Wednesday Dec 10, 2014

Which Oracle Solaris Virtualization?

From time to time as the product manager for Oracle Solaris Virtualization I get asked by customers which virtualization technology they should choose. This is probably because of two main reasons.

  1. Choice: Oracle Solaris provides a choice of virtualization technologies so you can tailor your virtual infrastructure to best fit your application, not to have force (and hence compromise) your application to fit a single option 
  2. No way back: There is the perception, once you make your choice if you get it wrong there is no way back (or a very difficult way back), so it is really important to make the right choice

Understandably there is occasionally a lot of angst around this decision but, as always, with Oracle Solaris there is good news. First the choice isn't as complex as it first seems and below is a diagram that can help you get a feel for that choice. We now have many many customers that are discovering that the combination of Oracle Solaris Zones inside OVM Server for SPARC instances (Logical Domains) gives them the best of both worlds.

Second with Unified Archives in Oracle Solaris 11.2 you always have a way back. With a Unified Archive you can move from a Native Zone to a Kernel Zone to a Logical Domain to Bare Metal and any and all combinations in-between. You can test which is the best type of virtualization for your applications and infrastructure and if you don't like it change to another type in a few minutes. 

BTW if you want a more in-depth discussion of virtualization and how to best utilize it for consolidation, check out the Consolidation Using Oracle's SPARC Virtualization Technologies white paper.  

Friday Mar 16, 2012

Great Solaris 10 features paving the way to Solaris 11

Karoly Vegh writes on the Oracle Systems Blog Austria about what you can do with Solaris 10 today that will get you ready for Solaris 11.

Even today, many people still use Solaris 10 as if it were a patch update to Solaris 8 or 9, missing out on the power behind Live Upgrade, Zones, resource management, and ZFS. Learning more about these will help set your feet on the road to the even more sophisticated capabilities of Oracle Solaris 11.

[Read More]

Monday Aug 29, 2011

Running GNOME Terminal From a Zone

As I've mentioned before, I VPN into the Oracle Intranet from within a zone. Once I establish the VPN connection, I'm no longer able to SSH into the zone, which is a slight drag if I'd like to open a new terminal window. The solution is to launch a new GNOME terminal window from within the zone. However, this wasn't without some minor hurdles to clear, so I'm documenting the process for future reference.

I'm assuming your zone already has a user account and the X authority file utility installed so you can launch X applications. If not, follow Steps 2 and 3 from the entry Running Firefox From a Zone.

Of course, GNOME Terminal needs to be installed:

bleonard@myzone:~$ sudo pkg install gnome-terminal
               Packages to install:     1
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1       80/80      2.1/2.1

PHASE                                        ACTIONS
Install Phase                                160/160 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2  

At this point, you'd like to think you could just launch gnome-terminal, but alas:

bleonard@myzone:~$ gnome-terminal
ERROR:terminal-app.c:1450:terminal_app_init: assertion failed: (app->default_profile_id != NULL)
Abort (core dumped)

It turns out you also need to install the SMF services responsible for updating the GNOME desktop caches (I've already filed an issue for this):

bleonard@myzone:~$ sudo pkg install desktop-cache
               Packages to install:     8
           Create boot environment:    No
               Services to restart:     5
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  8/8   3125/3125    13.5/13.5

PHASE                                        ACTIONS
Install Phase                              3566/3566 

PHASE                                          ITEMS
Package State Update Phase                       8/8 
Image State Update Phase                         2/2 

After installing the package, wait a few seconds while the cache is built. You can verify it's complete when the GNOME Gconf Cache Builder service state changes to online:

bleonard@myzone:~$ svcs -l gconf-cache
fmri         svc:/application/desktop-cache/gconf-cache:default
name         GNOME Gconf Cache Builder
enabled      true
state        online
next_state   none
state_time   August 29, 2011 04:50:45 PM EDT
logfile      /var/svc/log/application-desktop-cache-gconf-cache:default.log
restarter    svc:/system/svc/restarter:default
dependency   require_all/none svc:/system/filesystem/local (online)

After which, gnome-terminal should start successfully:

bleonard@myzone:~$ gnome-terminal &

If for some reason you still run into a problem, try refreshing the GNOME Gconf Cache Service:

bleonard@myzone:~$ sudo svcadm refresh gconf-cache

Thursday Jun 23, 2011

Giving a Zone "More Power"

In addition to the traditional virtualization benefits that Solaris zones offer, applications running in zones are also running in a more secure environment. One way to quantify this is compare the privileges available to the global zone with those of a local zone.

