teacher's notes - lab chapter 8 - zones

Upload: francisemmanuelgonzaga

Post on 24-Feb-2018


    7/25/2019 Teacher's Notes - Lab Chapter 8 - Zones

    J.E.D.I.

    1 Solaris Zones

    1.1 Objectives

    In this section, we will discuss Solaris Zones. We begin with a discussion of what Solaris Zones are and what advantages zone usage has on a service-providing system. This chapter then provides a walkthrough showing what commands are needed to create a basic zone. Finally we end this chapter with a discussion of some of the commonly used options for zones.

    At the end of the lesson, the student should be able to:

    explain what Solaris Zones are

    create a basic zone

    be familiar with some advanced commands for zone creation

    1.2 Introduction

    1.2.1 Definition

    A zone is a virtualized operating system environment created within a single instance of the Solaris OS. In essence, it creates a "computer within a computer", a complete virtual working system that exists on top of the physical system. All zones share the one running kernel of the global zone; what is virtualized is the user-level environment (process namespace, file system view, network identity, user accounts), not the hardware.

    1.2.2 Typical use of Zones

    Zones allow for multiple separate instances of the Solaris OS existing independently of one another on a single computer, which can be very advantageous in certain situations. Consider an office that requires a web server, a database server, a development server, a mail server and a file server. This company usually has two options:

    Option 1: One computer per service. A company running this option would have no choice but to procure five computers.

    Option 2: Have all of these services on a single computer, or more than one service per computer. With this option, there are bound to be some configuration problems, particularly if some of these services conflict with one another.

    Zones allow for a third option. Services can be installed each in their own standalone Solaris instance, all of them running on a single physical computer. This combines the best of both worlds. First, there is no longer any need to buy multiple computers, as zones allow for virtual computers running on a single system. Second, as each service exists on its own standalone system, there is no longer any need to worry about configuration conflicts. A service can be installed in a zone that is configured precisely to that service's needs.

    1.2.3 Advantages

    Zones provide the following advantages:

    1.2.3.1 Security

    If a network service is made to run within a zone, attackers who manage to use that service's vulnerabilities to gain access to the system will only be able to access that zone. Any damage they cause will be limited to that zone. Accessing another zone more or less means breaking into a second computer altogether, despite the fact that these zones actually run on a single physical computer. The one thing all zones share is the kernel, so a kernel vulnerability is not contained by zone boundaries; the root user of a non-global zone, on the other hand, runs with a reduced privilege set (it cannot, for example, load kernel modules or create device nodes), which is what keeps a compromised zone from reaching the global zone.

    Operating Systems 1

    A zone can have different users than other zones. The global system administrator could choose to give users access only to specific services and not to the entire system.

    Using zones allows a second level of administration, the zone superuser. The zone superuser has administration rights only to a specific zone. This allows the global system administrator (the superuser of the main global zone) to delegate zone administrative tasks to other users while still maintaining the ability to make system-wide changes.

    1.2.3.2 Isolation

    Zones work in isolation and are not aware of the existence of other zones. This way, processes working in a zone are unable to influence processes in other zones. Zone configuration is relevant only to that zone and does not affect other zones. An application running in a zone can have the benefit of running in an environment designed specifically for it, without the need to worry about configuration details.

    1.2.3.3 Virtualization

    The configuration of the global system is irrelevant to a zone. Zones can have their own custom virtual environment. This environment can even be copied to different machines, thus allowing a zone to have the same virtual environment even on machines with different configurations.

    1.2.3.4 Granularity

    There are many options available to set the isolation level of a zone. A zone can have its own CPU, memory and hard disk space, or have these resources shared among different zones while being unaware of any sharing being done.

    1.2.3.5 Environment

    An application does not need to be recompiled to work in a zone. Solaris provides the same libraries and interfaces for all zones. There are only a few restrictions that prevent programs from performing system-wide changes while inside a zone.

    In addition, an application is unaffected by the existence of other zones, and is practically unaware of these other zones. Zones are designed so that an application appears to be running on a standalone basic install of Solaris all by itself.

    1.2.4 Two types of zones

    There are two types of zones in Solaris: global zones and non-global zones.

    The global zone is the default installation and setup of Solaris. All system-wide administration is run from this zone. This is the only zone that is aware of all of the other zones running on the system. It is from this zone that zone administration is done.

    Non-global zones are the additional zones that are set up from the global zone. These are the zones that run on top of the global zone. Non-global zones are unaware that they are zones, and are unaware of the existence of other zones. Thus, zone management is not possible from a non-global zone.

    The superuser in the global zone can be considered the global superuser, which is able to enact system-wide changes, including changes that affect other zones. The superuser in a non-global zone can only administer that specific zone.


    1.2.5 Zoning Taskmap

    If you want to set up zones for your computer, you need to do the following tasks:

    1. Identify the applications you want to run in a zone.

    2. Determine how many zones to configure (a system can hold up to 8192 zones counting the global zone, that is, 8191 non-global zones, but fewer is better).

    3. Determine if a zone requires advanced resource management features.

    4. Perform pre-configuration steps such as determining a zone's IP address, hostname, users for that zone, etc.

    5. Write the zone configuration using the zonecfg command.

    6. Set up and install the zone.

    7. Log in to the zone using zlogin and customize each according to your initial setup plan.

    1.3 Configuring a Basic Zone

    This section provides a walkthrough on how to configure a basic Solaris zone. We will show the commands necessary to do this as well as provide more information about zones as the setup proceeds.

    1.3.1 Starting up zonecfg

    Zone configuration involves running the zonecfg command. To run the zonecfg command, you first have to log in as the superuser in the global zone and run it with the following options:

    # zonecfg -z myfirstzone

    The -z option indicates the name of the zone you want to configure (in this case, myfirstzone).

    After running this command, the screen will now show the zonecfg prompt:

    zonecfg:myfirstzone>

    This means that zonecfg is now running and is ready to accept commands. Configuring a zone means running zonecfg commands. As the prompt indicates, these commands will be used to set up myfirstzone.

    There are two zonecfg modes:

    1. Global mode - zonecfg commands that are run in global mode set zone attributes such as where the zone is to be installed or whether or not a zone is to be automatically booted on startup.

    2. Resource mode - means that the next commands are used to describe a resource in the zone, such as a file system or a network interface.

    Setting up a zone means switching between these two modes, running commands that indicate zone attributes and running commands that describe zone resources. When zonecfg starts, it is automatically in global mode.

    1.3.2 Basic zone configuration

    The following figure shows the different commands needed in order to set up myfirstzone. The succeeding sections will discuss these commands part by part.

    zonecfg:myfirstzone> create
    zonecfg:myfirstzone> set zonepath=/export/home/myfirstzone
    zonecfg:myfirstzone> set autoboot=true
    zonecfg:myfirstzone> add fs
    zonecfg:myfirstzone:fs> set dir=/usr/local
    zonecfg:myfirstzone:fs> set special=/opt/local
    zonecfg:myfirstzone:fs> set type=lofs
    zonecfg:myfirstzone:fs> end
    zonecfg:myfirstzone> add net
    zonecfg:myfirstzone:net> set address=192.168.0.1/24
    zonecfg:myfirstzone:net> set physical=hme0
    zonecfg:myfirstzone:net> end
    zonecfg:myfirstzone> add attr
    zonecfg:myfirstzone:attr> set name=comment
    zonecfg:myfirstzone:attr> set type=string
    zonecfg:myfirstzone:attr> set value="my first zone"
    zonecfg:myfirstzone:attr> end
    zonecfg:myfirstzone> verify
    zonecfg:myfirstzone> commit
    zonecfg:myfirstzone> exit

    1.3.3 Creating a zone configuration

    You start creating a zone configuration with the create command:

    zonecfg:myfirstzone> create

    If you have entered a non-existent zone name in zonecfg, you will be prompted by the system to run the create command. With no arguments, create uses the default template, which produces a sparse-root zone that inherits /lib, /platform, /sbin and /usr from the global zone (see 1.3.6).

    1.3.4 Setting the zone's root directory

    The root directory of a zone exists in a subdirectory of the global zone's file system. You can specify this via the set zonepath command:

    zonecfg:myfirstzone> set zonepath=/export/home/myfirstzone

    The above command tells zonecfg that the root directory of myfirstzone will be placed in /export/home/myfirstzone. The parent directory (/export/home) must already exist; zoneadm install creates the zonepath itself, owned by root with mode 700. If you create it yourself, give it those permissions, otherwise zoneadm refuses to install, since a group- or world-readable zonepath would let ordinary global-zone users read the zone's files.

    1.3.5 Autoboot

    The set autoboot command specifies whether or not the zone is to automatically start when the global zone starts.

    zonecfg:myfirstzone> set autoboot=true

    If this option is not set, then the zone would have to be manually booted using the zoneadm command, which will be discussed later.

    1.3.6 Zone filesystem

    By default, certain directories of the global zone are inherited by the non-global zones in order to provide a working system to the zone. The inherit-pkg-dir directories (/lib, /platform, /sbin and /usr) are not copied into the zone. What the zone gets is a read-only link to these directories in the global zone. This allows the zone to save file space. Also, any changes to the global zone, particularly to these directories, will also be reflected in the non-global zone's filesystem.

    To add additional file systems, you can use the add fs command:

    zonecfg:myfirstzone> add fs

    The add fs command switches mode from global mode to resource mode. As was stated before, resource mode means that additional commands specified here are used to describe a resource for the zone. The zonecfg prompt also changes to show that you are currently editing a file system resource.

    zonecfg:myfirstzone> add fs
    zonecfg:myfirstzone:fs>

    1.3.7 Add filesystem

    The following are the commands to set a filesystem resource for myfirstzone:

    zonecfg:myfirstzone> add fs
    zonecfg:myfirstzone:fs> set dir=/usr/local
    zonecfg:myfirstzone:fs> set special=/opt/local
    zonecfg:myfirstzone:fs> set type=lofs
    zonecfg:myfirstzone:fs> end

    The set special command specifies what directory in the global zone is to be added. This directory is placed in the zone's filesystem in the directory specified by set dir. In our example, /opt/local, located in the global zone, is placed in /usr/local in myfirstzone.

    The set type command indicates the file system type with which the directory is to be mounted. The file system type tells how the kernel is to handle this directory. The loopback virtual file system (lofs) indicates that the mounted directory is the same directory as in the global file system but accessed via a different path. This is similar to the inherit-pkg-dir directories.

    Because of this, any changes made to the global directory also reflect in the zone directory. For our example, if a file were added to /opt/local in the global zone, then /usr/local in myfirstzone would also change. The reverse is true as well: unlike the inherit-pkg-dir directories, a plain lofs mount is writable, so the zone's root can modify /opt/local in the global zone, and the same directory lofs-mounted into two zones becomes a channel between them. If the zone only needs to read the directory, run add options ro inside the fs resource (after set type=lofs) to mount it read-only.

    Note that /opt/local in the global zone must be an existing directory.

    To end the file system configuration, we have the end command:

    zonecfg:myfirstzone:fs> end
    zonecfg:myfirstzone>

    This changes zonecfg back to global mode, as indicated by the prompt change. You can now set additional configurations. You can even add additional file systems via more add fs commands.

    1.3.8 Adding a network

    A zone can have its own individual IP address. There is no need for additional network interfaces for every new IP address you set; the global zone automatically handles routing. You can set this via the add net command.

    The following is the sequence of instructions to set up myfirstzone's network.

    zonecfg:myfirstzone> add net
    zonecfg:myfirstzone:net> set address=192.168.0.1/24
    zonecfg:myfirstzone:net> set physical=hme0
    zonecfg:myfirstzone:net> end

    Our example sets myfirstzone's IP address to 192.168.0.1 with a /24 netmask (255.255.255.0). This IP address is bound to the first network card, hme0 (this could be different on certain systems; check the interface names with ifconfig -a in the global zone). The address is plumbed as a logical interface on the global zone's card when the zone boots, so the zone shares the global zone's IP stack: it cannot change its own address or routing table, which is the intended restriction, but the address you choose must be one the global zone's network can actually route.

    1.3.9 Zone Description

    The last resource specification we have is the add attr command, which we use to add a comment to our zone. An attr resource needs a name, a type and a value; comment is the conventional name for a free-form description.

    zonecfg:myfirstzone> add attr
    zonecfg:myfirstzone:attr> set name=comment
    zonecfg:myfirstzone:attr> set type=string
    zonecfg:myfirstzone:attr> set value="my first zone"
    zonecfg:myfirstzone:attr> end

    1.3.10 Finalizing our configuration

    The last commands are used to finish our configuration.

    zonecfg:myfirstzone> verify
    zonecfg:myfirstzone> commit
    zonecfg:myfirstzone> exit

    The verify command checks if our zone configuration was entered correctly. This command may output errors; for example, it reports an attr resource that has no name. The commit command saves the zone configuration. Note that the zone is still not installed, only the configuration is stored (as /etc/zones/myfirstzone.xml in the global zone). Finally the exit command exits zonecfg.

    1.3.11 Removing attributes

    If you made mistakes in the configuration of a zone, you can use the remove command. It has two modes depending on the current zonecfg mode.

    In global mode, remove <resource-type> specifies that you will remove a particular resource. For example, the following command removes our comment:

    zonecfg:myfirstzone> remove attr

    If more than one resource of that type exists, name a property that identifies the one you mean, for example remove attr name=comment.

    In resource mode, remove <property-name>=<property-value> removes an element of that resource description. For example, we can remove our IP address with the following command. Note that you have to be in the net resource to do this.

    zonecfg:myfirstzone:net> remove address=192.168.0.1/24

    Global attributes such as autoboot are properties, not resources, so they are not removed; they are changed with another set command. The following example turns automatic booting back off:

    zonecfg:myfirstzone> set autoboot=false

    Any changes made to the configuration have to be recommitted with commit before they take effect.


    1.3.12 Additional zonecfg commands

    To view the configuration of a zone, you can use the export command. Its output is the list of zonecfg commands that recreate the configuration, and it can be fed back into zonecfg with zonecfg -z <zonename> -f <file>. Zonecfg includes a help command, which you can use to ask for additional information about the commands. Typing help displays all the commands, while typing help <command> displays help information about the specified command.

    1.4 Zoneadm

    The zoneadm command is used to administer zones. Zoneadm comes with subcommands which are used to indicate what to do with the specified zone (via the -z option). This section discusses these commands, and what commands to use to continue our basic zone setup.

    1.4.1 Installing and booting

    Once a zone has been properly configured, we can now install the zone via the zoneadm command:

    # zoneadm -z myfirstzone install

    The system will now begin to install myfirstzone. The screen will show what packages are being copied into the new zone. Installation runs the same checks as zoneadm -z myfirstzone verify first, so a zonepath with the wrong permissions or a missing /opt/local stops the install here rather than at boot time.

    After the install has finished, you can now boot the zone via the following zoneadm command:

    # zoneadm -z myfirstzone boot

    If you did not set the autoboot property of the zone, this is the same command you use to boot the zone after every restart of the global zone.

    1.4.2 Listing zones

    Listing zones is done with the list subcommand of zoneadm. By itself, list shows only running zones; -c includes every configured zone and -v adds the state and path columns:

    # zoneadm list -cv
      ID NAME             STATUS     PATH
       0 global           running    /
       - myfirstzone      installed  /export/home/myfirstzone

    A zone only receives an ID when it is booted, which is why myfirstzone shows "-". For scripts, -p prints one colon-separated record per zone instead of the aligned table.

    Status can be one of the following values:

    Configured - Zone has been properly configured with zonecfg but has not been installed yet.

    Incomplete - Zone is in the middle of installation or uninstallation.

    Installed - Zone has been installed but is not running (no virtual platform assigned to the zone).

    Ready - Zone has been assigned a virtual platform and is ready to accept user processes.

    Running - Zone is running with user processes.

    Shutting down - Zone is currently being shut down.

    Down - Transitional state after shutdown has completed, before the zone returns to installed.


    1.4.3 Additional zoneadm commands

    zoneadm -z myfirstzone halt - stops the zone without running its shutdown scripts and removes its virtual platform (puts it back in the installed state, not the ready state)

    zoneadm -z myfirstzone ready - prepares the virtual platform without booting the zone (puts it in the ready state)

    zoneadm -z myfirstzone reboot - reboots the zone

    zoneadm -z myfirstzone uninstall - removes the installation of the zone, that is, everything under its zonepath (the zone goes back to the configured state)

    zoneadm -z myfirstzone delete - removes the zone configuration (the zone must be in the configured state)

    1.5 Logging in

    At this stage, myfirstzone's installation is still not complete. To complete the installation, log in to the zone's console with the command

    # zlogin -C myfirstzone

    -C connects to the zone's console rather than starting a login session inside it, and is the only way to log in to a zone that has not finished its first boot. Later on, once installation has been completed, you can drop the -C option (type ~. to disconnect from the console).

    On your first login, you will be asked to enter information about the system, similar to the dialog boxes you encountered during Solaris installation. Questions such as system language, zone host name and root password (for the zone administrator) are asked; the zone's root password is independent of the global zone's. Once this dialog has been completed, the zone will enter the running state and can accept user processes. If you prefer to answer these questions in advance, place a sysidcfg file at /export/home/myfirstzone/root/etc/sysidcfg before the first boot and the zone configures itself without prompting.

    At this stage, you should log in to the zone and carry out additional customization of the zone. You might want to add zone users, install additional programs, and set up the required services for that zone.

    1.6 Removing a zone

    You would have to run the following commands in sequence to totally delete a zone.

    Shut down the zone (run from the global zone; -i5 halts the zone, -g0 skips the grace period and -y answers the confirmation):

    # zlogin myfirstzone shutdown -i5 -g0 -y

    Remove the zone installation (-F stands for force uninstallation; without it zoneadm asks for confirmation, because this deletes everything under the zonepath):

    # zoneadm -z myfirstzone uninstall -F

    Finally, delete the zone configuration:

    # zoneadm -z myfirstzone delete -F

    Check zoneadm list -cv between the steps: uninstall only works on a zone in the installed state, and delete only on a zone in the configured state.
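    The listing of 1.4.2 and the removal sequence above put together: a shell script that reads the machine-parsable form of the zone list (zoneadm list -cp, one colon-separated zoneid:zonename:state:zonepath record per zone) and derives the teardown commands from the zone's actual state, so shutdown, halt, uninstall and delete are only issued when the state calls for them. This is an added example and not part of the lab notes; the listing embedded in it is constructed to look like zoneadm list -cp output rather than captured from a system, and the script only prints the commands, it does not run them.

```shell
#!/bin/sh
# Added example (not from the lab notes): decide how to tear down a zone
# from its real state instead of assuming it is running.
# zoneadm list -cp prints one record per configured zone:
#   zoneid:zonename:state:zonepath:...   ("-" as zoneid when not running)
# The listing below is CONSTRUCTED to look like that output.
SAMPLE_LISTING='0:global:running:/:
-:myfirstzone:installed:/export/home/myfirstzone:
3:webzone:running:/export/home/webzone:
-:oldzone:configured:/export/home/oldzone:'

nl='
'

# zone_state NAME [LISTING] -> the state column for NAME, or "absent".
# Without LISTING it asks zoneadm on the live system (global zone, as root).
zone_state() {
    name=$1
    listing=${2:-$(zoneadm list -cp 2>/dev/null)}
    st=$(printf '%s\n' "$listing" | awk -F: -v n="$name" '$2 == n { print $3; exit }')
    echo "${st:-absent}"
}

# teardown_plan NAME [LISTING] -> the commands, one per line, that take the
# zone from its current state to deleted. Refuses to touch the global zone.
teardown_plan() {
    name=$1
    [ "$name" = global ] && { echo "refusing to tear down the global zone" >&2; return 1; }
    st=$(zone_state "$name" "${2:-}")
    [ "$st" = absent ] && { echo "no such zone: $name" >&2; return 1; }
    plan=''
    case "$st" in
        running)
            # Orderly stop from inside the zone (init 5 halts a zone): running -> installed.
            plan="zlogin $name shutdown -i5 -g0 -y$nl"
            st=installed ;;
        ready|shutting_down|down)
            # Nothing to shut down cleanly: drop the virtual platform. -> installed.
            plan="zoneadm -z $name halt$nl"
            st=installed ;;
    esac
    case "$st" in
        installed|incomplete)
            # Deletes everything under the zonepath: installed -> configured.
            plan="${plan}zoneadm -z $name uninstall -F$nl"
            st=configured ;;
    esac
    case "$st" in
        configured)
            plan="${plan}zoneadm -z $name delete -F" ;;
        *)
            echo "zone $name is in unexpected state '$st'" >&2; return 1 ;;
    esac
    printf '%s\n' "$plan"
}

# Stand-alone demo against the constructed listing.
for z in myfirstzone webzone oldzone; do
    echo "== $z (state: $(zone_state "$z" "$SAMPLE_LISTING"))"
    teardown_plan "$z" "$SAMPLE_LISTING"
done
```

    To act on a live system, call teardown_plan with just the zone name so that zone_state queries zoneadm, read the printed plan, and then pipe it into sh as root in the global zone; keeping the printing and the executing separate means a typo in a zone name produces "no such zone" rather than a forced uninstall of the wrong zonepath.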
