eSTEP: Virtualization@Oracle (Part 4: Oracle Solaris Zones and Linux Containers)
By uwes on Mar 29, 2012
After the Oracle VM coverage in the previous two articles we will now cover the Operating System side by looking at the
Oracle Solaris Zones and Linux Containers
Oracle Solaris Zones and Linux Containers are not separate products but a technology, a feature of the operating system. Both rest on the same principle: they virtualize at the operating-system level, "above" the OS kernel, by isolating groups of processes from each other. Unlike hypervisor-based virtualization there is no additional software layer underneath; one OS kernel is shared by all zones or containers. That is also the security trade-off to keep in mind: the isolation boundary is the kernel's own process, filesystem and network controls, so a flaw in the shared kernel is reachable from every zone or container on the host.
To put it into perspective, let's reuse the image from the first article, which shows the positioning of Oracle Solaris Zones; Linux Containers sit in roughly the same place. The two technologies differ mainly at the implementation level and in how they are integrated into the OS.
Let’s first dive more into detail with the
Oracle Solaris Zones
This Solaris feature first appeared in Solaris Express and Sun Solaris 10 3/05 under the marketing name Solaris Containers, but the technology itself has always been called Solaris Zones. With Oracle Solaris 11 it is now officially named Oracle Solaris Zones. Zones are a virtualization technology that creates a virtualization layer for applications; a zone is a "sandbox" in which an application runs. These zones are called non-global zones. They are isolated from each other, and all of them share one global zone, which holds the Solaris kernel, the device drivers and the devices, the memory management system, the filesystem and, in many cases, the network stack.
So the global zone sees all physical resources and mediates the non-global zones' access to them.
To applications, a non-global zone looks like a separate Solaris installation.
Zones have their own filesystems, their own process namespace, their own security boundaries and their own network addresses. Depending on requirements, a zone can also have its own network stack (an exclusive-IP zone) with separate network properties. Every non-global zone also has its own administrative login (root), but even that privileged user has no way to break out of one non-global zone into a neighbouring non-global zone or into the global zone: the root user of a zone runs with a restricted privilege set, and the zone boundary is enforced by the kernel. Seen from the global zone, however, a non-global zone is just a set of processes grouped together by a tag, the zoneid.
This type of virtualization is often called lightweight virtualization, because almost no overhead is spent on a virtualization layer between the kernel and the applications running in the non-global zones. Applications therefore get native I/O performance from the OS. Zones are thus a good choice when many applications need to be virtualized and high performance is a requirement.
Because all non-global zones share one global zone, all zones run the same level of OS software, with one exception: branded zones run non-native application environments. Oracle Solaris 10 can therefore host Solaris 8 and Solaris 9 Legacy Containers, which provide Solaris 8 and Solaris 9 runtime environments while still sharing the Solaris 10 kernel of the global zone. Oracle Solaris 11 can in turn host Solaris 10 Zones.
Within Oracle Solaris 11, zones are much more tightly integrated with the OS than in Solaris 10. They are no longer just an additional feature: zones take part in the whole lifecycle management of the OS, from (automated) installation to updates. A big step forward is the closer integration of zones with the kernel's security features, which enables delegated administration of zones: a named user can be authorized to log in to or manage one specific zone without holding root in the global zone. Better integration with ZFS, consistent use of boot environments, network virtualization features and Solaris resource management are further improvements made to zones in Oracle Solaris 11. Oracle Solaris Zones have always been easy to set up and use on the command line. If you prefer a graphical tool to configure zones, you can use Oracle Enterprise Manager Ops Center (which we will cover later in this series).
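Here is what the points above look like on the command line, as an added example that is not code from the article: a small POSIX shell script that generates a zonecfg(1M) command file for an Oracle Solaris 11 non-global zone with its own exclusive IP stack, the default restricted privilege set for the zone's root, and a delegated administrator, then applies it with zonecfg/zoneadm. The zone name app1, zonepath /zones/app1, physical link net0 and user zadmin are placeholders. The admin resource assumes Solaris 11 (Solaris 10 zonecfg does not know it). On a host without zonecfg the script only prints the generated commands, so it can be dry-run anywhere.

```shell
#!/bin/sh
# Added example, not from the eSTEP article. Configures a Solaris 11
# non-global zone from the global zone. All names are placeholders.

# Emit the zonecfg command file for a zone to stdout, so it can be
# reviewed and versioned before anything is applied.
#   $1 zone name   $2 zonepath   $3 physical link for the zone's VNIC
#   $4 user allowed to log in to and manage this zone (no global root)
zone_cfg_commands() {
    # create -b: blank config, so every resource below is explicit.
    # ip-type=exclusive + anet: the zone gets its own IP stack on a VNIC.
    # limitpriv=default: keep zone root on the restricted privilege set;
    #   widen only when needed, e.g. default,dtrace_proc,dtrace_user.
    # admin: delegated administration (Solaris 11 only).
    cat <<EOF
create -b
set zonepath=$2
set autoboot=true
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=$3
end
set limitpriv=default
add admin
set user=$4
set auths=login,manage
end
verify
commit
exit
EOF
}

# Apply the configuration, then install and boot the zone. Only runs
# where zonecfg(1M)/zoneadm(1M) exist, i.e. in a Solaris global zone;
# elsewhere it prints the commands it would have applied.
provision_zone() {
    name=$1 zpath=$2 link=$3 admin=$4
    if ! command -v zonecfg >/dev/null 2>&1; then
        echo "dry run: zonecfg(1M) not found; would configure $name with:"
        zone_cfg_commands "$name" "$zpath" "$link" "$admin"
        return 0
    fi
    cfg=$(mktemp) || return 1
    zone_cfg_commands "$name" "$zpath" "$link" "$admin" > "$cfg"
    zonecfg -z "$name" -f "$cfg" || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
    zoneadm -z "$name" install && zoneadm -z "$name" boot || return 1
    zoneadm list -cv
}

# From the global zone a zone is nothing but processes carrying its
# zoneid: list them. Solaris ps(1) understands the zone/zoneid keys.
zone_processes() {
    ps -eo zone,zoneid,pid,args | awk -v z="$1" 'NR == 1 || $1 == z'
}

# Usage: sh make_zone.sh app1 /zones/app1 net0 zadmin
[ $# -eq 4 ] && provision_zone "$@"
```

Once the zone is running, the delegated user zadmin holds the authorizations solaris.zone.login/app1 and solaris.zone.manage/app1, so zlogin app1 and a boot or halt of app1 work for that user without root in the global zone, and without any rights over other zones. zone_processes app1, run in the global zone, shows the zone for what it is from the outside: a list of processes whose zoneid matches.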
Now that we have discussed Oracle Solaris Zones, what are:
Linux Containers (LXC)
Are they the same technology as zones, and if not, how do they differ?
First of all, compared to Oracle Solaris Zones, it is a much younger technology. Linux Containers are usable from kernel 2.6.27 onwards and combine two kernel features: resource management through control groups (cgroups, originally called process containers) and isolation through namespaces. The LXC project page at http://lxc.sourceforge.net/ has a very good explanation of Linux Containers: “Linux Containers take a completely different approach than system virtualization technologies such as KVM and Xen, which started by booting separate virtual systems on emulated hardware and then attempted to lower their overhead via paravirtualization and related mechanisms. Instead of retrofitting efficiency onto full isolation, LXC started out with an efficient mechanism (existing Linux process management) and added isolation, resulting in a system virtualization mechanism as scalable and portable as chroot, capable of simultaneously supporting thousands of emulated systems on a single server while also providing lightweight virtualization options to routers and smart phones.”
So we are talking about chroot-like environments that can be created at various isolation levels and that, as an isolated group of processes, share one Linux kernel. Unlike a Solaris zone, the degree of isolation is not fixed: it depends on which namespaces and cgroup limits are applied to the container's processes, and a container's root user is still a root user on the shared kernel.
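As an added example (not part of the article and not code from the LXC project), the following POSIX shell script shows the two mechanisms the quote refers to from the host's point of view, using nothing but /proc: which namespaces a process lives in, which cgroups it is charged to, and how the host can group processes into containers the same way a Solaris global zone groups them by zoneid. It assumes a Linux host with /proc mounted (the ns links have their current form since kernel 3.8) and needs no LXC tools or privileges; the demo argument and the 30-second sleep used as a child process are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or the LXC project. Inspects the
# kernel state LXC builds on (namespaces, cgroups) via /proc only.

# Namespace id of process $1 for namespace type $2 (pid, mnt, net, uts,
# ipc). The kernel exposes it as a symlink target such as
# "pid:[4026531836]"; processes with the same id share that namespace.
ns_id() {
    readlink "/proc/$1/ns/$2" 2>/dev/null |
        sed 's/^[a-z_]*:\[\([0-9]*\)\]$/\1/'
}

# Prints "yes" (status 0) if processes $1 and $2 share every namespace
# in NS_TYPES, else "no" (status 1). On a container host this is the
# question "are these two processes in the same container?".
NS_TYPES="pid mnt net uts ipc"
same_container() {
    for t in $NS_TYPES; do
        a=$(ns_id "$1" "$t")
        b=$(ns_id "$2" "$t")
        if [ -z "$a" ] || [ "$a" != "$b" ]; then
            echo no
            return 1
        fi
    done
    echo yes
    return 0
}

# The cgroup side: one "hierarchy:controllers:path" line per hierarchy
# the process $1 is charged to (see cgroups(7)).
cgroup_of() {
    cat "/proc/$1/cgroup" 2>/dev/null
}

# From the host, group every process we may inspect by its pid
# namespace. Output: <pid-ns-id> <pid> <comm>. This is the Linux
# counterpart of "ps -eo zone,pid" in a Solaris global zone: container
# membership as the kernel sees it, not as the container reports it.
processes_by_pidns() {
    for d in /proc/[0-9]*; do
        p=${d#/proc/}
        id=$(ns_id "$p" pid)
        [ -n "$id" ] || continue        # gone, or not ours to inspect
        read -r comm 2>/dev/null < "$d/comm" || comm='?'
        echo "$id $p $comm"
    done | sort -n
}

demo() {
    sleep 30 & child=$!
    echo "pid namespace of shell $$: $(ns_id $$ pid)"
    echo "shell and child $child in the same container: $(same_container $$ $child)"
    kill "$child" 2>/dev/null
    echo "cgroups of shell $$:"; cgroup_of $$
    echo "processes grouped by pid namespace:"; processes_by_pidns
}

# Usage: sh ns_inspect.sh demo
[ "${1:-}" = demo ] && demo
```

A process inside a container sees only its own pid namespace in ps, so during an incident on a container host the host-side listing from processes_by_pidns is the one to trust: every line with a pid namespace id different from the host's is a process that some container considers "its own", yet it runs on the same kernel as everything else in the list.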
Oracle Solaris Zones and Linux Containers both offer a lightweight virtualized runtime environment for applications. Solaris Zones have existed since Solaris 10 and are now highly integrated into Oracle Solaris 11. Linux Containers are available as a BETA for Oracle Linux with the Unbreakable Enterprise Kernel, for testing and demonstration purposes only.
With that we'd like to close this article on Oracle Solaris Zones and Linux Containers and hope we've kept you eager to read the ones coming in the following newsletters.
This series already had the following articles:
- December 2011: Introduction to Virtualization (Matthias Pfützner)
- January 2012: Oracle VM Server for SPARC (Matthias Pfützner)
- February 2012: Oracle VM Server for x86 (Matthias Pfützner)
The series will continue as follows (tentative):
- April 2012: Resource Management as Enabling Technology for Virtualization
- May 2012: Network Virtualization (Detlef Drewanz)
- June 2012: Oracle VM VirtualBox (Detlef Drewanz)
- July 2012: Oracle Virtual Desktop Infrastructure (VDI) (Matthias Pfützner)
- August 2012: OpsCenter as Management Tool for Virtualization (Matthias Pfützner)
If you have questions, feel free to contact me at: Detlef Drewanz