For example, there a 82 distinct privileges available to the global zone:

bleonard@solaris:~$ ppriv -l | wc -l 

You can view the descriptions for each of those privileges as follows:

bleonard@solaris:~$ ppriv -lv
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
	Allows a process to set the service FMRI value of a process
	contract template.

Or for just one or more privileges:

bleonard@solaris:~$ ppriv -lv file_dac_read file_dac_write
	Allows a process to read a file or directory whose permission
	bits or ACL do not allow the process read permission.
	Allows a process to write a file or directory whose permission
	bits or ACL do not allow the process write permission.
	In order to write files owned by uid 0 in the absence of an
	effective uid of 0 ALL privileges are required.

However, in a non-global zone, only 43 of the 83 privileges are available by default:

root@myzone:~# ppriv -l zone | wc -l      

The missing privileges are:


However, just like Tim Taylor, it is possible to give your zones more power. For example, a zone by default doesn't have the privileges to support DTrace:

root@myzone:~# dtrace -l
   ID   PROVIDER            MODULE                          FUNCTION NAME

The DTrace privileges can be added, however, as follows:

bleonard@solaris:~$ sudo zonecfg -z myzone
zonecfg:myzone> set limitpriv="default,dtrace_proc,dtrace_user"
zonecfg:myzone> verify
zonecfg:myzone> exit
bleonard@solaris:~$ sudo zoneadm -z myzone reboot

Now I can run DTrace from within the zone:

root@myzone:~# dtrace -l | more
   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
 7115    syscall                                               nosys entry
 7116    syscall                                               nosys return

Note, certain privileges are never allowed to be assigned to a zone. You'll be notified on boot if you attempt to assign a prohibited privilege to a zone:

bleonard@solaris:~$ sudo zoneadm -z myzone reboot
privilege "dtrace_kernel" is not permitted within the zone's privilege set
zoneadm: zone myzone failed to verify

Here's a nice listing of all the privileges and their zone status (default, optional, prohibited): Privileges in a Non-Global Zone.

Tuesday Jun 01, 2010

Zones and the Package Manager GUI

After getting a basic GUI to run from a zone, of course I was curious if I could run something more substantial. I don't normally use the Package Manager GUI, but I thought it would be a nice visual way to see what limited packages are installed in a zone.[Read More]

Thursday May 27, 2010

Zones, X and Roles

My last two blog entries were actually written to set up this entry. What if I'm logged into the zone, assumed a role and need to run a GUI? An example use case here would be assuming the role of oracle and wanting to run something like the Oracle Database Configuration Assistant (DBCA). For the purposes of this entry, however, I'll stick to the simple Python GUI I used in my previous entry.[Read More]

Friday Jul 17, 2009

Cloning Zones

Installing a zone in OpenSolaris requires a network connection and some patience as a little over 70MB of data is downloaded. Fortunately, after you've got the first zone installed, future zones can be cloned.[Read More]

Tuesday Jul 14, 2009

Zones and Network Virtualization

If you're like me and working with zones on your laptop and/or desktop, you probably only have one network interface card to work with. Therefore, the zones I've created share the single network interface with the global zone (ip-type=shared).

Behind the scenes, Solaris creates a logical interface for the zone to use. The logical interface appears in ifconfig as your physical interface with an instance number. For example:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet netmask ff000000 
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	zone myzone
	inet netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet netmask ffffff00 broadcast
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
	zone myzone
	inet netmask ffffff00 broadcast

You can see both the loopback (loO) and physical (e1000g0) have an instance (lo0:1 and e1000g0:1) that was created for the zone myzone. These logical interfaces only exist when the zone is running. If you halt the zone, they disappear.

From inside the zone, I only see the logical interfaces:

root@myzone:~# ifconfig -au4
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet netmask ff000000 
e1000g0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet netmask ffffff00 broadcast

However, I have no control over them. For example, if I try to bring down e1000g0:1:

root@myzone:~# ifconfig e1000g0:1 inet down
ifconfig: setifflags: SIOCSLIFFLAGS: e1000g0:1: permission denied 

The global zone is responsible for managing the local zone's network configuration.

