Zones and Containers FAQ-2
Q: How can I add a filesystem to an existing zone?
A: There are four methods. The following list uses UFS examples, but other types of file systems, such as HSFS and VxFS, can be used in the zonecfg “fs” resource type property or attached by mount(1M).
- Create and mount the filesystem in the global zone and use LOFS to mount it into the non-global zone (very safe)
- Create the filesystem in the global zone and use zonecfg to mount the filesystem into the zone as a UFS filesystem (very safe)
- Export the device associated with the disk partition to the non-global zone, create the filesystem in the non-global zone and mount it. Security consideration: If a _block_ device is present in the zone, a malicious user could create a corrupt filesystem image on that device, and mount a filesystem. This might cause the system to panic. The problem is less acute with raw (character) devices. Disk devices should only be placed into a zone that is part of a relatively trusted infrastructure.
- Mount a UFS filesystem directly into the non-global zone’s directory structure (allows dynamic modifications to the mount without rebooting the non-global zone)
See the administration guide for instructions to use these methods. [September 2006]
Q: How can I make a writeable /usr/local in a sparse-root zone?
A: Use one of the methods above, for example:
global# mkdir -p /path/to/some/storage/local/twilight
global# zonecfg -z twilight
zonecfg:twilight> add fs
zonecfg:twilight:fs> set dir=/usr/local
zonecfg:twilight:fs> set special=/path/to/some/storage/local/twilight
zonecfg:twilight:fs> set type=lofs
zonecfg:twilight:fs> end
zonecfg:twilight> commit
zonecfg:twilight> exit
global#
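The second method in the list above (a UFS file system handed to the zone through a zonecfg “fs” resource) and the lofs variant used for /usr/local, written as a zonecfg command file suitable for “zonecfg -z ZONE -f FILE”. This is an added shell example, not code from the FAQ; the zone name twilight, the mount point and the device c1t0d0s5 are assumed placeholders, and the script only generates the commands, it does not run zonecfg.

```shell
#!/bin/sh
# Added example (not from the FAQ): build a zonecfg(1M) command file that adds
# an "fs" resource to an existing zone, either the UFS variant of method 2 or
# the lofs variant used for /usr/local. Nothing here runs zonecfg; the output
# is meant for "zonecfg -z ZONE -f FILE" in the global zone. Zone name, mount
# point and device names below are constructed placeholders.

# fs_resource DIR SPECIAL TYPE
#   Prints the zonecfg commands on stdout; returns 1 on bad input.
fs_resource() {
    dir=$1 special=$2 type=$3

    # the mount point is interpreted relative to the zone root, so it must
    # be an absolute path
    case $dir in
        /*) ;;
        *)  echo "fs_resource: dir must be absolute: $dir" >&2; return 1 ;;
    esac

    raw=
    case $type in
        lofs) ;;
        ufs)
            # UFS also needs the raw (character) device: zoneadm runs fsck on
            # it before mounting. Derive /dev/rdsk/... from /dev/dsk/...
            case $special in
                /dev/dsk/*) raw=/dev/rdsk/${special#/dev/dsk/} ;;
                *)  echo "fs_resource: ufs special must be under /dev/dsk: $special" >&2
                    return 1 ;;
            esac ;;
        *)  echo "fs_resource: unsupported type: $type" >&2; return 1 ;;
    esac

    printf 'add fs\n'
    printf 'set dir=%s\n' "$dir"
    printf 'set special=%s\n' "$special"
    if [ -n "$raw" ]; then
        printf 'set raw=%s\n' "$raw"
    fi
    printf 'set type=%s\n' "$type"
    # nodevices: device special files stored on this file system cannot be
    # opened from inside the zone, so a data file system cannot be used to
    # bring a device node into the zone that zonecfg never granted
    printf 'add options nodevices\n'
    printf 'end\n'
    printf 'commit\n'
}

# Usage in the global zone (constructed names):
#   fs_resource /usr/local /dev/dsk/c1t0d0s5 ufs > /tmp/twilight-usrlocal.cfg
#   zonecfg -z twilight -f /tmp/twilight-usrlocal.cfg
#   zonecfg -z twilight verify
# The file system is mounted at the next "zoneadm -z twilight boot".
```

Review the generated file before feeding it to zonecfg; “verify” catches a missing raw device or a bad type, but not a mount point that overlaps something the zone already uses.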
Q: Can I assign an SVM meta-device, or a Veritas Volume, to a non-global zone?
A: With Solaris 10 1/06, you can directly assign an SVM meta-device into a non-global zone, using the same method you would with most other devices.
Symantec supports the assignment of a Veritas Volume into a non-global zone. For more information, [June 2009]
Q: Can I, and should I, import raw devices into a non-global zone?
A: The Solaris Zones feature set provides the global zone administrator with the ability to allow a non-global zone to access a raw device. There are many situations where this will be the best approach to solve a problem. There are even situations which require such use.
First, however, it is important to stress that there are usually other solutions that do not require direct device access. Let’s discuss this first.
With regard to importing VxVM devices into a zone, this is possible with VxVM 5.0MP3 and up. For earlier versions, your options depend on the goal. If the goal is to make a filesystem available in the zone, the solution is to create the filesystem in the global zone, and LOFS or direct mount the filesystem in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, the only solution is to upgrade to VxVM 5.0MP3 or higher.
If you want to make a filesystem available in the zone, create the filesystem in the global zone, and use LOFS to make the filesystem available in the zone. On the other hand, if the goal is to make a mirrored block device available in the zone, another solution must be found.
In any situation, if direct device access is required within a zone, you must perform careful failure analysis and evaluation of the possible outcomes of “catastrophic application failure”. If the non-global zone will use COTS software, and will be managed by trustworthy people, then the risks will be small. Fortunately, in most cases there are also other solutions which do not use direct device access from a zone.
Here are two extreme examples:
1. A zone will be created for the purpose of training students on basic Unix commands. The root account will only be used by the global zone administrator. The system will be attached to a LAN which is not connected to any other networks. The instructor needs access to the sound device. There are very few risks associated with such access – it would be very difficult for the sound device to suffer a failure, and even if it did it would be unlikely to affect other zones.
The zone can be given access to this via the zonecfg sub-commands:
global# zonecfg -z zonename
zonecfg:zonename> add device
zonecfg:zonename:device> set match=/dev/sound/*
zonecfg:zonename:device> end
zonecfg:zonename> exit
The zone will have access to sound devices, but will not have access to any other devices.
2. A zone will be created for the purpose of teaching students about a database program that requires access to raw disk partitions. The instructor knows how to use Unix, but does not have a background in Unix system administration. Further, the instructor will require use of the root account to assist students. It is possible that the instructor could make a mistake, or a malicious student could abuse the raw disk access, leading to a crash of the kernel. This would also stop all of the other non-global zones, as well as the global zone. If the other zones are running production software, this request for raw disk access in a zone should not be fulfilled. Other solutions should be pursued, such as creating an RBAC role for the instructor which only gives the necessary privileges to the instructor’s Unix account.
Other examples must be judged by their particulars, e.g. a production database program which needs raw access. Factors to consider include:
- Who will login to the zone? How trustworthy are they?
- Is this system protected from unauthorized access by a firewall?
- What level of availability is required by applications running in this zone and in other zones?
For more information on this topic, see the section “SECURITY AND DATA INTEGRITY” of the man page for sgen(7d).
[June 2009]
Q: Can I share an I/O resource (e.g. NIC, HBA) between containers?
A: Yes, in fact, that is the default model. Each container is assigned its own IP address, but usually multiple containers will share one NIC. Further, multiple zones may be assigned separate filesystems accessed through one HBA.
Q: Can zones in one computer communicate via the network?
A: Both shared-IP and exclusive-IP zones can communicate via the network. In general, a zone is assigned to use one or more network ports (aka NICs), and network traffic to or from other computers uses the assigned NIC(s), following standard IP rules.
Network traffic between two zones on the same system may require extra planning. If a zone is an “exclusive-IP” zone, its network packets will always leave the computer, and inbound packets will always come from outside the computer. Further, an exclusive-IP zone performs all of its own network configuration, including routing and IP filtering.
Before Solaris 10 10/08, network traffic between two shared-IP zones always stayed in the computer, i.e. it didn’t traverse the physical network. This provided very high bandwidth, low latency transmission. However, starting with Solaris 10 10/08, traffic between two shared-IP zones stays in the computer unless a default router is used for one or both zones. Traffic from a zone with a default router will go out to the router before coming back to the destination zone. For more information on default routers for zones, see the documentation and Steffen’s blog.
Full IP-level functionality is available in an exclusive-IP zone. Exclusive-IP zones always communicate with each other over the physical network. That communication can be restricted using IP Filter from within such zones, just as it can for a separate system.
For shared-IP zones in one computer that communicate using IP networking, the following applies:
- Inter-zone network latency is extremely small, and bandwidth is extremely high
- Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in System Administration Guide: IP Services. Filter rules are still configured in the global zone.
It is possible to configure routing to block traffic between specific zones completely.
For more information on IP types, see the System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.
[January 2009]
Q: How do I modify the network configuration of a running zone?
A: For shared-IP zones, the ifconfig(1M) command can be used in the global zone to modify that zone’s existing network configuration or to add new logical interfaces to a zone. Here are some examples that add, and then delete a logical interface assigned to a zone:
global# ifconfig bge0 addif 192.168.200.202 zone myzone
global# ifconfig bge0 removeif 192.168.200.202
[January 2009]
Q: Can IP Multipathing (IPMP) be used with zones?
A: Yes.
Exclusive-IP zones can use IPMP. IPMP is configured the same way in an exclusive-IP zone as it is on a system not using zones.
For shared-IP zones, IPMP can be configured in the global zone. Failover of a network link (e.g. hme0) that is protected by IPMP will bring the associated logical interfaces (e.g. hme0:3) for the zones over to the secondary link (e.g. bge0).
For more information, see the section “Using IP Network Multipathing on a Solaris System With Zones Installed” in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.
Take extra care with IPMP and the defrouter setting. [January 2009]
Q: Can IP Filter be used with zones?
A: You have the same IP Filter functionality that you have in the global zone in an exclusive-IP zone. IP Filter is also configured the same way in exclusive-IP zones and the global zone.
For shared-IP zones, the IP Filter features in Solaris 10 can be used to filter traffic passing between one non-global zone and other computers on the network. This includes the ability to use NAT features, i.e., redirect traffic destined for the global zone to non-global zones.
[November 2007]
Q: Can I prevent a zone from using the network?
A: Yes. A zone does not need a network interface in order to operate. If you don’t specify a network interface when you create the zone, it will still boot correctly. If an existing zone has been given access to a network interface, you can use zonecfg(1M) to remove that access, but if the zone is running you must also either re-boot the zone or use ifconfig(1M) to remove access until the next re-boot.
It is also possible to allow a shared-IP zone to access the network, but not communicate with other zones on the same system. One method is to set up a pair of routes using the “-reject” argument to the route(1) command. For example, if one zone has an IP address of <Addr1> and the second zone has an address of <Addr2>, then the following commands will prevent network traffic from passing between the two zones. [July 2006]
global# route add <Addr1> <Addr2> -interface -reject
global# route add <Addr2> <Addr1> -interface -reject
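The reject-route pair above, generalised to any number of shared-IP zones on one system: an added shell example, not part of the FAQ. It only generates route(1M) commands for review (it does not run them), and the 192.168.200.x addresses in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the FAQ): generate the route(1M) reject routes that
# keep a set of shared-IP zones from talking to each other, extending the
# two-zone pair in the answer above to every ordered pair in a list. Nothing
# here runs route; review the output, then run it in the global zone.

# valid_ipv4 ADDR -> 0 if ADDR is a dotted quad, 1 otherwise
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# isolate_zones ADDR... -> one "route add" line per ordered pair of addresses
isolate_zones() {
    for a in "$@"; do
        valid_ipv4 "$a" || { echo "isolate_zones: bad address: $a" >&2; return 1; }
    done
    for a in "$@"; do
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            # same form as the FAQ's pair: destination $a, interface address
            # $b, flagged -reject so the in-kernel path between the two
            # shared-IP zones is refused instead of used
            echo "route add $a $b -interface -reject"
        done
    done
}

# undo_isolation ADDR... -> the matching "route delete" lines
undo_isolation() {
    isolate_zones "$@" | sed 's/^route add /route delete /'
}

# Usage in the global zone, e.g. three zones sharing one NIC (constructed
# addresses):
#   isolate_zones 192.168.200.201 192.168.200.202 192.168.200.203 | sh
#   netstat -rn        # confirm the reject entries are present
#   undo_isolation 192.168.200.201 192.168.200.202 192.168.200.203 | sh
```

Routes added this way do not survive a reboot unless they are also recorded in the system’s static route configuration or re-added from a startup script, so check them again after any reboot of the global zone.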
Q: Are VLANs supported in zones?
A: Yes. For a shared-IP zone, the VLAN interface must be plumbed in the global zone. LAN and VLAN separation are available in an exclusive-IP non-global zone.
Q: How do I configure a default route in a container?
A: For a shared-IP configuration: All routes, including default routes, must be configured by the global zone administrator. By default, such zones use the global zone’s default router. Starting with Solaris 10 10/08, each shared-IP zone can be assigned its own default router with the “defrouter” setting. For more information on default routers for zones, see the documentation and Steffen’s blog.
For an exclusive-IP configuration: The zone administrator can configure IP on those data-links with the same flexibility and options as in the global zone.
[January 2009]
Q: How can I restrict a zone (or a few zones) to one NIC (network connector)?
A: The global zone administrator configures each zone’s access to zero or more NICs. A shared-IP zone can be the only zone using a NIC.
Exclusive-IP zones have more separation which reaches down to the data-link layer. One or more data-link names, which can be a NIC or a VLAN on a NIC, are assigned to an exclusive-IP zone by the global administrator. The zone administrator can configure IP on those data-links with the same options as in the global zone. [January 2009]
Q: When I tried to mount a file system into a non-global zone, an error message displayed stating that the mount point was busy. Why?
A: All accesses to entries in lofs mounted file systems map to their underlying file system. Therefore, if a mount point is made available in multiple locations via lofs and it is in use in any of those locations (as a mount point, a current working directory, etc.), an attempt to mount a file system at that mount point will fail unless the overlay flag has been specified. [November 2007]
Q: How can I mount a filesystem into two or more different zones safely?
A: Create a directory in the global zone, and remount it into each non-global zone using lofs. This allows reading and writing from both zones without corrupting the file system. It’s the same mechanism used by the automounter in certain cases.
Q: How can I create a zone with its own /usr or root file system (a “whole root file system”)?
A: By default a zone shares /usr and a few other directories with the global zone. If a zone needs its own separate copy of /usr, et al., you must tell zonecfg to not use the default configuration. To do this, use the “-b” option on the “create” sub-command of the zonecfg(1M) command.
If you do this, you must specify each existing file system that you do want to share with this new zone.
Q: How can I restrict a zone (or a few zones) to one HBA (storage connector)?
A: Each zone uses space in at least one disk partition – its root directory and several others (e.g. /etc) live there. All of these files are part of Solaris. In addition, each zone can be given access to one or more file systems and/or one or more raw disks. By planning carefully, you can configure one zone so that all of its files and devices are accessible through one HBA, and all of the storage of another zone is accessible through a different HBA. [August 2005]
Q: Can a non-global zone NFS-mount a file system that has been shared from its own global zone?
A: No. This may be addressed in the future. However, the filesystem can be LOFS-mounted into the local zone, and, if necessary, the global zone can export the same filesystem via NFS so that other computers can also access those files. [August 2005]
Q: Can a zone’s root directory be on a ZFS file system?
A: Solaris 10 release:
Placing a zone’s root directory (i.e. its PATHNAME) on ZFS is supported starting with Solaris 10 10/08, and you can then upgrade with Live Upgrade going forward. There are still issues with placing a zone on ZFS on a release prior to Solaris 10 10/08 and then trying to upgrade.
Solaris Express Release:
You can place the zonepath of a non-global zone on ZFS. However, see the question “How do I upgrade a system with zones installed? Does Live Upgrade work?” for related issues. [Sept 2008]
Q: Can a zone be an NFS server?
A: A global zone can be an NFS server. A non-global zone cannot use the Solaris NFS server features. This issue may be addressed in the future. See RFE 5102011.
However, non-Solaris NFS server software (i.e. “userland” NFS server software) has been shown to work correctly in a non-global zone. Such software works because it does not run in the kernel, unlike the Solaris NFS server software which runs in the Solaris kernel.
[January 2009]
Q: Can a zone be a DHCP server?
A: A global zone can be a DHCP server.
Starting with Solaris 10 11/06, a non-global zone can be a DHCP server. This ability became more flexible with Solaris 10 8/07, which added a feature called IP Instances. [January 2008]
Q: Can a zone be a DNS server?
A: Yes.
Q: Can a zone be an NTP client or server?
A1: A zone can be an NTP server.
A2: The NTP client software sets the system time clock shared by all zones, including the global zone. By default, non-global zones cannot do this. However, the global zone administrator can give a zone the ability to change the system time clock with the “sys_time” privilege. Be aware that this changes the time clock for all zones. [February 2009]
Q: Can a zone be a NIS (aka yp), NIS+, or LDAP server?
A: Yes, yes, and yes.
Q: Can a zone provide network login via telnet, rlogin, rsh or ssh?
A: Yes, yes, and yes.
Q: Can a zone be an ftp server?
A: A zone can be an ftp server, but it is not possible to use ftpconfig(1M) to set up a zone to be an anonymous ftp server. This is because ftpconfig attempts to set up certain device special files, and a zone does not have the necessary privileges. [December 2005]
A: Yes.
Q: Can I use X windows in a zone?
A: There are a few different methods to use X windows with zones:
1. On the system console: at the login screen, you can choose “Remote Host” and enter the hostname of the zone. The X windows login screen should be replaced with an X windows remote login screen.
2. At the console, logged into the global zone: you can tell X to allow remote connections from the non-global zone, telnet to that zone, and set the appropriate environment variable so that X sessions go to the global zone’s X windows session, e.g. “setenv DISPLAY my-global-zone”.
3. At another system, you can login directly to the non-global zone, and perform steps similar to the previous method.