Zones are a feature new in Solaris 10 and provide a useful mechanism to create a Solaris environment for testing and containment (Apache server, etc.). No additional hardware is required for a zone, just some disk space. The impact of a zone on machine performance is minimal, as all zones use the same kernel, so some additional memory for extra processes is all that's required.
Resource allocation to a zone can be closely controlled, and this includes processor shares, resource pools and resource capping with rcapd.
Since update 4 of Solaris 10 (August 2007) dedicated network interfaces can be assigned to a zone; prior to this they had to be shared with the global zone.
Here is an example of zone creation, but for a fuller picture consider attending our Solaris 10 Administration Part 2 course.
Create a suitable directory, to hold the zone copy of the OS:-
# mkdir -p /Zones/Apache
Now create the zone using zonecfg:-
# zonecfg -z apache
apache: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:apache> create
zonecfg:apache> set zonepath=/Zones/Apache
zonecfg:apache> add net
zonecfg:apache:net> set address=192.168.200.117
zonecfg:apache:net> set physical=hme0
zonecfg:apache:net> end
zonecfg:apache> set autoboot=true
zonecfg:apache> verify
zonecfg:apache> commit
zonecfg:apache> exit
(The above information is sufficient to configure a basic zone, with most software shared from the global zone.
Other options could have been used, for example to inherit parts of the global zone's file system, mount directories (e.g. /software) from the global zone, or restrict the zone's resources (e.g. CPU, memory).)
(Note that a full copy of Solaris can be installed, rather than sharing directories, by using the -b flag to the create subcommand within zonecfg.)
Now we use zoneadm to install the zone:-
# zoneadm -z apache install
/Zones/Apache must not be group readable.
/Zones/Apache must not be group executable.
/Zones/Apache must not be world readable.
/Zones/Apache must not be world executable.
could not verify zonepath /Zones/Apache because of the above errors.
zoneadm: zone apache failed to verify
Permissions problem - rectified as follows:-
# ls -ld /Zones/Apache
drwxr-xr-x 2 root root 512 Jul 5 07:08 /Zones/Apache
# chmod 700 /Zones/Apache
Above sets correct permissions; now we can try again:-
# zoneadm -z apache install
Preparing to install zone <apache>.
Creating list of files to copy from the global zone.
Copying <2574> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <914> packages on the zone.
Initializing package <535> of <914>: percent complete: 58%
(The install takes about 10-15 minutes.)
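The zonepath permission rule that stopped the first install attempt can be checked before running zoneadm. The script below is an added example, not part of the original article; check_zonepath is a hypothetical helper name and its messages are modelled on the zoneadm output shown above. It assumes a POSIX shell (on Solaris 10, /usr/xpg4/bin/sh or ksh rather than /bin/sh).

```shell
#!/bin/sh
# Added example: pre-flight check of a zonepath before "zoneadm install".
# check_zonepath is a hypothetical helper, not a Solaris command.
# It checks only the group and world permission bits, which are the ones
# the failed install above complained about.

check_zonepath() {
    zp=$1
    [ -d "$zp" ] || { echo "$zp is not a directory." >&2; return 2; }

    # First 10 characters of "ls -ld" are the type and mode, e.g. drwxr-xr-x
    mode=$(ls -ld "$zp" | cut -c1-10)
    rc=0

    for who in group world; do
        if [ "$who" = group ]; then
            bits=$(echo "$mode" | cut -c5-7)
        else
            bits=$(echo "$mode" | cut -c8-10)
        fi
        # Any access for group or world lets non-root users in the global
        # zone reach files under the zone root, so every set bit is reported.
        case $bits in r??) echo "$zp must not be $who readable." >&2; rc=1 ;; esac
        case $bits in ?w?) echo "$zp must not be $who writable." >&2; rc=1 ;; esac
        case $bits in ??[xst]) echo "$zp must not be $who executable." >&2; rc=1 ;; esac
    done
    return $rc
}

# Run against a path given on the command line, e.g. /Zones/Apache
if [ $# -gt 0 ]; then
    check_zonepath "$1"
fi
```

A directory with mode 755 produces the same four complaints as the failed install; after chmod 700 the function returns 0.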
While this is going on, open another shell window, and have a look under /Zones/Apache:-
# cd /Zones/Apache
# ls root
bin etc home mnt platform sbin tmp var
dev export lib opt proc system usr
Meanwhile, back at the zone:-
Initialized <914> packages on zone.
Zone <apache> is initialized.
Installation of these packages generated warnings: <SUNWapchr>
The file </Zones/Apache/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
The zone is now installed, and we can boot it:-
# zoneadm -z apache boot
Now log in to the zone (the -C option says we wish to log in at the console device):-
# zlogin -C apache
[Connected to zone 'apache' console]
You may now have to wait a while to get a response.
Please make a choice (0 - 1), or press h or ? for help: 0
0. English (C - 7-bit ASCII)
1. Belgium-Flemish (ISO8859-1)
2. Belgium-Flemish (ISO8859-15 - Euro)
3. Great Britain (ISO8859-1)
4. Great Britain (ISO8859-15 - Euro)
5. Ireland (ISO8859-1)
6. Ireland (ISO8859-15 - Euro)
7. Netherlands (ISO8859-1)
8. Netherlands (ISO8859-15 - Euro)
9. Go Back to Previous Screen
Please make a choice (0 - 9), or press h or ? for help: 0
1) ANSI Standard CRT
10) Televideo 925
11) Wyse Model 50
12) X Terminal Emulator (xterms)
13) CDE Terminal Emulator (dtterm)
Type the number of your choice and press Return: 13
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
System identification is completed.
One more question:-
This system is configured with NFS version 4, which uses a domain
name that is automatically derived from the system's name services.
The derived domain name is sufficient for most configurations. In a
few cases, mounts that cross different domains might cause files to
be owned by "nobody" due to the lack of a common domain name.
Do you need to override the system's default NFS version 4 domain name (yes/no) ? [no] : no
rebooting system due to change(s) in /etc/default/init
[NOTICE: Zone rebooting]
SunOS Release 5.10 Version Generic 64-bit
Copyright 1983-2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
apache console login: root
Jul 5 07:54:31 apache login: ROOT LOGIN /dev/console
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
We have now created the zone, installed it, rebooted and logged in.
Use the usual commands to check things out (df, ifconfig, uname, etc).
Tips (but make sure your site security allows this):
1. Edit /etc/default/login and comment out the "CONSOLE=/dev/console" line to permit remote root logins (password needed, of course).
2. Edit /etc/ssh/sshd_config and set "PermitRootLogin yes" if you want to log in as root via ssh. Restart sshd with "svcadm restart ssh".
3. The current zone implementation allows graphical login, as the zone runs "dtlogin -daemon" by default.
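To see whether tips 1 and 2 have been applied inside a zone, the two files can be audited with a short script. This is an added example, not part of the original article; the function names are hypothetical, and it assumes a POSIX shell (/usr/xpg4/bin/sh or ksh on Solaris 10).

```shell
#!/bin/sh
# Added example: report whether remote root login has been enabled
# through /etc/default/login or sshd_config. Function names are hypothetical.

# Succeeds when an uncommented CONSOLE= line restricts root to the console.
console_restricted() {
    grep '^[[:space:]]*CONSOLE=' "$1" >/dev/null 2>&1
}

# Prints the first active PermitRootLogin value in lower case, or "unset".
# Accepts both "PermitRootLogin yes" and "PermitRootLogin=yes".
sshd_root_login() {
    v=$(sed -e 's/#.*//' -e 's/=/ /' "$1" | tr 'A-Z' 'a-z' |
        sed -n 's/^[[:space:]]*permitrootlogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' |
        sed -n 1p)
    echo "${v:-unset}"
}

# Usage: audit_root_login <login defaults file> <sshd_config file>
# Exit status is the number of findings (0, 1 or 2).
audit_root_login() {
    findings=0
    if ! console_restricted "$1"; then
        echo "FINDING: $1 has no active CONSOLE= line; root can log in remotely"
        findings=$((findings + 1))
    fi
    val=$(sshd_root_login "$2")
    if [ "$val" = yes ]; then
        echo "FINDING: $2 sets PermitRootLogin yes; root can log in over ssh"
        findings=$((findings + 1))
    else
        echo "INFO: PermitRootLogin in $2 is $val"
    fi
    return $findings
}

# e.g. sh audit.sh /etc/default/login /etc/ssh/sshd_config
if [ $# -eq 2 ]; then
    audit_root_login "$1" "$2"
fi
```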
We hope this has been useful; see below for additional notes.
Mick Hosegood - First Alternative.