) from the Global zone, restrict the zone's resources (e.g. CPU, memory))
zonecfg:apache> info
zonepath: /Zones/Apache
autoboot: true
pool:
inherit-pkg-dir:
        dir: /lib
inherit-pkg-dir:
        dir: /platform
inherit-pkg-dir:
        dir: /sbin
inherit-pkg-dir:
        dir: /usr
net:
        address: 192.168.200.117
        physical: hme0
zonecfg:apache> verify
 zonecfg:apache> commit
zonecfg:apache> exit
(Note that a full copy of Solaris can be installed, rather than sharing directories, by using the -b flag to the create option within zonecfg.)
Now we use zoneadm to install the zone:-
# zoneadm  -z  apache install
/Zones/Apache must not be group readable.
/Zones/Apache must not be group executable.
/Zones/Apache must not be world readable.
/Zones/Apache must not be world executable.
could not verify zonepath /Zones/Apache because of the above errors.
zoneadm: zone apache failed to verify

Permissions problem - rectified as follows:-
# ls  -ld  /Zones/Apache
drwxr-xr-x   2 root     root         512 Jul  5 07:08 /Zones/Apache
# chmod 700 /Zones/Apache
Above sets correct permissions; now we can try again:-

# zoneadm -z apache install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <2574> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <914> packages on the zone.
Initializing package <535> of <914>: percent complete: 58%    
   
(The install takes about 10-15 minutes.)
While this is going on, open another shell window, and have a look under /Zones/Apache:-

# cd  /Zones/Apache
# ls
root
# ls  root
bin       etc       home      mnt       platform  sbin      tmp       var
dev       export    lib       opt       proc      system    usr

Meanwhile, back at the zone:-

Initialized <914> packages on zone.                               
Zone is initialized.
Installation of these packages generated warnings:
The file
contains a log of the zone installation.

The zone is now installed, and we can boot it:-
# zoneadm  -z  apache   boot

 Now login to the zone:-  (-C option says we wish to login at the Console device):-

# zlogin -C apache
[Connected to zone 'apache' console]
You may now have to wait a while to get a response.
95/117
  • After the above counter finishes (which is showing SMF manifest imports during initial boot), we have to go through some setup procedures:-
  Select a Language
  0. English
  1. fr
Please make a choice (0 - 1), or press h or ? for help: 0
  • This continues:-
Select a Locale
   0. English (C - 7-bit ASCII)
   1. Belgium-Flemish (ISO8859-1)
   2. Belgium-Flemish (ISO8859-15 - Euro)
   3. Great Britain (ISO8859-1)
   4. Great Britain (ISO8859-15 - Euro)
   5. Ireland (ISO8859-1)
   6. Ireland (ISO8859-15 - Euro)
   7. Netherlands (ISO8859-1)
   8. Netherlands (ISO8859-15 - Euro)
   9. Go Back to Previous Screen
Please make a choice (0 - 9), or press h or ? for help:  0
  • Then:-
What type of terminal are you using?
 1) ANSI Standard CRT
etc.etc.
 10) Televideo 925
 11) Wyse Model 50
 12) X Terminal Emulator (xterms)
 13) CDE Terminal Emulator (dtterm)
 14) Other
Type the number of your choice and press Return: 13

Creating new rsa public/private host key pair
Creating new dsa public/private host key pair

  • You are now asked some questions as though you were performing a boot after a sys-unconfig(1M), and when all information has been entered:-

System identification is completed.
One more question:-
        This system is configured with NFS version 4, which uses a domain
        name that is automatically derived from the system's name services.
        The derived domain name is sufficient for most configurations. In a
        few cases, mounts that cross different domains might cause files to
        be owned by "nobody" due to the lack of a common domain name.

        Do you need to override the system's default NFS version 4 domain name (yes/no) ? [no] : no
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: apache
apache console login: root
Password:
Jul  5 07:54:31 apache login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.10      Generic January 2005
#
We have now created the zone, installed it, rebooted and logged in.
Use the usual commands to check things out (df, ifconfig, uname, etc).
Tips:  (But make sure your site security allows this)
1. Edit /etc/default/login and comment out the "CONSOLE=/dev/console" line to permit remote root logins. (password needed of course..)
2. Edit /etc/ssh/sshd_config and set PermitRootLogin=yes if you want to login as root via ssh. Restart sshd with "svcadm restart ssh"
3. Current zone implementation allows graphical login as the zone runs "dtlogin  -daemon" by default.
We hope this has been useful, see below for additional notes
Mick Hosegood - First Alternative.
NOTES
  • A variety of additional options are available, including preparing zone pre-configuration data, controlling zones (booting, halting, etc) from the global zone, configuring zone resource controls, etc. Further, Solaris 10 updates 3 to 6 contain a number of enhancements, such as zone renaming, cloning and migration, plus the ability to run other operating systems - see here for an example of installing a Linux OS to run acroread on Solaris X86.
  • Solaris 8 and 9 zones can also be created with additional software downloaded from Sun - see here for an example.
  • All this is covered on the Solaris 10 Administration courses!
Post a Comment

You might also like :

Related Posts with Thumbnails