News for nerds, stuff that matters

Zones are in Solaris Express (Solaris 10)

Posted by CmdrTaco on Tue Mar 02, 2004 08:54 AM
from the i-want-my-processes-in-the-danger-zone dept.
snoofy writes "Zones, as people from Sun Microsystems have talked about for some time, are now available in Solaris Express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network. Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • Hmmm.... (Score:1, Interesting)

    by Anonymous Coward on Tuesday March 02 2004, @08:55AM (#8439678)
    Where have I seen this before... Oh that's right, the features Compaq/HP have been shipping with their Tru64 Alpha Servers for _years_. Good job Sun. http://h18002.www1.hp.com/alphaserver/nextgen/partitions.wmv [hp.com]. Anyone who buys Sparc over Alpha is an idiot. Hell, you can even do this on Linux with UML.. Sun is playing catchup with just about everyone, but somehow manages to push enough spin on it to make every dumbass journo announce it as an amazing technical innovation. http://user-mode-linux.sourceforge.net/ [sourceforge.net]. Sorry people, but Sun are pushing 20th century technology with some marketing spin to make it sound up to date.
    • Re:Hmmm.... (Score:5, Insightful)

      by GiMP (10923) on Tuesday March 02 2004, @08:57AM (#8439693)
      (http://eric.windisch.us/)
      That may be so but instead of buying an Alpha, you can run Solaris on x86 hardware. You're also right about UML, but that is probably not as easily configured and certainly not shipped in a ready-made form with a distribution, compared to Sun's solution. Of course, for all the people already committed to Sun, this is a great thing.
      [ Parent ]
      • Re:Hmmm.... by sigxcpu (Score:2) Tuesday March 02 2004, @09:27AM
      • Re:Hmmm.... by Anonymous Coward (Score:2) Tuesday March 02 2004, @11:56AM
    • don't forget... (Score:5, Informative)

      by qortra (591818) on Tuesday March 02 2004, @09:01AM (#8439727)
      (http://simeonband.org/)
      Don't forget Xen [cam.ac.uk], VMWare, and Bochs [sourceforge.net] (not as fast, but still cool).

      There are already a ton of viable OS virtualizers out there. This news is seriously a real yawner.
      [ Parent ]
    • Re:Hmmm.... by haggar (Score:2) Tuesday March 02 2004, @09:03AM
      • Re:Hmmm.... by GiMP (Score:3) Tuesday March 02 2004, @09:23AM
      • Re:Hmmm.... by haggar (Score:2) Tuesday March 02 2004, @10:08AM
    • Re:Hmmm.... (Score:4, Insightful)

      You have pointed out a critical thing. Marketing. For many years Sun has been successful in the market because it is a reliable brand and quite good (at least in Chile, of course). It's like being "Mercedes" or something like that. They have a name and a reputation that helps them a lot. If Windows came with a better command line (like xterm) it would be news too!!, and they of course would make sure it's news for everyone.

      If we want to make OS software more successful in the market, we have to come up with marketing schemes for it, they can be as important as good coding.
      [ Parent ]
    • Not Quite ! (Score:5, Informative)

      by Anonymous Coward on Tuesday March 02 2004, @09:14AM (#8439833)
      >Where have I seen this before... Oh that's right,
      >the features Compaq/Hp have been shipping with
      > their Tru64 Alpha Servers for _years_.

      First I watched this movie, your comparison is unfair; HP/Compaq/DEC partitions are more like Sun domains, i.e. implemented in hardware. Domains have been around since say 1996 when E10K was introduced.

      > Sorry people, but sun are pushing 20th century
      > technology with some marketing spin to make it
      > sound up to date.

      While Solaris zones are similar to UML or other virtual OS instance technologies there are some innovative features which would be really useful say on multiprocessor Opteron that you want to consolidate some applications on:

      1) Support: I can expect to run Oracle/websphere, etc in this zone without having to say oh and this is UML (which I have seen many times on mailing lists) (I mean applications support the fact that an OS vendor is behind this is good news as well)

      2) Integration with Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modifications to ps/prstat (Solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?

      3) Interface bindings - can bind zone to specific NIC.

      4) Greenline - init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.

      5) Dtrace - the greatest thing ever, dynamic tracing of the kernel. Fully integrated with Solaris Zones.

      [ Parent ]
    • Re:Hmmm.... (Score:5, Informative)

      by SirTwitchALot (576315) on Tuesday March 02 2004, @09:14AM (#8439836)
      (http://keithkris.com/ | Last Journal: Wednesday November 26 2003, @11:47AM)
      Well considering that Alpha is a discontinued platform [nwfusion.com] I doubt anyone would be smart to buy one. Furthermore, if this technology is the next evolution of containers (which I think it is) it's nothing like what you speak of. You don't need to maintain a separate OS image for each zone, making administration easy. The only problem I've had with containers is isolation, which I hear has improved with zones. Physical partitioning (domains) has been in the Sun product line since the 10k. Try understanding the technology before you comment about it... or more likely, IHBT
      [ Parent ]
    • Re:Hmmm.... by Anonymous Coward (Score:1) Tuesday March 02 2004, @09:21AM
      • Re:Hmmm.... by christophersaul (Score:3) Tuesday March 02 2004, @10:55AM
    • Re:Hmmm.... by Mikkeles (Score:2) Tuesday March 02 2004, @09:29AM
    • Re:Hmmm.... (Score:4, Informative)

      by raider_red (156642) on Tuesday March 02 2004, @09:47AM (#8440121)
      (Last Journal: Tuesday December 13 2005, @02:25PM)
      It actually sounds just like a feature that Sun already has on their servers. The Sunfires and Enterprise models can be split into multiple domains, each of which is configured to look like a different machine on the network.
      [ Parent ]
    • Re:Hmmm.... (Score:5, Informative)

      by sapbasisnerd (729448) on Tuesday March 02 2004, @10:05AM (#8440271)
      Not the same thing. In point of fact Sun has had roughly equivalent hard partitions through domains for years as well, before HP.

      This is quite similar to vPars in HP/UX (forgive me but I stopped paying attention to HP's ugly stepchildren Alpha & Tru64 a long time ago, it's too bad 'cause it was a great chip but it's moribund, you would be wise to do the same pretty soon).

      Hard partitions, like Sun Domains, HP's nPARs and IBM's LPARs slice up a physical machine and run an OS image on each slice. As far as I can tell here there is still just one OS image but applications running in these Zones can be isolated from each other. A malicious root user in the global zone is still able to make mischief in the zones if they want to.

      The nice thing here unlike on HP is that you can slice up a uniprocessor machine if you have many tiny workloads that need to be isolated. IBM will too be able to do this soon with the next crank of their LPAR technology but a better implementation with no issues with a global root user.

      [ Parent ]
    • Re:Hmmm.... by shokk (Score:3) Tuesday March 02 2004, @11:02AM
    • Re:Hmmm.... by todhsals (Score:1) Tuesday March 02 2004, @09:30PM
  • Can this be used for honeypots? (Score:5, Interesting)

    by El Volio (40489) on Tuesday March 02 2004, @08:55AM (#8439679)
    (http://kylem.xwell.org/)
    It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.
    • Re:Can this be used for honeypots? (Score:5, Insightful)

      by Anonymous Coward on Tuesday March 02 2004, @09:51AM (#8440158)
      If I am understanding the technology correctly, then I don't think you would want to run a honeypot/net in this configuration. The processes are isolated, but the kernel/core components are not.

      Most compromises break/modify some kernel/core components to achieve the compromise. If a honeypot/net were run using this configuration then, it seems, that once the honeypot/net were compromised, then the WHOLE system (read: the part you wanted to keep safe) would be compromised.

      Technology, like VMWare, uses a completely virtualized OS from a separate installation and running instance of its kernel/core files. A compromise on a VMWare honeypot is much easier to recover from using the Snapshot/Revert features.

      Then again, I may not completely understand the technology.
      [ Parent ]
      • Re:Can this be used for honeypots? (Score:5, Informative)

        by Rik van Riel (4968) on Tuesday March 02 2004, @10:26AM (#8440529)
        (http://virt.kernelnewbies.org/)
        The corresponding technology in Linux is called "vservers". It has been around for a number of years now, as an external kernel patch.

        You can find more info about it on linux-vserver.org [linux-vserver.org].
        [ Parent ]
      • Re:Can this be used for honeypots? (Score:4, Informative)

        by Dillusionary (675442) on Tuesday March 02 2004, @11:05AM (#8440948)
        This is based on Trusted Solaris as the underlining of the virtual system, but it doesn't share kernel/core as far as the Sun engineer explained it. So in the future you can have different versions of Solaris that support this technology running on the same machine. Everything is separated, FS, Kernel, Core, etc.. AFAIK :)
        [ Parent ]
        • Re:Can this be used for honeypots? (Score:4, Informative)

          by Darren.Moffat (24713) on Tuesday March 02 2004, @12:15PM (#8441805)
          Sorry but that is wrong. Both in Trusted Solaris and in Zones there is a single Solaris kernel that is responsible for the isolation. This is separate userlands with their own nameservice, their own filesystems and their own root account.

          Zones can't load kernel modules (except indirectly as protocol modules (eg telmod, rlmod)), Zones can't (by default) access any raw devices and can't add new network interfaces by themselves.
          [ Parent ]
      • It is more like FreeBSD jails I think (but then, I may not completely understand these technologies as well :))

        Almost everything written under "Features:" can be also said about jails: Security, Isolation, Virtualization, Granularity, Transparency. For instance, you can put one single binary in a jail (if it works) or you can put there an entire system. Or, if you want to run a service in a jail (isolation, security), you can build the entire system with make buildworld targeting a jail, and you can optimize that system for running a single service, by stripping out most parts in make.conf:
        NO_SENDMAIL=true
        NO_OPENSSH=true
        NO_OPENSSL=true
        NO_KERBEROS=true
        WITH_LIBMAP=yes
        NO_VINUM=true
        NO_WHATEVER=true
        # and leave bind there if you want to run only DNS in jail
        Jailed processes/systems are so isolated, that even if you root one jailed system, you won't have access to the others/host system (unless admin was stupid enough to have the same passwords). Jails have their own ip addresses and firewall rules as well. I guess (if I read this correctly) we can say there is nothing new under the Sun :))
        [ Parent ]
        • Re:Can this be used for honeypots? by molnarcs (Score:3) Tuesday March 02 2004, @11:23AM
        • Re:Can this be used for honeypots? (Score:4, Informative)

          by Brandon Hume (73471) on Tuesday March 02 2004, @11:59AM (#8441640)
          (http://www.bofh.halifax.ns.ca/)
          This feature has been compared to BSD jails, and it's logical to say that it grew from that feature, but the functionality isn't exactly the same.

          A Solaris zone can be rebooted independent of the other zones on the machine; it can have resources added or removed from the zone (CPUs, for example) dynamically, etc.

          I'm still installing my copy of SolExp, so I haven't played with the feature just yet. But it looks to be located somewhere between FreeBSD jails and a completely emulated machine like VMWare.
          [ Parent ]
      • Re:Can this be used for honeypots? by viktor (Score:2) Tuesday March 02 2004, @02:01PM
  • Look up Argante (Score:5, Interesting)

    by SharpFang (651121) on Tuesday March 02 2004, @08:59AM (#8439705)
    (http://sharpy.xox.pl/ | Last Journal: Wednesday September 14 2005, @02:12PM)
    That was a project of a cross-platform "virtual OS" to be run "on top of" other OSes (loaded like a normal process) designed with security in mind - building exploits in it was meant to be impossible. I'm not sure about progress, but launching 10 Argante processes on, say, plain Linux running nothing but "bare bones" was meant to be equal to creating 10 computers, each running Argante OS, to create, say, 10 super-secure servers.
  • Question (Score:3, Interesting)

    by mikeophile (647318) on Tuesday March 02 2004, @08:59AM (#8439707)
    Is this similar to running multiple instances of VMWare [vmware.com] or Bochs [sourceforge.net]?
  • Only if it works... (Score:5, Interesting)

    by RunAmuk (686898) on Tuesday March 02 2004, @09:00AM (#8439714)
    This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installation finished, I couldn't even make it recognize the integrated network card.

    I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.
    • FUD by Anonymous Coward (Score:2) Tuesday March 02 2004, @09:16AM
      • Re:FUD by RunAmuk (Score:2) Tuesday March 02 2004, @10:08AM
        • Re:FUD (Score:4, Informative)

          by christophersaul (127003) on Tuesday March 02 2004, @10:35AM (#8440641)
          My colleagues had no problems on an x86 laptop or Ultra 10. Don't bother with the installer, just boot off CD1, if it's anything like Solaris 9/9. The installer is just a pretty front end that ends up adding ages onto the install.
          [ Parent ]
          • Re:FUD by Mr. Piddle (Score:2) Tuesday March 02 2004, @12:34PM
            • Re:FUD (OT) by ozbird (Score:2) Tuesday March 02 2004, @02:31PM
              • Re:FUD (OT) by Mr. Piddle (Score:1) Tuesday March 02 2004, @03:20PM
        • Re:FUD by RunAmuk (Score:1) Tuesday March 02 2004, @11:15AM
    • Re:Only if it works... by Build6 (Score:2) Tuesday March 02 2004, @11:21AM
  • Just like Xen, in other words? (Score:4, Informative)

    by vinsci (537958) on Tuesday March 02 2004, @09:00AM (#8439719)
    This sounds like Xen [cam.ac.uk] for Linux...
  • Jails vs. Zones (Score:2, Informative)

    by Vexler (127353) on Tuesday March 02 2004, @09:01AM (#8439732)
    (Last Journal: Thursday December 11 2003, @11:03AM)
    From what I read in the newsgroup article, this sounds awfully like the "jail" feature in BSD. You can effectively set up entirely different machines using jails. You can reboot, configure, and manage individual jails just like zones.

    Can anyone more knowledgeable comment on whether they use similar kinds of calls to set up a zone as opposed to a jail?
    • Re:Jails vs. Zones (Score:5, Informative)

      by sysadmn (29788) <sysadmn&gmail,com> on Tuesday March 02 2004, @09:19AM (#8439877)
      Zones differ from jails in that you can limit the amount of resources a zone can consume. Even in jail you can launch a denial of service with a fork() bomb or busy loop, or even netcat. With zones, you can limit the amount of cpu cycles, network io, and (perhaps? don't have docs nearby) disk and serial io. Plus zones get their "own" virtual os, so you can reboot them.
      [ Parent ]
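
An added example, not part of any comment in this thread and not Sun's code: a check an administrator could run from the global zone over `zonecfg -z <zone> export` output, covering two points raised in the comments above, namely that zones get no raw devices unless one is delegated and that resource controls are what bound a fork() bomb inside a zone. The zone names, addresses and device path are constructed; `zone.max-lwps` and `zone.cpu-shares` are the Solaris 10 zone-wide resource controls.

```shell
#!/bin/sh
# Audit a zone configuration as printed by `zonecfg -z <zone> export`.
# Findings, one per line:
#   DEVICE <match>   a device node is delegated into the zone
#   NO_LWP_CAP       no zone.max-lwps rctl, so nothing bounds a fork() bomb
#   NO_CPU_SHARES    no zone.cpu-shares rctl, so no CPU share is assigned

audit_zone_export() {
    awk '
        # Track which top-level resource block we are in. The nested
        # "add value (...)" line inside an rctl block must not reset it.
        res == "" && /^add / { res = $2; next }
        $0 == "end"          { res = "";  next }

        res == "device" && /^set match=/ {
            sub(/^set match=/, "")
            print "DEVICE " $0
        }
        res == "rctl" && /^set name=/ {
            sub(/^set name=/, "")
            seen[$0] = 1
        }
        END {
            if (!("zone.max-lwps" in seen))   print "NO_LWP_CAP"
            if (!("zone.cpu-shares" in seen)) print "NO_CPU_SHARES"
        }
    '
}

# Constructed sample: a raw disk slice is delegated and there is no LWP cap.
sample_loose() {
    cat <<'EOF'
create -b
set zonepath=/zones/web1
set autoboot=true
add net
set address=192.0.2.10
set physical=hme0
end
add device
set match=/dev/rdsk/c0t0d0s6
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end
EOF
}

# Constructed sample: no delegated devices, both resource controls present.
sample_tight() {
    cat <<'EOF'
create -b
set zonepath=/zones/web2
set autoboot=true
add net
set address=192.0.2.11
set physical=hme0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=20,action=none)
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=500,action=deny)
end
EOF
}

# Demo on the constructed input. On a Solaris global zone the real input
# would be:  zonecfg -z web1 export | audit_zone_export
sample_loose | audit_zone_export
```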
      • Re:Jails vs. Zones by mr_majestyk (Score:2) Tuesday March 02 2004, @09:46AM
        • Re:Jails vs. Zones (Score:5, Informative)

          by chilled (542681) on Tuesday March 02 2004, @10:11AM (#8440341)
          Very sure.
          The zones routines just re-read the zone config and re-initialise it. From the outside it can appear as an OS, but from another perspective (and this is gross oversimplification but works for this point) it's just like loading an instance of an application.
          [ Parent ]
      • Re:Jails vs. Zones by KingOfBLASH (Score:2) Tuesday March 02 2004, @11:30AM
      • Re:Jails vs. Zones by arturs (Score:1) Tuesday March 02 2004, @12:53PM
    • Re:Jails vs. Zones by paxvel (Score:2) Tuesday March 02 2004, @10:17AM
    • Re:Jails vs. Zones by dohcvtec (Score:3) Tuesday March 02 2004, @01:05PM
  • What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.
    • Re:But... does "rebooting" a zone fix issues? by gilrain (Score:3) Tuesday March 02 2004, @09:35AM
    • by nemaispuke (624303) on Tuesday March 02 2004, @09:48AM (#8440124)

      Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).

      The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and were basically told "we will not be the first in doing anything!"

      [ Parent ]
    • Re:But... does "rebooting" a zone fix issues? by Spoing (Score:2) Tuesday March 02 2004, @01:50PM
  • The neatest benefit (Score:5, Funny)

    by ArmenTanzarian (210418) on Tuesday March 02 2004, @09:09AM (#8439795)
    (http://theblathering.com/ | Last Journal: Friday October 24 2003, @03:19PM)
    Network security will now be called "Zone Defense."
    What does that make man-to-man? P2P?
  • Solaris Express (Score:5, Informative)

    by njcoder (657816) on Tuesday March 02 2004, @09:14AM (#8439834)
    "available in solaris express (the pre-release of Solaris 10). "

    Solaris Express is a program that they are using to give people early access to Sun software. Solaris 10 is not Solaris Express.

  • linux-vserver/BSD jail (Score:5, Informative)

    by iserlohn (49556) on Tuesday March 02 2004, @09:16AM (#8439845)
    (http://www.diginode.net/)
    Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ [linux-vserver.org] or BSD jail feature provided. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that each context acts like a separate server, but in fact they are all running on the same kernel.

    Linux-vserver is a great project. We have been running different services under different "virtual" servers for a while and its performance is stellar.
  • by Anonymous Coward on Tuesday March 02 2004, @09:19AM (#8439875)
    What sysadmin with any brains runs NIS in this day and age? That's so 1995. I mean come on, you might as well post your passwords on the wall for all to see.

    NIS+ or LDAP, folks....
  • bah (Score:4, Funny)

    by tuffy (10202) on Tuesday March 02 2004, @09:20AM (#8439882)
    (http://slashdot.org/)
    It's clearly just a shameless ploy to gain market share.

    :)

    • Re:bah by MissP (Score:1) Tuesday March 02 2004, @09:25AM
    • Re:bah by smitty45 (Score:2) Tuesday March 02 2004, @09:28AM
  • Sun says this isn't like a VM thing (Score:5, Informative)

    by dukerobillard (582741) on Tuesday March 02 2004, @09:23AM (#8439899)
    I've been prowling around Sun's site on this, and apparently it isn't like the old IBM 360 VM thing (or VMWare, or any of the many other Virtual Machine stuff people have mentioned). Zones aren't a VM that you run different kernels in, they're "application containers" running under a given kernel.

    It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.

    Here's [sun.com] a post about it.

    Here's [sun.com] Sun's page on it

  • Jacques Gelinas' VServer (Score:5, Informative)

    by Gollum (35049) on Tuesday March 02 2004, @09:29AM (#8439958)
    This looks just like the Virtual Server project [linux-vserver.org] that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.

    Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals.
  • BSD Jails (Score:1, Informative)

    by maitas (98290) on Tuesday March 02 2004, @09:50AM (#8440143)
    (http://maitas.blogspot.com/)
    Actually this is Sun's implementation of BSD jails with their "Resource Manager" software for resource allocation.
  • by adam872 (652411) on Tuesday March 02 2004, @09:52AM (#8440173)
    Sun has had the ability to do multiple system images on the same box for a while, but they've always been hardware partitioning only. The 4800/6800/12k/15k allowed you to run different domains on the same system, so long as you had the right combo of CPU and I/O boards. This was great if you had one of those systems, but not so hot if you had a workgroup level system (e.g. E450 or V880). I'm glad to see they've put software partitioning in the O/S so I can take a mid range system and chop it up into separate pieces. AIX and HP-UX have been able to do the software side thing for a while (but not the dedicated hardware piece, I believe).

    This will help with consolidation and utilisation on existing machines, I think.
  • Details (Score:1, Redundant)

    by Anonymous Coward on Tuesday March 02 2004, @09:54AM (#8440191)
    Disclaimer: I am not the author of the following post, I took it from here [slashdot.org].

    I believe this is not too far from what you can achieve with user mode linux. We've been using similar technology in unix classes at school using uml.

    There are however few differences:

    1.) Solaris accesses host filesystem, while in user mode linux, you have to provide file or block device with disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, but I don't know how usable is this. You could of course overcome this by doing Root FS on NFS and dhcp and letting the guest os mount host's partition via NFS. This would probably have quite significant performance overhead though :(. Filesystem in filesystem is not very optimal too.

    2.) It is not that easy to set up. This could be done with few scripts. I would love Debian and possibly other distros to have scripts, which would instantly create the zone's filesystem. Preferably, it would allow for some sharing (f.e. creating hard links to original data and kernel would unlink, copy transparently if slave wants to write -- some equivalent of copy on write seen in memory management).

    3.) The networking is not so easy to set up. Could be also part of the script.

    4.) Linux does not have so well done resource allocation as Solaris. So the guest kernel should be able to limit itself (f.e. not to use more than 30% of cpu time). Is it possible to do some precise resource allocation under Linux (maybe using some patch to kernel, or something like that?)

    • Re:Details by sciuro (Score:1) Wednesday March 03 2004, @10:10AM
  • Questions (Score:2, Interesting)

    Is a zone just a stripped-down virtual machine? This doesn't seem to be answered too well, but that's what it looks like.

    VMs are bad, if only because the I/O performance takes an obvious hit. Any attacker worth his/her salt would be able to tell that they're logged into a VM with a little experimentation...so this thing's use as an effective honeypot is pretty much (against a smart attacker).
  • by SoupIsGood Food (1179) on Tuesday March 02 2004, @10:50AM (#8440803)
    (Last Journal: Tuesday October 16, @02:57AM)
    I've got a fairly standard Sun Ultra2 Creator3D workstation. Solaris 9 was a complete horror show... I've got many years experience noodling around with Solaris, from its old SunOS 4 days as "Solaris 1" right up to Solaris 7 (2.7, for those on the inside.) I know what the hell I'm doing, but I was completely baffled and defeated by Solaris 9. Nothing worked, from the installer to the administration utilities (command line and GUI) to the SunScreen firewall software. I spent a week trying to get this basic web server/NAT firewall up and running. Its lack of attention to basic detail is inexcusable, and goes a long way toward explaining why Sun has lost so much market share in the past two years. IBM's a PITA to work with, but it's well documented and works out of the box with only a bit of tinkering.

    For grins, I popped out the extra processor, and loaded, configured and deployed OpenBSD in all of three hours, NAT and Apache and DJBDNS and all.

    I tried an earlier build of Solaris 10, and it didn't go at all well. I'll try this one (which purportedly has a Sun-commissioned version of IPfilter), and if I can't get it to do what I want in an afternoon, I'll slap SuSe on it instead. Or Gentoo... Gentoo might be fun, even if it does take forever to compile.

    SoupIsGood Food
  • by superpulpsicle (533373) on Tuesday March 02 2004, @11:00AM (#8440895)
    I am sorry but isn't this more or less the same as CPU partitioning like the Xeon hyperthreading?

    Sun needs to lower the prices of Sparc systems so that a 400MHz Sparc doesn't cost $1000 in the year 2004. If it wasn't for eBay, Sun would have disappeared in more places than just datacenters.
  • by PetoskeyGuy (648788) on Tuesday March 02 2004, @11:25AM (#8441194)
    I've read about chroot, and even set one up a while ago, but more or less just using the howto. Are Solaris Zones similar to the chroot setup in Linux?
  • Whoo hoo. (Score:2)

    by Moderation abuser (184013) on Tuesday March 02 2004, @11:47AM (#8441494)
    Only 30 years to catch up with IBM. Have they even caught up? Sorry if I don't get over excited about this.

  • Zones kind of sound like IBM's VM (Virtual Machine) OS, except that with VM, you could run a different operating system in each "zone".
  • Solaris is for real users (Score:5, Insightful)

    by mveloso (325617) on Tuesday March 02 2004, @02:03PM (#8443098)
    After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.

    Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.

    In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).

    Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?

    With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.

    Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.

    I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.

    Just another step on the road to virtualization...
  • Sun Discovers LPARs... (Score:4, Funny)

    by frank_adrian314159 (469671) on Tuesday March 02 2004, @02:32PM (#8443588)
    (http://www.ancar.org/)
    IBM said to be reeling after this 30-year late counterpunch. News at eleven.
  • by kreazy (758391) on Tuesday March 02 2004, @04:23PM (#8444983)
    Why is this considered a big deal? With the presence of such technologies as VMWare, Bochs, UML and especially Virtuozzo/Linux I'm really not understanding such a hype about Zones.
  • What are the differences between the 3?

    I am curious if I could write some assembly level programs in a virtual state or isolated area that will be bullet proof. As you all know you can screw up and freeze your system if you make a mistake in assembly.

    I would love a way to write assembly level programs for computer science virtualized so if it freezes it won't take down the whole system.

    I multitask a lot and use FreeBSD which unfortunately does not have a journaling filesystem.

    User mode Linux seems promising and I was wondering if Solaris Zones or BSD jails had this type of functionality? They seem great for security but if there were VMware like would be a plus for development work as well.

  • Sun is still toast (Score:1, Funny)

    by Anonymous Coward on Tuesday March 02 2004, @06:32PM (#8446224)
    This new feature ought to be called a "twilight zone".
  • Virtual routers anyone? (Score:2, Interesting)

    by sd3 (756787) on Tuesday March 02 2004, @07:12PM (#8446670)

    It would be interesting to virtualize the machine down to the IP level. You could run separate instances of routed (or whatever) in each virtualized machine's space, then have a router cloud-in-a-box. Now you can play games like changing the data or error rate on certain links, bring routers up or down, etc.

    Yes, I know you could use NISTnet [slashdot.org] but this would allow you to do other things. Besides, with a virtualized machine you get (?) more assurance that things are correct down to the Nth level.

    I tried running four instances of UML on a 2400XP+ machine and it's usable, though not necessarily for 100Mb/s traffic. Doesn't give you much in the way of network depth though. Tried four instances of VMware+NetBSD on a P-III/500 and it's painful. Am currently struggling with Xen now, but I'm ready to try a userland VM instead.

  • by jedi63 (735530) on Wednesday March 03 2004, @12:42PM (#8453417)
    Not only can zones allow you to consolidate the dev, test, training, and staging environments that usually needed to be on several boxes, but now you can have additional uptime with your s/w application on the production server. If the app crashes or locks up, another zone can take over. It's not HA because you are still relying on a single box, but it is a way to provide more uptime for an app. BTW, don't consolidate production with those other non-production functions. It really is never a good practice to place too many variables and potentials for OE onto the production server.
  • linux zones (Score:1)

    by cogagni (758942) on Thursday March 04 2004, @02:01AM (#8460834)
    SW soft has a commercial product that creates zones for Linux. They are called virtual environments - VEs - and they all share the same kernel - check it out: http://www.sw-soft.com/. It is lightweight.
  • by oglueck (235089) on Tuesday March 02 2004, @09:01AM (#8439725)
    (http://www.odi.ch/)
    UML here means User Mode Linux.
    You are referring to UML as Unified Modelling Language.
    [ Parent ]
  • Re:in comparison? (Score:3, Insightful)

    by peterpi (585134) on Tuesday March 02 2004, @09:24AM (#8439911)
    Quite possibly nothing technically, but when a company with the sort of customers Sun has says it will support something, they have to be damn sure it'll work.

    If your LinBSD chroot experiment screws up, you can get told to RTFM by the resident "expert" on your favourite mailing list. If your Sun box goes tits up, Mr. Sun engineer comes round and fixes it for you before you've finished typing the mail.

    I'm not saying one method is better than the other for all people, but when you're betting a zillion pounds an hour on it working, it's nice to have backup :)

    [ Parent ]
    • Re:in comparison? (Score:4, Informative)

      by smitty45 (657682) on Tuesday March 02 2004, @09:41AM (#8440057)
      "fixes it for you before you've finished typing the mail."

      no need to exaggerate here.

      the differences between jails and zones should be quite clear, but I can see how someone not having a Sun engineer on the clock to explain it to them might not get it.

      zones should be used for a completely different purpose than jails. chrooted 'jails' are for restricting the runtime and filesystem environments for a particular process. in most cases, chrooted jails have nothing but the bare minimum libs and binaries, but it spawned from the original kernel which the parent machine runs.

      zones are more like vmware in the way that it is a self-contained runtime environment that has its own protected memory space and kernel...these can then be restricted and allowed for full destruction, since the parent OS is not influenced in the same way as a chrooted jail.

      in my opinion, Sun's support has never been worse or better than SGI's, HP's or DEC's...and that is still true today. the guy asked a question about the differences between jails and zones, not which is better from a support standpoint. it's a digression, and somewhat of a trolling one at that.
      [ Parent ]
  • by raider_red (156642) on Tuesday March 02 2004, @09:49AM (#8440141)
    (Last Journal: Tuesday December 13 2005, @02:25PM)
    I guess the smartass answer is to say that Unified Modeling Language is a honeypot for trapping managers.
    [ Parent ]
  • by wukie (684014) on Tuesday March 02 2004, @10:46AM (#8440750)
    So how is that relevant to existing Solaris users?

    The point is "It's available to Solaris users"!

    It doesn't matter whether VMWare, User-Mode Linux, SGI, HP, Digital or whoever came up with this. The point is it's available in SOLARIS NOW! (well soon)
    [ Parent ]
  • Re:um, freebsd jails (Score:1, Offtopic)

    by wukie (684014) on Tuesday March 02 2004, @10:50AM (#8440797)
    Yes, FreeBSD forever, till the boss says, the budget is half a million for the next year, then it's "Good morning Sunshine!"
    [ Parent ]
  • Re:So... (Score:2)

    by fr0dicus (641320) on Tuesday March 02 2004, @11:14AM (#8441032)
    (Last Journal: Wednesday November 17 2004, @05:03PM)
    It's an interesting tool for any company looking at easy consolidation without the prohibitive costs of hardware partitioning.
    [ Parent ]