So, what makes Solaris Zones so cool?
By Karoly Vegh on Aug 30, 2013
How do you virtualize? Do you emulate virtual machines? Do you partition your servers' hardware? Or do you run a container technology?
This post is about the third option, a container technology built right into Solaris: Solaris Zones. They are pretty awesome, especially on Solaris 11 - they're like vacation: once you go Zones, you won't want to leave them :)
But what exactly makes Zones so cool?
There are a number of reasons, allow me to list my favourite top 10:
Pro primo: Solaris Zones run with practically no performance overhead. That is, you will not lose CPU capacity to virtualization. The reason is that there is no additional emulation or virtualization layer between the bare-metal server installation and the Zone instances: all the kernel-level services (resource management, I/O, scheduling, etc.) are provided by the single kernel running as part of the global zone (the "bare metal" installation), and the Zones themselves are userspace containers only. The flip side is that every zone shares that one kernel, so the global zone's patch level is what protects all tenants.
Pro secundo: Resource Management. Resource management has been around since (IIRC) Solaris 9 with projects, but it turned out to be immensely useful with Zones. You can of course create static CPU pools and bind zones to them, but my favourite method is the Fair Share Scheduler (FSS): it lets you define a guaranteed minimum share of CPU time per zone (the cpu-shares property in zonecfg) while still allowing a zone to consume much more as long as the CPU pool isn't 100% utilised. Keep in mind that the shares only mean something once FSS is actually the scheduling class for the zones' processes; the usual way is to make it the system default with dispadmin -d FSS.
Also, see Stefan's post about memory DR for zones.
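To make the "guaranteed minimum, but more if it's free" behaviour concrete, here is an added example (my own model, not Oracle's scheduler code) that reproduces how FSS divides a CPU pool among zones by their cpu-shares values: each busy zone gets at least shares/total, and whatever an idle zone leaves unused is redistributed to the hungry ones, again by shares. The zone names, share counts and demand figures are constructed for illustration.

```python
"""Weighted fair-share allocation model.

Added example, not Oracle/Solaris code: it models how the Fair Share
Scheduler (FSS) divides a CPU pool among zones configured with
`zonecfg ... set cpu-shares=N`. Each zone is entitled to at least
shares/total_shares of the pool when it wants it; whatever a zone leaves
unused is handed to the zones that still have demand, again in proportion
to their shares. Zone names, share counts and demand figures are constructed.
"""
from fractions import Fraction
from typing import Dict, List, Mapping, Set

Alloc = Dict[str, Fraction]


def guaranteed_minimum(shares: Mapping[str, int],
                       capacity: Fraction = Fraction(1)) -> Alloc:
    """Floor each zone can count on when every zone is busy."""
    total = sum(shares.values())
    if total <= 0 or any(s <= 0 for s in shares.values()):
        raise ValueError("every zone needs a positive cpu-shares value")
    return {z: capacity * s / total for z, s in shares.items()}


def fss_allocate(shares: Mapping[str, int],
                 demand: Mapping[str, Fraction],
                 capacity: Fraction = Fraction(1)) -> Alloc:
    """CPU fraction each zone ends up with for a given demand pattern."""
    guaranteed_minimum(shares, capacity)          # validates the shares
    alloc: Alloc = {z: Fraction(0) for z in shares}
    active: Set[str] = {z for z in shares if demand.get(z, Fraction(0)) > 0}
    remaining = capacity
    # Each round splits what is left among the still-hungry zones by shares.
    # A zone whose unmet demand fits in its slice takes only what it needs and
    # drops out, so its surplus is redistributed in the next round.
    while active and remaining > 0:
        total = sum(shares[z] for z in active)
        given = Fraction(0)
        satisfied: Set[str] = set()
        for z in sorted(active):
            slice_ = remaining * shares[z] / total
            unmet = demand[z] - alloc[z]
            grant = min(slice_, unmet)
            alloc[z] += grant
            given += grant
            if unmet <= slice_:
                satisfied.add(z)
        remaining -= given
        active -= satisfied
    return alloc


def shortchanged(shares: Mapping[str, int], demand: Mapping[str, Fraction],
                 alloc: Alloc, capacity: Fraction = Fraction(1)) -> List[str]:
    """Zones that got less than min(demand, guaranteed minimum), i.e. the
    isolation property FSS is supposed to give you. Expected to be empty."""
    floor = guaranteed_minimum(shares, capacity)
    return [z for z in shares
            if alloc[z] < min(demand.get(z, Fraction(0)), floor[z])]


# Constructed scenario: three zones with cpu-shares 50/30/20.
SHARES = {"web": 50, "db": 30, "batch": 20}
ALL_BUSY = {z: Fraction(1) for z in SHARES}        # everyone wants the whole pool
MIXED = {"web": Fraction(3, 10), "db": Fraction(1, 5),
         "batch": Fraction(1)}                      # batch is the noisy neighbour
NOISY = {"web": Fraction(1), "db": Fraction(0),
         "batch": Fraction(1)}                      # db idle, two zones fight
IDLE = {z: Fraction(1, 10) for z in SHARES}         # pool mostly unused

if __name__ == "__main__":
    for name, demand in [("all busy", ALL_BUSY), ("mixed", MIXED),
                         ("noisy", NOISY), ("idle", IDLE)]:
        alloc = fss_allocate(SHARES, demand)
        shown = ", ".join(f"{z}={float(v):.2f}" for z, v in alloc.items())
        print(f"{name:9s}: {shown}  shortchanged={shortchanged(SHARES, demand, alloc)}")
```

In the "mixed" scenario the batch zone ends up with half the pool although its shares only guarantee it a fifth, because web and db don't want their full entitlement; in "noisy" web still gets more than its guaranteed half. The shortchanged check is the invariant you care about from a multi-tenant point of view: no zone with demand ever drops below min(demand, its guaranteed share), whatever a neighbour does.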
Pro tertio: Golden Image cloning: it makes a lot of sense to put the zones on ZFS because of ZFS's native cloning capabilities. What I usually demo to customers is cloning zones: I keep a prepared zone that serves as a golden image (the source of the clone), and instead of installing the next zone from the IPS repository I clone the existing one with zoneadm's built-in clone subcommand. It takes a matter of seconds. And since the clone is a ZFS snapshot-based clone within the zpool, it initially uses hardly any disk space at all. Keep in mind that a clone starts out as an exact copy, so each clone still needs its own system identity (hostname, addresses, credentials) before it goes into service.
Pro quarto: Zone independence: Zones are (especially since Solaris 11) pretty much independent; they [can] have their own:
- users (including a separate root user per zone)
- process space that isn't visible to other nonglobal zones
- filesystems and mounts
- software packages
- SMF services
- exclusive IP stack
Pro quinto: Branded Zones. Yes, you can run a complete Solaris 10 zone on top of Solaris 11. Inside the zone you get a complete Solaris 10 userspace, archived from an existing system that was either a Solaris 10 global zone or a non-global one, running on the Solaris 11 kernel. Just like that.
Pro sexto: Cluster integration: Solaris Zones can be moved around between the nodes of a Solaris Cluster as "moving zones" with the built-in cluster agent delivered by Solaris Cluster (formerly Sun Cluster). But with Solaris Cluster you can also create Zone Clusters, that is, cluster instances at the zone level. A zone cluster consists of a non-global zone created and managed by the global cluster on each cluster node, with the cluster commands available inside those zone-cluster nodes. That is, you can have several zone clusters on top of the "bare metal" Solaris Cluster installation, each a separate, independent, multi-tenant virtual cluster environment. For more details see this post: "Zones? Clusters? Clustering zones? Zoneclusters?".
You can even have Solaris 10 branded zone clusters!
Pro septimo: Immutable Zones: there are several predefined levels (the zone's file-mac-profile property: none, strict, fixed-configuration, flex-configuration) for making parts of a zone read-only from the inside. The protected filesystems are read-only from within the non-global zone but remain writeable from the global zone, so even a root user inside the zone cannot alter the system binaries or configuration; that gives the global zone's administrator an additional line of defense when the zones are administered by other people holding zone root. (See the documentation for details, or Darren's blog post about an encrypted immutable zone on iSCSI.)
Pro octavo: Exclusive IP stack with VNICs: on Solaris 11 you can have your cake and eat it too. All your zones are exclusive-IP zones by default, that is, each owns a separate layer-3 (IP) stack that belongs only to that zone, eliminating shared network state between zones. And you don't even need to dedicate hardware NICs to the zones for that, since in Solaris 11, thanks to project Crossbow, you can create virtual NICs (VNICs) and dedicate those layer-2 elements to the zones. The zone can even manage its own network configuration, and yes, there is spoofing protection built right into zones and VNICs: the global zone sets link protection on the VNIC (dladm's protection property with mac-nospoof, ip-nospoof, dhcp-nospoof and restricted, plus allowed-ips), which root inside the zone cannot override. You can even run an NFS server in a zone now! For details, see Jeff Victor's excellent Solaris-10-Zones-compared-to-Solaris-11-Zones post.
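To show what that spoofing protection buys you, here is an added example (my own model, not Oracle's dladm or kernel code) that applies the mac-nospoof, ip-nospoof and restricted rules of Solaris 11 link protection to a handful of constructed outbound frames from a zone. The VNIC MAC, the TEST-NET addresses and the frames are made up for the example; dhcp-nospoof and DHCP-learned addresses are left out.

```python
"""Model of Solaris 11 link protection on a zone's VNIC.

Added example, not Oracle/Solaris code. On Solaris 11 the global zone can set
`dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted vnic0`
(plus `-p allowed-ips=...`) so that an exclusive-IP zone cannot put frames on
the wire with someone else's source MAC, an IP/ARP sender address it does not
own, or a non-IP protocol. The checks below reproduce that policy over a few
constructed frames; the MAC and IP addresses are made up for the example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
IP_FAMILY = (ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP)


@dataclass(frozen=True)
class Frame:
    src_mac: str
    ethertype: int
    src_ip: str = ""   # IP source, or ARP sender protocol address; "" if none


@dataclass(frozen=True)
class LinkProtection:
    vnic_mac: str
    allowed_ips: FrozenSet[str]
    modes: FrozenSet[str]   # any of "mac-nospoof", "ip-nospoof", "restricted"

    def check(self, frame: Frame) -> Tuple[bool, str]:
        """Return (allowed, reason) for one outbound frame from the zone."""
        if "mac-nospoof" in self.modes and frame.src_mac.lower() != self.vnic_mac.lower():
            return False, "mac-nospoof: source MAC is not the VNIC's own"
        if "restricted" in self.modes and frame.ethertype not in IP_FAMILY:
            return False, "restricted: only IPv4/IPv6/ARP may leave the zone"
        if ("ip-nospoof" in self.modes and frame.ethertype in IP_FAMILY
                and frame.src_ip not in self.allowed_ips):
            return False, "ip-nospoof: sender address not in allowed-ips"
        return True, "pass"


def filter_frames(policy: LinkProtection,
                  frames: List[Frame]) -> List[Tuple[Frame, bool, str]]:
    """Run every frame through the policy, keeping the verdict and reason."""
    return [(f, *policy.check(f)) for f in frames]


def count_dropped(policy: LinkProtection, frames: List[Frame]) -> int:
    return sum(1 for _, ok, _ in filter_frames(policy, frames) if not ok)


# Constructed VNIC and policies: full protection versus none at all.
VNIC_MAC = "02:08:20:aa:bb:01"
FULL = LinkProtection(VNIC_MAC, frozenset({"192.0.2.10"}),
                      frozenset({"mac-nospoof", "ip-nospoof", "restricted"}))
NONE = LinkProtection(VNIC_MAC, frozenset({"192.0.2.10"}), frozenset())

# Constructed outbound frames, as a root user inside the zone might emit them.
SAMPLE_FRAMES = [
    Frame(VNIC_MAC, ETHERTYPE_IPV4, "192.0.2.10"),             # normal traffic
    Frame(VNIC_MAC, ETHERTYPE_ARP, "192.0.2.10"),              # legitimate ARP
    Frame("02:08:20:de:ad:01", ETHERTYPE_IPV4, "192.0.2.10"),  # forged source MAC
    Frame(VNIC_MAC, ETHERTYPE_IPV4, "192.0.2.99"),             # forged source IP
    Frame(VNIC_MAC, ETHERTYPE_ARP, "192.0.2.1"),               # ARP poisoning as the gateway
    Frame(VNIC_MAC, 0x88CC),                                   # non-IP protocol (LLDP)
]

if __name__ == "__main__":
    for frame, ok, why in filter_frames(FULL, SAMPLE_FRAMES):
        print("ALLOW" if ok else "DROP ", frame, why)
```

With the full policy the forged-MAC frame, the forged-IP frame, the ARP reply impersonating the gateway and the LLDP frame are all dropped while the two legitimate frames pass; with no protection everything leaves the zone. That is the difference between a zone root that can only misuse its own addresses and one that can poison ARP for its neighbours on the same physical link.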
Pro nono: zonestat: zonestat is a tool that gives a good overview of which resources your zones are using and to what extent, in a readable (and, with -p, parseable) form. By default it shows CPU, memory and network utilization; just try "zonestat 5 3" (a 5-second interval, three reports) on a system with busy zones before you dive into the additional parameters.
Pro decimo: Per-zone fstype statistics: as discussed in the post "What's new in Solaris 11.1?" zones got quite an update in Solaris 11.1 (and development does not stop!), but one of the main features was to be able to print filesystem statistics with "fsstat" on a per-zone basis.
Of course there are more than 10 noteworthy features; these were just my top 10. We didn't talk about Zones on Shared Storage, parallel zone updates, etc. What are your favourite features?
As usual, should you have questions: do not hesitate to ask in the comments.