Shall I use Zones or LDOMs?


Recently (especially since the SPARC T4 release) I have been asked this question a couple of times: "We are running on, or migrating to, T2/T3/T4 servers and are considering the virtualization options for our setup. What shall we go for, zones or ldoms?"

Of course one can't answer this question without discussing the platform requirements and the reasons for picking one technology over the other, but before we go into details, let me get the most important statement straight:

Zones and LDOMs are not rival but complementary technologies. If you need kernel-space separation, use ldoms. But run your applications in zones within those ldoms anyway!

Let's get some terminology clear first:

  • LDOMs are now called Oracle VM for SPARC. I will use these terms interchangeably. 
  • Zones started life as project Kevlar, were then named zones, then marketed as containers, and now we are back to zones again.  
  • LDOMs are the HW-virtualization technology of the SPARC-T (CMT, chip multithreading, CoolThreads, sun4v, etc.) server series: the ability to carve the server up into Logical DOMains, running on a hypervisor that lives in the firmware. 
  • Zones are the featherweight OS-virtualization technology of Solaris on all of its platforms (SPARC-T, SPARC-M and x86 too).
  • Every T server is running ldoms. If you don't partition your box into domains, you are still running one single large ldom, the primary domain, which encapsulates the complete server. 
  • Every Solaris 10+ OS installation has one zone, the global zone (GZ). This is where the [shared] kernel[space] runs; the non-global zones (NGZ) are the containers that separate applications in userspace. 
Now, why would you want to run zones? 

  1. Container principle: they cleanly separate your applications from each other by maintaining for each of them a separate set of Solaris packages, dedicated CPU resources, an IP stack, filesystems, etc. 
  2. Clean architecture: you won't pollute your OS installation in the GZ running on the HW with additional packages/settings. The GZ manages the resources between the zones, runs the kernel, does the scheduling, runs the cluster, manages the devices, etc. The NGZs run the applications.
  3. Flexibility: you can simply detach a zone from its GZ and attach it to another GZ on another box, application included. You can easily clone zones too. 
  4. Security: should an NGZ ever get compromised, the attacker can't touch the GZ or the applications running in other NGZs.
  5. Resource management: you can guarantee a zone a dedicated amount of CPU shares (using the Fair Share Scheduler), but as long as your CPU pool isn't 100% utilized, every zone can use more than the amount dedicated to it; that is, you can overcommit your resources.
And what are the reasons to run LDOMs? 

  1. Kernel-level separation
    • You might want to run different updates of Solaris 10 within a box. 
    • You might want to run Solaris 10 and Solaris 11 right next to each other within a box. 
  2. Live migration: you can't live-migrate zones, but you can live-migrate ldoms. 
  3. Some of your applications might require running in the GZ, and you don't like the idea of running applications in both the GZ and its NGZs at the same time, hence you separate them into ldoms. 
  4. You need to reduce the number of vCPUs in a box for licensing reasons. LDOMs are now recognized by Oracle as hard partitions, i.e. license boundaries. 
  5. You don't want your I/O to depend on a single service domain: you can build multipath groups of devices between two I/O service domains. 


As you see, these two technologies fulfill different requirements and sit at different levels of your operation stack: ldoms are a HW virtualization, a host for kernels to run in, and zones are an OS virtualization, providing containers for your applications to run in: 

[Figure: OVM for SPARC with native and branded zones. To give you an idea: run S10 and S11 in ldoms next to each other within the same box, and run branded and native zones on top of them.]

To summarize: the question shouldn't be about zones vs. ldoms. Use zones, they are your friends. The question is whether you partition your T-SPARC server into ldoms below the global zones that host your NGZs.
Especially with Solaris 11, with Crossbow, the new network virtualization technology (which enables all your NGZs to have a dedicated IP stack), and with the possibility of running Solaris 11 native zones and Solaris 10 branded zones on top of Solaris 11, you have two quite powerful technologies to really get your server's worth, and by that I mean high server utilization. The higher the utilization, the more you get for your costs. 
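As an added example (not code from the original post or from Oracle), the sh script below emits a zonecfg(1M) command file for a non-global zone with a dedicated IP stack, a guaranteed FSS share and hard CPU/memory caps, tying together the resource-management point above and the Crossbow paragraph, and then audits a zoneadm inventory for NGZs still on the global zone's shared IP stack. The zonecfg property names are real; the zonepath, NIC name, share/cap values and the sample inventory lines are constructed, and the 7-field `zoneadm list -cp` layout is an assumption stated in the comments.

```shell
# Added example, not from the original post or Oracle: build a hardened
# zonecfg command file and audit an inventory for shared-IP zones.
# Zone names, paths, NIC name and share/cap values are constructed.

# Print zonecfg commands for a hardened NGZ; feed the output to
# `zonecfg -z NAME -f FILE`. ip-type=exclusive gives the zone its own IP
# stack (a VNIC via Crossbow on S11, a dedicated NIC on S10); capped-cpu
# makes it a "capped zone" and cpu-shares under FSS is its guaranteed share.
# Usage: hardened_zone_cmds ZONEPATH NIC SHARES NCPUS
hardened_zone_cmds() {
    zpath=$1 nic=$2 shares=$3 ncpus=$4
    cat <<EOF
create -b
set zonepath=$zpath
set autoboot=true
set ip-type=exclusive
add net
set physical=$nic
end
set scheduling-class=FSS
set cpu-shares=$shares
add capped-cpu
set ncpus=$ncpus
end
add capped-memory
set physical=4g
set swap=4g
end
set limitpriv="default,!sys_time"
verify
commit
EOF
}

# Read `zoneadm list -cp` lines on stdin (7-field form assumed here:
# zoneid:zonename:state:zonepath:uuid:brand:ip-type) and print the
# non-global zones whose ip-type is still "shared".
audit_shared_ip() {
    awk -F: '$2 != "global" && $7 == "shared" { print $2 }'
}

# Constructed inventory standing in for `zoneadm list -cp` on one host.
SAMPLE_INVENTORY='0:global:running:/::native:shared
1:web1:running:/zones/web1:1111-aaaa:native:shared
2:db1:running:/zones/db1:2222-bbbb:solaris10:excl
-:build1:installed:/zones/build1:3333-cccc:native:excl'

shared_ip_zones() { printf '%s\n' "$SAMPLE_INVENTORY" | audit_shared_ip; }
```

Run `shared_ip_zones` on a real host by replacing the constructed inventory with the output of `zoneadm list -cp`; any zone it names still shares the GZ's IP stack and therefore its routing table and firewall state.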

Additional Information:

LDOMs Wiki
Oracle VM for SPARC Documentation
White Paper: Best Practices For Network Availability with OVM for SPARC
White Paper: Best Practices For Data Availability with OVM for SPARC

HOWTO: Getting started with Solaris Zones
Oracle Solaris Zones Documentation
Best Practices running Oracle DB in Zones
Running RAC in ZoneClusters

    Comments:

    This entry is well organized and helpful! Frequently, our customers ask about the difference between LDoms and Zones.

    Posted by Koshiro Kane on March 10, 2012 at 06:24 AM CET #

    Remember that Oracle Solaris Zones, when configured as "capped", are also recognised as valid hard partitions when it comes to licensing.

    Posted by Duncan Hardie on June 12, 2012 at 09:46 AM CEST #

    That's right, I guess I just wanted to emphasize that for a while now LDoms have been recognized as well, just like zones, if configured correctly.

    btw, the hard partitioning document can be found here: http://www.oracle.com/us/corporate/pricing/partitioning-070609.pdf

    Posted by Karoly Vegh on June 12, 2012 at 10:25 AM CEST #

    Actually that picture is misleading and wrong: you can't run a Solaris 10 (branded zone) inside Solaris 11 if that Solaris 11 is hosted on a Logical Domain.

    Posted by guest on June 21, 2012 at 12:53 AM CEST #

    Hi,

    As far as I knew, you could very much run Solaris 10 branded zones in S11 running in LDoms, but I just double-checked it internally and got it confirmed: it is supported. In LDoms, in OVM for x86, even in VirtualBox, since the S10 brand layer is unaware of the virtualization technology the Solaris 11 installation is running in.

    Maybe you got it confused with branded Solaris 8 or Solaris 9 zones? Those are supported only on Solaris 10 installations. For Solaris 10 branded zones you need S11 in the global zone.

    Posted by Karoly Vegh on June 21, 2012 at 01:53 PM CEST #

    Hi Karoly,

    Great article !

    Just my 2 cents about the zone naming changes across Solaris 10 and Solaris 11.

    Once upon a time Solaris 10 rose from Sun's lab. The god engineers said:

    -1 Shall it be possible to run OSes within the OS. We shall call it a *zone*

    -2 Shall it be possible to restrict the resources used by the almighty zone. We shall call it *container*

    -3 Shall it be possible to run different OS versions with the almighty zone. We shall call it *branded zone*

    -4 When the new offspring of the godlike Solaris 10 arose, the Gods among the Gods said: As it is even better than its powerful father and is still the one and only true OS, we shall call it Solaris 11

    -5 Shall the Solaris 11 mighty zones be called *zones* whatever resource control they use or not

    -6 Shall we name the father Solaris 10 zones in Solaris 11 a *container*

    -7 Shall there now be no mistake in the spelling or wording of this process of godlike creation.

    -8 Shall all the angels of heaven sing these truths or blog about it

    So be it

    Posted by guest on June 21, 2012 at 02:29 PM CEST #

    I know it's completely possible to run a Solaris 10 branded zone inside Solaris 11 running in a logical domain - that's one of the first things I did with Solaris 11. -- Jeff

    Posted by Jeff Savit on June 21, 2012 at 06:44 PM CEST #

    Excellent article.

    Many thanks, Karoly!

    Posted by Leopoldo Otero on September 20, 2012 at 06:16 PM CEST #

    Great Article. But to be clear, there would be no problem live migrating a Solaris 8 branded zone within a Solaris 10 LDOM as long as you were migrating to the exact same CPU architecture, correct? Same for Solaris 10 zone inside a Solaris 11 LDOM, but the cpu restriction would go away, correct?

    Posted by guest on November 14, 2012 at 05:52 PM CET #

    Hi
    My question here is: which type of zones should we use, and what is the best practice for the Global Zone in terms of OS installation?

    Posted by guest on September 03, 2013 at 07:48 AM CEST #

    I don't really get the question. What do you mean by which type of zones? If you can, run Solaris 11.1 with the latest SRU, with S11 zones or zone clusters on top.
    If you need Solaris 10 userspace, then you either run Solaris 10 branded zones on top of Solaris 11, or you run them as S10 zones on top of S10.
    If you need HA with S10, then you can run S10-branded zone clusters on top of S11 with Solaris Cluster 4.1, or native zone clusters on top of S10, or zone nodes, or flying zones...
    If you need Solaris 8 or 9 userspace, then you can run those on top of S10 on SPARC.
    If you use S11, consider immutable zones if necessary. If you run Solaris 10, whole-root zones are probably best.
    I could go on.
    What information are you looking for?

    Posted by Karoly Vegh on September 05, 2013 at 02:02 PM CEST #

    About

    This is the Technology Blog of the Oracle Hardware Presales Consultant Team in Vienna, Austria. We post about our technology fields: server- and storage hardware, operating system technologies, virtualization, clustering, datacenter management and performance tuning possibilities.
