Friday, August 7, 2009

Solaris Zones

Earlier in my experience with OpenSolaris I was concerned about security, and so chose to isolate certain server functions through virtualization. However, virtual machines require disk space, CPU time, and memory. My server wasn't slow, but it was starting to use its swap memory, and for a box that is barely doing anything, that wasn't acceptable to me. So next I learned how to disable the GUI. In this quest I ran into issues, especially when it came to updating: the new Boot Environment (BE) booted into the GUI again. Flustered, I turned to IRC for help, and while explaining my issues the main response was, "Weird, but why aren't you using zones?" There are a lot of features of Solaris that differ from other operating systems. ZFS was what initially led me to OpenSolaris. However, zones would have led me here too if I had learned about them first.

First, a little bit more about zones. Zones create a completely separate environment on your server. They have their own filesystem, yet their processes still run directly on the hardware. So far it sounds like virtualization, but there is no added virtualization layer: a zone talks to the kernel directly because it is running the exact same operating system. It is still isolated, though. I log in with different usernames and passwords, I connect to it through a different IP address, and I have to add packages to it even if they're already installed on my main operating system, which in zone terminology is the Global zone. So my webserver can sit on my main server, isolated with its own traffic, at a much lower cost to my system. While not applicable in every situation, for mine it is amazing.

Let's get one going! First off, the instructions I used to create my zone were incomplete in only one sense: where you put the zone. Zones must be created in a ZFS dataset. Because I already have a ZFS filesystem set up, I merely added another dataset to it. These are the steps required to do so.

#zfs create tank/zones/web

If you've read any other post on my blog, or read this one from the beginning, you'll understand that I love ZFS, and this should show you why. It is just easy to work with. Next, let's set up our zone.

First we'll configure the zone.

#zonecfg -z webzone
No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:webzone>create
zonecfg:webzone>set zonepath=/tank/zones/web
zonecfg:webzone>add net
zonecfg:webzone:net>set physical=bge0
zonecfg:webzone:net>set address=192.168.1.109
zonecfg:webzone:net>end
zonecfg:webzone>exit

Let me clarify a few things. First off, the zonepath is where the zone's filesystem will be installed. It has to be on a ZFS dataset. It will not give you an error at this point if you have not put it in the right place. Next, the physical NIC you are adding to the zone is the physical NIC you are using in your system. If you are using e1000g0 then it should be set to that. If there are further questions, submit them in comments and I will try to answer them.

At this point, our zone is configured. Next we need to install it. To verify it's configured, we can do

#zoneadm list -cv

In the STATUS column it should say configured, but not installed (it won't say "not installed", it will just say configured). Next, do the command to install it!

#zoneadm -z webzone install

This will take some time as it installs the entire filesystem as if it's a new Solaris install. Once it's done, you can run the zoneadm list command shown above to verify. The last thing that needs to be done is to boot the zone. However, the zone must be configured on its first boot like any Solaris install, so it requires two terminals: one to boot it, and one to view the console. For the console, run this command:

#zlogin -C webzone

This will show you all output from the zone as it boots, and allow you to set some of the required settings.

On the second prompt, do this:

#zoneadm -z webzone boot

It will go back to the prompt, while your first terminal starts to show a normal boot up of a Solaris system. Fill in the necessary items here and you'll be up and running in no time!

Once my install was up and running, I immediately wanted to install the amp-dev package. However, it quickly became obvious that my zone was not using DNS. It didn't have an /etc/resolv.conf, so why should it? From the second terminal, the Global zone prompt, you can copy your resolv.conf file directly into the appropriate directory. This brings up the fact that the Global zone can interact with the filesystem of all installed zones.

global#cp /etc/resolv.conf /tank/zones/web/root/etc/

This will put your DNS server config into the new server. This wasn't enough though; I also had to run the following command in the zone.

webzone#cp /etc/nsswitch.dns /etc/nsswitch.conf

After this, my system was completely functional and working as I wanted.
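The whole procedure above, from the dataset through the DNS fix, as an added example script that is not part of the original post. It assumes the post's values (tank/zones/web, bge0, 192.168.1.109), feeds zonecfg a command file instead of the interactive session, and checks the zone's STATUS from zoneadm list -cv before installing; the first-boot configuration still happens on the console via zlogin -C.

```shell
#!/bin/sh
# Added example, not from the original post: the zone build described above,
# driven from the Global zone as a script rather than an interactive zonecfg
# session. Values are the post's (tank/zones/web, bge0, 192.168.1.109) and
# are assumptions; nothing touches the system until you pass --run or --dns.

ZONE=webzone
DATASET=tank/zones/web
ZONEPATH=/tank/zones/web
NIC=bge0
ADDR=192.168.1.109
# zonecfg command file equivalent to the interactive session in the post,
# with 'verify' and 'commit' added so a bad zonepath is rejected up front.
zonecfg_commands() {
    printf '%s\n' "create" "set zonepath=$ZONEPATH" "add net" \
        "set physical=$NIC" "set address=$ADDR" "end" "verify" "commit" "exit"
}
# Read 'zoneadm list -cv' output on stdin and print the STATUS of one zone.
# Columns: ID NAME STATUS PATH BRAND IP (ID is '-' until the zone is booted).
zone_status() {
    awk -v z="$1" '$2 == z { print $3 }'
}
# Constructed sample of 'zoneadm list -cv' after zonecfg but before install,
# used to exercise zone_status without a Solaris box.
SAMPLE_LIST='  ID NAME     STATUS     PATH              BRAND  IP
   0 global   running    /                 ipkg   shared
   - webzone  configured /tank/zones/web   ipkg   shared'

# Dataset, configuration, install and first boot (the console still needs
# 'zlogin -C' in a second terminal, as in the post).
setup_zone() {
    zfs create -p "$DATASET"
    chmod 700 "$ZONEPATH"   # zoneadm rejects a group- or world-readable zonepath
    zonecfg_commands > "/tmp/$ZONE.cfg" && zonecfg -z "$ZONE" -f "/tmp/$ZONE.cfg"
    [ "$(zoneadm list -cv | zone_status "$ZONE")" = "configured" ] || return 1
    zoneadm -z "$ZONE" install && zoneadm -z "$ZONE" boot
}

# DNS fix from the post, applied through the zone's root from the Global
# zone after the first-boot configuration has finished.
zone_dns() {
    cp /etc/resolv.conf "$ZONEPATH/root/etc/" &&
    cp "$ZONEPATH/root/etc/nsswitch.dns" "$ZONEPATH/root/etc/nsswitch.conf"
}

case "${1:-}" in
    --run) setup_zone ;;
    --dns) zone_dns ;;
esac
```

Run it as root in the Global zone with --run, complete the console configuration in the zlogin -C session, then run it again with --dns.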

If you have any issues, feel free to ask here, or ask in IRC or on the web. Zones, for me at least, provide a more secure method of serving files to myself as well as safely serving files to the outside.
