
Delegating a ZFS Dataset to a Non-Global Zone

In Oracle Solaris 11.1

by Alexandre Borges

Part 4 of a series that describes the key features of ZFS in Oracle Solaris 11.1 and provides step-by-step procedures explaining how to use them. This article focuses on how to delegate a dataset, for example, a ZFS file system, to a non-global zone.


Published June 2014


  • Part 1 - Using COMSTAR and ZFS to Configure a Virtualized Storage Environment
  • Part 2 - Playing with Swap Monitoring and Increasing Swap Space Using ZFS Volumes
  • Part 3 - Playing with ZFS Shadow Migration
  • Part 4 - Delegating a ZFS Dataset to a Non-Global Zone
  • Part 5 - Playing with ZFS Encryption
  • Part 6 - Playing with ZFS Snapshots

When working with Oracle Solaris 11, sometimes the need arises for the global administrator to delegate a dataset (a ZFS file system, for example) to a non-global zone, because the non-global zone administrator needs a dedicated file system in which to install new applications.


The difference between delegating a dataset and adding a dataset or file system to a non-global zone is that when a dataset is delegated, the non-global zone administrator has control over the dataset's properties. When a file system is added to a non-global zone, it is just a way to share file system space with the non-global zone, but the global administrator retains control over the added file system's properties.

Note also that in most cases, dataset is a term that can be used interchangeably with file system. The only difference between "delegating a dataset" and "adding a file system" is who has control over the file system. In most cases, you delegate a dataset or add a file system to a non-global zone.

Delegating a dataset to a non-global zone is an easy task and that's what we'll explore here.

Basically, we will split the task into two parts:

  • First, we will create a new non-global zone.
  • Second, we'll delegate a dataset to the created zone.

To begin, it's advisable to create a dedicated pool and a file system for our new non-global zone:

root@solaris11-1:~# zpool create myzones c8t4d0
root@solaris11-1:~# zpool list
NAME         SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
iscsi_pool  3.97G  2.62M  3.97G   0%  1.00x  ONLINE  -
myzones     15.9G   126K  15.9G   0%  1.00x  ONLINE  -
repo_pool   15.9G  7.64G  8.24G  48%  1.00x  ONLINE  -
rpool       79.5G  37.8G  41.7G  47%  1.00x  ONLINE  -

root@solaris11-1:~# zfs create myzones/delegated_zone
root@solaris11-1:~# zfs list myzones/delegated_zone
NAME                    USED  AVAIL  REFER  MOUNTPOINT
myzones/delegated_zone   31K  15.6G    31K  /myzones/delegated_zone

Then, do the following to create a non-global zone called delegated_zone:

root@solaris11-1:~# zonecfg -z delegated_zone
Use 'create' to begin configuring a new zone.
zonecfg:delegated_zone> create -b
zonecfg:delegated_zone> set zonepath=/myzones/delegated_zone
zonecfg:delegated_zone> set autoboot=true
zonecfg:delegated_zone> set ip-type=shared
zonecfg:delegated_zone> set brand=solaris
zonecfg:delegated_zone> add net
zonecfg:delegated_zone:net> set physical=net0
zonecfg:delegated_zone:net> set address=192.168.1.198
zonecfg:delegated_zone:net> set defrouter=192.168.1.1
zonecfg:delegated_zone:net> end
zonecfg:delegated_zone> verify
zonecfg:delegated_zone> commit
zonecfg:delegated_zone> exit
root@solaris11-1:~#

By listing the zone summary, we can see that delegated_zone doesn't have an ID yet, because it hasn't been booted yet:

root@solaris11-1:~# zoneadm list -cv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   - delegated_zone   configured /myzones/delegated_zone        solaris  shared

Using the zonecfg command, it is possible to gather more information about the new zone:

root@solaris11-1:~# zonecfg -z delegated_zone info
zonename: delegated_zone
zonepath: /myzones/delegated_zone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed:
net:
      address: 192.168.1.198
      allowed-address not specified
      configure-allowed-address: true
      physical: net0
      defrouter: 192.168.1.1
root@solaris11-1:~#

Next, run the sysconfig create-profile -o command to create a profile file called delegated_zone.xml, which we will use later to install the new zone:

root@solaris11-1:~# sysconfig create-profile -o delegated_zone.xml

When the interactive System Configuration tool appears, use the following to specify the required configuration information:

  • For Computer Name, specify delegatedzone, and then specify that the network configuration be done manually.
  • For IP Address, specify 192.168.1.198.
  • For Netmask, specify 255.255.255.0.
  • Choose Configure DNS, and then for DNS Server IP address, specify 8.8.8.8, 8.8.4.4.
  • For Search domain, specify example.com.
  • On the Alternate Name Service screen, specify None.
  • For Time Zone: Regions, specify Americas.
  • For Time Zone: Locations, specify the appropriate location.
  • For Time Zone, specify the appropriate time zone.
  • For Date and time, specify the current date and time.
  • For Root password, specify oracle123!.
  • For the registration e-mail address, specify anonymous@oracle.com.
  • For Network configuration, specify no proxy.

Before starting the zone installation, we should check the publishers' locations (which can be remote or local) to ensure we have access to a local publisher that can install the Oracle Solaris packages in the zone:

root@solaris11-1:~# pkg publisher
PUBLISHER                   TYPE     STATUS P LOCATION
solaris                     origin   online F http://localhost:9999/
solaris                     mirror   online F http://localhost:9999/
solarisstudio  (disabled)   origin   online F https://pkg.oracle.com/solarisstudio/release/
training       (disabled)   origin   online F http://localhost:8888/

Looks like we have access to local publisher solaris at localhost:9999, so it can be used when we install the zone.

In order to install the zone, the owner of the installation directory must have read, write, and execute permissions (rwx), so run the following command:

root@solaris11-1:/myzones# chmod 700 delegated_zone

We're now ready to install the delegated_zone zone using the delegated_zone.xml file we created earlier:

root@solaris11-1:~# zoneadm -z delegated_zone install -c /root/delegated_zone.xml
The following ZFS file system(s) have been created:
    myzones/delegated_zone
Progress being logged to /var/log/zones/zoneadm.20131206T171039Z.delegated_zone.install
       Image: Preparing at /myzones/delegated_zone/root.

 AI Manifest: /tmp/manifest.xml.2uaWxj
  SC Profile: /root/delegated_zone.xml
    Zonename: delegated_zone
Installation: Starting ...

              Creating IPS image
Startup linked: 1/1 done
              Installing packages from:
                  solaris
                      origin:  http://localhost:9999/
DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
Completed                            183/183   33556/33556  222.2/222.2  323k/s

PHASE                                          ITEMS
Installing new actions                   46825/46825
Updating package state database                 Done
Updating image state                            Done
Creating fast lookup database                   Done
Installation: Succeeded

        Note: Man pages can be obtained by installing pkg:/system/manual

 done.

        Done: Installation completed in 830.765 seconds.

  Next Steps: Boot the zone, then log into the zone console (zlogin -C)

              to complete the configuration process.

Log saved in non-global zone as /myzones/delegated_zone/root/var/log/zones/zoneadm.20131206T171039Z.delegated_zone.install

Excellent. Everything seems OK. Let's check the zone status:

root@solaris11-1:~# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   - delegated_zone   installed  /myzones/delegated_zone        solaris  shared

The status of delegated_zone is now installed.

Boot delegated_zone using the following command:

root@solaris11-1:~# zoneadm -z delegated_zone boot

If we check the zone status again, we should see that now delegated_zone has a zone ID, because the zone is running:

root@solaris11-1:~# zoneadm list -iv
  ID NAME             STATUS     PATH                           BRAND    IP    
   0 global           running    /                              solaris  shared
   1 delegated_zone   running    /myzones/delegated_zone        solaris  shared

Nice. Let's log in to delegated_zone to confirm its installation:

root@solaris11-1:~# zlogin delegated_zone
[Connected to zone 'delegated_zone' pts/4]
Oracle Corporation	SunOS 5.11	11.1	September 2012

root@delegatedzone:~# uname -a
SunOS delegatedzone 5.11 11.1 i86pc i386 i86pc

root@delegatedzone:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
rpool                    423M  15.2G    31K  /rpool
rpool/ROOT               423M  15.2G    31K  legacy
rpool/ROOT/solaris       423M  15.2G   397M  /
rpool/ROOT/solaris/var  24.4M  15.2G  23.8M  /var
rpool/VARSHARE            39K  15.2G    39K  /var/share
rpool/export              63K  15.2G    32K  /export
rpool/export/home         31K  15.2G    31K  /export/home
root@delegatedzone:~# zpool list
NAME    SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
rpool  15.9G   423M  15.5G   2%  1.00x  ONLINE  -

root@delegatedzone:~# exit
logout
[Connection to zone 'delegated_zone' pts/4 closed]
root@solaris11-1:~#

An interesting fact is that the IP address associated with delegated_zone (192.168.1.198) appears in the global zone network configuration associated with the net0 interface because we specified ip-type=shared when we created the zone:

root@solaris11-1:/myzones# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
lo0/zoneadmd.v4   static   ok           127.0.0.1/8
net0/v4           dhcp     ok           192.168.1.105/24
net0/zoneadmd.v4  static   ok           192.168.1.198/24
lo0/v6            static   ok           ::1/128
lo0/zoneadmd.v6   static   ok           ::1/128
net0/v6           addrconf ok           fe80::a00:27ff:fe56:85b8/10

The environment is ready. As mentioned earlier, ZFS allows us to delegate a file system (dataset) to a non-global zone and, thereafter, the non-global zone administrator will be able to administer this dataset as the owner.

Creating a new pool (delegated_pool) and a new file system (delegated_filesystem_1) is easy:

root@solaris11-1:/myzones# zpool create delegated_pool c8t8d0
root@solaris11-1:/myzones# zfs create delegated_pool/delegated_filesystem_1

root@solaris11-1:/myzones# zpool list delegated_pool
NAME             SIZE  ALLOC   FREE  CAP  DEDUP  HEALTH  ALTROOT
delegated_pool  3.97G   124K  3.97G   0%  1.00x  ONLINE  -

root@solaris11-1:/myzones# zfs list delegated_pool/delegated_filesystem_1
NAME                                   USED  AVAIL  REFER  MOUNTPOINT
delegated_pool/delegated_filesystem_1   31K  3.91G    31K  /delegated_pool/delegated_filesystem_1

Now it's time to perform the main task. We will use the zonecfg command to delegate delegated_filesystem_1 and, afterwards, we'll check the result and reboot the zone:

root@solaris11-1:~# zonecfg -z delegated_zone
zonecfg:delegated_zone> add dataset
zonecfg:delegated_zone:dataset> set name=delegated_pool/delegated_filesystem_1
zonecfg:delegated_zone:dataset> end
zonecfg:delegated_zone> verify
zonecfg:delegated_zone> commit
zonecfg:delegated_zone> exit

root@solaris11-1:~# zonecfg -z delegated_zone info
zonename: delegated_zone
zonepath: /myzones/delegated_zone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed:
net:
      address: 192.168.1.198
      allowed-address not specified
      configure-allowed-address: true
      physical: net0
      defrouter: 192.168.1.1
dataset:
      name: delegated_pool/delegated_filesystem_1
      alias: delegated_filesystem

root@solaris11-1:~# zoneadm  -z delegated_zone reboot
root@solaris11-1:~# zlogin delegated_zone
[Connected to zone 'delegated_zone' pts/4]
Oracle Corporation   SunOS 5.11   11.1   September 2012

root@delegatedzone:~# uname -a
SunOS delegatedzone 5.11 11.1 i86pc i386 i86pc

root@delegatedzone:~# zfs list
NAME                     USED  AVAIL  REFER  MOUNTPOINT
delegated_filesystem      31K  3.91G    31K  /delegated_filesystem
rpool                    446M  15.2G    31K  /rpool
rpool/ROOT               446M  15.2G    31K  legacy
rpool/ROOT/solaris       446M  15.2G   416M  /
rpool/ROOT/solaris/var  24.5M  15.2G  23.8M  /var
rpool/VARSHARE            39K  15.2G    39K  /var/share
rpool/export              63K  15.2G    32K  /export
rpool/export/home         31K  15.2G    31K  /export/home
root@delegatedzone:~#      

From the global zone, run the following command to verify that the new file system was delegated successfully:

root@solaris11-1:~# zfs list -r delegated_pool
NAME                                    USED  AVAIL  REFER  MOUNTPOINT
delegated_pool                          124K  3.91G    31K  /delegated_pool
delegated_pool/delegated_filesystem_1  31.5K  3.91G  31.5K  /myzones/delegated_zone/root/delegated_filesystem

Amazing! We've successfully delegated a dataset for the delegated_zone zone.
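
To make the delegate-versus-add distinction visible in a zone's configuration, the following added example (not part of the original article) parses zonecfg info output and reports which ZFS datasets are delegated and which are only added as file systems. The function names classify_zone_storage and sample_info and the delegated_pool/shared_data file system are assumptions made for illustration.

```shell
# Added example: classify ZFS storage resources found in `zonecfg info` output.
#   dataset resource     -> delegated (zone administrator controls properties)
#   fs resource, type zfs -> added (global administrator keeps control)
# Live use in the global zone: zonecfg -z delegated_zone info | classify_zone_storage
classify_zone_storage() {
    # Prints one line per resource: <kind> <dataset> <name or mount point in zone>
    awk '
        function emit() {
            if (res == "dataset")
                print "delegated", v["name"], (v["alias"] != "" ? v["alias"] : "-")
            else if (res == "fs" && v["type"] == "zfs")
                print "added", v["special"], v["dir"]
            res = ""; split("", v)          # reset state for the next resource
        }
        # Unindented "word:" with no value opens a resource block. Empty global
        # properties such as "limitpriv:" also match but emit() ignores them.
        /^[a-z-]+:[ \t]*$/ { emit(); res = $1; sub(/:$/, "", res); next }
        # Any other unindented line is a global property and closes the block.
        /^[^ \t]/          { emit(); next }
        # Indented "key: value" lines belong to the current resource.
        { key = $1; sub(/:$/, "", key); v[key] = $2 }
        END { emit() }
    '
}

# Constructed sample: the dataset block is the one shown in this article;
# the fs block is a hypothetical added file system, included for contrast.
sample_info() {
cat <<'EOF'
zonename: delegated_zone
brand: solaris
limitpriv:
fs:
      dir: /shared_data
      special: delegated_pool/shared_data
      type: zfs
net:
      physical: net0
dataset:
      name: delegated_pool/delegated_filesystem_1
      alias: delegated_filesystem
EOF
}

sample_info | classify_zone_storage
```
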


About the Author

Alexandre Borges is an Oracle ACE who worked as an employee and contracted instructor at Sun Microsystems from 2001 to 2010, teaching Oracle Solaris, Oracle Solaris Cluster, Oracle Solaris security, Java EE, Sun hardware, and MySQL courses. Nowadays, he teaches classes for Symantec, Oracle partners, Hitachi, and EC-Council, and he teaches several very specialized classes about information security. In addition, he is a regular writer and columnist at Linux Magazine Brazil.

Revision 1.0, 04/09/2014
