Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 1
DataFax and Solaris Zones
Darryl PahlDF/Net Research, Inc.
An Introduction
• Once upon a time, I used tobe a UNIX systemsadministrator
• Now I’m the one who:– researches, procures, orders– installs, configures, patches– tests, validates– uses– and writes the check for all of
the hardware and software
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 2
An Introduction
• I somehow just don’t seem to have muchtime anymore
I need to simplify!
• Need a solution that is simple, costeffective… and one that I can Google
Enter Solaris Zones
• Zones allow you to slice a single serverup into separate and protected virtualmachines
• Zones are the “meat” of the larger Solariscontainer technology
• A Solaris container is the combination ofa Solaris zone with resourcemanagement features
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 3
Advanced Features
• Many advanced features and deploymentoptions:– “resource pools” to allocated resources like CPUs– Fair-share scheduler to distribute resources– Zones implemented with ZFS file systems– Zones can run selected operating systems (branded)– Solaris zones can even work within other
virtualization systems such as VMWare
• A lot of high-level design concepts andlow-level technical tweaks are possible
But that’s not this talk…
• Solution that is simple:– Want something that I can implement in less than ten steps
• Solution that is cost effective:– Don’t want to duplicate hardware or buy additional software
• Solution that I can Google:– No time for courses or books– “Solaris Zones” reports 98,800 hits– High quality information can be found on the first page from
reputable sources
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 4
Not So Advanced Features
• Each zone can have:– its own node name, virtual network interfaces, and
storage assigned to it– a security boundary surrounding it which prevents a
process associated with one zone from interactingwith or observing processes in other zones
– its own separate user list
• A zone is either the global zone or a non-global zone
• Think of a regular Solaris install as havingone zone, the global zone
Solaris Zones Guidelines
• Applications that:– access the network and files, and performs no other
I/O, should work correctly– require direct access to certain devices, e.g., a disk
partition, will usually work, but may increase securityrisks
– require direct access to some devices may not work
• DataFax can fit all of these guidelines
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 5
Why You Might Need Zones
• In the beginning there was only one…
• But there might be reasons to have morethan one server for DataFax
DataFax
• It might be nice to have a test server aswell…
• And then there were two
To Create Development or Test Servers
DataFax Production DataFax Development
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 6
Development or Test Servers
• Not uncommon tohave a separateproduction anddevelopment server for DataFax
• Some organizations require this as part ofa regulatory standard process
• But keeping both servers in sync isdifficult
• At least doubles the initial hardware costs
Development or Test Servers
To Run Multiple DataFax Releases
• And then DataFax 3.8 came out…
• And then there were four
DataFax 3.7 Production DataFax 3.7 Development
DataFax 3.8 Production DataFax 3.8 Development
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 7
Multiple DataFax Releases
• Maybe you want torun legacy studiesunder previous releases,and new studies under the new system
• Typically some form of validation processfor new releases
• May not be convenient to switch allstudies completely over to the newrelease all at the same time
3.7, 3.8, 3.9 Servers
• Maybe a project doesn’t want their datasomehow mixed up with that other data
• And then therewere five
To Separate Studies or Projects
That other data That other data
That other data That other data
My data
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 8
Separate Studies or Projects
• Different studies orprojects may havedifferent security or otherneeds– Study numbers may overlap– Security needs, real or perceived– Remote access differences– Other issues such as usernames, processes, and
permissions
• May just want to compartmentalize bystudy or project
Study Servers
• Maybe it would be convenient if other serverswere closer to DataFax
• And then there were six
To Run Different Tasks
Web Server
Remote Access Server
DataFax Servers
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 9
Different Servers for Different Tasks
• Not unusual to havevarious task-basedservers– Web/data portal server– SSH/SFTP server– Sun Global Desktop/remote access server
• Convenient to have these “close” toDataFax
• But still want them to be separate forsecurity and logical reasons
Task Servers
So where does this leave you?
