Zones

The installation of a zone in OpenSolaris is a bit different from Solaris 10 (or SXCE), and that's due to IPS, which is unique to OpenSolaris. When you create a zone in Solaris 10, you get a native zone, which is very lightweight because it shares much of its system software with the base Solaris 10 installation. However, native zones presume you are using the SVR4 packaging system (as opposed to IPS). Therefore, OpenSolaris uses a branded zone called ipkg.

The ipkg branded zone doesn't share any of its system software with the base OpenSolaris installation. As a matter of fact, when installed, it's not even copied from the base installation, but rather downloaded from an IPS repository. Obviously this makes working with zones in OpenSolaris a bit slower and more restrictive (it took about 10 minutes to download and install on my machine). Supposedly, work is underway to add IPS support to native zones. But until that happens, here's my guide to working with zones in OpenSolaris.

Setting up a zone involves 4 steps: create, install, boot and configure.

Step 1: Create the Zone

If you're not interested in zones, you should at least be aware that you're already running in one - the global zone:

bleonard@opensolaris:~$ zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared

Zones must be installed within a ZFS file system; otherwise the zone install command generates the error "no zonepath dataset" (see defect 8468 for details). You can either use an existing ZFS file system, such as /export/home, or create a new one, as I chose to do here:

pfexec zfs create -o mountpoint=/zones rpool/zones

Before we actually create the zone, let's pre-determine some information that will be required. I'm going to set the zone name to myzone. The zone needs a network interface, which can match that of the global zone. This is easiest to figure out by hovering over the connection properties icon in the top panel and noting the Network Connection:

In my case it's e1000g0.

Since we'll be using a shared IP stack with the global zone, the non-global zone is not at liberty to select its own IP address (or use DHCP). I may talk about exclusive IP stacks in another entry, but for now we need to choose a free IP address on the subnet (I'm running OpenSolaris in VirtualBox, which provides its own subnet). I'll be using 10.0.2.25.

Once you have that information collected, you can begin to create the zone:

bleonard@opensolaris:~$ pfexec zonecfg -z myzone
myzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:myzone> create
zonecfg:myzone> set zonepath=/zones/myzone
zonecfg:myzone> add net 
zonecfg:myzone:net> set physical=e1000g0
zonecfg:myzone:net> set address=10.0.2.25
zonecfg:myzone:net> end
zonecfg:myzone> exit

To see your zone's current configuration, run:

bleonard@opensolaris:~$ zonecfg -z myzone info
zonename: myzone
zonepath: /zones/myzone
brand: ipkg
autoboot: false
bootargs: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: shared
net:
	address: 10.0.2.25
	physical: e1000g0
	defrouter not specified  

List the zones again, using the -c option to show all zones (not just those installed):

bleonard@opensolaris:~$ zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - myzone           configured /zones/myzone                  ipkg     shared

Notice the brand is ipkg.

Step 2: Install the Zone

Now that the zone's configured, let's install it. Zone installation on OpenSolaris is a much different experience than on Solaris 10, as the zone must be downloaded from the package repository rather than simply copied from the global zone:

bleonard@opensolaris:~$ pfexec zoneadm -z myzone install
A ZFS file system has been created for this zone.
  Authority: Using http://pkg.opensolaris.org/release/.
      Image: Preparing at /zones/myzone/root ... done.
 Installing: (output follows)
DOWNLOAD                                    PKGS       FILES     XFER (MB)
Completed                                  52/52   7862/7862   72.41/72.41 

PHASE                                        ACTIONS
Install Phase                            12939/12939 
PHASE                                          ITEMS
Reading Existing Index                           9/9 
Indexing Packages                              52/52 

       Note: Man pages can be obtained by installing SUNWman
Postinstall: Copying SMF seed repository ... done.
Postinstall: Working around http://defect.opensolaris.org/bz/show_bug.cgi?id=741
       Done: Installation completed in 595.162 seconds.

 Next Steps: Boot the zone, then log into the zone console
             (zlogin -C) to complete the configuration process

We can verify the installation via its status:

bleonard@opensolaris:~$ zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   - myzone           installed  /zones/myzone                  ipkg     shared

Steps 3 & 4: Boot and Configure

The next steps are to boot and configure the zone. When the zone boots for the first time, sysidtool is going to run to configure the system. We will boot the zone using two terminal windows: one to boot the system and the other to configure it. Note, it is possible to automate these system configuration steps, which I'll cover in a future blog.

Log into the zone and wait for it to boot:

bleonard@opensolaris:~$ pfexec zlogin -C myzone
[Connected to zone 'myzone' console]  

Open a 2nd terminal window and boot the zone. If you see the warning like I did, don't worry about it, I address this at the end of the entry.

bleonard@opensolaris:~$ pfexec zoneadm -z myzone boot
zone 'myzone': WARNING: e1000g0:1: no matching subnet found in netmasks(4) for 10.0.2.25; using default of 255.0.0.0.

Then back in the 1st terminal, proceed with system configuration:

[NOTICE: Zone booting up]


SunOS Release 5.11 Version snv_101b 32-bit
Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: myzone
Loading smf(5) service descriptions: 68/68
Reading ZFS config: done.
Mounting ZFS filesystems: (5/5)

What type of terminal are you using?
 1) ANSI Standard CRT
 2) DEC VT100
 3) PC Console
 4) Sun Command Tool
 5) Sun Workstation
 6) X Terminal Emulator (xterms)
 7) Other
Type the number of your choice and press Return: 6
Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
Configuring network interface addresses: e1000g0.

Give the zone a host name (or select the default):

─ Host Name for e1000g0:1 ─────────────────────────────────────────────────────

  Enter the host name which identifies this system on the network.  The name
  must be unique within your domain; creating a duplicate host name will cause
  problems on the network after you install Solaris.

  A host name must have at least one character; it can contain letters,
  digits, and minus signs (-).


    Host name for e1000g0:1 myzone                          











────────────────────────────────────────────────────────────────────────────────
    F2_Continue    F6_Help

Note, for some reason the "Continue" command switches from F2, as in the screen shot above, to Esc+2, as seen in the following screens.

Confirm the host name:

─ Confirm Information for e1000g0:1 ────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Host name: myzone















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Configure the security policy:

─ Configure Security Policy: ───────────────────────────────────────────────────

  Specify Yes if the system will use the Kerberos security mechanism.

  Specify No if this system will use standard UNIX security.

      Configure Kerberos Security
      ───────────────────────────
      [ ] Yes
      [X] No












────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm the security policy:

 ─ Confirm Information ──────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Configure Kerberos Security: No















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Set the name service. I will be using DNS:

─ Name Service ─────────────────────────────────────────────────────────────────

  On this screen you must provide name service information.  Select the name
  service that will be used by this system, or None if your system will either
  not use a name service at all, or if it will use a name service not listed
  here.

  > To make a selection, use the arrow keys to highlight the option
    and press Return to mark it [X].


      Name service
      ────────────
      [ ] NIS+
      [ ] NIS
      [X] DNS
      [ ] LDAP
      [ ] None




────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

If you also selected DNS, set the domain name, DNS servers and search domains. I'm using the same settings as my global zone, which you can find in /etc/resolv.conf:

bleonard@opensolaris:~$ cat /etc/resolv.conf 
domain hsd1.ct.comcast.net.
nameserver 10.0.2.3

Set the domain name:

─ Domain Name ──────────────────────────────────────────────────────────────

  On this screen you must specify the domain where this system resides.  Make
  sure you enter the name correctly including capitalization and punctuation.


    Domain name: hsd1.ct.comcast.net             















────────────────────────────────────────────────────────────────────────────────

    Esc-2_Continue    Esc-6_Help

Add the DNS Server Addresses:

─ DNS Server Addresses ─────────────────────────────────────────────────────────

  On this screen you must enter the IP address of your DNS server(s).  You
  must enter at least one address.  IP addresses must contain four sets of
  numbers separated by periods (for example 129.200.9.1).



    Server's IP address: 10.0.2.3        
    Server's IP address:
    Server's IP address:











───────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

And any search domains:

─ DNS Search List ──────────────────────────────────────────────────────────────

  On this screen you can enter a list of domains that will be searched when a
  DNS query is made.  If you do not enter any domains, DNS will only search
  the DNS domain chosen for this system.  The domains entered, when
  concatenated, may not be longer than 250 characters.



    Search domain:                                 
    Search domain:
    Search domain:
    Search domain:
    Search domain:
    Search domain:







────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm the network information:

─ Confirm Information ──────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


          Name service: DNS
           Domain name: hsd1.ct.comcast.net
    Server address(es): 10.0.2.3













────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Ignore the Name Service Error (i.e., do not enter new name service information):

─ Name Service Error ───────────────────────────────────────────────────────────

  Unable to find an address entry for myzone with the specified DNS
  configuration.


      Enter new name service information?
      ───────────────────────────────────
      [ ] Yes
      [X] No












────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

NFSv4 Domain Name:

─ NFSv4 Domain Name ────────────────────────────────────────────────────────────

  NFS version 4 uses a domain name that is automatically derived from the
  system's naming services. The derived domain name is sufficient for most
  configurations. In a few cases, mounts that cross domain boundaries might
  cause files to appear to be owned by "nobody" due to the lack of a common
  domain name.

  The current NFSv4 default domain is: "hsd1.ct.comcast.net"


      NFSv4 Domain Configuration
      ──────────────────────────────────────────────
      [X] Use the NFSv4 domain derived by the system
      [ ] Specify a different NFSv4 domain







────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm:

─ Confirm Information for NFSv4 Domain ─────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.



    NFSv4 Domain Name:  << Value to be derived dynamically >>















────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

Select your time zone:

─ Time Zone ────────────────────────────────────────────────────────────────────

  On this screen you must specify your default time zone.  You can specify a
  time zone in three ways:  select one of the continents or oceans from the
  list, select other - offset from GMT, or other - specify time zone file.

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Continents and Oceans
      ──────────────────────────────────
  -   [ ] Africa
  │   [X] Americas
  │   [ ] Antarctica
  │   [ ] Arctic Ocean
  │   [ ] Asia
  │   [ ] Atlantic Ocean
  │   [ ] Australia
  │   [ ] Europe
  v   [ ] Indian Ocean

──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Country:

─ Country or Region ────────────────────────────────────────────────────────────

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Countries and Regions
      ───────────────────────────
  -   [X] United States
  │   [ ] Anguilla
  │   [ ] Antigua & Barbuda
  │   [ ] Argentina
  │   [ ] Aruba
  │   [ ] Bahamas
  │   [ ] Barbados
  │   [ ] Belize
  │   [ ] Bolivia
  │   [ ] Brazil
  │   [ ] Canada
  │   [ ] Cayman Islands
  v   [ ] Chile

──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Time Zone:

─ Time Zone ───────────────────────────────────────────────────────────────────

  > To make a selection, use the arrow keys to highlight the option and
    press Return to mark it [X].


      Time zones
      ──────────────────────────────────────────────────────────────────────────
  -   [X] Eastern Time
  │   [ ] Eastern Time - Michigan - most locations
  │   [ ] Eastern Time - Kentucky - Louisville area
  │   [ ] Eastern Time - Kentucky - Wayne County
  │   [ ] Eastern Time - Indiana - most locations
  │   [ ] Eastern Time - Indiana - Daviess, Dubois, Knox & Martin Counties
  │   [ ] Eastern Time - Indiana - Starke County
  │   [ ] Eastern Time - Indiana - Pulaski County
  │   [ ] Eastern Time - Indiana - Crawford County
  │   [ ] Eastern Time - Indiana - Switzerland County
  │   [ ] Central Time
  │   [ ] Central Time - Indiana - Perry County
  v   [ ] Central Time - Indiana - Pike County

────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Confirm Time Zone:

─ Confirm Information ─────────────────────────────────────────────────────────

  > Confirm the following information.  If it is correct, press F2;
    to change any information, press F4.


    Time zone: Eastern Time
               (US/Eastern)














──────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-4_Change    Esc-6_Help

And finally, set the root password:

─ Root Password ────────────────────────────────────────────────────────────────

  Please enter the root password for this system.

  The root password may contain alphanumeric and special characters.  For
  security, the password will not be displayed on the screen as you type it.

  > If you do not want a root password, leave both entries blank.


    Root password:  *********
    Root password:  *********










────────────────────────────────────────────────────────────────────────────────
    Esc-2_Continue    Esc-6_Help

Zone configuration is complete. You can now log into the zone:

System identification is completed.

myzone console login: root
Password: 
Apr  1 21:48:04 myzone login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.11      snv_101b        November 2008
root@myzone:~# 

From the other terminal, the zone's status now shows as running:

bleonard@opensolaris:~$ zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              native   shared
   1 myzone           running    /zones/myzone                  ipkg     shared
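The four steps above (create, install, boot, and then the console configuration) as one non-interactive script. This is an added example, not code from the original post: it feeds zonecfg the same settings via a command file, checks up front that the zonepath's parent directory is a ZFS mountpoint (the "no zonepath dataset" precondition above), and reads the zone's state from the parsable `zoneadm list -cp` output. ZONE, ZONEPATH, NIC and ADDR default to the values used in the post; the function names and the RUN_ZONE_SETUP switch are this example's own. Run it with the privileges pfexec provides in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: the create / install / boot
# steps as one script, with the ZFS precondition checked first.
# ZONE, ZONEPATH, NIC and ADDR default to the post's values; run it as
# 'RUN_ZONE_SETUP=1 pfexec sh zone_setup.sh' (file name is this example's own).

ZONE=${ZONE:-myzone}
ZONEPATH=${ZONEPATH:-/zones/myzone}
NIC=${NIC:-e1000g0}
ADDR=${ADDR:-10.0.2.25}

# Emit the zonecfg command file for a shared-IP ipkg zone. This is the
# non-interactive equivalent of the zonecfg session in the post and is
# consumed with 'zonecfg -z NAME -f FILE'.
gen_zonecfg() {
    # $1 zonepath, $2 physical interface, $3 IP address (addr or addr/prefix)
    printf 'create\nset zonepath=%s\nadd net\nset physical=%s\nset address=%s\nend\nverify\ncommit\n' \
        "$1" "$2" "$3"
}

# Print the state of one zone from 'zoneadm list -cp' output read on stdin.
# The parsable format is zoneid:zonename:state:zonepath:uuid:brand:ip-type.
zone_state() {
    awk -F: -v z="$1" '$2 == z { print $3 }'
}

# The directory above the zonepath must be the mountpoint of a ZFS file
# system, or 'zoneadm install' fails with "no zonepath dataset" (defect 8468).
zonepath_parent_is_zfs() {
    zfs list -H -o mountpoint | grep -qx "$(dirname "$1")"
}

setup_zone() {
    if ! zonepath_parent_is_zfs "$ZONEPATH"; then
        echo "no ZFS file system mounted at $(dirname "$ZONEPATH"); create one first," \
             "e.g. 'pfexec zfs create -o mountpoint=/zones rpool/zones'" >&2
        return 1
    fi
    if [ -n "$(zoneadm list -cp | zone_state "$ZONE")" ]; then
        echo "zone $ZONE already exists" >&2
        return 1
    fi
    cfg=$(mktemp) || return 1
    gen_zonecfg "$ZONEPATH" "$NIC" "$ADDR" > "$cfg"
    zonecfg -z "$ZONE" -f "$cfg" || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
    # The install downloads the zone from the IPS repository, so it is the slow step.
    zoneadm -z "$ZONE" install || return 1
    zoneadm -z "$ZONE" boot || return 1
    # Steps 3 and 4 (sysidtool) still run on the console: pfexec zlogin -C "$ZONE"
    zoneadm list -cp | zone_state "$ZONE"      # expect "running"
}

if [ "${RUN_ZONE_SETUP:-0}" = 1 ]; then
    setup_zone
fi
```

The state check before zonecfg keeps the script from silently reconfiguring a zone that already exists; `zone_state` is also handy on its own after each step (`zoneadm list -cp | zone_state myzone` prints configured, installed or running, matching the STATUS column shown throughout the post).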

Working with the Zone

To drop off the zone console, exit the shell prompt and then type ~. at the console login prompt:

root@myzone:~# exit
logout

myzone console login: ~.
[Connection to zone 'myzone' console closed]
bleonard@opensolaris:~$ 

The zone is still running. Log in again:

bleonard@opensolaris:~$ pfexec zlogin -C myzone
[Connected to zone 'myzone' console]

Hit return to get the login prompt:

myzone console login: root
Password: 
Last login: Wed Apr  1 22:00:12 on console
Sun Microsystems Inc.   SunOS 5.11      snv_101b        November 2008
root@myzone:~# 

The zone can be shut down, halted or rebooted from within the zone (here's a reboot example):

root@myzone:~# reboot
Apr  2 01:18:50 myzone reboot: initiated by root on /dev/console

[NOTICE: Zone rebooting]


SunOS Release 5.11 Version snv_101b 32-bit
Copyright 1983-2008 Sun Microsystems, Inc.  All rights reserved.
Use is subject to license terms.
Hostname: myzone
Reading ZFS config: done.
Mounting ZFS filesystems: (5/5)

myzone console login: 

Or from the global zone:

pfexec zoneadm -z myzone reboot

Now that we have a zone, there's plenty of opportunity to experiment...

Deleting the Zone

pfexec zoneadm -z myzone uninstall 
pfexec zonecfg -z myzone delete -F

Fixing the netmask Warnings

If you're getting the netmask warning as I did when the zone boots:

zone 'myzone': WARNING: e1000g0:1: no matching subnet found in netmasks(4) for 10.0.2.25; using default of 255.0.0.0.

You can eliminate it by adding the zone's IP subnet to /etc/inet/netmasks. However, before we can edit the netmasks file, we need to make it writable:

pfexec chmod u+w /etc/inet/netmasks

Then add the proper subnet for your network. For example:

10.0.2.0 255.255.255.0

Now the zone will boot cleanly. For more information see netmasks Warning Displayed When Booting Zone.
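As an added example (not code from the original post), the POSIX shell script below derives the netmasks(4) line from the zone address written with a prefix length (the 10.0.2.25/24 form, which zonecfg also accepts for the net address) and appends it to /etc/inet/netmasks only when that network is not already listed, making the file writable first as described above. The function names and the RUN_NETMASK_FIX switch are this example's own; the file path defaults to the one in the post and can be overridden for testing.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives the netmasks(4) line
# for a zone address given in addr/prefix form and appends it to
# /etc/inet/netmasks only if that network is not listed yet. Function names
# and the RUN_NETMASK_FIX switch are this example's own.

# Dotted quad -> 32-bit integer; fails on anything but four 0-255 octets.
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# "10.0.2.25/24" -> "10.0.2.0 255.255.255.0", the "network mask" line netmasks(4) expects.
netmasks_entry() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1                 # no /prefix given
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    ip=$(ip_to_int "$addr") || return 1
    mask=$(( (1 << 32) - (1 << (32 - prefix)) ))    # top 'prefix' bits set
    echo "$(int_to_ip $(( ip & mask ))) $(int_to_ip "$mask")"
}

# Append the entry for $1 to the netmasks file $2 (default /etc/inet/netmasks)
# unless its network is already present; make the file writable first, as in the post.
add_netmask_entry() {
    entry=$(netmasks_entry "$1") || return 1
    file=${2:-/etc/inet/netmasks}
    net_re=$(printf '%s' "${entry%% *}" | sed 's/\./\\./g')
    if [ -e "$file" ] && grep -q "^${net_re}[[:space:]]" "$file"; then
        return 0                                    # already listed, nothing to do
    fi
    if [ -e "$file" ] && [ ! -w "$file" ]; then
        chmod u+w "$file" || return 1
    fi
    echo "$entry" >> "$file"
}

if [ "${RUN_NETMASK_FIX:-0}" = 1 ]; then
    add_netmask_entry "${1:-10.0.2.25/24}" &&
        echo "netmasks updated; reboot the zone and the warning should be gone"
fi
```

Usage on the global zone, with the privileges the post uses for the chmod: `RUN_NETMASK_FIX=1 pfexec sh netmask_fix.sh 10.0.2.25/24`. Matching on the network field rather than the whole line means a second run, or a run for another host on the same subnet, leaves the file unchanged.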

Comments:

Netmask can be specified when configuring zone's ip with zonecfg (ip/netmask - ex: 10.0.0.1/27 would give netmask of 255.255.255.224)

Posted by edogawaconan on May 19, 2009 at 08:36 PM GMT #

"However, native zones presume you are using the SVR4 packing system (as opposed to IPS). Therefore, OpenSolaris uses a branded zone called ipkg."

This is just the tip of the iceberg with regard to all the architectural and technology issues that developers of IPS are facing. As if it isn't bad enough that they had to go and reinvent the wheel (could have bought or implemented inst(1M) from IRIX 6.5), use python to write IPS, supply poor or no documentation, no packaging tools (ala pkgmk), no Flash(TM), and now on top of everything, they are facing serious architectural issues with zones.

Oh, and let's not forget my absolute "favorite" - IPS - "a no scripting zone", because Mr. Hahn thinks a software management subsystem shouldn't be able to execute code to finishing or beginning package installation / removal.

Never mind that there are customers out there with tons and tons of configuration packages doing exactly that, and *doing it right*.

And yet, IPS is being touted as the best thing since sliced bread! Now if that's not enough to make one angry at OpenSolaris and technology and architectural choices, then I really don't know what is.

Oh, and you should be able to automate all the zone configuration responses by supplying a sysidcfg(4) file.

Unless they did away with that too. It works in Solaris 10 and Solaris Express community edition, at least.

Posted by UX-admin on May 19, 2009 at 11:15 PM GMT #

So are you telling me that:

set brand=ipkg
set autoboot=false
set ip-type=shared
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/lib
end

That zonecfg doesn't result in a "sparse" zone because I have to tell you unless I am imagining all these loopback mounts that my zone seems to be inheriting all the software installed in the global zone......

2009.06 b111a

Posted by Zachary Schneider on May 20, 2009 at 05:16 AM GMT #

Brian, thanks a lot for the great introduction to zones under OpenSolaris! I believe it will be very helpful for OpenSolaris newbies.

I was trying zones a few weeks ago. I remember that I was doing the same things like you, but I had to read many docs to understand that subject. My learning of zones would be easier with your post :)

Posted by ptecza on May 21, 2009 at 02:11 AM GMT #

Hi,
I tried your instructions on the latest release, 2009.06, and I am running into an error on installation:

fridder@beast:~$ pfexec zoneadm -z test install
A ZFS file system has been created for this zone.
Publisher: Using opensolaris.org (http://pkg.opensolaris.org/release/).
Image: Preparing at /zones/test/root ... done.
Cache: Using /var/pkg/download.
Sanity Check: Looking for 'entire' incorporation.
ERROR: Unable to locate the incorporation 'entire@0.5.11,5.11-0.111:20090331T092149Z' in the preferred publisher 'opensolaris.org'.
Use -P to supply a publisher which contains this package.

Any ideas as to why this is happening and how to fix it?

Posted by Francis Ridder on June 10, 2009 at 12:57 PM GMT #

Hi Francis. Are you still experiencing the problem? I just did a quick test on 2009.06 and it appears to be working fine now.

/Brian

Posted by Brian Leonard on June 15, 2009 at 11:09 AM GMT #

Thanks for such a great tutorial. I have setup the zones on Opensolaris.
I need your help in knowing how can I work further with Resource Management under Opensolaris Zones?
Any Link or further blog for the same?

Posted by Ajeet S Raina on June 28, 2009 at 10:54 PM GMT #

Thanks, this is a great tutorial. I am reposting because I did not mark the previous post with notify on comments. I just created a zone on Solaris 11. The problem is that the zone has a very small set of packages even though I did not specify any inherited directory. There was no /export/home folder. More specifically for my purpose, there was no /etc/ipf/ipf.conf and no man pages for ipf. The child zone is only 550MB whereas the global zone is almost 2GB (installed from the NetInstall CD downloaded from Oracle). My question is: how can I create a zone in Solaris 11 that has all the packages in the global zone.

# zoneadm list -civ
  ID NAME             STATUS     PATH                           BRAND    IP
   0 global           running    /                              ipkg     shared
   2 g01              running    /export/zones/g01              ipkg     excl

# zonecfg -z g01 info
zonename: g01
zonepath: /export/zones/g01
brand: ipkg
autoboot: true
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: exclusive
hostid:
fs-allowed:
net:
	address not specified
	allowed-address not specified
	physical: vnic1
	defrouter not specified

root@g01:/# man ipf
No manual entry for ipf.

# zfs list
NAME                        USED  AVAIL  REFER  MOUNTPOINT
rpool                      4.68G   105G  92.5K  /rpool
rpool/ROOT                 2.07G   105G    31K  legacy
rpool/ROOT/solaris         2.07G   105G  2.07G  /
rpool/dump                 1023M   105G  1023M  -
rpool/export               2.29M   105G    33K  /export
rpool/export/home          2.26M   105G  2.26M  /export/home
rpool/swap                 1.06G   105G   164M  -
rpool/zones                 550M   105G    32K  /export/zones
rpool/zones/g01             550M   105G    33K  /export/zones/g01
rpool/zones/g01/ROOT        550M   105G    31K  legacy
rpool/zones/g01/ROOT/zbe    550M   105G   550M  legacy

Thanks
Manish

Posted by guest on June 05, 2011 at 08:35 PM GMT #

Manish, to add ipfilter to a zone, "#pkg install ipfilter". To add the man pages (this will install all 35 MB of the manual), "# pkg install manual". I'll look at writing something up comparing what's installed in the global versus non-global zone.

Posted by W Brian Leonard on June 06, 2011 at 07:57 AM GMT #

About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.
