This page is about Solaris and OpenSolaris Zones.
 What is a Zone?
- Virtual instance of Solaris
- Software partition for the OS
A large SunFire server with hardware domains allows many isolated systems to be created. Zones achieve this in software and are far more flexible: it is easy to move individual CPUs between zones as needed, or to configure a more sophisticated way to share CPUs and memory.
 Zone Installs
There are two general zone types to pick from during zone creation. They are,
- Small zone - (also known as a "Sparse Root zone")
  - The default. This consumes the least disk space, has the best performance and the best security.
- Big zone - (also known as a "Whole Root zone")
  - The zone has its own /usr files, which can be modified independently.
If you aren't sure which to choose, pick the small zone. Below are examples of installing each zone type as a starting point for Zone Resource Controls.
This demonstrates creating a simple zone that uses the default settings which share most of the operating system with the global zone. The final layout will be like the following,
Creating such a zone involves letting the system pick default settings, which include the read-only loopback filesystem (lofs) mounts that share most of the OS. The following commands were used,
    # zonecfg -z small-zone
    small-zone: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:small-zone> create
    zonecfg:small-zone> set autoboot=true
    zonecfg:small-zone> set zonepath=/export/small-zone
    zonecfg:small-zone> add net
    zonecfg:small-zone:net> set address=192.168.2.101
    zonecfg:small-zone:net> set physical=hme0
    zonecfg:small-zone:net> end
    zonecfg:small-zone> info
    zonepath: /export/small-zone
    autoboot: true
    pool:
    inherit-pkg-dir:
            dir: /lib
    inherit-pkg-dir:
            dir: /platform
    inherit-pkg-dir:
            dir: /sbin
    inherit-pkg-dir:
            dir: /usr
    net:
            address: 192.168.2.101
            physical: hme0
    zonecfg:small-zone> verify
    zonecfg:small-zone> commit
    zonecfg:small-zone> exit
    #
    # zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running        /
       - small-zone       configured     /export/small-zone
The new zone is in a configured state. The inherit-pkg-dir entries are filesystems that will be shared read-only from the global zone via lofs (loopback filesystem); this saves copying the entire operating system over during install, but can make adding packages to the small-zone difficult as /usr is read-only. (See the big-zone example, which uses a different approach.)
We can see the zonecfg command has saved the info to an XML file in /etc/zones,
    # cat /etc/zones/small-zone.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
    <!--
        DO NOT EDIT THIS FILE.  Use zonecfg(1M) instead.
    -->
    <zone name="small-zone" zonepath="/export/small-zone" autoboot="true">
      <inherited-pkg-dir directory="/lib"/>
      <inherited-pkg-dir directory="/platform"/>
      <inherited-pkg-dir directory="/sbin"/>
      <inherited-pkg-dir directory="/usr"/>
      <network address="192.168.2.101" physical="hme0"/>
    </zone>
Next we begin the zone install; it takes around 10 minutes to initialise the packages it needs for the new zone. A verify is run first to check that our zone config is ok, then we run the install, then boot the zone,
    # mkdir /export/small-zone
    # chmod 700 /export/small-zone
    #
    # zoneadm -z small-zone verify
    #
    # zoneadm -z small-zone install
    Preparing to install zone <small-zone>.
    Creating list of files to copy from the global zone.
    Copying <2574> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <987> packages on the zone.
    Initialized <987> packages on zone.
    Zone <small-zone> is initialized.
    Installation of these packages generated warnings: <SUNWcsr SUNWdtdte>
    The file </export/small-zone/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
    #
    # zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running        /
       - small-zone       installed      /export/small-zone
    #
    # zoneadm -z small-zone boot
    #
    # zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running        /
       1 small-zone       running        /export/small-zone
We can see small-zone is up and running. Now we log in to the console for the first time, so we can answer system identification questions such as timezone,
    # zlogin -C small-zone
    [Connected to zone 'small-zone' console]
    100/100

    What type of terminal are you using?
     1) ANSI Standard CRT
     2) DEC VT52
     3) DEC VT100
     4) Heathkit 19
     5) Lear Siegler ADM31
     6) PC Console
     7) Sun Command Tool
     8) Sun Workstation
     9) Televideo 910
     10) Televideo 925
     11) Wyse Model 50
     12) X Terminal Emulator (xterms)
     13) CDE Terminal Emulator (dtterm)
     14) Other
    Type the number of your choice and press Return: 13
    ...standard questions...
The system then reboots. To get an idea of what this zone actually is, let's poke around its zonepath from the global zone,
    /> cd /export/small-zone
    /export/small-zone> ls
    dev   root
    /export/small-zone> cd root
    /export/small-zone/root> ls
    bin       etc       home      mnt       opt       proc      system    usr
    dev       export    lib       net       platform  sbin      tmp       var
    /export/small-zone/root> grep lofs /etc/mnttab
    /export/small-zone/dev  /export/small-zone/root/dev       lofs  zonedevfs,dev=4e40002            1110446770
    /lib                    /export/small-zone/root/lib       lofs  ro,nodevices,nosub,dev=2200008   1110446770
    /platform               /export/small-zone/root/platform  lofs  ro,nodevices,nosub,dev=2200008   1110446770
    /sbin                   /export/small-zone/root/sbin      lofs  ro,nodevices,nosub,dev=2200008   1110446770
    /usr                    /export/small-zone/root/usr       lofs  ro,nodevices,nosub,dev=2200008   1110446770
    /export/small-zone/root> du -hs etc var
      38M   etc
      30M   var
    /export/small-zone/root>
From the directories that are not lofs shared from the global zone, the main ones are /etc and /var. They add up to around 70Mb, which is roughly how much extra disk space was required to create this small-zone.
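The read-only lofs sharing visible in the mnttab listing above can be checked mechanically. The following shell function is an added example, not part of the original page: it reads mnttab-format text and flags any shared OS directory under a zone root that is not mounted `ro,nodevices`. The names `audit_zone_lofs`, `sample_mnttab` and the `AWK` override are assumptions of this example, and the sample lines are constructed from the listing above.

```sh
#!/bin/sh
# Added example: audit a sparse-root zone's lofs mounts from mnttab-format text.
# mnttab fields: special, mount point, fstype, options, time.
# On Solaris 10 set AWK=nawk; the legacy /usr/bin/awk does not accept -v.
AWK=${AWK:-awk}

# Constructed sample: the lofs lines from the listing above.
sample_mnttab() {
cat <<'EOF'
/export/small-zone/dev /export/small-zone/root/dev lofs zonedevfs,dev=4e40002 1110446770
/lib /export/small-zone/root/lib lofs ro,nodevices,nosub,dev=2200008 1110446770
/platform /export/small-zone/root/platform lofs ro,nodevices,nosub,dev=2200008 1110446770
/sbin /export/small-zone/root/sbin lofs ro,nodevices,nosub,dev=2200008 1110446770
/usr /export/small-zone/root/usr lofs ro,nodevices,nosub,dev=2200008 1110446770
EOF
}

# audit_zone_lofs ZONEROOT [MNTTAB]
# Prints "OK <mnt>" or "WEAK <mnt> <opts>" per shared directory.
# Exit 0: all ro,nodevices. Exit 1: a weak mount. Exit 2: no shared
# directories found (whole-root zone, or zone not booted).
audit_zone_lofs() {
    zroot=$1
    mnttab=${2:-/etc/mnttab}
    "$AWK" -v root="$zroot" '
        $3 == "lofs" && index($2, root "/") == 1 {
            opts = "," $4 ","
            if (opts ~ /,zonedevfs,/) next   # zone /dev tree, not a shared OS dir
            seen++
            if (opts ~ /,ro,/ && opts ~ /,nodevices,/) print "OK " $2
            else { print "WEAK " $2 " " $4; bad = 1 }
        }
        END {
            if (bad) exit 1
            if (!seen) { print "NONE under " root; exit 2 }
        }
    ' "$mnttab"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_mnttab > "$tmp" && audit_zone_lofs /export/small-zone/root "$tmp"
rm -f "$tmp"
```

On a live system, call it from the global zone with only the zone root as argument so that it reads /etc/mnttab.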
This demonstrates creating a zone that resides on its own slice, which has its own copy of the operating system. The final layout will be like the following,
First we create the slice,
    # newfs /dev/dsk/c0t1d0s0
    newfs: construct a new file system /dev/rdsk/c0t1d0s0: (y/n)? y
    /dev/rdsk/c0t1d0s0:     16567488 sectors in 16436 cylinders of 16 tracks, 63 sectors
            8089.6MB in 187 cyl groups (88 c/g, 43.31MB/g, 5504 i/g)
    super-block backups (for fsck -F ufs -o b=#) at:
     32, 88800, 177568, 266336, 355104, 443872, 532640, 621408, 710176, 798944,
     15700704, 15789472, 15878240, 15967008, 16055776, 16144544, 16233312,
     16322080, 16410848, 16499616,
    #
    # ed /etc/vfstab
    362
    $a
    /dev/dsk/c0t1d0s0 /dev/rdsk/c0t1d0s0 /export/big-zone ufs 1 yes -
    .
    w
    455
    q
    #
    # mkdir /export/big-zone
    # mountall
    checking ufs filesystems
    /dev/rdsk/c0t1d0s0: is clean.
    mount: /tmp is already mounted or swap is busy
    #
Now we configure the zone to not use any inherit-pkg-dir's by using the "-b" option.
    # zonecfg -z big-zone
    big-zone: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:big-zone> create -b
    zonecfg:big-zone> set autoboot=true
    zonecfg:big-zone> set zonepath=/export/big-zone
    zonecfg:big-zone> add net
    zonecfg:big-zone:net> set address=192.168.2.201
    zonecfg:big-zone:net> set physical=hme0
    zonecfg:big-zone:net> end
    zonecfg:big-zone> info
    zonepath: /export/big-zone
    autoboot: true
    pool:
    net:
            address: 192.168.2.201
            physical: hme0
    zonecfg:big-zone> verify
    zonecfg:big-zone> commit
    zonecfg:big-zone> exit
    #
    # cat /etc/zones/big-zone.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
    <zone name="big-zone" zonepath="/export/big-zone" autoboot="true">
      <network address="192.168.2.201" physical="hme0"/>
    </zone>
    #
    # chmod 700 /export/big-zone
    #
    # df -h /export/big-zone
    Filesystem             size   used  avail capacity  Mounted on
    /dev/dsk/c0t1d0s0      7.8G   7.9M   7.7G     1%    /export/big-zone
    #
    # zoneadm -z big-zone verify
    # zoneadm -z big-zone install
    Preparing to install zone <big-zone>.
    Creating list of files to copy from the global zone.
    Copying <118457> files to the zone.
    ...
After the zone has been installed and booted, we now check the size of the dedicated zone slice,
    # df -h /export/big-zone
    Filesystem             size   used  avail capacity  Mounted on
    /dev/dsk/c0t1d0s0      7.8G   2.9G   4.8G    39%    /export/big-zone
Wow! 2.9Gb, pretty much most of Solaris 10. This zone resides on its own slice, and can add many packages as though it were a separate system. Using inherit-pkg-dir, as happened with small-zone, can be great, but it's good to know we can do this as well.
The following are some scripts to make life with zones easier.
zonerun can be used to run a command in all non-global zones in one go. For example,
    # zonerun uname -a
    SunOS workzone1 5.10 Generic sun4u sparc SUNW,Ultra-5_10
    SunOS workzone2 5.10 Generic sun4u sparc SUNW,Ultra-5_10
    SunOS workzone3 5.10 Generic sun4u sparc SUNW,Ultra-5_10
    SunOS workzone4 5.10 Generic sun4u sparc SUNW,Ultra-5_10
    #
    # zonerun -v uptime
    workzone1,  11:18pm  up  2:40,  0 users,  load average: 0.24, 0.22, 0.40
    workzone2,  11:18pm  up  2:38,  0 users,  load average: 0.24, 0.22, 0.40
    workzone3,  11:18pm  up  2:39,  1 user,  load average: 0.24, 0.22, 0.40
    workzone4,  11:18pm  up  2:39,  0 users,  load average: 0.24, 0.22, 0.40
Above we can see the boot times for all the zones by running uptime in each of them. The load averages are the same as they are for the overall system, not per zone (Kstat currently has system-wide avenrun values only).
 Best Practices
See the Zones_Best_Practices page.
 Resource Controls
See the Zones_Resource_Controls page.
See the following for other resources on Solaris Zones,