“Containers” feature allows multiple virtual machines to share a single copy of the Solaris operating system, unlike other virtual-machine technologies.
This could open up some very interesting opportunities for testing kernel code and such.
The other nice thing about such containers is that changes in one VM, while possibly corrupting it, are not acknowledged by the rest of the system, giving you a complete sandbox mode.
This could open up some very interesting opportunities for testing kernel code and such.
No, for kernel code development you need a real virtual machine monitor that runs a separate instance of the kernel. There is no point in using a zone/jail as you still have only one instance of the kernel and you gained exactly nothing.
Do you think something similar to a chroot jail can be created by using an OS instance for each user? Will this method give ultimate security? Any thoughts?
Of course. vservers (http://linux-vserver.org/) already provide this kind of functionality. Generally more useful for servers (separate web, mail, dns…) but could be applied to separate users.
I didn’t think Solaris zones are virtual machines – more really heavyweight chroots.
Also, the process of creating a container copies files from the host, and does not share the files as implied in the article.
Am I missing something, are containers something different to zones?
You can check out the following for an overview of where zones fall in the range of virtualization options:
http://blogs.sun.com/roller/page/eschrock?entry=solaris_virtualizat…
By default, the majority of files (/usr, /lib, /sbin, /platform) are shared (via read-only loopback mounts) with the global zone. Zones can also be configured in “whole root” mode, which copies files from the above directories instead of sharing them.
“Containers” are the marketing term for zones – they are the same thing.
This sounds like a fancy, powerful extension of chroot. Containers are a good idea.
Does each container have its own partition? Do they share programs (e.g. /usr)?
If I am correct, they create virtualizations of the original partition, utilising each file, but not actually modifying the source file, but it’s own doppelganger version.
Looks like FreeBSD’s jail(8)s. One kernel, many userlands.
However Solaris’ implementation seems to have interesting capping capabilities for CPU cycles (or is it just nice(1)?) and memory (afair with FreeBSD you can cap only the number of processes).
For more information on Zones (a.k.a. containers), check out the bigadmin site:
http://www.sun.com/bigadmin/content/zones/
As well as the OpenSolaris Zones community:
http://www.opensolaris.org/os/community/zones/
I think one of the things I recall from a Solaris 10 demo that Sun did is to mention how containers/zones can also be given resource limits for CPUs, memory, etc. This works really well (according to them) when you have a multi-core or multi-CPU system and want to allocate some hard resources to different projects contained within zones.
Both eschrock and Anonymous discuss the use of Resource Controls with Containers and Zones. These controls can be changed dynamically, unlike previous releases of Solaris where changes usually required a reboot. On a large machine, using Projects, Resource Controls, Containers and Zones gives the system administrator extremely fine-grained control over a system that no other operating system I am aware of can match.
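The two technical points raised in this thread (sparse-root zones that share /usr, /lib, /sbin and /platform read-only with the global zone, and per-zone CPU and memory caps) can be put together in one zonecfg command file. The script below is an added example and is not code from the thread or from Sun; it assumes the Solaris 10 zonecfg syntax (`inherit-pkg-dir`, `capped-cpu`, `capped-memory` and `rctl` resources, the latter two only available in later Solaris 10 updates), and the zone name `web1`, the zonepath and the network settings are constructed values. The second function is a small defender-side check: run it over the output of `zonecfg -z NAME export` to flag zones that have been created without any CPU or memory cap and can therefore starve the global zone and every other zone on the box.

```shell
#!/bin/sh
# Added example: generate a sparse-root zone configuration with resource caps,
# and audit an exported zone configuration for missing caps.
# Assumptions: Solaris 10 zonecfg syntax; zone name, paths and addresses are constructed.

# Emit a zonecfg command file for a sparse-root zone.
# "create -b" starts from a blank config; the four inherit-pkg-dir entries are
# what makes the zone "sparse": those trees are read-only loopback mounts of the
# global zone's copies rather than private copies ("whole root").
sparse_zone_config() {
    zone=$1
    zpath=$2
    cat <<EOF
create -b
set zonepath=$zpath
set autoboot=true
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add net
set address=192.0.2.10
set physical=e1000g0
end
add capped-cpu
set ncpus=1.5
end
add capped-memory
set physical=1g
set swap=2g
set locked=256m
end
add rctl
set name=zone.max-lwps
set value=(priv=privileged,limit=1000,action=deny)
end
commit
EOF
}

# Return 0 if the given zonecfg command file (or "zonecfg -z NAME export" output)
# declares both a CPU and a memory cap, 1 otherwise. Each missing cap is reported
# on stderr so the output can be fed to a ticket or a monitoring check.
zone_has_caps() {
    cfg=$1
    missing=0
    for res in capped-cpu capped-memory; do
        if ! grep -q "^add $res\$" "$cfg"; then
            echo "$cfg: no $res resource configured" >&2
            missing=1
        fi
    done
    return $missing
}

# Stand-alone demo: write the generated config, check it, then check a
# constructed minimal config that has no caps at all.
demo_dir=${TMPDIR:-/tmp}/zone-example.$$
mkdir -p "$demo_dir"
sparse_zone_config web1 /export/zones/web1 > "$demo_dir/web1.cfg"
printf 'create -b\nset zonepath=/export/zones/uncapped\ncommit\n' > "$demo_dir/uncapped.cfg"
for f in "$demo_dir/web1.cfg" "$demo_dir/uncapped.cfg"; do
    if zone_has_caps "$f"; then
        echo "$f: CPU and memory caps present"
    else
        echo "$f: FAILED cap check"
    fi
done
rm -rf "$demo_dir"
```

On a real system the generated file is applied with `zonecfg -z web1 -f web1.cfg`, followed by `zoneadm -z web1 install` and `zoneadm -z web1 boot`. As the post above notes, the controls can then be adjusted on the running zone without a reboot, for instance with `prctl -n zone.cpu-shares -v 20 -r -i zone web1` for a share-based rctl.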
Step by step:
http://www.blastwave.org/docs/Solaris-10-b51/DMC-0002/dmc-0002.html
Once you have a Zone running then see what Brendan Gregg has to offer here:
http://users.tpg.com.au/adsln4yb/zones.html
Dennis at Blastwave