Virtualization: Zones
A talk on the Solaris Zones technology (on Linux the equivalent is called containers), given in 2007 by Brendan Gregg.
PDF: Sun2007_Zones_Intro.pdf
Keywords (from pdftotext):
slide 1:
Virtualisation: Zones
Brendan Gregg, Sun Microsystems, May 2007
(background of the title slide: a zonecfg session for small-zone, including the 'info' output)
  # zonecfg -z small-zone
  small-zone: No such zone configured
  Use 'create' to begin configuring a new zone.
  zonecfg:small-zone> create
  zonecfg:small-zone> set autoboot=true
  zonecfg:small-zone> set zonepath=/export/small-zone
  zonecfg:small-zone> add net
  zonecfg:small-zone:net> set address=192.168.2.101
  zonecfg:small-zone:net> set physical=hme0
  zonecfg:small-zone:net> end
  zonecfg:small-zone> info
  zonepath: /export/small-zone
  autoboot: true
  pool:
  inherit-pkg-dir:
          dir: /lib
  inherit-pkg-dir:
          dir: /platform
  inherit-pkg-dir:
          dir: /sbin
  inherit-pkg-dir:
          dir: /usr
  net:
          address: 192.168.2.101
          physical: hme0
  zonecfg:small-zone> verify
  zonecfg:small-zone> commit
slide 2:
Virtualisation: Zones
• This presentation is about Solaris 10 Zones and Containers.
• These slides cover:
  > What are Zones? Containers?
  > Zone Features
  > Zone Types
  > Maintenance
  > Security
  > Resource Management
  > Monitoring
slide 3:
What are Zones?
• Virtual instance of Solaris
• Software partition of the OS
• A virtualisation solution (along with LDoms, Xen, ...)
(diagram: one Solaris 10 kernel hosting Zone 1, Zone 2 and Zone 3)
slide 4:
Zone Features
• Great Performance
• Easy Administration
• Resource Controls
• Observability
• Security
• Low on-disk footprint
• Supported since Solaris 10 3/05
slide 5:
Not Zone Features
• Since there is only one kernel, the following cannot currently be achieved using Zones:
  > Zones for testing kernel patches
    – There are no separate “test kernels” to try patches on
  > Zones for different OSes and Solaris versions
    – BrandZ for creating Linux zones is one exception (so far)
slide 6:
What is best: Zones or VM?
• Performance: Zones
  > No doubling of syscall and kernel overheads
• Observability: Zones
  > Sysadmins can see inside all zones at once
• Security: Zones
  > Read-only /usr by default, and secure monitoring
• Administration: Zones
  > Zones have easy and fast creation/destruction
• Different OSes: VM
  > There is BrandZ for Zones, but it can't do different kernels
slide 7:
What are Containers?
• Zones + Resource Controls
• Guide to history:
  > 1998 - Sun creates Solaris Resource Manager (SRM) as a software package
  > 2002 - SRM features added to Solaris 9, and additional features added to Solaris 9 updates
  > 2005 - Resource Control features applied to Solaris 10 Zones, then improved in Solaris 10 updates
(diagram: Solaris Container = Zone + Resource Controls)
slide 8:
Zone Types
• Global Zone
  > A default Solaris 10 system
  > Can access raw devices
  > Has direct access to the kernel
    – mdb -k
    – patching
  > Exists whether you use zones or not
slide 9:
Zone Types
• Sparse Root Zone
  > This “small zone” shares binaries with the global zone
(diagram: the Global Zone on /dev/dsk/c0t0d0s0 holds /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes; the Small Zone mounts /usr /lib /sbin /platform from it via lofs (ro) and has only its own /var /etc /opt, ~ 100 Mbytes)
slide 10:
Zone Types
• Whole Root Zone
  > This “big zone” has its own OS files
(diagram: the Global Zone on /dev/dsk/c0t0d0s0 holds /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes; the Big Zone on /dev/dsk/c0t1d0s0 holds its own full copy of /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes)
slide 11:
Zone Types
• BrandZ
  > A “Branded Zone” allows a zone to run non-native operating environments
  > lx brand - for Linux zones, provides syscall translation
  > Can run CentOS 3.x, Red Hat Enterprise Linux 3.x
    – Versions 3.5 to 3.8 for both
  > DTrace can trace Linux applications using the lxsyscall provider from the global zone
slide 12:
Zone Types
• Sparse Root Zone is the default
• Sparse Root Zone advantages
  > Low disk overhead
  > Faster creation, destruction, boot
  > Better performance (higher OS file cache hit rate)
  > Secure - read-only binary files
• When to use the Whole Root Zone
  > When OS binaries need to be modified or customised.
slide 13:
Zone Example
• Creating a sparse root zone,
  # zonecfg -z small-zone
  small-zone: No such zone configured
  Use 'create' to begin configuring a new zone.
  zonecfg:small-zone> create
  zonecfg:small-zone> set autoboot=true
  zonecfg:small-zone> set zonepath=/export/small-zone
  zonecfg:small-zone> add net
  zonecfg:small-zone:net> set address=192.168.2.101
  zonecfg:small-zone:net> set physical=hme0
  zonecfg:small-zone:net> end
  zonecfg:small-zone> verify
  zonecfg:small-zone> commit
  zonecfg:small-zone> exit
  # zoneadm list -cv
    ID NAME        STATUS      PATH
     0 global      running
     - small-zone  configured  /export/small-zone
slide 14:
Zone Example
• Installing a sparse root zone,
  # zoneadm -z small-zone verify
  # zoneadm -z small-zone install
  Preparing to install zone <...>.
  Creating list of files to copy from the global zone.
  Copying <...> files to the zone.
  Initializing zone product registry.
  Determining zone package initialization order.
  Preparing to initialize <...> packages on the zone.
  Initialized <...> packages on zone.
  Zone <...> is initialized.
  Installation of these packages generated warnings: <...>
  The file <...> contains a log of the zone installation.
  # zoneadm -z small-zone boot
  # zoneadm list -cv
    ID NAME        STATUS      PATH
     0 global      running
     1 small-zone  running     /export/small-zone
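The same create/verify/install/boot sequence as a script, added here as an example and not part of the slides: it checks the zone name, zonepath, address and NIC before writing a zonecfg command file, then runs the zoneadm steps in order (or only prints them when DRY_RUN is set). It assumes the documented `zonecfg -z NAME -f FILE` form and root in the global zone for a real run.

```shell
# Added example (not from the slides): script the zonecfg/zoneadm steps that
# slides 13-14 run interactively, checking the inputs first. Assumes the
# documented "zonecfg -z NAME -f FILE" form and, unless DRY_RUN is set,
# that it runs as root in the global zone.

# Accept only a dotted-quad IPv4 address with octets 0..255.
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the zonecfg command file on stdout; $1 zone name, $2 zonepath,
# $3 IPv4 address, $4 NIC (hme0 on the slides). 'create' alone gives the
# sparse root defaults (inherit-pkg-dir /lib /platform /sbin /usr).
zone_cmdfile() {
    case $1 in   # naming rules from zones(5): alnum first, then alnum . _ -
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*|global|SUNW*)
            echo "bad zone name: $1" >&2; return 1 ;;
    esac
    case $2 in
        /*) ;;
        *)  echo "zonepath must be absolute: $2" >&2; return 1 ;;
    esac
    valid_ipv4 "$3" || { echo "bad IPv4 address: $3" >&2; return 1; }
    case $4 in
        ''|*[!A-Za-z0-9]*) echo "bad NIC name: $4" >&2; return 1 ;;
    esac
    printf 'create\nset autoboot=true\nset zonepath=%s\nadd net\n' "$2"
    printf 'set address=%s\nset physical=%s\nend\nverify\ncommit\n' "$3" "$4"
}

# Configure, verify, install and boot the zone in order, stopping at the
# first failure; with DRY_RUN set, only print the commands.
make_zone() {
    f=${TMPDIR:-/tmp}/$1.zonecfg
    zone_cmdfile "$@" > "$f" || return 1
    for step in "zonecfg -z $1 -f $f" "zoneadm -z $1 verify" \
                "zoneadm -z $1 install" "zoneadm -z $1 boot"; do
        if [ -n "$DRY_RUN" ]; then echo "would run: $step"; else $step || return 1; fi
    done
}

# e.g. DRY_RUN=1 sh mkzone.sh small-zone /export/small-zone 192.168.2.101 hme0
if [ $# -eq 4 ]; then make_zone "$@"; fi
```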
slide 15:
Maintenance
• Packages
  > pkgadd is zone aware
    – from the global zone it will attempt to install to all zones, unless -G is given
• Patching
  > patchadd is zone aware
    – from the global zone it will attempt to install to all zones if needed
• Upgrading
  > Upgrades on the global zone will upgrade all zones (Solaris 10 1/06); for live upgrade, check for support (soon)
• Cloning
  > fast zone creation, especially on ZFS
slide 16:
Security
• Zones are ideal as security containers
• Some applications have a high risk of attack, such as public facing web servers hosting CGI scripts
• What happens if you think your server may be compromised?
  > Your Intrusion Response Plan may involve booting from “known to be good” CDROMs for analysis. Imagine the down time. Picture making that call if you suspect an attack but have no hard proof (it is tough!)
  > Zones can be examined live from a “known to be good” global zone, which runs no risky software but ssh.
slide 17:
Resource Management
• Many resource management features are available, depending on the version of Solaris 10
  > features in italic on the original slide are in development

  Resource         Fine Control               Coarse Control
  CPU              FSS                        Processor Sets
  Memory           rcapd                      Memory Sets
  Disk Size        ZFS, SVM soft partitions   volumes, disks
  Disk Throughput  -                          disks, controllers
  Network          IPQoS                      Separate NICs
  Swap             swap-max                   Swap Sets
slide 18:
FSS
• Fair Share Scheduler
  > Fine grained CPU resource control
  > Allocate each zone a share value
  > Each zone gets a fraction of the CPU equal to its shares divided by the total shares of all busy zones
  > If only one zone is busy, it gets 100% CPU
  > Good for CPU utilisation - ROI
(diagram: Global Zone 50 shares, Zone 1 10 shares, Zone 2 10 shares, Zone 3 20 shares)
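The FSS rule worked through with the slide's share values, as an added example that is not part of the slides: entitlement is relative to the busy zones only, so the same 20 shares give Zone 3 either 22.2% or 100% depending on who else is busy.

```shell
# Added example (not from the slides): the FSS rule from slide 18 worked
# through. Each line on stdin is "zone shares busy" (busy = 1 or 0); each
# busy zone's CPU entitlement is its shares over the sum of busy shares.
# Idle zones get nothing, and if no zone is busy there is nothing to print.
fss_entitlement() {
    awk '{ shares[$1] = $2; busy[$1] = $3; if ($3) total += $2 }
         END { for (z in shares)
                   if (busy[z] && total > 0)
                       printf "%s %.1f\n", z, 100 * shares[z] / total }' | sort
}

# The slide's allocation: global 50 shares, zones 1-3 with 10, 10 and 20.
fss_demo() {   # $1 = busy flag for the global zone, $2..$4 for zones 1-3
    printf 'global 50 %s\nzone1 10 %s\nzone2 10 %s\nzone3 20 %s\n' "$1" "$2" "$3" "$4" |
        fss_entitlement
}

fss_demo 1 1 1 1    # all busy: global 55.6, zone1 11.1, zone2 11.1, zone3 22.2
fss_demo 0 0 0 1    # only zone3 busy: zone3 100.0
```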
slide 19:
Pools
• CPU Resource Pools
  > Allows fixed CPU allocation
    – useful for by-CPU licensing
  > Allows min/max CPU configs
    – CPU allocation can be tweaked manually
    – CPU allocation can change during dynamic reconfiguration (add/remove system boards)
    – CPU allocation can move based on configured objectives
(diagram: Global Zone 1 - 3 CPUs, Zone 1 1 CPU, Zone 2 2 CPUs, Zone 3 2 - 4 CPUs)
slide 20:
Monitoring
• Many Solaris observability tools are zone aware
  > some are only zone aware with psets (this will get better)
• ps -Z, df -hZ
• prstat -Z - by-zone status
  # prstat -Z
     PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
    2008 root     4000K 1168K cpu513  28        0:02:11 3.7% cpuhog.pl/1
  [...]
  ZONEID    NPROC  SIZE   RSS MEMORY      TIME  CPU ZONE
               51  182M   93M   0.5%   0:37:27  59% workzone1
               51  182M   92M   0.5%   0:16:25  30% workzone2
               51  183M   93M   0.5%   0:16:30  10% workzone3
               61  359M  194M   1.1%   0:00:11 0.1% global
               34  116M   72M   0.4%   0:00:12 0.0% workzone4
  Total: 248 processes, 659 lwps, load averages: 51.19, 40.28, 20.52
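Detection logic over the by-zone table that prstat -Z prints, added here as an example and not part of the slides. The sample input is constructed from the slide's output; the ZONEID and NICE values in it are assumptions, since the slide text dropped them, and the functions read real prstat -Z output from stdin just the same.

```shell
# Added example (not from the slides): detection logic over prstat -Z output,
# the by-zone status shown on slide 20. The sample below is constructed from
# that slide, with ZONEID values and a NICE column filled in as assumptions
# (the slide's text dropped them); the functions read real output from stdin.
PRSTAT_SAMPLE='   PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
  2008 root     4000K 1168K cpu513  28    0   0:02:11 3.7% cpuhog.pl/1
ZONEID    NPROC  SIZE   RSS MEMORY      TIME  CPU ZONE
     1       51  182M   93M   0.5%   0:37:27  59% workzone1
     2       51  182M   92M   0.5%   0:16:25  30% workzone2
     3       51  183M   93M   0.5%   0:16:30  10% workzone3
     0       61  359M  194M   1.1%   0:00:11 0.1% global
     4       34  116M   72M   0.4%   0:00:12 0.0% workzone4
Total: 248 processes, 659 lwps, load averages: 51.19, 40.28, 20.52'

# Read prstat -Z output on stdin and print one "zone cpu_percent" line per
# zone (the CPU value without its '%'), taken from the per-zone table that
# starts at the ZONEID header and ends at the Total: line.
zone_cpu_table() {
    awk '
        $1 == "ZONEID" { inzone = 1; next }
        /^Total:/      { inzone = 0 }
        inzone && NF >= 8 { cpu = $7; sub(/%$/, "", cpu); print $8, cpu }'
}

# Print the zones at or above a CPU threshold (default 50%), busiest first;
# a non-global zone that stays up here is the one to examine next, from
# the global zone, as slide 16 describes.
zones_over() {
    zone_cpu_table | awk -v thr="${1:-50}" '$2 + 0 >= thr + 0' | sort -k2 -n -r
}

# On a live system: prstat -Z 1 1 | zones_over 50. Here, over the sample:
printf '%s\n' "$PRSTAT_SAMPLE" | zones_over 50
```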
slide 21:
References
• http://www.opensolaris.org/os/community/zones
• http://docs.sun.com
  > Zones and Containers System Administration Guide
• http://www.solarisinternals.com/wiki/index.php/Zones
  > Community wiki
slide 22:
Ctrl-D
Brendan Gregg
brendan@sun.com