
Tips on deploying and managing Oracle Solaris, especially in clouds

Using Solaris Zones on Oracle Cloud Infrastructure

Dave Miner
Sr. Principal Software Engineer

Continuing my series of posts on how to use Oracle Solaris in Oracle Cloud Infrastructure (OCI), I'll next explore using Solaris Zones in OCI.  In this post I assume you're somewhat familiar with zones already, as they've been around since we released Solaris 10 in 2005.

Before diving in, there's a little terminology to review.  The original zones introduced in Solaris 10 are known as non-global zones; they share a kernel with the global zone but otherwise appear to applications as a separate instance of Solaris.  More recently, we introduced kernel zones in Solaris 11.2.  These run a separate kernel, with specialized network and I/O paths that behave more like a paravirtualized virtual machine.  There are also Solaris 10 branded zones, which emulate a Solaris 10 environment on a Solaris 11 kernel.  All of these zone brands provide a Solaris-native virtualization environment with minimal overhead that can help you get more out of your OCI compute resources.  The image at the start of this post, from the Solaris 11.4 documentation, shows a complex zones environment that might be built anywhere, including in OCI; this post provides a basic how-to for getting started with non-global and kernel zones in the OCI environment.

Setup

As a first step, you need to deploy Solaris 11.4 as a bare metal or virtual machine instance in OCI.  See my earlier post on how to import the Solaris 11.4 images into your tenancy if you haven't already done so.  As you create the instance, I'd recommend customizing the boot volume size to a larger value than its default 50 GB in order to accommodate the extra storage required for the zones.  After the instance is booted, ssh in as the opc user, become root with sudo, and toggle the root pool's autoexpand property so that ZFS sees the extra space beyond 50 GB (this is a workaround for an issue with autoexpand on the root pool):

# zpool set autoexpand=off rpool;sleep 15;zpool set autoexpand=on rpool

Next, you'll need to use the OCI console or CLI to add a second VNIC to the instance that we'll use for the zone's network access.  When you're done, the new VNIC appears in the instance's Attached VNICs section in the OCI console (shown as a screenshot in the original post).  Note its private IP address, MAC address, VLAN tag and the subnet's CIDR prefix length: the zone configuration below must match these values exactly, because OCI only delivers traffic to and from the addresses it assigned to the VNIC.

Configuring a Non-Global Zone on Bare Metal

Start by setting the default VLAN tag on net0 to 0.  Solaris otherwise treats untagged frames on the link as belonging to VLAN 1, which would collide with the secondary VNIC that OCI assigned VLAN tag 1 in this example; with default-tag=0 the global zone's primary VNIC traffic stays untagged and the zone's anet traffic is tagged correctly:

# dladm set-linkprop -p default-tag=0 net0

Now it's time to configure the zone.  The key requirement is to configure the anet resource to use the VLAN tag, IP and MAC addresses assigned to the VNIC by OCI; otherwise no network traffic will be allowed to or from the zone.  Note that you need the subnet's prefix length (the /23 below) from the VCN configuration, not just the address.  We also set the default router in the zone configuration to ensure it can reach resources outside its local link (by convention the router is the first address on the network).  Setting allowed-address and mac-address also gives the zone the link-protection shown in the info output below (mac-nospoof, ip-nospoof), so a process inside the zone cannot change the addresses away from what OCI expects.

# zonecfg -z ngz1
Use 'create' to begin configuring a new zone.
zonecfg:ngz1> create
create: Using system default template 'SYSdefault'
zonecfg:ngz1> info
zonename: ngz1
brand: solaris
anet 0:
	linkname: net0
	configure-allowed-address: true
zonecfg:ngz1> select anet 0
zonecfg:ngz1:anet> set allowed-address=100.106.200.4/23
zonecfg:ngz1:anet> set mac-address=00:00:17:00:BA:64
zonecfg:ngz1:anet> set vlan-id=1
zonecfg:ngz1:anet> set defrouter=100.106.200.1
zonecfg:ngz1:anet> end
zonecfg:ngz1> info
zonename: ngz1
brand: solaris
anet 0:
	linkname: net0
	allowed-address: 100.106.200.4/23
	configure-allowed-address: true
	defrouter: 100.106.200.1
	link-protection: "mac-nospoof, ip-nospoof"
	mac-address: 00:00:17:00:ba:64
	vlan-id: 1
zonecfg:ngz1> commit
zonecfg:ngz1> exit

Configuring a Non-Global Zone on a Virtual Machine

When using a VM as the global zone, the process is slightly different, as the hypervisor exposes the VNIC to the guest automatically as a second physical link (net1 here).  This makes the zone configuration somewhat simpler: we don't have to worry about VLAN tags (the hypervisor handles that) and can just delegate that physical link as a net resource and configure the allowed address and router.  The OCI VNIC configuration for our VM, shown as a screenshot in the original post, supplies the private IP and subnet used below.

To configure the zone:

# zonecfg -z ngz1
Use 'create' to begin configuring a new zone.
zonecfg:ngz1> create
create: Using system default template 'SYSdefault'
zonecfg:ngz1> info
zonename: ngz1
brand: solaris
anet 0:
	linkname: net0
	configure-allowed-address: true
zonecfg:ngz1> remove anet 0
zonecfg:ngz1> add net
zonecfg:ngz1:net> set physical=net1
zonecfg:ngz1:net> set allowed-address=100.106.196.11/23
zonecfg:ngz1:net> set defrouter=100.106.196.1
zonecfg:ngz1:net> end
zonecfg:ngz1> info
zonename: ngz1
brand: solaris
net 0:
	allowed-address: 100.106.196.11/23
	physical: net1
	defrouter: 100.106.196.1
zonecfg:ngz1> commit
zonecfg:ngz1> exit

Once the zone is configured, install it as usual with zoneadm -z ngz1 install, boot it with zoneadm -z ngz1 boot, then attach to its console with zlogin -C ngz1 to complete the system configuration that runs at first boot.  Finally, log in with zlogin ngz1 and verify the network works: the allowed address should be configured on net0 and the default router should be reachable.
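As an added example (not code from the original post), the following POSIX shell helpers turn the values OCI shows for the secondary VNIC into zonecfg command files for both variants above, the bare metal anet form and the VM net form, checking the MAC address and prefix length first so that a typo does not leave the zone silently without network. The function names are hypothetical; the generated file is applied non-interactively with zonecfg -z NAME -f FILE, which is why the Solaris commands are only emitted in the comments and never run here.

```shell
#!/bin/sh
# Added example, not from the original post.  Generate zonecfg(1M) command
# files from the OCI VNIC values so allowed-address, mac-address and vlan-id
# in the zone match what OCI enforces.  Helper names are hypothetical.

# MAC must be six colon-separated hex octets, as shown in the OCI console.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Address must carry the subnet prefix length (a.b.c.d/n, 0 <= n <= 32);
# OCI subnets are often not /24, and zonecfg needs the prefix.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Bare metal: the zone gets an anet tagged with the VNIC's VLAN and MAC.
# ngz_bm_zonecfg CIDR ROUTER MAC VLAN
ngz_bm_zonecfg() {
    cidr=$1; router=$2; mac=$3; vlan=$4
    valid_cidr "$cidr" || { echo "bad allowed-address: $cidr" >&2; return 1; }
    valid_mac "$mac"   || { echo "bad mac-address: $mac" >&2; return 1; }
    case $vlan in ''|*[!0-9]*) echo "bad vlan-id: $vlan" >&2; return 1 ;; esac
    cat <<EOF
create
select anet 0
set allowed-address=$cidr
set mac-address=$mac
set vlan-id=$vlan
set defrouter=$router
end
commit
EOF
}

# OCI VM: the hypervisor already exposes the VNIC as a physical link, so the
# default anet is replaced by a net resource that delegates that link.
# ngz_vm_zonecfg PHYSICAL CIDR ROUTER
ngz_vm_zonecfg() {
    physical=$1; cidr=$2; router=$3
    valid_cidr "$cidr" || { echo "bad allowed-address: $cidr" >&2; return 1; }
    cat <<EOF
create
remove anet 0
add net
set physical=$physical
set allowed-address=$cidr
set defrouter=$router
end
commit
EOF
}

# On the global zone (not executed here), e.g. for the bare metal case:
#   ngz_bm_zonecfg 100.106.200.4/23 100.106.200.1 00:00:17:00:BA:64 1 > ngz1.cfg
#   zonecfg -z ngz1 -f ngz1.cfg && zoneadm -z ngz1 install && zoneadm -z ngz1 boot
```

Keeping the VNIC parameters in one generated file also makes it easy to diff the zone configuration against the VNIC details exported from OCI when a zone unexpectedly loses connectivity.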

Configuring a Kernel Zone

Kernel zones are not supported on OCI's virtual machines, so you'll need a bare metal host to run them.  First, ensure that you've installed the kernel zone brand package in the global zone, as it isn't included in the Solaris image for OCI:

# pkg install brand-solaris-kz

In this example, we're reusing the same VNIC for the kernel zone as was used for the non-global zone example above.  Kernel zones don't support setting the IP configuration in the zone configuration, so we only set the MAC address and VLAN tag here; they still have to match the VNIC, for the same reason as before.  The correct IP address, network prefix, and router must be provided either in the SMF profile used to configure the kernel zone (passed to zoneadm install with -c) or interactively to the system configuration tool that runs at first boot of the kernel zone.  Here's the zone configuration:

# zonecfg -z kz1
Use 'create' to begin configuring a new zone.
zonecfg:kz1> create -t SYSsolaris-kz
zonecfg:kz1> info
zonename: kz1
brand: solaris-kz
hostid: 0x2bab3170
anet 0:
	configure-allowed-address: true
	id: 0
device 0:
	storage.template: dev:/dev/zvol/dsk/%{global-rootzpool}/VARSHARE/zones/%{zonename}/disk%{id}
	storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/kz1/disk0
	id: 0
	bootpri: 0
virtual-cpu:
	ncpus: 4
capped-memory:
	physical: 4G
	pagesize-policy: largest-available
zonecfg:kz1> select anet 0
zonecfg:kz1:anet> set mac-address=00:00:17:00:BA:64
zonecfg:kz1:anet> set vlan-id=1
zonecfg:kz1:anet> end
zonecfg:kz1> commit
zonecfg:kz1> exit

As before, proceed to install the zone and boot it using the zoneadm command.
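As an added example (not code from the original post), these POSIX shell helpers produce the two files a kernel zone needs on OCI: the zonecfg command file carrying only the VNIC's MAC address and VLAN tag, and the static IPv4 fragment of a sysconfig SMF profile that supplies the address, prefix length and router that zonecfg cannot. The function names are hypothetical, and the property names follow the network/install service used by sysconfig profiles; compare the fragment against a reference generated with sysconfig create-profile before relying on it, since a complete profile also carries the hostname, root password and other settings.

```shell
#!/bin/sh
# Added example, not from the original post.  For a kernel zone the IP
# configuration cannot live in zonecfg, so two files are generated from the
# OCI VNIC values: the zonecfg command file (MAC + VLAN only) and the network
# part of a sysconfig SMF profile for zoneadm install -c.  Helper names are
# hypothetical; check the profile against sysconfig create-profile output.

# zonecfg command file for a solaris-kz zone on a bare metal host
# kz_zonecfg MAC VLAN
kz_zonecfg() {
    mac=$1; vlan=$2
    printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' ||
        { echo "bad mac-address: $mac" >&2; return 1; }
    case $vlan in ''|*[!0-9]*) echo "bad vlan-id: $vlan" >&2; return 1 ;; esac
    cat <<EOF
create -t SYSsolaris-kz
select anet 0
set mac-address=$mac
set vlan-id=$vlan
end
commit
EOF
}

# Static IPv4 fragment of a sysconfig profile: interface name inside the
# kernel zone, address with prefix length (required; OCI subnets are often
# not /24) and the default router (first address of the subnet on OCI).
# kz_net_profile IFNAME CIDR ROUTER
kz_net_profile() {
    ifname=$1; cidr=$2; router=$3
    printf '%s\n' "$cidr" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' ||
        { echo "address needs a prefix length, e.g. 100.106.200.4/23" >&2; return 1; }
    cat <<EOF
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type="profile" name="sysconfig">
  <service version="1" type="service" name="network/install">
    <instance enabled="true" name="default">
      <property_group type="application" name="install_ipv4_interface">
        <propval type="astring" name="address_type" value="static"/>
        <propval type="net_address_v4" name="static_address" value="$cidr"/>
        <propval type="astring" name="name" value="$ifname/v4"/>
        <propval type="net_address_v4" name="default_route" value="$router"/>
      </property_group>
    </instance>
  </service>
</service_bundle>
EOF
}

# On the global zone (not executed here):
#   kz_zonecfg 00:00:17:00:BA:64 1 > kz1.cfg
#   kz_net_profile net0 100.106.200.4/23 100.106.200.1 > kz1-net.xml
#   zonecfg -z kz1 -f kz1.cfg
#   zoneadm -z kz1 install -c kz1-net.xml && zoneadm -z kz1 boot
```

Because the kernel zone configures its own IP stack from the profile, a wrong prefix length or router here shows up only as a zone that boots cleanly but cannot be reached; checking the address against the VNIC's subnet CIDR before generating the profile catches the common mistake of leaving the prefix off.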

There's plenty more to explore in using zones with OCI; consult the zones documentation for more details on their capabilities.


Comments ( 1 )
  • Ralf Ramge Thursday, November 29, 2018
    Thanks a lot, Dave!

    I still have a PoC with Zones on my own todo list, and I look forward to cross-checking with your article when I do it.

    Cheers,

    Ralf