
The Zone Manager
Simplifying the Creation and Management of Solaris 10 Zones

Brad Diggs
Senior Directory Architect
Sun Microsystems, Inc.
Purpose

The purpose of this presentation is to introduce you to the Zone Manager (aka ZoneMgr) and some of its many features.

To learn more, see the resources slide at the end of this presentation.

Now, sit back and enjoy the tour!

Agenda

1. Solaris Zones Today
2. A Simple Example
3. Sparse vs. Whole Root Zones
4. Necessity: The Mother of Invention
5. ZoneMgr by Examples
6. Complexity Simplified
7. ZoneMgr Resources

Solaris Zones Today

Solaris Zones Virtualization
A Solaris zone is a virtual semi-shared instance of the Solaris operating
system that in almost every way feels like an autonomous system. Unlike
other virtualization systems such as VMware, Xen and others, zones
share system resources (CPU, RAM, Disk, and Network) instead of
pre-allocating fixed portions of these resources for each virtual container.
[Diagram: a Solaris 10 Global Zone hosting three non-global zones on three networks: Sparse Root Zone m1 (dataset zfs1) on Private Network1 192.168.10.0/24; Minimized and Hardened Whole Root Zone m2 running DSEE with /data (rw) and dataset zfs2 on Private Network2 192.168.20.0/24; an apache zone on the Public Network 72.5.124.0/24; and a /share directory from the global zone mounted read-only (ro).]

Sparse and Whole Root Zones
Sparse root zones are non-global zones that inherit in read-only mode the /lib,
/platform, /sbin, and /usr directories from the global zone.

Whole root zones are non-global zones that do not inherit any directories from the
global zone.

To create a whole root zone, you include the following lines in the zone configuration
file to force non-inheritance of the default directories.

remove inherit-pkg-dir dir=/usr
remove inherit-pkg-dir dir=/lib
remove inherit-pkg-dir dir=/platform
remove inherit-pkg-dir dir=/sbin

Sparse Root Zones
• Advantages of Sparse Root Zones
> Consumes less RAM and Disk
> Easier to manage software updates

• Disadvantages of Sparse Root Zones
> Less flexible for packages needing to be installed in read-only mounted directories
> Can't be minimized

Whole Root Zones
• Advantages of Whole Root Zones
> Can control package list (add/remove) of non-global zone
> Can minimize non-global zone
> Can have truly minimized global zone

• Disadvantages of Whole Root Zones
> Consumes more RAM and Disk
> Can require per-zone update management
> Can create conflicts between packages in global and non-global zones

Sparse Zone Example

Sparse Zone Configuration File

create
set zonepath=/zone/zone1
set autoboot=true
add inherit-pkg-dir
set dir=/ds
end
add net
set address=192.168.1.11
set physical=hme0
end
add attr
set name=comment
set type=string
set value="Directory Service Zone"
end
verify
commit
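As an added illustration (not part of the presentation or of the ZoneMgr project), the following shell function writes the zonecfg command file for either a sparse or a whole root zone: it emits the create / zonepath / autoboot / comment lines of the configuration file above and, for a whole root zone, the four remove inherit-pkg-dir lines from the "Sparse and Whole Root Zones" slide. The function name gen_zonecfg and its arguments are this example's own; the zone name is checked against a safe character set before it is placed into the file, since the file is later handed to zonecfg as root.

```shell
#!/bin/sh
# Added example (not ZoneMgr code): generate a zonecfg(1M) command file.
#
# gen_zonecfg NAME BASEDIR TYPE
#   NAME     zone name; only letters, digits, '-' and '_' are accepted so that
#            nothing else can end up inside the generated command file
#   BASEDIR  absolute directory holding zone roots, e.g. /zones
#   TYPE     s = sparse root (keeps the default inherit-pkg-dir entries)
#            w = whole root  (removes /usr /lib /platform /sbin inheritance)
# Writes the command file to stdout; returns 1 on invalid input.
gen_zonecfg() {
    name=$1 basedir=$2 type=$3
    case $name in
        ''|*[!A-Za-z0-9_-]*)
            echo "gen_zonecfg: invalid zone name '$name'" >&2; return 1 ;;
    esac
    case $basedir in
        /*) ;;
        *)  echo "gen_zonecfg: base dir '$basedir' must be absolute" >&2; return 1 ;;
    esac
    case $type in
        s|w) ;;
        *)   echo "gen_zonecfg: type must be s (sparse) or w (whole root)" >&2; return 1 ;;
    esac
    kind=Sparse
    [ "$type" = w ] && kind=Whole

    printf 'create\n'
    printf 'set zonepath=%s/%s\n' "$basedir" "$name"
    printf 'set autoboot=true\n'
    if [ "$type" = w ]; then
        # The four lines the slide uses to force a whole root zone.
        for d in /usr /lib /platform /sbin; do
            printf 'remove inherit-pkg-dir dir=%s\n' "$d"
        done
    fi
    # Same comment attribute as the sparse zone configuration file above.
    printf 'add attr\nset name=comment\nset type=string\nset value="%s root zone %s"\nend\n' \
        "$kind" "$name"
    printf 'verify\ncommit\n'
}

# count_removes CONFIG -> how many "remove inherit-pkg-dir" lines CONFIG has
# (4 for a whole root zone, 0 for a sparse one).
count_removes() {
    printf '%s\n' "$1" | grep -c '^remove inherit-pkg-dir ' || true
}

# Demo: whole root zone "zed" under /zones. To use the output for real:
#   gen_zonecfg zed /zones w > zed.cfg && zonecfg -z zed -f zed.cfg
gen_zonecfg zed /zones w
```

The generated file is only as trustworthy as its inputs, which is why the zone name and base directory are validated before anything is printed rather than interpolated blindly.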

Sparse Zone Installation
Installing the zone from the zone configuration file (zone1.inf):
# zonecfg -z zone1 -f ./zone1.inf
# zoneadm -z zone1 install
Preparing to install zone <zone1>.
Creating list of files to copy from the global zone.
Copying <2502> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Initializing package <5> of <690>: percent complete: 0%
... continues until 100% complete and takes a while...
Initialized <690> packages on zone.
Successfully initialized zone <zone1>.
# zoneadm -z zone1 boot
# zoneadm list -vc
ID NAME STATUS PATH
0 global running /
1 zone1 running /zone/zone1
# zlogin -C -e\@ zone1

Manually answer the SysIdCfg questions to complete Solaris configuration.

Zones Today Can Get Complicated
Zone Configuration – sparse, whole root, fs, net, ...
Zones Administration – zonecfg, zoneadm, zlogin
Zone State Management – boot, reboot, shutdown, only X zones, ...
Minimization – pkgrm, pkgadd, ...
Hardening – svcadm, svcs, inetadm, /etc/rcX.d, ...
Filesystems – mount, newfs, zpool, zfs
Containment/Resource Management – pset, rcapd, ...
Privileges – Apply zone specific privilege constraints
brandZ – Linux binary compatible zone
Automated Software Installation – Blastwave (pkg-get)

Necessity: The Mother of Invention

Historical Context: Needed multi-zoned lab automation

Goal: Simplify zones creation and management

Strategy: A simple command line tool that can get you 90% of the way there

The Result: The Zone Manager (aka ZoneMgr)

ZoneMgr Actions
add – Add a zone
modify – Modify an existing zone
del – Delete a zone
info – Show zone configuration
move – Move a zone from one dir to another
detach/attach – Move a zone from one server to another
clone – Clone the configuration and contents of a zone
boot/reboot/shutdown/halt – Start/Restart/Stop a zone
only – Manage multi-zone state
runcmd – Run a command within a zone
zcontainer – Apply containment to a zone

ZoneMgr by Examples

ZoneMgr by Example 1:
add, delete, and list

ZoneMgr by Example 1:
add, delete, and list
Add a zone:
Create a zone config file: zcfgfile
zonecfg -z m1 -f zcfgfile
zoneadm -z m1 install
zoneadm -z m1 boot
zlogin -C m1 # Manually answer the SysIdCfg questions

Delete a zone:
zoneadm -z m1 halt
zoneadm -z m1 uninstall -F
zonecfg -z m1 delete -F

List all zones:
zoneadm list -cv

ZoneMgr by Example 1:
add, delete, and list
Add a zone:
zonemgr -a add -n m1 -z /zones -P pw

Delete a zone:
zonemgr -a del -n m1

List all zones:
zonemgr -a list

ZoneMgr by Example 2:
boot, reboot, shutdown, and halt

ZoneMgr by Example 2:
boot, reboot, shutdown, and halt
Boot a zone:
zoneadm -z m1 boot

Reboot a zone:
zoneadm -z m1 reboot

Shutdown a zone:
zlogin m1 "shutdown -y -g 0 -i 5"

Halt a zone:
zoneadm -z m1 halt

ZoneMgr by Example 2:
boot, reboot, shutdown, and halt
Boot a zone:
zonemgr -a boot -n m1

Reboot a zone:
zonemgr -a reboot -n m1

Shutdown a zone:
zonemgr -a shutdown -n m1

Halt a zone:
zonemgr -a halt -n m1

ZoneMgr by Example 3:
Multi-zone state management

ZoneMgr by Example 3:
only – Multi-zone state management
Boot all zones:
for z in `zoneadm list -c | grep -v "^global$"`
do zoneadm -z $z boot; done

Halt all zones:
for z in `zoneadm list -c | grep -v "^global$"`
do zoneadm -z $z halt; done

Make sure only zones m1 and m2 are running:
for z in `zoneadm list -c | egrep -v "^global$|^m1$|^m2$"`
do zoneadm -z $z halt; done
for z in m1 m2
do zoneadm -z $z boot; done

ZoneMgr by Example 3:
only – Multi-zone state management
Boot all zones:
zonemgr -a only -n bootall

Halt all zones:
zonemgr -a only -n haltall

Make sure only zones m1 and m2 are running:
zonemgr -a only -n "m1 m2"

ZoneMgr by Example 4:
modify network

ZoneMgr by Example 4:
modify network
Add a network address:
zonecfg -z m1
zonecfg:m1> add net
zonecfg:m1:net> set address=192.168.0.11/24
zonecfg:m1:net> set physical=hme0
zonecfg:m1:net> end; verify; commit; exit
Modify the network address:
zonecfg -z m1
zonecfg:m1> select net address=192.168.0.11/24
zonecfg:m1:net> set address=192.168.0.12/24
zonecfg:m1:net> end; verify; commit; exit
Delete the network address:
zonecfg -z m1
zonecfg:m1> remove net address=192.168.0.12/24
zonecfg:m1> verify; commit; exit

ZoneMgr by Example 4:
modify network
Add a network address:
zonemgr -a modify -n m1 -I "192.168.0.11|hme0|24|m1a"

Modify the network address:
zonemgr -a modify -n m1 -m "net:192.168.0.11/24|address:192.168.0.12/24"

Delete the network address:
zonemgr -a modify -n m1 -m "del:net:192.168.0.12/24"

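ZoneMgr's -I argument packs the address, interface, prefix length and host name into one "ip|nic|prefix|hostname" string. The worked example below (added here, not ZoneMgr code) splits such a string, validates each field, converts the prefix length into the dotted netmask that the complexity-simplified slides mention (24 becomes 255.255.255.0), and emits the zonecfg net block plus the /etc/hosts line. The function names split_ifspec, prefix_to_netmask, ifspec_zonecfg and ifspec_hosts are this example's own, and the field order is taken from the slide's -I values only.

```shell
#!/bin/sh
# Added example (not ZoneMgr code): turn an "ip|nic|prefix|hostname" spec,
# the format zonemgr -I uses on the slide, into zonecfg and /etc/hosts input.

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255
valid_ipv4() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# prefix_to_netmask N -> dotted netmask for prefix length N (0..32), e.g. 24 -> 255.255.255.0
prefix_to_netmask() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    if [ "$1" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - $1)) & 4294967295 )); fi
    printf '%d.%d.%d.%d\n' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
                           $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# split_ifspec SPEC -> sets IF_IP IF_NIC IF_PREFIX IF_HOST IF_MASK; returns 1 on a bad spec
split_ifspec() {
    oldifs=$IFS; IFS='|'; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "split_ifspec: want ip|nic|prefix|hostname" >&2; return 1; }
    IF_IP=$1 IF_NIC=$2 IF_PREFIX=$3 IF_HOST=$4
    valid_ipv4 "$IF_IP" || { echo "split_ifspec: bad address '$IF_IP'" >&2; return 1; }
    IF_MASK=$(prefix_to_netmask "$IF_PREFIX") || { echo "split_ifspec: bad prefix '$IF_PREFIX'" >&2; return 1; }
    case $IF_NIC in ''|*[!A-Za-z0-9]*) echo "split_ifspec: bad interface '$IF_NIC'" >&2; return 1 ;; esac
    case $IF_HOST in ''|*[!A-Za-z0-9.-]*) echo "split_ifspec: bad host name '$IF_HOST'" >&2; return 1 ;; esac
}

# ifspec_zonecfg SPEC -> the "add net" block to append to a zonecfg command file
ifspec_zonecfg() {
    split_ifspec "$1" || return 1
    printf 'add net\nset address=%s/%s\nset physical=%s\nend\n' "$IF_IP" "$IF_PREFIX" "$IF_NIC"
}

# ifspec_hosts SPEC -> the /etc/hosts line for the zone (address<TAB>hostname)
ifspec_hosts() {
    split_ifspec "$1" || return 1
    printf '%s\t%s\n' "$IF_IP" "$IF_HOST"
}

# Demo with the slide's own spec.
ifspec_zonecfg "192.168.0.11|hme0|24|m1a"
echo "netmask: $IF_MASK"
ifspec_hosts "192.168.0.11|hme0|24|m1a"
```

Each field is checked against a tight character set before it is printed, because the output is destined for zonecfg and /etc/hosts inside the zone.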
ZoneMgr by Example 5:
modify filesystem

ZoneMgr by Example 5:
modify filesystem
Add directory from the global zone in read-only mode:
zonecfg -z m1
zonecfg:m1> add fs
zonecfg:m1:fs> set dir=/tmp
zonecfg:m1:fs> set special=/bob
zonecfg:m1:fs> set type=lofs
zonecfg:m1:fs> add options [ro,nodevices]
zonecfg:m1:fs> end; verify; commit; exit
Modify read-only directory:
zonecfg -z m1
zonecfg:m1> select fs special=/bob
zonecfg:m1:fs> set special=/frank
zonecfg:m1:fs> end; verify; commit; exit
Delete the read-only directory:
zonecfg -z m1
zonecfg:m1> remove fs special=/frank
zonecfg:m1> verify; commit; exit

ZoneMgr by Example 5:
modify filesystem
Add a directory from the global zone in read-only mode:
zonemgr -a modify -n m1 -r "/tmp|/bob"

Modify the read-only directory:
zonemgr -a modify -n m1 -m "fs:/bob|dir:/frank"

Delete the read-only directory:
zonemgr -a modify -n m1 -m "del:fs:/frank"

ZoneMgr by Example 6:
minimize zone

ZoneMgr by Example 6:
minimize zone
Minimize an existing zone:
Figure out what packages to remove.
Make a file containing the list of those packages: pkgs_to_remove_file
for pkg in `cat pkgs_to_remove_file`
do
zlogin m1 "yes | pkgrm $pkg"
done

ZoneMgr by Example 6:
minimize zone
Add a minimized zone:
Create a zone config file: zcfgfile
zonecfg -z m2 -f zcfgfile
zoneadm -z m2 install
zoneadm -z m2 boot
zlogin -C m2 # Manually answer the SysIdCfg questions
Figure out what packages to remove.
Make a file containing the list of those packages: pkgs_to_remove_file
for pkg in `cat pkgs_to_remove_file`
do
zlogin m2 "yes | pkgrm $pkg"
done

ZoneMgr by Example 6:
minimize zone
Minimize a zone with a specific package list:
Make a file containing the list of those packages: /pkglist.txt
for pkg in `cat /pkglist.txt`
do
zlogin m1 "yes | pkgrm $pkg"
done

ZoneMgr by Example 6:
minimize zone
Minimize an existing zone:
zonemgr -a modify -n m1 -M basic

Add a minimized zone:
zonemgr -a add -n m2 -z /zones -P pw -M basic

Minimize a zone with a specific package list:
zonemgr -a modify -n m1 -M /pkglist.txt

ZoneMgr by Example 7:
harden zone

ZoneMgr by Example 7:
harden zone
Harden an existing zone with the basic mode:
Figure out what services to disable.
Make a file containing the list of those services: svcs_to_disable
for svc in `cat svcs_to_disable`
do
zlogin m1 "svcadm disable $svc"
done

Un-harden an existing zone with the basic mode:
for svc in `cat svcs_to_disable`
do
zlogin m1 "svcadm enable $svc"
done

ZoneMgr by Example 7:
harden zone
Add a hardened zone:
Create a zone config file: zcfgfile
zonecfg -z m2 -f zcfgfile
zoneadm -z m2 install
zoneadm -z m2 boot
zlogin -C m2 # Manually answer the SysIdCfg questions
Figure out what services to disable.
Make a file containing the list of those services: svcs_to_disable
for svc in `cat svcs_to_disable`
do
zlogin m2 "svcadm disable $svc"
done

ZoneMgr by Example 7:
harden zone
Harden an existing zone with a specific list of services to disable:
for svc in `cat /svcs.file`
do
zlogin m1 "svcadm disable $svc"
done

Harden an existing zone using Secure By Default:
zlogin m1 "netservices limited"

ZoneMgr by Example 7:
harden zone
Harden an existing zone with the basic mode:
zonemgr -a modify -n m1 -s "basic|lock"

Un-harden an existing zone with the basic mode:
zonemgr -a modify -n m1 -s "basic|unlock"

Add a hardened zone:
zonemgr -a add -n m2 -z /zones -P pw -I "192.168.0.20|hme0|24|m2" -s disable

Harden an existing zone with a specific list of services to disable:
zonemgr -a modify -n m1 -s "disable|/svcs.file"

Harden an existing zone using Secure By Default:
zonemgr -a modify -n m1 -s "sbd|limited"

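Whichever hardening path is used (a list file, the basic mode, or netservices limited), the result is worth verifying from the zone's actual service state rather than assumed. The following added example, which is not ZoneMgr code, shows the shape of that check: it reads a disable list in the same one-service-per-line format the slide's loop consumes, prints the zlogin/svcadm commands that loop would run, and then compares the list against svcs -a output to report anything still online or in maintenance. The function names, the svcs output and the list are all constructed for the example.

```shell
#!/bin/sh
# Added example (not ZoneMgr code): plan a service-disable list and verify
# the outcome against `svcs -a` output.

# Constructed `svcs -a` output for a zone after a hardening run (not real output).
SAMPLE_SVCS='STATE          STIME    FMRI
online         10:01:02 svc:/network/ssh:default
disabled       10:01:00 svc:/network/telnet:default
disabled       10:01:00 svc:/network/finger:default
online         10:01:05 svc:/network/rpc/bind:default
maintenance    10:01:07 svc:/network/nfs/server:default'

# Constructed disable list in the slide's one-service-per-line format;
# blank lines and # comments are tolerated.
SAMPLE_LIST='# services this profile turns off
svc:/network/telnet:default
svc:/network/finger:default

svc:/network/rpc/bind:default
svc:/network/nfs/server:default'

# read_list LIST -> the FMRIs, one per line, comments and blanks removed
read_list() {
    printf '%s\n' "$1" | sed -e 's/#.*//' -e 's/[[:space:]]*$//' | grep -v '^$' || true
}

# plan_disable ZONE LIST -> the commands the slide's loop runs, without running them
plan_disable() {
    for fmri in $(read_list "$2"); do
        case $fmri in
            svc:/*) printf 'zlogin %s "svcadm disable %s"\n' "$1" "$fmri" ;;
            *)      echo "plan_disable: ignoring non-FMRI entry '$fmri'" >&2 ;;
        esac
    done
}

# svc_state SVCS_OUTPUT FMRI -> the STATE column for FMRI, or "missing"
svc_state() {
    st=$(printf '%s\n' "$1" | awk -v f="$2" '$3 == f { print $1; exit }')
    printf '%s\n' "${st:-missing}"
}

# check_hardened SVCS_OUTPUT LIST -> prints "FMRI STATE" for every listed
# service that is not disabled; returns 1 if there is any such service
check_hardened() {
    rc=0
    for fmri in $(read_list "$2"); do
        state=$(svc_state "$1" "$fmri")
        if [ "$state" != disabled ]; then
            printf '%s %s\n' "$fmri" "$state"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed data. On a real system use "$(zlogin m1 svcs -a)"
# in place of SAMPLE_SVCS and "$(cat /svcs.file)" in place of SAMPLE_LIST.
plan_disable m1 "$SAMPLE_LIST"
if check_hardened "$SAMPLE_SVCS" "$SAMPLE_LIST"; then
    echo "all listed services are disabled"
else
    echo "hardening incomplete: the services above are not disabled"
fi
```

A service left in maintenance is reported just like one still online, since from a hardening standpoint it has not been switched off either.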
ZoneMgr by Example 8:
ZFS filesystem

ZoneMgr by Example 8:
ZFS filesystem
Add ZFS filesystem to a zone:
Assuming ZFS pool myzfspool already exists:
zfs create myzfspool/zfsdata
zfs set mountpoint=legacy myzfspool/zfsdata
zfs set zoned=on myzfspool/zfsdata
zonecfg -z m1
zonecfg:m1> add fs
zonecfg:m1:fs> set dir=/zfsdata
zonecfg:m1:fs> set special=myzfspool/zfsdata
zonecfg:m1:fs> set type=zfs
zonecfg:m1:fs> end; verify; commit; exit

ZoneMgr by Example 8:
ZFS filesystem
Add a zone and add a ZFS filesystem:
Assuming ZFS pool myzfspool already exists:
zfs create myzfspool/zfsdata
zfs set mountpoint=legacy myzfspool/zfsdata
zfs set zoned=on myzfspool/zfsdata
Create a zone config file (zcfgfile) that includes the following zfs config:
add fs
set dir=/zfsdata
set special=myzfspool/zfsdata
set type=zfs
end
zonecfg -z m2 -f zcfgfile
zoneadm -z m2 install
zoneadm -z m2 boot
zlogin -C m2 # Manually answer the SysIdCfg questions

ZoneMgr by Example 8:
ZFS filesystem
Add ZFS filesystem to a zone:
zonemgr -a modify -n m1 -w "zfs|/zfsdata|myzfspool"

Add a zone and add a ZFS filesystem:
zonemgr -a add -n m2 -z /zones -P pw -w "zfs|/zfsdata2|myzfspool2"

ZoneMgr by Example 9:
automated software installation

ZoneMgr by Example 9:
automated software installation
Install MySQL5 on an existing zone from Blastwave:
zlogin m1 "wget http://www.blastwave.org/pkg_get-3.7.1-all-CSW.pkg"
zlogin m1 "yes | pkgadd -d . ./pkg_get-3.7.1-all-CSW.pkg"
zlogin m1 "yes | /opt/csw/bin/pkg-get install mysql5"

Add a zone and install multiple Blastwave packages:
Create a zone config file: zcfgfile
zonecfg -z m2 -f zcfgfile
zoneadm -z m2 install
zoneadm -z m2 boot
zlogin -C m2 # Manually answer the SysIdCfg questions
zlogin m2 "wget http://www.blastwave.org/pkg_get-3.7.1-all-CSW.pkg"
zlogin m2 "yes | pkgadd -d . ./pkg_get-3.7.1-all-CSW.pkg"
zlogin m2 "yes | /opt/csw/bin/pkg-get install mysql5"
zlogin m2 "yes | /opt/csw/bin/pkg-get install apache2"
zlogin m2 "yes | /opt/csw/bin/pkg-get install dss"

ZoneMgr by Example 9:
automated software installation
Install MySQL5 on an existing zone from Blastwave:
zonemgr -a modify -n m1 -G mysql5

Add a zone and install multiple Blastwave packages:
zonemgr -a add -n m2 -z /zones -P pw -I "192.168.0.20|hme0|24|m2" \
-C /etc/nsswitch.conf -C /etc/resolv.conf -G mysql5 -G apache2 -G dss

See http://blastwave.org/packages for the full list of packages available from Blastwave.

ZoneMgr by Example 10:
complexity simplified
Warning: The following relatively complex example could very well take 20 or more steps if performed manually, without the simplification of the Zone Manager. Fortunately, with the Zone Manager you only have to type in a single (although somewhat long) command.

Proceed with great delight. ;-)

ZoneMgr by Example 10:
complexity simplified
Let's consider what it would take to create a non-global zone with the following features:
• Set home directory and shell of root user
• Add network address
• Add read-only and read-write mounted directories from the global zone
• Add zfs filesystem
• Minimize: Un-install all un-necessary packages
• Harden: Disable all un-necessary services
• Apply custom configuration files
• Install MySQL5 from network package repository
• Apply specific privileges to the zone
• Add a user to the zone

[Diagram: Global Zone on Network 192.168.0.0/24 hosting Whole Root Zone Zed (Minimized & Hardened, running mysql5 and sshd); the global zone's /share, zfs and /data appear in the zone as /zshare (ro), /zfs (rw) and /zdata (rw).]

ZoneMgr by Example 10:
complexity simplified
The following command performs the steps listed below.

zonemgr -a add -n zed -t w -z /zones \
  -P "pw" -R "/root|/bin/bash" \
  -I "192.168.0.10|hme0|24|zed" \
  -M basic -s "basic|lock" \
  -r "/share|/zshare" -w "/data|/zdata" \
  -w "zfs|/zfs|mypool" \
  -C /etc/ssh/sshd_config -S ssh \
  -C /etc/resolv.conf \
  -C "/etc/nsswitch.dns|/etc/nsswitch.conf" \
  -G mysql5 -L default,dtrace_proc,dtrace_user \
  -X "useradd -m myuser"

[Diagram: Global Zone on Network 192.168.0.0/24 hosting Whole Root Zone Zed (Minimized & Hardened, running mysql5 and sshd); root user password=pw, home=/root, shell=/bin/bash; Zone Zed base dir /zones/zed; /share mounted as /zshare (ro), /data as /zdata (rw) and the zfs filesystem as /zfs (rw); Minimize: pkgrm <pkgs>; Harden: svcadm disable <svcs>.]

1. Create a whole root zone named zed in /zones/zed.
2. Set the root user password of zone zed to pw.
3. Set the root user home directory of zone zed to /root.
4. Set the root user shell of zone zed to /bin/bash.
5. Set the IP address of zone zed to 192.168.0.10, the netmask to 255.255.255.0, assign it to interface hme0, and assign it a host name of zed in /etc/hosts.
6. Uninstall all un-necessary packages from zone zed and disable all un-necessary services using the basic hardening method.
7. Read only mount directory /share from the global zone to /zshare in non-global zone zed.
8. Read write mount directory /data from the global zone to /data in non-global zone zed.
9. Create legacy mode zfs filesystem and mount it exclusively in zone zed.
10. Copy sshd_config and resolv.conf from global zone to zone zed.
11. Replace resolv.conf in zone zed with the contents of resolv.dns from the global zone.
12. Once the zone has completed being created and the configuration file copies are complete, restart the ssh service.
13. Install mysql5 from the Blastwave.org package repository into zone zed.
14. Set default, dtrace_proc, and dtrace_user privileges for zone zed.
15. Add user "myuser" to zone zed.

ZoneMgr Resources
OpenSolaris Project Page (Downloads, Docs, Bugs, RFEs,...):
http://opensolaris.org/os/project/zonemgr/

Discuss Zones and the Zone Manager:
http://www.opensolaris.org/jive/forum.jspa?forumID=6

Contact Me:
ZoneMgr@Sun.COM

Thank You

Brad Diggs
Senior Directory Architect
Sun Microsystems, Inc.
ZoneMgr@Sun.COM