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 10
And what does this cost you?
Server Cost Implications
Multiple Servers– Procurement cost
(research, purchase)– Installation cost
(setup, configuration,testing, validation)
– Overhead costs(rack, power, cooling)
– Maintenance(upgrades, security,administration, patches)
• X each server
Multiple Zones– All of the items to
the left
• X one server
+ Minimal extraadministrationcosts
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 11
DataFax Cost Implications
Multiple Servers• DataFax license
X each server
Multiple Zones• DataFax license
X each zone
• For licensing purposes, each zone is itsown computer
• Consistent with other applications (e.g.SAS, Oracle)
Building a Very Simple Zone
• Gather information:– Hostname for the zone (datafax-test)– Directory in the global zone where all of the zone's operating
system files will be (/datafax-test)– IP address of the zone (192.168.1.149)– Name of the network device that the zone should use (ipge0)
• Use the zonecfg(1M) command to configure thezone
• Then the zoneadm(1M) to install and boot thezone
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 12
Configuring the Zone# zonecfg -z datafax-testdatafax-test: No such zone configuredUse 'create' to begin configuring a new zone.
zonecfg:datafax-test> createzonecfg:datafax-test> set zonepath=/datafax-testzonecfg:datafax-test> add netzonecfg:datafax-test:net> set address=192.168.1.149zonecfg:datafax-test:net> set physical=ipge0zonecfg:datafax-test:net> endzonecfg:datafax-test> commitzonecfg:datafax-test> exit#
Installing the Zone# zoneadm -z datafax-test installPreparing to install zone <datafax-test>.Creating list of files to copy from the global zone.Copying <9123> files to the zone.Initializing zone product registry.Determining zone package initialization order.
Preparing to initialize <1048> packages on the zone.Initialized <1048> packages on zone.
Zone <datafax-test> is initialized.The file
</datafax-test/root/var/sadm/system/logs/install_log>contains a log of the zone installation.
#
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 13
Booting the Zone# zoneadm -z datafax-test boot
# zoneadm listglobaldatafax-test
# zlogin datafax-testConnected to zone 'datafax-test' pts/2]Sun Microsystems Inc. SunOS 5.10 Generic January 2005
#
Using the Zone
• Use the zlogin(1M) command to login tothe zone as root from the global zone
• Configure the system as you would anyother system– Create local users, groups, or use various name
services– NFS mount directories (datafax, home directories)
from the global zone– Install DataFax or other applications
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 14
Deleting the Zone# zoneadm -z datafax-test halt
# zoneadm -z datafax-test uninstallAre you sure you want to uninstall zone datafax-test
(y/[n])? y
# zonecfg -z datafax-testzonecfg:datafax-test> deleteAre you sure you want to delete zone datafax-test
(y/[n])? yzonecfg:datafax-test> exit#
Limitations of Solaris Zones
• Provides some software fault tolerance,but no additional hardware redundancy
• May have issues with local DataFaxmodems– Control modems via global zone, direct email to
[email protected]– Use fax service like Protus
• Most OS patches get applied to all zones,not specific zones
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 15
Limitations of Solaris Zones
• Must be careful when sharing/not sharingdirectories for studies and DataFaxacross zones
• User “datafax” might be different on eachzone
Online Resources
• OpenSolaris FAQ– http://www.sun.com/blueprints/0505/819-2679.pdf
• Solaris online documentation:– http://dlc.sun.com/pdf/817-1592/817-1592.pdf
• Wikipedia– http://en.wikipedia.org/wiki/Solaris_Zones
• Sun BluePrints– http://www.sun.com/blueprints/0505/819-2679.pdf
And about 97,998 more places
Presentation: DataFax & Solaris ZonesPresenter: Darryl Pahl
DFUG 2009 | February 15 - 18, 2009 16
Questions?
Darryl PahlVice President,DF/Net Research, Inc.