Network Virtualization

Oracle Solaris 11 introduces network virtualization technology. For example, I can create a virtual network interface card (vnic) that has all the properties of a physical nic.

bleonard@solaris:~$ sudo dladm create-vnic -l e1000g0 myzone0
bleonard@solaris:~$ dladm show-link 
e1000g0     phys     1500   up       --
iwh0        phys     1500   down     --
vboxnet0    phys     1500   unknown  --
myzone0     vnic     1500   up       e1000g0

Now it's as if my laptop has 2 physical network interface cards. Using this "new" card, I can create a zone with an exclusive IP stack. My zone config would look something like follows:

bleonard@solaris:~$ cat myzone.config
set zonepath=/zones/myzone
set ip-type=exclusive	
add net
set physical=myzone0

Note there's no longer an IP address associated with the zone configuration. With a dedicated IP stack the zone will be able to manage its own IP.

Create the zone:

bleonard@solaris:~$ sudo zonecfg -z myzone -f myzone.config

Install the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone install
A ZFS file system has been created for this zone.
   Publisher: Using solaris ( ).
       Image: Preparing at /zones/myzone/root.
 Credentials: Propagating Oracle_Solaris_11_Express_Support.key.pem
 Credentials: Propagating Oracle_Solaris_11_Express_Support.certificate.pem
       Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
  Installing: Core System (output follows)
               Packages to install:     1
           Create boot environment:    No
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1         1/1      0.0/0.0

PHASE                                        ACTIONS
Install Phase                                  11/11 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2 
               Packages to install:    45
           Create boot environment:    No
               Services to restart:     3
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                45/45 12511/12511    89.1/89.1

PHASE                                        ACTIONS
Install Phase                            17958/17958 

PHASE                                          ITEMS
Package State Update Phase                     45/45 
Image State Update Phase                         2/2 
  Installing: Additional Packages (output follows)
               Packages to install:    46
           Create boot environment:    No
               Services to restart:     2
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                46/46   4498/4498    26.5/26.5

PHASE                                        ACTIONS
Install Phase                              6143/6143 

PHASE                                          ITEMS
Package State Update Phase                     46/46 
Image State Update Phase                         2/2 

        Note: Man pages can be obtained by installing SUNWman
 Postinstall: Copying SMF seed repository ... done.
 Postinstall: Applying workarounds.
        Done: Installation completed in 486.420 seconds.

  Next Steps: Boot the zone, then log into the zone console (zlogin -C)
              to complete the configuration process.

Create a configuration file for the zone. Note, here we can define the zone's IP configuration (or we could do it later):

bleonard@solaris:~$ cat sysidcfg
network_interface=myzone0 {

Copy the sysidcfg file to the zone:

bleonard@solaris:~$ sudo cp sysidcfg /zones/myzone/root/etc/.

Boot the zone:

bleonard@solaris:~$ sudo zoneadm -z myzone boot

Log into zone. The first login will take some time as the zone completes it's system configuration:

bleonard@solaris:~$ sudo zlogin -C myzone
[Connected to zone 'myzone' console]
Hostname: myzone
Loading smf(5) service descriptions: 3/3
 network_interface=myzone0 {
myzone0 is not a valid network interface  line 3 position 19
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: myzone0.
Note the message about myzone0 being an invalid network interface. This appears to be benign as a few lines down we see myzone0 getting configured. If you used the root_password setting from above, you can log in as root/abc123:
myzone console login: root
Password: abc123
May 31 08:30:02 myzone login: ROOT LOGIN /dev/console
Oracle Corporation      SunOS 5.11      snv_151a        April 2011

As with shared IP, you can see the interface using ifconfig:

root@myzone:~# ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet netmask ff000000 
myzone0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet netmask ffffff00 broadcast
        ether 2:8:20:59:0:b5 

However, now you can also manage it. For example:

root@myzone:~# ifconfig myzone0 down
root@myzone:~# ifconfig -au4
lo0: flags=2001000849<⁞UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet netmask ff000000 

And back in the global zone, there's no more logical interfaces cluttering up the ifconfig output:

bleonard@solaris:~$ ifconfig -au4
lo0: flags=2001000849<UP,LOOPBACK,⁞RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet netmask ff000000 
e1000g0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet netmask ffffff00 broadcast
In addtion to this, virtual nics provide a whole bunch of control over the data passing through the network interface. For a brief introduction to that see Fun with Crossbow.

Monday Jul 13, 2009

Zones and DNS

If you've preconfigured your zone as I did, you will probably be frustrated that there's no DNS. This is easy enough to fix.

[Read More]

Preconfiguring Zones

In the Zones blog I posted a few weeks back, a couple of the steps required interactive configuration. In this entry I'm going to create the same zone, however in a much streamlined manner.[Read More]

Tuesday May 19, 2009


The installation of a zone in OpenSolaris is a bit different than in Solaris 10 (or SXCE) and it's due to IPS, which is unique to OpenSolaris.[Read More]

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.


« October 2015