How to Get Started Creating Oracle Solaris Zones in Oracle Solaris 11

November 2011

by Duncan Hardie

How to create an Oracle Solaris Zone, install an application in that zone, and clone the zone so you can roll out multiple, duplicate resource-controlled environments quickly and easily.


Introduction

This article will help you get familiar with the basic operations of Oracle Solaris Zone configuration and management in Oracle Solaris 11.

In Oracle Solaris 10, Oracle Solaris Zones technology gave you the ability to create different isolated environments to suit the needs of your particular applications, all on the same instance of Oracle Solaris. Instead of running and managing multiple operating systems to host multiple applications on multiple systems, you could run and manage only one OS and place each application inside a zone. So instead of having to spend time and resources managing multiple OSs, all you needed to do was manage multiple zones. Much simpler.

Oracle Solaris 11 places Oracle Solaris Zones technology at its core, integrating Oracle Solaris Zones with key Oracle Solaris 11 features. For example, tight integration with the new software management architecture makes deployment of Oracle Solaris 11 and Oracle Solaris Zones easy.

Oracle Solaris Zones let you isolate one application from others on the same OS, allowing you to create an isolated environment in which users can log in and do what they want from inside an Oracle Solaris Zone without affecting anything outside that zone. In addition, Oracle Solaris Zones are secure from external attacks and internal malicious programs. Each Oracle Solaris Zone contains a complete resource-controlled environment that allows you to allocate resources such as CPU, memory, networking, and storage.

If you are the administrator who owns the system, you can choose to closely manage all the Oracle Solaris Zones or you can assign rights to other administrators for specific Oracle Solaris Zones. This flexibility lets you tailor an entire computing environment to the needs of a particular application, all within the same OS.

Overview of the Environment We Will Implement

In this how-to guide, we will set up three Oracle Solaris Zones, one to host a test environment for developers (testzone) and two to host our Web-facing applications (webzone-1 and webzone-2), all side by side on a single system.

Each zone will highlight a simple feature of getting started with zones:

  • With testzone, we'll see how to create a zone using the command line.
  • With webzone-1, we'll see how to add an application to a zone.
  • With webzone-2, we'll see how to clone a zone.

Our test zone will benefit from the isolation capabilities of Oracle Solaris Zones technology. You can quickly create the zone and then hand it over to the development group. That group's administrator can independently manage the environment, and the test engineers are free to install the packages they need, all in isolation from the rest of the system. We will also see how the Image Package System (IPS) in Oracle Solaris 11 enables Oracle Solaris Zones to be mean and lean, allowing system resources to be used for the applications rather than for the virtualization technologies.

Our first Web zone, webzone-1, will be used to install the Web environment where we run our online Point of Sales (POS) Web server. Here, we can make sure transactions are completed by assigning appropriate resources to guarantee levels of service. Oracle Solaris Zones technology allows you to control not only CPU and memory, but also network bandwidth and access to storage. This is enabled by tight integration with the rest of Oracle Solaris 11 core features, such as network virtualization and ZFS-based storage.

Our second Web zone, webzone-2, will be created in response to a spike in demand within our POS environment. An additional Web server is needed to handle the increased traffic as quickly as possible. We will do this using the cloning feature available in Oracle Solaris Zones. This is a commonly used technique in the industry where a golden master (or template) is created and new environments are rolled out based on the original. We will see how incredibly fast this is with Oracle Solaris Zones technology, and we will also see how we save on disk space. This cloning process can be used to roll out multiple, duplicate environments quickly and easily, on demand, which could be of great use in a cloud environment.

After following the procedures in this article, you will have three zone environments configured as shown in Figure 1. Each zone will have its file system placed on the /zones ZFS data set and will have an exclusive network connection through the physical data link (network port e1000g0). The Web zones will also have the Apache Web server application.

Figure 1. Three Zones Accessing a Network Port with Their File Systems on /zones

Note: "Global zone" refers to the default zone for the system, which is also used for system-wide administrative control.

Now that we understand what we are trying to do, we will go through the steps for achieving our goal.

Figure 2 shows the settings we will use.

Figure 2. Three Zones and Their Configuration Details

Creating Your First Zone: testzone

This article concentrates on the tasks that are necessary to get Oracle Solaris Zone instances up and running quickly. For a full discussion on all the steps involved in creating an Oracle Solaris Zone and how you can configure its attributes, please see Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.

Before We Start

Check the status of both the ZFS file system and the network:

root@global:~# zfs list | grep zones
root@global:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
e1000g0             phys      1500   up       --
e1000g1             phys      1500   unknown  --

Note that there are no ZFS data sets associated with any zones and no virtual NIC devices.

Step 1: Configure an Oracle Solaris Zone

Let's start by creating a simple test zone using the command line, as shown in Listing 1.

Listing 1: Creating a Zone
root@global:~# zonecfg -z testzone
testzone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:testzone> create
create: Using system default template 'SYSdefault'
zonecfg:testzone> set zonepath=/zones/testzone
zonecfg:testzone> set autoboot=true
zonecfg:testzone> set bootargs="-m verbose"
zonecfg:testzone> verify
zonecfg:testzone> commit
zonecfg:testzone> exit

If you get any configuration errors at this stage, refer to Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management.

Tip: If your zonepath includes the zone's name, it's much easier to track your zone's files.

In this case, we have named the zone testzone and we have chosen /zones/testzone as the location under which the zone will be installed. Also, the zone will automatically start on boot in a verbose manner. We do this so that we don't have to start the zone manually after a system reboot and so we can see all the services start up.

By default, all Oracle Solaris Zones are configured to have an automatic VNIC called anet, which gives us a network device automatically. (We will discuss more details for this network device's configuration later.) We cannot see this network device yet, because it is automatically created when the zone is booted and also automatically destroyed on shutdown. We can check this with the dladm command:

root@global:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
e1000g0             phys      1500   up       --
e1000g1             phys      1500   unknown  --

We can verify that the zone is now in the configured state using the zoneadm command:

root@global:~# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   - testzone         configured /zones/testzone                solaris  excl  

Step 2: Install the Zone

Now that the zone has been configured, we need to install it, as shown in Listing 2.

It is important to understand that Oracle Solaris Zones in Oracle Solaris 11 are created by using the IPS feature. You will need to ensure you have access to your IPS repository. In this case, we have network access to our IPS repository. For more details on IPS see Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11.

Listing 2: Installing a Zone
root@global:~# zoneadm -z testzone install
 A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20111016T114436Z.testzone.install
       Image: Preparing at /zones/testzone/root.

 Install Log: /system/volatile/install.6677/install_log
 AI Manifest: /tmp/manifest.xml.zVaybn
  SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
    Zonename: testzone
Installation: Starting ...

              Creating IPS image
              Installing packages from:
                  solaris
                      origin:  http://pkg.oracle.com/solaris/release/
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              167/167 32062/32062  175.8/175.8

PHASE                                        ACTIONS
Install Phase                            44311/44311 

PHASE                                          ITEMS
Package State Update Phase                   167/167 
Image State Update Phase                         2/2 
Installation: Succeeded


        Note: Man pages can be obtained by installing pkg:/system/manual

 done.

        Done: Installation completed in 110.519 seconds.


  Next Steps: Boot the zone, then log into the zone console (zlogin -C)

              to complete the configuration process.

Log saved in non-global zone as /zones/testzone/root/var/log/zones/zoneadm.20111016T114436Z.testzone.install

The zone was installed in just 110 seconds. This is very quick when compared with other virtualization technologies and reflects the lightweight nature of Oracle Solaris Zones.

We can check on the status of our zone using the zoneadm command:

root@global:~# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   - testzone         installed  /zones/testzone                solaris  excl  

The zonepath must live on a ZFS data set, and it is created automatically when the zone is installed. You can check that by using the zfs command, as shown in Listing 3.

Listing 3: Checking the Zonepath
root@global:~# zfs list | grep zones
rpool/zones                                   368M   844G    32K  /zones
rpool/zones/testzone                          368M   844G    32K  /zones/testzone
rpool/zones/testzone/rpool                    368M   844G    31K  /rpool
rpool/zones/testzone/rpool/ROOT               368M   844G    31K  legacy
rpool/zones/testzone/rpool/ROOT/solaris       367M   844G   310M  /zones/testzone/root
rpool/zones/testzone/rpool/ROOT/solaris/var  57.3M   844G  56.4M  /zones/testzone/root/var
rpool/zones/testzone/rpool/export              62K   844G    31K  /export
rpool/zones/testzone/rpool/export/home         31K   844G    31K  /export/home

You can see the /zones and /zones/testzone data sets have been created automatically for you. Having Oracle Solaris Zones on a ZFS data set enables functionality, such as cloning and snapshots, and allows Oracle Solaris Zones to take full advantage of ZFS.

Note: The size of testzone is only 368 MB. Oracle Solaris Zones have a minimal footprint, reflecting how lightweight Oracle Solaris Zones are as a virtualization technology.

Step 3: Boot and Complete the System Configuration

The final step in getting testzone up and running is to boot it and set up the system configuration.

  1. Run the following command to boot the zone and then access its console:

    root@global:~# zoneadm -z testzone boot; zlogin -C testzone
    

    Note: The -C option to zlogin lets us access the zone console, that is, it takes us into the zone and lets us work within the zone.

    Because no system configuration files are available, the System Configuration Tool starts up, as shown in Figure 3.

    Figure 3. System Configuration Tool

  2. Press F2 to continue.
  3. Enter testzone as the computer name, as shown in Figure 4, highlight Manually to manually configure the network, and then press F2 to continue.

    Note: We do not select "Automatically" in this example, but if you were to select it, you would not have to enter any network information at all, because the configuration would be done for you.

    Figure 4. Selecting Manual Configuration

  4. Enter the network settings appropriate for your network, as shown in Figure 5, and then press F2.

    Figure 5. Entering Network Settings

  5. We will not configure DNS at this time (see Figure 6), so press F2.

    Figure 6. Selecting Not to Configure DNS

  6. We will not set up a name service at this time, so press F2.

    Figure 7. Selecting Not to Set Up a Name Service

  7. Select the time zone region appropriate for your location, as shown in Figure 8, and press F2.

    Figure 8. Selecting Time Zone Region

  8. Select the appropriate location, as shown in Figure 9, and then press F2.

    Figure 9. Selecting Location

  9. Select the appropriate time zone, as shown in Figure 10, and then press F2.

    Figure 10. Selecting Time Zone

  10. Complete your configuration by entering a root password, your name, a user name, and a user password, as shown in Figure 11. Then press F2.

    Figure 11. Completing the Configuration

  11. Verify that the configuration you have chosen is correct and apply the settings by pressing F2.

    Figure 12. Verifying the Configuration

The zone will continue booting and soon you will see the console login, as shown in Listing 4.

Listing 4: Output from Zone Booting Process
[ system/system-log:default starting (system log) ]
[ system/auditd:default starting (Solaris audit daemon) ]
[ network/smtp:sendmail starting (sendmail SMTP mail transfer agent) ]
[ network/sendmail-client:default starting (sendmail SMTP client queue runner) ]
Oct 16 13:13:15 testzone sendmail[8911]: My unqualified host name (testzone) unknown; sleeping for retry
Oct 16 13:13:15 testzone sendmail[8913]: My unqualified host name (testzone) unknown; sleeping for retry
[ system/console-login:default starting (Console login) ]

testzone console login: 

The zone is now ready to be logged into. For this example, we will now exit the console using the "~." escape sequence.

You can check that your zone is booted and running by using the zoneadm command:

root@global:~# zoneadm list -v
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   2 testzone         running    /zones/testzone                solaris  excl  

As promised, a VNIC was automatically created for us when the zone was booted. We can check this by using the dladm command:

root@global:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
e1000g0             phys      1500   up       --
e1000g1             phys      1500   unknown  --
testzone/net0       vnic      1500   up       e1000g0

We can see the VNIC listed as testzone/net0.

Step 4: Log In to Your Zone

The last step is to log in to your zone and have a look about. You can do this from the global zone using the zlogin command, as shown in Listing 5.

Listing 5: Logging In to Your Zone
root@global:~# zlogin testzone
[Connected to zone 'testzone' pts/3]
Oracle Corporation	SunOS 5.11	11.0 November 2011
root@testzone:~# uname -a
SunOS testzone 5.11 11.0 i86pc i386 i86pc
root@testzone:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.134.79.241/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::8:20ff:fe6f:9645/10
root@testzone:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                vnic      1500   up       ?
root@testzone:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                    400M   843G    31K  /rpool
rpool/ROOT               400M   843G    31K  legacy
rpool/ROOT/solaris       400M   843G   341M  /
rpool/ROOT/solaris/var  58.1M   843G  57.1M  /var
rpool/export            96.5K   843G    32K  /export
rpool/export/home       64.5K   843G    32K  /export/home
rpool/export/home/fred  32.5K   843G  32.5K  /export/home/fred
root@testzone:~# exit
logout

[Connection to zone 'testzone' pts/3 closed]

Note: We did not use the -C option for the zlogin command, which means we are not accessing the zone via its console. This is why we can simply exit the shell at the end to leave the zone.

Let's look at what we found:

  • The uname command shows that we are running on Oracle Solaris 11.
  • The ipadm command shows the IP addresses for testzone. There are four entries: two loopback devices (IPv4 and IPv6), our IPv4 net0 device with an IP address of 10.134.79.241, and an IPv6 net0 device.
  • The dladm command shows our automatically created net0 VNIC.
  • The zfs list command shows us our ZFS data set.

Note: From within testzone, we cannot see any information about the global zone. We can see only the attributes of our own zone.

You have now verified that testzone is up and running. You can give the user logins and passwords to the development team's administrator, allowing that administrator to complete the setup of the team's zone as if it were a single system.

Oracle Solaris Zones and Networking

New in Oracle Solaris 11, Oracle Solaris Zones are automatically created with an exclusive IP network resource by default. This means that an Oracle Solaris Zone has access to a complete network stack, allowing zone administrators to do such things as set their own IP address and routing.

When we used zonecfg to create testzone (in Step 1: Configure an Oracle Solaris Zone) using the default template, a network resource called anet with the following properties was automatically included in the zone configuration:

  • linkname is net0
  • lower-link is auto
  • mac-address is random
  • link-protection is mac-nospoof

We can see this by using the zonecfg command, as shown in Listing 6.

Listing 6: Viewing the Properties of the Network Resource
root@global:~# zonecfg -z testzone info
zonename: testzone
zonepath: /zones/testzone
brand: solaris
autoboot: true
bootargs: -m verbose
file-mac-profile: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: exclusive
hostid: 
fs-allowed: 
anet:
	linkname: net0
	lower-link: auto
	allowed-address not specified
	configure-allowed-address: true
	defrouter not specified
	allowed-dhcp-cids not specified
	link-protection: mac-nospoof
	mac-address: random
	mac-prefix not specified
	mac-slot not specified
	vlan-id not specified
	priority not specified
	rxrings not specified
	txrings not specified
	mtu not specified
	maxbw not specified
	rxfanout not specified

You can see that the anet network device has been automatically configured. As discussed earlier, this resource is created and destroyed automatically when the zone is booted and shut down, respectively. You can see this as follows.

First, check the IP address of your global zone:

root@global:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
e1000g0/_a        static   ok           10.134.79.168/24
lo0/v6            static   ok           ::1/128

Use dladm to look at the data link status:

root@global:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
e1000g0             phys      1500   up       --
e1000g1             phys      1500   unknown  --
testzone/net0       vnic      1500   up       e1000g0

Note how a VNIC attached to e1000g0 (testzone/net0) has been automatically created for testzone.

Log in to testzone, check the link status and IP address, and then ping the global zone, as shown in Listing 7.

Listing 7: Checking the Link Status and IP Address
root@global:~# zlogin testzone
root@testzone:~# dladm show-link
LINK                CLASS     MTU    STATE    OVER
net0                vnic      1500   up       ?
root@testzone:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   ok           10.134.79.241/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::8:20ff:fec4:32bb/10
root@testzone:~# ping 10.134.79.168
10.134.79.168 is alive
root@testzone:~# exit
logout

[Connection to zone 'testzone' pts/3 closed]
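
The anet defaults listed in this section can be checked mechanically from the `zonecfg info` output. The shell function below is an added example, not part of the original article: the names audit_anet, sample_default, sample_weak and labzone are hypothetical, the sample inputs are constructed (the first from Listing 6), and it assumes that link-protection holds a comma-separated list and that allowed-address is the property that pins the IP addresses a zone may use.

```shell
#!/bin/sh
# Added example, not from the original article: audit the anet resources in
# `zonecfg -z <zone> info` output. Live use from the global zone:
#   zonecfg -z testzone info | audit_anet testzone

# Constructed sample: Listing 6, trimmed to the lines the audit reads.
# (Real output indents the anet properties with a tab; any whitespace works.)
sample_default() {
    cat <<'EOF'
zonename: testzone
zonepath: /zones/testzone
ip-type: exclusive
anet:
    linkname: net0
    lower-link: auto
    allowed-address not specified
    configure-allowed-address: true
    link-protection: mac-nospoof
    mac-address: random
EOF
}

# Constructed sample: a hypothetical zone whose first link lost mac-nospoof.
sample_weak() {
    cat <<'EOF'
zonename: labzone
ip-type: exclusive
anet:
    linkname: net0
    allowed-address: 192.0.2.10/24
    link-protection: ip-nospoof
anet:
    linkname: net1
    allowed-address not specified
    link-protection: mac-nospoof,ip-nospoof
EOF
}

# $1 = zone name for the report, stdin = zonecfg info output.
# Prints one line per finding; exit status is 1 if any WARN was printed.
audit_anet() {
    awk -v zone="$1" '
        # Emit findings for the anet resource that just ended, if any.
        function report() {
            if (!in_anet) return
            # Assumption: link-protection is a comma-separated list.
            if (index("," prot ",", ",mac-nospoof,") == 0) {
                printf "WARN %s/%s link-protection=%s (mac-nospoof missing)\n",
                       zone, link, (prot == "" ? "none" : prot)
                warn++
            }
            # Unset properties print as "<name> not specified" (no colon),
            # so allowed stays empty unless a value was configured.
            if (allowed == "")
                printf "NOTE %s/%s allowed-address not set (zone admin may pick any IP)\n",
                       zone, link
        }
        /^anet:/  { report(); in_anet = 1; link = "?"; prot = ""; allowed = ""; next }
        /^[^ \t]/ { report(); in_anet = 0; next }   # any other top-level line
        in_anet {
            sub(/^[ \t]+/, "")
            if ($1 == "linkname:") link = $2
            else if ($1 == "link-protection:") prot = $2
            else if ($1 == "allowed-address:") allowed = $2
        }
        END { report(); exit (warn > 0) }
    '
}

# Demo run over the two constructed samples.
sample_default | audit_anet testzone
sample_weak | audit_anet labzone || echo "labzone: review required"
```
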

Creating webzone-1 and Adding an Application

Now let's create our second zone, webzone-1, for our Web-facing applications and add an application to it.

Step 1: Create webzone-1 with Minimum Information

Again we start by creating webzone-1 using zonecfg. However, this time, to demonstrate how quick and easy it is to set up a zone, we will supply the minimum required information, the zonepath:

root@global:~# zonecfg -z webzone-1 "create ; set zonepath=/zones/webzone-1"

You can see the zone configuration by using the zonecfg command, as shown in Listing 8.

Listing 8: Checking the New Zone's Configuration
root@global:~# zonecfg -z webzone-1 info
zonename: webzone-1
zonepath: /zones/webzone-1
brand: solaris
autoboot: false
bootargs: 
file-mac-profile: 
pool: 
limitpriv: 
scheduling-class: 
ip-type: exclusive
hostid: 
fs-allowed: 
anet:
	linkname: net0
	lower-link: auto
	allowed-address not specified
	configure-allowed-address: true
	defrouter not specified
	allowed-dhcp-cids not specified
	link-protection: mac-nospoof
	mac-address: random
	mac-prefix not specified
	mac-slot not specified
	vlan-id not specified
	priority not specified
	rxrings not specified
	txrings not specified
	mtu not specified
	maxbw not specified
	rxfanout not specified

That's it. As far as configuration goes, we are done.

Step 2: Install webzone-1

Next we install the zone, as shown in Listing 9.

Listing 9: Installing the Zone
root@global:~# zoneadm -z webzone-1 install
A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20111016T143052Z.webzone-1.install
       Image: Preparing at /zones/webzone-1/root.

 Install Log: /system/volatile/install.10393/install_log
 AI Manifest: /tmp/manifest.xml.Iza4ru
  SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
    Zonename: webzone-1
Installation: Starting ...

              Creating IPS image
              Installing packages from:
                  solaris
                      origin:  http://pkg.oracle.com/solaris/release/
DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                              167/167 32062/32062  175.8/175.8

PHASE                                        ACTIONS
Install Phase                            44311/44311 

PHASE                                          ITEMS
Package State Update Phase                   167/167 
Image State Update Phase                         2/2 
Installation: Succeeded

        Note: Man pages can be obtained by installing pkg:/system/manual

 done.

        Done: Installation completed in 108.257 seconds.


  Next Steps: Boot the zone, then log into the zone console (zlogin -C)

              to complete the configuration process.

Log saved in non-global zone as /zones/webzone-1/root/var/log/zones/zoneadm.20111016T143052Z.webzone-1.install

Step 3: Boot and Configure webzone-1

Boot webzone-1, log in to the console, and enter the same settings as we did for testzone except for the IP address. Set the IP address to 10.134.79.242.

root@global:~# zoneadm -z webzone-1 boot; zlogin -C webzone-1

Refer back to Step 3: Boot and Complete the System Configuration if you are unsure of the steps. At the end, remember to exit from the console using the "~." escape sequence.

Adding an Application to webzone-1

Now that we have a running zone that is connected to the network, we want to put an application in it. In this case, because this is going to be a zone that serves our Web content, let's add the Apache Web server.

From the global zone, log in to webzone-1 and check the status of the Apache Web server package:

root@global:~# zlogin webzone-1
[Connected to zone 'webzone-1' pts/3]
Oracle Corporation      SunOS 5.11      11.0    November 2011
root@webzone-1:~# pkg info /web/server/apache-22
pkg: info: no packages matching the following patterns you specified are
installed on the system.  Try specifying -r to query remotely:

        /web/server/apache-22

The package is not installed. Let's double-check by querying remotely against the IPS repository using the -r option, as shown in Listing 10.

Listing 10: Checking for the Apache Web Server Package
root@webzone-1:~# pkg info -r /web/server/apache-22
          Name: web/server/apache-22
       Summary: Apache Web Server V2.2
   Description: The Apache HTTP Server Version 2.2
      Category: Web Services/Application and Web Servers
         State: Not installed
     Publisher: solaris
       Version: 2.2.20
 Build Release: 5.11
        Branch: 0.175.0.0.0.1.530
Packaging Date: Wed Oct 12 14:13:31 2011
          Size: 9.24 MB
          FMRI: pkg://solaris/web/server/apache-22@2.2.20,5.11-0.175.0.0.0.1.530:20111012T141331Z

The state is shown as Not installed. So let's install the Apache Web server into our zone, as shown in Listing 11.

Listing 11: Installing the Apache Web Server Package
root@webzone-1:~# pkg install /web/server/apache-22
           Packages to install:  3
       Create boot environment: No
Create backup boot environment: No
            Services to change:  1

DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  3/3     636/636      4.2/4.2

PHASE                                        ACTIONS
Install Phase                                800/800 

PHASE                                          ITEMS
Package State Update Phase                       3/3 
Image State Update Phase                         2/2 

We see that IPS downloads all the related files we need. There is no need to figure out the dependencies. In this case, three packages were installed. We can check the status of the Apache Web server by using the pkg info command again, as shown in Listing 12.

Listing 12: Checking for the Apache Web Server Package Again
root@webzone-1:~# pkg info /web/server/apache-22
          Name: web/server/apache-22
       Summary: Apache Web Server V2.2
   Description: The Apache HTTP Server Version 2.2
      Category: Web Services/Application and Web Servers
         State: Installed
     Publisher: solaris
       Version: 2.2.20
 Build Release: 5.11
        Branch: 0.175.0.0.0.1.530
Packaging Date: Wed Oct 12 14:13:31 2011
          Size: 9.24 MB
          FMRI: pkg://solaris/web/server/apache-22@2.2.20,5.11-0.175.0.0.0.1.530:20111012T141331Z

This time, the state is shown as Installed. Congratulations; you have added your first package to a zone.

Creating webzone-2 Using a Clone

Now let's create the final zone, webzone-2. We could just repeat the process that we used to create the other zones, but in this case, we simply want another Web server environment just like webzone-1. Instead of having to duplicate the configuration process, let's make a clone of webzone-1. We are effectively using webzone-1 as a golden master for zone creation.

Step 1: Create a Zone System Configuration Template

To avoid having to manually configure the system properties of our cloned zone, let's first create a system ID template for webzone-2. We can do this by using the sysconfig tool from within webzone-1:

root@global:~# zlogin webzone-1
root@webzone-1:~# sysconfig create-profile -o /root/webzone-2-template.xml

Note: When using the sysconfig tool to create a profile, make sure you use the .xml extension in your output file name.

Go through the screens entering the correct information for webzone-2 (remember to use 10.134.79.243 as the IP address this time). As in the Step 3: Boot and Complete the System Configuration section, when the configuration has been completed, you will see that your configuration file has been created. Finally, log out back to the global zone.

Exiting System Configuration Tool. Log is available at:
/var/tmp/install/sysconfig.log
root@webzone-1:~# ls
webzone-2-template.xml
root@webzone-1:~# exit
logout

[Connection to zone 'webzone-1' pts/2 closed]

Note: When using the sysconfig tool, you are not allowed to use any existing user names in the user account section. In our case, we could not use the user name fred so we chose jack instead.

We'll copy this file to a more convenient location in a later step.

Step 2: Create the Zone Profile File

From the global zone on our system, we first need to halt webzone-1, the zone we want to clone. (You should not clone a running zone.) We use zoneadm list to verify that the zone is shut down, as shown in Listing 13.

Listing 13: Verifying the Zone is Shut Down
root@global:~# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   2 testzone         running    /zones/testzone                solaris  excl  
   3 webzone-1        running    /zones/webzone-1               solaris  excl  
root@global:~# zoneadm -z webzone-1 shutdown
root@global:~# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   2 testzone         running    /zones/testzone                solaris  excl  
   - webzone-1        installed  /zones/webzone-1               solaris  excl  

Now let's capture the configuration of the zone and use it as a master profile template for other zones we will create, in this case, webzone-2:

root@global:~# zonecfg -z webzone-1 export -f /zones/webzone-2-profile

Using your favorite editor, make the file read as shown in Listing 14. (You always need to update the zonepath, but we have also chosen to update autoboot.)

Listing 14: Editing the Template
root@global:~# cat /zones/webzone-2-profile
create -b
set zonepath=/zones/webzone-2
set brand=solaris
set autoboot=true
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=auto
set configure-allowed-address=false
set link-protection=mac-nospoof
set mac-address=random
set auto-mac-address=2:8:20:f1:e4:b7
end

We now want to place the system configuration template (webzone-2-template.xml) we created earlier in a more convenient location. Fortunately, you can access a zone's file system while it is shut down:

root@global:~# pwd
/root
root@global:~# cp /zones/webzone-1/root/root/webzone-2-template.xml /zones
root@global:~# ls /zones/webzone-2-template.xml 
/zones/webzone-2-template.xml

Step 3: Create webzone-2 by Cloning webzone-1

Next create webzone-2 using the modified configuration (by using zonecfg), and then perform the clone of webzone-1 (by using zoneadm). Remember to add the full path to the system config template. Note how quickly the clone is completed. (We can see this by prepending the time command to our zoneadm clone command.)

root@global:~# zonecfg -z webzone-2 -f /zones/webzone-2-profile
root@global:/zones# time zoneadm -z webzone-2 clone -c /zones/webzone-2-template.xml webzone-1
A ZFS file system has been created for this zone.
Progress being logged to /var/log/zones/zoneadm.20111029T193536Z.webzone-2.clone
Log saved in non-global zone as /zones/webzone-2/root/var/log/zones/zoneadm.20111029T193536Z.webzone-2.clone

real	0m13.269s
user	0m1.740s
sys	0m2.716s

The cloning of webzone-1 took only 13 seconds. In addition, because we used the clone command, we took advantage of a ZFS snapshot. Let's check the disk space taken by both webzone-1 and webzone-2, as shown in Listing 15.

Listing 15: Checking Disk Space
root@global:/zones# zfs list | grep webzone
rpool/zones/webzone-1                            470M   843G    33K  /zones/webzone-1
rpool/zones/webzone-1/rpool                      470M   843G    31K  /rpool
rpool/zones/webzone-1/rpool/ROOT                 470M   843G    31K  legacy
rpool/zones/webzone-1/rpool/ROOT/solaris         470M   843G   366M  /zones/webzone-1/root
rpool/zones/webzone-1/rpool/ROOT/solaris/var    97.8M   843G  57.9M  /zones/webzone-1/root/var
rpool/zones/webzone-1/rpool/export              96.5K   843G    32K  /export
rpool/zones/webzone-1/rpool/export/home         64.5K   843G    32K  /export/home
rpool/zones/webzone-1/rpool/export/home/fred    32.5K   843G  32.5K  /export/home/fred
rpool/zones/webzone-2                            350K   843G    34K  /zones/webzone-2
rpool/zones/webzone-2/rpool                      316K   843G    31K  /rpool
rpool/zones/webzone-2/rpool/ROOT                 295K   843G    31K  legacy
rpool/zones/webzone-2/rpool/ROOT/solaris-0       294K   843G   366M  /zones/webzone-2/root
rpool/zones/webzone-2/rpool/ROOT/solaris-0/var    39K   843G  57.9M  /zones/webzone-2/root/var
rpool/zones/webzone-2/rpool/export                 3K   843G    32K  /export
rpool/zones/webzone-2/rpool/export/home            2K   843G    32K  /export/home
rpool/zones/webzone-2/rpool/export/home/fred       1K   843G  32.5K  /export/home/fred

Even after we added the Apache Web server, webzone-1 is only 470 M. Even better, webzone-2, an exact copy of webzone-1, is only 350 K, providing a great savings on disk space.

Finally, boot webzone-2 and watch the console. Occasionally, you will see the system configuration being applied. You can see below that the host name has been set for us from the template.

root@global:~# zoneadm -z webzone-2 boot; zlogin -C webzone-2
 [Connected to zone 'webzone-2' console]

Hostname: unknown
Unconfiguration failed for svc:/system/config-user:default
Hostname: webzone-2

webzone-2 console login: ~.
[Connection to zone 'webzone-2' console closed]

Remember to exit from the console using the "~." escape sequence.

Note that we now have a .xml template for webzone-2. We could very easily copy and edit this template to allow us to deploy a whole set of other Web zones just as quickly.
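
The profile edit from Listing 14 and the two commands of Step 3, generalized to several zones, as an added example that is not part of the original article. The function names, the embedded sample export, the zone-name check, and the convention that each zone's own system configuration template sits beside its profile as <zone>-template.xml are assumptions made for illustration.

```shell
# Added example (not from the article): per-zone zonecfg profiles from one export.

# Constructed sample of a `zonecfg -z webzone-1 export` file before any editing.
master_profile() {
    cat <<'EOF'
create -b
set zonepath=/zones/webzone-1
set brand=solaris
set autoboot=false
set ip-type=exclusive
add anet
set linkname=net0
end
EOF
}

# Conservative name check (assumption): alphanumeric first character, then
# letters, digits, '.', '_' or '-'; "global" is reserved.
valid_zone_name() {
    case "$1" in
        ''|global|[!A-Za-z0-9]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# render_profile NAME: master export on stdin, NAME's profile on stdout.
# Fails unless exactly one zonepath line was found and rewritten.
render_profile() {
    valid_zone_name "$1" || { echo "bad zone name: $1" >&2; return 2; }
    awk -v zp="/zones/$1" '
        /^set zonepath=/ { print "set zonepath=" zp; n++; next }
        /^set autoboot=/ { print "set autoboot=true"; next }
        { print }
        END { exit (n == 1 ? 0 : 1) }'
}

# plan_clones EXPORT_FILE MASTER NAME...: write NAME-profile beside EXPORT_FILE
# and print (not run) the article's zonecfg and zoneadm commands for each NAME.
plan_clones() {
    src=$1 master=$2 dir=$(dirname "$1"); shift 2
    for z in "$@"; do
        valid_zone_name "$z" && [ "$z" != "$master" ] ||
            { echo "rejecting zone name: $z" >&2; return 2; }
        render_profile "$z" < "$src" > "$dir/$z-profile" ||
            { rm -f "$dir/$z-profile"; return 1; }
        echo "zonecfg -z $z -f $dir/$z-profile"
        echo "zoneadm -z $z clone -c $dir/$z-template.xml $master"
    done
}

master_profile | render_profile webzone-3   # demo: prints webzone-3's profile
```

On a real system, pass plan_clones the file written by zonecfg -z webzone-1 export -f, and create each zone's template with its own host name and address before running the printed commands.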

Now log in to webzone-2 and look for the Apache Web server package, as shown in Listing 16.

Listing 16: Looking for the Apache Web Server Package
root@global:~# zlogin webzone-2
[Connected to zone 'webzone-2' pts/3]
Oracle Corporation	SunOS 5.11	11.0	November 2011
root@webzone-2:~# pkg info /web/server/apache-22
          Name: web/server/apache-22
       Summary: Apache Web Server V2.2
   Description: The Apache HTTP Server Version 2.2
      Category: Web Services/Application and Web Servers
         State: Installed
     Publisher: solaris
       Version: 2.2.20
 Build Release: 5.11
        Branch: 0.175.0.0.0.1.530
Packaging Date: Wed Oct 12 14:13:31 2011
          Size: 9.24 MB
          FMRI: pkg://solaris/web/server/apache-22@2.2.20,5.11-0.175.0.0.0.1.530:20111012T141331Z

As you can see, unlike before, when we created a zone from scratch, the Apache Web server package that we had to add to webzone-1 is here already. This cloning method is frequently used when a "master" zone is created with all the additional packages and configuration in place. The master zone is then simply cloned as new, similar environments are required.

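We can also check that the IP address was applied correctly. Read the STATE column as well as the ADDR column: in the output below, net0/v4 carries 10.134.79.243/24 but is in the duplicate state rather than ok, which means duplicate address detection found that address already in use on the network and the interface is not using it. Every zone needs its own unique address: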

root@webzone-2:~# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
net0/v4           static   duplicate    10.134.79.243/24
lo0/v6            static   ok           ::1/128
net0/v6           addrconf ok           fe80::8:20ff:fe7a:7b0f/10

Note: The Oracle Solaris Automated Installer also provides a method for creating ready-made zones as part of the system install service.

Conclusion

In this article, we saw how to create, install, boot, and configure an Oracle Solaris Zone. We also saw how a ZFS data set is automatically created and how the networking is set up automatically for you. Finally, we saw how to add an application to an Oracle Solaris Zone using IPS and then clone that zone.

Revision 1.0, 11/03/2011