Oracle Solaris is the world's first fully virtualized operating system allowing for the virtualization of the operating system, the storage and the network. In this lab we will introduce each of these virtualization options and more importantly show how they can be combined to create an extremely agile system.
If you're using the Oracle Solaris 11 VirtualBox VM, the environment is set up as follows:
Operating System: Oracle Solaris 11 11/11
Hostname: solaris (default)
IP address: 10.0.2.15
User: oracle (as recommended in the Installation lab)
Password: <user password you have configured at the first boot of Solaris VM>
Root password: <root password you have configured at the first boot of Solaris VM>
Oracle Solaris 11 introduces a new and powerful network stack architecture which includes:
We will be examining all three of these network virtualization feature sets throughout the lab. In this first exercise you will learn how to create a VNIC, which is then used in Exercise 2 when we create the zone.
Oracle Solaris Zones are an operating-system-level virtualization technology that reduces risk by isolating applications into their own environments. Each zone has its own view of file systems, processes and network, appears as a separate system on the network, and cannot see or signal processes in other zones. The isolation is enforced by the kernel: a zone's processes run with a restricted privilege set and cannot, for example, load kernel modules or open devices that were not delegated to the zone, so an application compromised inside one zone cannot reach into another zone or into the global zone through the zone boundary. The caveat to keep in mind is that all zones share the global zone's kernel: a kernel vulnerability is exposed to every zone on the system, and fixing it means patching the global zone.
In addition to workload isolation, Oracle Solaris Zones also provide the ability to manage system resources dedicated to the workload. Specifically the Oracle Solaris Zone administrator can control the amount of CPU capacity, RAM and virtual memory the Oracle Solaris Zone is allowed to consume. Combined with the network virtualization technology we just examined in Exercise 1, it is also possible to manage the amount of network bandwidth consumed, as we will see in a later exercise.
Graphically, once complete, our machine will be configured to look as follows:
Create a ZFS file system to host the zone (this file system can also be used to house additional zones you decide to create). ZFS is beyond the scope of this lab, but please take the time to complete Introduction to the Oracle Solaris ZFS File System if you're not already familiar with ZFS.
By putting the zone in its own ZFS file system, you will be able to take advantage of ZFS' advanced data management capabilities, such as data compression and the ability to quickly and efficiently clone the zone. We are turning on compression because today's CPUs can compress and uncompress data faster than it takes to write and read uncompressed data to and from the disk. The final component of the zfs create command you see below, rpool/zones, is the name of the dataset, which you would use when applying other ZFS commands to the file system.
There are two options for a network interface dedicated to a zone:
View the network interfaces on the system:
In the next step, we will configure the zone. Here's a brief explanation of the values we will be setting during zone configuration:
Configure the zone using:
The zonecfg utility supports tab completion. Pressing tab at any point will display a list of possible commands, or complete the command if it's unique.
Install the zone. A zone installation requires a download of about 175 MB. In the interest of time and network bandwidth, we are going to clone an existing zone, called tzone, that you hopefully already created as part of your OTN SysAdmin Day Pre-work. A zone install takes about 10 minutes to complete, whereas a zone clone takes about 10 seconds. If you do not have this existing zone (run zoneadm list -cv to check), replace clone tzone in the command below with install:
Identify the two zones configured on our system, the global zone (which is pre-existing on all Oracle Solaris systems), and our new non-global (or local) zone, myzone:
Note that myzone is installed, but not yet running. We will boot it up very shortly. The BRAND column shows the zone type: ipkg (the name used by Oracle Solaris 11 Express; Oracle Solaris 11 11/11 reports it as solaris) means the zone runs the same operating system and the same kernel as the global zone. Oracle Solaris 11 also supports branded zones, such as solaris10, for running a Solaris 10 environment inside a zone.
The default compression algorithm used by ZFS is lzjb. Now that the zone is installed, check the compression ratio achieved for the rpool/zones dataset:
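The individual commands for this exercise (create the dataset, create the VNIC, configure the zone, install it, check the result) were given one at a time above. The script below, added here as an example and not part of the original lab, runs the same procedure end to end, with the zonecfg commands kept in a here-document so the zone configuration can be reviewed and replayed instead of typed interactively. The names rpool/zones, myzone and myzone0 are the lab's; net0 as the physical link under the VNIC, /zones as the dataset's mountpoint and the 512 MB memory cap are assumptions. Run it as root in the global zone.

```sh
#!/bin/sh
# Added example, not from the original lab: build a zone on its own ZFS
# dataset with a dedicated VNIC. Oracle Solaris 11, run as root in the
# global zone. Assumed: physical link net0, mountpoint /zones, 512 MB cap.

DATASET=${DATASET:-rpool/zones}     # the lab's dataset name
ZONEROOT=${ZONEROOT:-/zones}        # its mountpoint; zones live below it
PHYSLINK=${PHYSLINK:-net0}          # physical NIC the VNIC is created over

# zonecfg command stream for an exclusive-IP zone on a pre-created VNIC.
# 'create -b' starts from a blank configuration so that no automatic anet
# resource is added; the zone is handed the VNIC made by make_vnic instead.
zone_config() {                     # zone_config ZONE VNIC
    cat <<EOF
create -b
set brand=solaris
set zonepath=$ZONEROOT/$1
set autoboot=false
set ip-type=exclusive
add net
set physical=$2
end
add capped-memory
set physical=512m
end
EOF
}

# Compressed dataset shared by all zones; created once, reused later.
make_dataset() {
    zfs list "$DATASET" >/dev/null 2>&1 ||
        zfs create -o compression=on -o mountpoint="$ZONEROOT" "$DATASET"
}

# VNIC with its own MAC address, stacked on the physical link.
make_vnic() {                       # make_vnic VNIC
    dladm show-vnic "$1" >/dev/null 2>&1 || dladm create-vnic -l "$PHYSLINK" "$1"
}

# Configure and install the zone (install downloads packages and is slow).
build_zone() {                      # build_zone ZONE VNIC
    make_dataset
    make_vnic "$2"
    cfg=$(mktemp) || exit 1
    zone_config "$1" "$2" > "$cfg"
    zonecfg -z "$1" -f "$cfg"
    rm -f "$cfg"
    zoneadm -z "$1" install
    zoneadm list -cv                # ZONE should now show as 'installed'
    zfs get compressratio "$DATASET"
}

# Privileged steps only on request; by default just print the configuration
# so it can be reviewed first.
case ${1:-show} in
    apply) build_zone "${2:-myzone}" "${3:-myzone0}" ;;
    *)     zone_config "${2:-myzone}" "${3:-myzone0}" ;;
esac
```

Run `sh build-zone.sh` to see the configuration that would be applied and `sh build-zone.sh apply myzone myzone0` to create the zone. Keeping the zonecfg stream in a file is what makes the configuration auditable and lets a second zone be created from the same template with different arguments.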
Prepare to boot the zone. On first boot, the zone walks you through a series of steps to configure itself.
# zoneadm -z myzone boot
# zlogin -C myzone
The -C option connects zlogin to the zone's console (the equivalent of a serial console), rather than opening a shell inside the zone as a plain zlogin myzone does. Because the zone has not been configured yet, the System Configuration Tool starts on the console and walks you through setting the time zone, root password, user account and network configuration. The exact procedure is described in an article on Oracle Technology Network.
Note that the root password and the password of the oracle user inside the zone are the ones you set in the System Configuration Tool while connected with zlogin -C; they are independent of the passwords in the global zone.
Later you can run the System Configuration Tool again with the sysconfig command, either to change the system configuration or to write it to a profile (an XML file) that can be applied to other zones.
Test if you can ping the outside world from within the zone:
Internet connectivity should work out of the box if you did not change the Oracle VM VirtualBox or global zone configuration and your host machine is connected to the Internet. If it does not, troubleshoot the network configuration as follows.
NOTE: network configuration changed in Oracle Solaris 11 compared with earlier releases. Configuration files such as /etc/resolv.conf and /etc/nsswitch.conf still exist, but they are generated from the information held in the SMF repository, and edits made directly to them are lost the next time the corresponding service is refreshed. Use the following commands to check that the IP address, default gateway, nameserver addresses and name services are configured properly:
A new utility, nscfg(1M), imports and exports name service configuration into and out of the SMF repository, and regenerates legacy files such as /etc/nsswitch.conf and /etc/resolv.conf from the SMF configuration for backwards compatibility.
You can view the routing table with netstat:
The outside world should now be reachable:
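The checks this note refers to, collected into one script that is added here as an example and not part of the original lab: it prints the address, route and name-service settings from their real source (SMF, not the /etc files), sets DNS through SMF and regenerates the legacy files, and shows what the regenerated resolv.conf will contain so a wrong entry can be spotted before touching the service. The nameserver 10.0.2.3 (VirtualBox's NAT DNS proxy) and the search domain example.com are assumptions; run it as root inside the zone.

```sh
#!/bin/sh
# Added example, not from the original lab: name-service configuration in
# Oracle Solaris 11 lives in SMF; /etc/resolv.conf and /etc/nsswitch.conf
# are regenerated from it. Run as root in the zone. Assumed values:
# nameserver 10.0.2.3, search domain example.com.

# Where the settings actually are (editing the /etc files is overwritten).
net_show() {
    ipadm show-addr                               # addresses, per interface
    netstat -rn                                   # routing table, default gateway
    svcprop -p config network/dns/client          # nameserver, search, ...
    svcprop -p config/host name-service/switch    # host lookup order
}

# Set DNS and the host lookup order in SMF and regenerate the legacy files.
net_set_dns() {                  # net_set_dns "10.0.2.3" "example.com"
    svccfg -s network/dns/client setprop config/nameserver = net_address: "($1)"
    svccfg -s network/dns/client setprop config/search = astring: "($2)"
    svcadm refresh network/dns/client
    svccfg -s name-service/switch setprop config/host = astring: '"files dns"'
    svcadm refresh name-service/switch
    nscfg export svc:/network/dns/client:default          # -> /etc/resolv.conf
    nscfg export svc:/system/name-service/switch:default  # -> /etc/nsswitch.conf
    getent hosts oracle.com                               # end-to-end check
}

# What the regenerated resolv.conf will contain, derived from svcprop output
# lines such as "config/nameserver net_address 10.0.2.3 10.0.2.4".
resolv_from_svcprop() {
    awk '$1 == "config/nameserver" { for (i = 3; i <= NF; i++) print "nameserver", $i }
         $1 == "config/search"     { printf "search"; for (i = 3; i <= NF; i++) printf " %s", $i; print "" }'
}

# Constructed sample of svcprop output, used where svcprop is not available.
SAMPLE_SVCPROP='config/nameserver net_address 10.0.2.3 10.0.2.4
config/search astring example.com
config/value_authorization astring solaris.smf.value.name-service.dns.client'

if command -v svcprop >/dev/null 2>&1; then
    svcprop -p config network/dns/client | resolv_from_svcprop
else
    printf '%s\n' "$SAMPLE_SVCPROP" | resolv_from_svcprop
fi
```

The point of net_set_dns is the order of operations: set the property, refresh the service, and only then look at the file. A resolv.conf edited by hand will look right until the next refresh, which is the usual way this "worked yesterday" problem arises on Oracle Solaris 11.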
At this point the zone is only accessible from the global zone using the zlogin utility. To access the zone over the network, a user account needs to be created inside the zone. For the purpose of this exercise, we will create the user tstark. Check which IP address your myzone interface actually has; it may differ from 10.0.2.25, which is used below as an example.
Force tstark to change his password on first login:
Switch back to the other terminal window that's logged into the global zone. For convenience, add myzone to the hosts file as follows:
Then log into myzone as tstark:
Our user tstark is pretty toothless. To allow him to assume the root role, we assign that role to him. Connect to myzone as root and modify the tstark account accordingly:
Then log in as user tstark again and add tstark to the sudoers file. To edit the sudoers file use visudo, which checks the syntax before the file is saved:
VI Cheatsheet
If you're unfamiliar with vi, here are a few common keyboard commands to get you through this exercise:
k = up
Add the following line anywhere in the file. The NOPASSWD: setting is optional and makes the use of sudo throughout the rest of this lab less painful, but be clear about what it does: a NOPASSWD: entry covering all commands makes the tstark account root-equivalent to anyone who obtains its password or an unattended session. Outside a lab, require the password or rely on the root role assigned above.
Finally, exit out of the root user:
We're going to customize this zone a bit so we can show the advantages of cloning a zone in a later exercise. Let's install the Apache web server:
Then enable the Apache server:
Start Firefox in your global zone and test the web server running in the zone:
Now that we've configured the zone the way we like it, we're going to use it as a template for creating additional zones. You'll note how much quicker the creation process is, and the new zone will be pre-configured just as we want it.
The first step is to create another VNIC for the new zone:
Next define the zone configuration:
You'll note that took a matter of seconds, where the prior install took several minutes.
Now we need to provide the system configuration information for the new zone. The only changes from the myzone configuration are the hostname and IP address. We set the IP address manually; it is 10.0.2.35 in our example, so use another one if 10.0.2.35 does not fit your network configuration. sysconfig prompts you for each value as it guides you through the configuration.
The configuration can also be done before the zone is installed and booted, by supplying a configuration profile.
The profile is created with sysconfig create-profile, a command introduced in Oracle Solaris 11, which writes the answers to an XML file (sc_profile.xml below) instead of applying them to the running system:
If you edit the profile by hand and introduce a typo or formatting error, the zone's first boot does not fail outright but falls back to the interactive System Configuration Tool, so check the console to confirm the boot really was unattended.
# mkdir profiles
# mkdir profiles/defaultprofile
# cp sc_profile.xml profiles/defaultprofile/
# zoneadm -z myzoneclone install -c /home/oracle/profiles
or
# zoneadm -z myzoneclone clone myzone -c /home/oracle/profiles
The next step would be to install the zone, but since we already have a configured zone we can clone it instead. A zone must be halted before it can be cloned, so first halt myzone:
Then clone myzone:
Now, boot the zone.
# zoneadm -z myzoneclone boot
# zlogin -C myzoneclone
[Connected to zone 'myzoneclone' console]
Hostname: unknown
Hostname: myzoneclone

myzoneclone console login: Nov 18 03:37:55 myzoneclone sendmail: My unqualified host name (myzoneclone) unknown; sleeping for retry
Nov 18 03:38:55 myzoneclone sendmail: unable to qualify my own domain name (myzoneclone) -- using short name

myzoneclone console login: tstark
Password: 123abc
Oracle Corporation      SunOS 5.11      11.0    November 2011
tstark@myzoneclone:~$ ifconfig -a4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
myzoneclone0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.0.2.35 netmask ffffff00 broadcast 10.0.2.255
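The clone procedure of this exercise (new VNIC, zone configuration, halt, clone with a sysconfig profile, boot) as one script, added here as an example and not part of the original lab. Instead of retyping the configuration it exports myzone's configuration with zonecfg export, rewrites the two zone-specific lines, and replays it for the new zone; the sysconfig profile makes the first boot unattended. The zone and VNIC names are the lab's; net0 as the physical link and the profile file /home/oracle/profiles/sc_profile.xml are assumptions. Run it as root in the global zone.

```sh
#!/bin/sh
# Added example, not from the original lab: clone a configured zone. Run as
# root in the global zone. Assumed: physical link net0, profile file
# /home/oracle/profiles/sc_profile.xml (written by sysconfig create-profile).

PHYSLINK=${PHYSLINK:-net0}

# 'zonecfg export' emits a command stream that 'zonecfg -f' replays. Only the
# zonepath and the VNIC differ between template and clone, so rewrite just
# those two lines; the '$' anchor keeps a memory cap's 'set physical=512m'
# line from being touched.
rewrite_config() {               # rewrite_config OLD_VNIC NEW_VNIC NEW_ZONEPATH
    sed -e "s#^set zonepath=.*\$#set zonepath=$3#" \
        -e "s#^set physical=$1\$#set physical=$2#"
}

clone_zone() {                   # clone_zone SRC DST SRC_VNIC DST_VNIC PROFILE
    dladm show-vnic "$4" >/dev/null 2>&1 || dladm create-vnic -l "$PHYSLINK" "$4"
    cfg=$(mktemp) || exit 1
    zonecfg -z "$1" export | rewrite_config "$3" "$4" "/zones/$2" > "$cfg"
    zonecfg -z "$2" -f "$cfg"
    rm -f "$cfg"
    zoneadm -z "$1" halt                    # the source must be halted to clone it
    zoneadm -z "$2" clone -c "$5" "$1"      # ZFS snapshot + clone: seconds, not minutes
    zoneadm -z "$1" boot
    zoneadm -z "$2" boot                    # the profile answers the sysconfig questions
    zoneadm list -cv
}

# Constructed export of the lab's myzone, used to show the rewrite offline.
SAMPLE_EXPORT='create -b
set brand=solaris
set zonepath=/zones/myzone
set autoboot=false
set ip-type=exclusive
add net
set physical=myzone0
end
add capped-memory
set physical=512m
end'

case ${1:-show} in
    apply) clone_zone myzone myzoneclone myzone0 myzoneclone0 \
                      /home/oracle/profiles/sc_profile.xml ;;
    *)     printf '%s\n' "$SAMPLE_EXPORT" |
               rewrite_config myzone0 myzoneclone0 /zones/myzoneclone ;;
esac
```

Without arguments the script prints the rewritten configuration for review; `apply` performs the clone. Because the clone carries over the whole file system of the template, everything configured in myzone (Apache, the tstark account and its password, the sudoers entry) is present in myzoneclone at first boot, which is exactly why a template zone should be hardened before it is cloned.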
Return to Firefox and test the web server.
It's important that 10.0.2.35 is routable from your global zone. If you configured another IP address for myzoneclone, use it instead; it has to fit your network configuration.
We'll just use the IP address rather than taking the time to set the hostname:
User tstark also exists in the clone, because the clone carries over myzone's entire file system, including the account database and his home directory. It even reports a "last login", which was actually on myzone.
Thus far we've seen the powerful combination of operating system virtualization and storage virtualization in that we were able to get a clone of an operating environment up and running in just a couple of minutes. In this exercise we are going to look at the additional value network virtualization brings to our zones.
From the global zone, ping myzoneclone with 10K of data as follows:
It currently takes 1-2 ms to transfer 10 KB of data.
Let's assume this particular zone was something like a low-priority network tape backup service. When it kicked in to perform its daily backup, it bogged down the rest of the network with its backup traffic, creating a quality-of-service issue. By applying a resource control to the virtual network interface, we can limit the amount of bandwidth that this particular interface is allowed to consume, freeing up bandwidth for other consumers on the network.
View the VNICs:
myzoneclone0 is currently configured to operate at 1 Gbit/s. For the purposes of this exercise, let's throttle it way down to 8 Mbit/s. With the ping still running, switch to another terminal and enter the following command:
You should immediately see your ping response times jump by a factor of about 10:
If we do the math: 10 KB of data in 10 ms is 1 MB/s, and the cap we set, 8 Mbit/s, is also 1 MB/s. The ping time is now dominated by the bandwidth cap rather than by the network stack.
The other important thing to note is that the change was instant and dynamic. There is no need for anything to be restarted in order to make changes to our network traffic.
In this exercise we applied a bandwidth limit to the entire VNIC. It is also possible to limit bandwidth per flow (flowadm), selecting traffic by IP address, port, protocol or MAC address, so different network flows over the same VNIC can be throttled independently. For more information on this topic, see the Oracle Solaris 11 Networking Virtualization Technology page.
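The throttling steps of this exercise, together with the per-flow variant the last paragraph mentions, as one script added here as an example (not part of the original lab). It caps the VNIC with dladm, shows and then removes the cap, and creates a flow that caps only HTTP on the same link with flowadm. The link name myzoneclone0 is the lab's; the flow name httpflow and its 2 Mbit/s cap are assumptions. Run it as root in the global zone.

```sh
#!/bin/sh
# Added example, not from the original lab: bandwidth caps on a zone's VNIC
# and on one flow over it. Run as root in the global zone. Link name
# myzoneclone0 is the lab's; flow name httpflow and its cap are assumed.

# Cap the whole link. It takes effect at once on the running zone; neither
# the zone, the link nor the running ping needs a restart.
cap_link() {                     # cap_link LINK 8M
    dladm set-linkprop -p maxbw="$2" "$1"
    dladm show-linkprop -p maxbw "$1"
}

# Back to the link's full speed.
uncap_link() {                   # uncap_link LINK
    dladm reset-linkprop -p maxbw "$1"
}

# Cap only TCP port 80 on the link; a flow can also select on local or remote
# IP address, protocol or remote port. Other traffic keeps the link's bandwidth.
cap_http_flow() {                # cap_http_flow LINK FLOW 2M
    flowadm add-flow -l "$1" -a transport=tcp,local_port=80 "$2"
    flowadm set-flowprop -p maxbw="$3" "$2"
    flowadm show-flow -l "$1"
}

uncap_http_flow() {              # uncap_http_flow FLOW
    flowadm remove-flow "$1"
}

# Expected one-way time for a payload under a cap, in ms (integer): the
# 10 KB ping payload at 8 Mbit/s takes about 10 ms, which is the tenfold
# jump in round-trip time seen after cap_link.
ms_for_payload() {               # ms_for_payload BYTES KBIT_PER_S
    echo $(( $1 * 8 / $2 ))
}

case ${1:-} in
    cap)    cap_link myzoneclone0 8M ;;
    uncap)  uncap_link myzoneclone0 ;;
    flow)   cap_http_flow myzoneclone0 httpflow 2M ;;
    unflow) uncap_http_flow httpflow ;;
    *)      echo "10 KB at 8 Mbit/s: $(ms_for_payload 10240 8000) ms per direction" ;;
esac
```

Run with `cap` while the ping is going to reproduce the exercise, `uncap` to restore the link, and `flow` to see that only the web server's traffic is affected while the ping from the global zone stays fast.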
A new feature of Solaris 11 is the ability to delegate the administration of a zone to another user in the global zone. For this exercise, we first need to create a new user in the global zone, ppotts:
Now, switch to ppotts and try to administer myzoneclone:
pfexec runs a command with the authorizations and privileges granted to the user through rights profiles (RBAC); without any zone authorizations, the zoneadm command above fails for ppotts. In the next step we are going to assign Pepper the authorizations she needs to administer the zone.
Now let's give Pepper the authorizations to administer myzoneclone, and only that zone:
Now switch back to Pepper and try to administer the zone again:
What happens if Pepper tries to manage a different zone?
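The delegation steps of this exercise, plus a local check that shows why the last command fails, as one script added here as an example (not part of the original lab). It creates ppotts in the global zone, grants the two per-zone authorizations with usermod -A, and mirrors the test zoneadm performs against the user's authorization list, so the scoping is visible without a second zone. The home directory path and shell are assumptions; run it as root in the global zone.

```sh
#!/bin/sh
# Added example, not from the original lab: delegate one zone to a
# global-zone user via RBAC authorizations. Run as root in the global zone.
# Assumed: home directory under /export/home, bash as the login shell.

# Authorizations scoped to one zone. solaris.zone.manage/<zone> covers
# boot/halt/reboot through zoneadm, solaris.zone.login/<zone> covers zlogin.
# Without the /<zone> suffix the same names would cover every zone.
zone_auths() {                   # zone_auths ZONE
    echo "solaris.zone.login/$1,solaris.zone.manage/$1"
}

# usermod -A sets the whole authorization list; check 'auths USER' first if
# the account already holds others that must be kept.
delegate_zone() {                # delegate_zone USER ZONE
    id "$1" >/dev/null 2>&1 ||
        useradd -m -d "/export/home/$1" -s /usr/bin/bash "$1"
    usermod -A "$(zone_auths "$2")" "$1"
    auths "$1"                   # should list both solaris.zone.*/ZONE entries
}

# The test zoneadm applies through RBAC for a non-root caller: the user needs
# solaris.zone.manage/<zone>, or the unscoped solaris.zone.manage. Input is a
# comma-separated list in the form printed by auths(1).
has_zone_auth() {                # has_zone_auth "auth,auth,..." ZONE
    case ",$1," in
        *",solaris.zone.manage,"*)    return 0 ;;
        *",solaris.zone.manage/$2,"*) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Constructed auths(1) output for ppotts after: delegate_zone ppotts myzoneclone
PPOTTS_AUTHS='solaris.zone.login/myzoneclone,solaris.zone.manage/myzoneclone,solaris.device.cdrw,solaris.mail.mailq'

# What Pepper can and cannot do once delegated:
#   su - ppotts -c 'pfexec zoneadm -z myzoneclone reboot'   # allowed
#   su - ppotts -c 'pfexec zoneadm -z myzone reboot'        # denied
for z in myzoneclone myzone; do
    if has_zone_auth "$PPOTTS_AUTHS" "$z"; then
        echo "ppotts may manage $z"
    else
        echo "ppotts may not manage $z"
    fi
done
```

The per-zone suffix is the whole point of this exercise: the authorization names a specific zone, so the same account can be a full administrator of myzoneclone and have no rights at all over myzone, without any sudo rule or root role in the global zone.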
Congratulations, you've just employed 3 types of virtualization to create a more agile data center. By combining network virtualization with ZFS and zones you can establish environments which can be quickly replicated and controlled.