Friday Nov 04, 2016

Non-reboot immutable zone (as of 11.3 SRU 12)

Immutable Zones

In Solaris 11 we introduced Immutable Zones.  In Solaris 11.2 we added the Immutable Global Zone.  Please read my earlier blog if you are unfamiliar with Immutable Zones.

What is new: Why was a reboot required?

When a Solaris system reboots after the system was just installed or upgraded, self-assembly is performed.  This phase requires the system to be read-write, even when it is an immutable (global) zone.  All services which require self-assembly specify that the self-assembly-complete milestone is dependent on them. When the self-assembly-complete milestone is reached, the system reboots into immutable mode.

As the self-assembly-complete milestone isn't reached until man-index and several other services have run their course, the second boot may come quite a bit later.  Use the following command to list all the services:

# svcs -d self-assembly-complete

The self-assembly-service itself reboots the system; for non-global zones this is pretty quick but for global zones this can be pretty slow.  We have always found this a bug rather than a feature so we decided to fix that for the next Solaris release.  Of course, if self-assembly needs to wait for man-index and other services to complete, not requiring a reboot was only a small part of the puzzle we needed to solve.

In Solaris 11.2 with the design of the immutable global zone, we created the Trusted Path.  Processes which run under the Trusted Path can modify files which are normally read-only in immutable zones.  While this feature was invented to allow modification and updates of an Immutable Global Zone as well as modifications to non-global Immutable Zones using the zlogin -T or -U options, we realized that this could be used to do certain self-assembly operations asynchronously. Asynchronous updates would be interrupted if we rebooted so we needed to fix both problems at the same time.

We implemented this in the next Solaris release and one of our customers who got earlier access to that release filed a service request for a back port of that feature and the rest is history.

What is new in Solaris 11.3 SRU 12?

We introduce a new milestone, immutable-setup, which is reached early during boot and sets the zone's file-mac-profile.  Services which need to know whether the system is immutable need to wait until that milestone is reached.  For native zones this is already done by zoneadmd before starting the zone.

When the self-assembly-complete milestone is reached, the zone will become immutable at that time.  In earlier releases of Solaris a reboot would happen:

[NOTICE: This read-only system transiently booted read/write]
[NOTICE: Now that self assembly has been completed, the system is rebooting]

as of Solaris 11.3 SRU 12 you will see:

[NOTICE: switching to read-only mode]

and the system will continue while man-index asynchronously continues to format manual pages.

But that is not all!  It is now much easier to configure an immutable global zone and, again, without requiring a reboot:

# zonecfg -z global set file-mac-profile=<profile>

# zoneadm -z global apply

You will see the same message on /dev/console.
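
A check for whether a zone with a file-mac-profile is still in its read-write self-assembly window, built from the two commands shown above. This is an added example, not code from the original post or from Solaris; the function names, the sample output and the svc:/example/... FMRI are constructed, and the `zonecfg info` output format is assumed to be `file-mac-profile: <value>`.

```shell
#!/bin/sh
# Added example: is this zone still in its read-write self-assembly window?
#   $1  output of: zonecfg -z global info file-mac-profile
#   $2  output of: svcs -H -o state,fmri -d self-assembly-complete

# Print the FMRI of every dependency whose state is not exactly "online".
# Transitioning states (e.g. "online*") are reported as well; a disabled
# optional dependency also shows up here and needs a human look.
pending_deps() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $1 != "online" { print $2 }'
}

# Print the configured profile, or "none" when the property is unset.
profile_of() {
    p=$(printf '%s\n' "$1" | awk '$1 == "file-mac-profile:" { print $2 }')
    printf '%s\n' "${p:-none}"
}

# Combine both views into a one-line status.
immutable_status() {
    prof=$(profile_of "$1")
    if [ "$prof" = "none" ]; then
        echo "read-write: no file-mac-profile set"
        return 0
    fi
    waiting=$(pending_deps "$2" | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$waiting" ]; then
        echo "pending ($prof): waiting on $waiting"
    else
        echo "assembled ($prof): all self-assembly dependencies online"
    fi
}

# Constructed sample output (not captured from a real system).
SAMPLE_PROFILE='file-mac-profile: fixed-configuration'
SAMPLE_DEPS='online         svc:/example/assembly-a:default
offline        svc:/application/man-index:default'

# On a Solaris host use live data; elsewhere fall back to the samples.
if command -v svcs >/dev/null 2>&1 && command -v zonecfg >/dev/null 2>&1; then
    immutable_status "$(zonecfg -z global info file-mac-profile)" \
        "$(svcs -H -o state,fmri -d self-assembly-complete)"
else
    immutable_status "$SAMPLE_PROFILE" "$SAMPLE_DEPS"
fi
```

A "pending" result means files covered by the profile may still be writable, so treat the host as not yet locked down until the console shows the read-only notice.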

Tuesday Jul 07, 2015

Solaris 11.3: New Immutable Global Zone file-mac-profile: dynamic-zones

In Solaris 11.2 we introduced the Immutable Global Zone.  Just like the Immutable Zones introduced in Solaris 11/11, it supports three different file-mac-profiles: strict, fixed-configuration and flexible-configuration.

To refresh your memory, these three file-mac-profiles as well as the default value, "none",  are described in zonecfg(1m) as follows:

           There are currently four supported values for this property:  none,
           strict, fixed-configuration, and flexible-configuration.

           none  makes the zone exactly the same as a normal, r/w zone. strict
           allows no exceptions to the read-only  policy.  fixed-configuration
           allows  the zone to write to files in and below /var, except direc-
           tories containing configuration files:


           flexible-configuration is equal to fixed-configuration, but  allows
           writing to files in /etc in addition.

In Solaris 11.3 we are adding a fourth file-mac-profile: dynamic-zones.  It should be seen as sitting between fixed-configuration and flexible-configuration.

This particular profile is only valid for the global zone; it allows the administrator to create and destroy non-global zones, kernel zones, etc.

While this is already possible with flexible-configuration, that file-mac-profile also allows much of the system configuration to be changed; with the other profiles, creating or destroying a zone requires using the Trusted Path.  The dynamic-zones profile is a compromise: it lets you restrict the configuration of the system, yet it still allows a user with the proper authorizations to create and destroy zones.

The dynamic-zones profile was targeted specifically at using an immutable global zone on the OpenStack Nova compute nodes.



