Branded zones are available beginning with the Solaris 10 8/07 release. Features added in later update releases are identified by release.
The branded zones facility in the Solaris Operating System is a simple extension of Solaris Zones. This chapter discusses the branded zones concept and the lx brand, which implements Linux branded zones functionality. Linux branded zones are also known as Solaris Containers for Linux Applications.
Although you can configure and install branded zones on a Trusted Solaris system that has labels enabled, you cannot boot branded zones on this system configuration.
Additional brands are supported on the Solaris Operating System.
The following two brands are supported on SPARC machines running the Solaris 10 8/07 Operating System or later Solaris 10 release:
- The solaris8 brand, Solaris 8 Containers, documented in System Administration Guide: Oracle Solaris 8 Containers
- The solaris9 brand, Solaris 9 Containers, documented in System Administration Guide: Oracle Solaris 9 Containers
The cluster brand, documented in the Sun Cluster 3.2 1/09 Software Collection for Solaris OS on docs.sun.com, is also supported on the Solaris 10 release.
See Chapter 16, Introduction to Solaris Zones for general information on the use of zones on a Solaris system.
You should be familiar with the following zones and resource management concepts:
- The global zone and the non-global zone, described in How Zones Work.
- The global administrator and the zone administrator, described in How Non-Global Zones Are Administered and How Non-Global Zones Are Created.
- The zone state model, discussed in Non-Global Zone State Model.
- The zone isolation characteristics covered in Non-Global Zone Characteristics.
- Privileges, described in Privileges in a Non-Global Zone.
- Networking, described in Networking in Shared-IP Non-Global Zones.
- The Solaris Container concept, which is the use of resource management features, such as resource pools, with zones. The use and interaction of zones and resource management features are described in Using Resource Management Features With Non-Global Zones, Setting Zone-Wide Resource Controls, Chapter 27, Solaris Zones Administration (Overview), and the individual chapters in Part 1, Resource Management of this manual that document each resource management feature. For example, resource pools are covered in Chapter 12, Resource Pools (Overview) and Chapter 13, Creating and Administering Resource Pools (Tasks).
- The fair share scheduler (FSS), a scheduling class that enables you to allocate CPU time based on shares, is covered in Chapter 8, Fair Share Scheduler (Overview) and Chapter 9, Administering the Fair Share Scheduler (Tasks).
- The resource capping daemon (rcapd), which can be used from the global zone to control resident set size (RSS) usage of branded zones. The property of the zonecfg capped-memory resource sets the max-rss for a zone. This value is enforced by rcapd running in the global zone. For more information, see Chapter 10, Physical Memory Control Using the Resource Capping Daemon (Overview), Chapter 11, Administering the Resource Capping Daemon (Tasks) and the rcapd(1M) man page.
The Glossary provides definitions for terms used with zones and resource management features.
Any additional information required to use branded zones on your system is provided in this part of the guide.
The following chapters in this guide are not applicable to branded zones:
The branded zone (BrandZ) framework extends the Solaris Zones infrastructure, documented in this manual in Part II, Zones, to include the creation of brands. The term brand can refer to a wide range of operating environments. BrandZ enables the creation of non-global zones that contain non-native operating environments used for running applications. The brand type is used to determine the scripts that are executed when a zone is installed and booted. In addition, a zone's brand is used to properly identify the correct application type at application launch time. All brand management is performed through extensions to the current zones structure.
A brand can provide a simple or a complex environment. For example, a simple environment could replace the standard Solaris utilities with their GNU equivalents. A complex environment could provide a complete Linux user space which supports the execution of Linux applications.
Every zone is configured with an associated brand. The default is the native brand, Solaris. A branded zone will support exactly one brand of non-native binary, which means that a branded zone provides a single operating environment.
BrandZ extends the zones tools in the following ways:
- The zonecfg command is used to set a zone's brand type when the zone is configured.
- The zoneadm command is used to report a zone's brand type as well as administer the zone.
You can change the brand of a zone in the configured state. Once a branded zone has been installed, that brand cannot be changed or removed.
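The two points above, that zoneadm reports each zone's brand and that a brand is fixed once the zone is installed, can be checked together from the global zone. The following is an added example, not part of the original guide: it parses the colon-delimited output of zoneadm list -cp (fields zoneid:zonename:state:zonepath:uuid:brand:ip-type). The zone names, paths and UUIDs in the sample are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the guide): report each zone's brand from
# `zoneadm list -cp` output, whose colon-delimited fields are
#   zoneid:zonename:state:zonepath:uuid:brand:ip-type

# Constructed sample output; names, paths and UUIDs are made up.
sample_zones() {
cat <<'EOF'
0:global:running:/::native:shared
3:lx-web:running:/export/zones/lx-web:11111111-aaaa-bbbb-cccc-000000000001:lx:shared
-:lx-test:configured:/export/zones/lx-test::lx:shared
-:db1:installed:/export/zones/db1:11111111-aaaa-bbbb-cccc-000000000002:native:shared
EOF
}

# brand_report (hypothetical helper): for every non-global zone print
#   zonename brand state brand-changeable
# The brand can be changed only while the zone is still in the
# configured state; once the zone is installed it is fixed.
brand_report() {
    awk -F: '
        NF < 7 || $2 == "global" { next }   # skip short lines and the global zone
        {
            changeable = ($3 == "configured") ? "yes" : "no"
            printf "%s %s %s %s\n", $2, $6, $3, changeable
        }'
}

# lx_zones (hypothetical helper): names of zones whose brand is lx.
lx_zones() {
    brand_report | awk '$2 == "lx" { print $1 }'
}

# Offline demonstration on the sample; on a live system run, from the
# global zone:  zoneadm list -cp | brand_report
sample_zones | brand_report
```

The parser assumes zone paths contain no colons.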
Branded zones provide a set of interposition points in the kernel that are only applied to processes executing in a branded zone.
These points are found in such paths as the syscall path, the process loading path, and the thread creation path.
At each of these points, a brand can choose to supplement or replace the standard Solaris behavior.
A brand can also provide a plug-in library for librtld_db. The plug-in library allows Solaris tools such as the debugger, described in mdb(1), and DTrace, described in dtrace(1M), to access the symbol information of processes running inside a branded zone.
The devices supported by each zone are documented in the man pages and other documentation for that brand. Device support is defined by the brand. A brand can choose to disallow the addition of any unsupported or unrecognized devices.
The file systems required for a branded zone are defined by the brand.
The privileges available in a branded zone are defined by the brand. For more information about privileges, see Privileges in a Non-Global Zone and Configurable Privileges in an lx Branded Zone.
The lx brand uses the branded zones framework to enable Linux binary applications to run unmodified on a machine with a Solaris Operating System kernel.
The machine must have one of the following supported i686 processor types:
- Intel
  - Pentium Pro
  - Pentium II
  - Pentium III
  - Celeron
  - Xeon
  - Pentium 4
  - Pentium M
  - Pentium D
  - Pentium Extreme Edition
  - Core
  - Core 2
- AMD
  - Opteron
  - Athlon XP
  - Athlon 64
  - Athlon 64 X2
  - Athlon FX
  - Duron
  - Sempron
  - Turion 64
  - Turion 64 X2
The lx brand includes the tools necessary to install a CentOS 3.x or Red Hat Enterprise Linux 3.x distribution inside a non-global zone. Versions 3.5 to 3.8 of each distribution are supported. The brand supports the execution of 32-bit Linux applications on x86 and x64 machines running the Solaris system in either 32-bit or 64-bit mode.
The lx brand emulates the system call interfaces provided by the Linux 2.4.21 kernel, as modified by Red Hat in the RHEL 3.x distributions. This kernel provides the system call interfaces consumed by the glibc version 2.3.2 released by Red Hat.
In addition, the lx brand partially emulates the Linux /dev and /proc interfaces.
Caution – Note that you must maintain a supported configuration if you add packages to an lx branded zone. See About Maintaining a Supported Configuration for more information.
The Solaris system imposes no limit on the number of Linux applications you can run in an lx branded zone. Sufficient memory must be available. Also see System and Space Requirements.
Regardless of the underlying kernel, only 32-bit Linux applications are able to run.
The lx zone supports only user-level Linux applications. You cannot use Linux device drivers, Linux kernel modules, or Linux file systems from inside an lx zone.
See http://hub.opensolaris.org/bin/view/Community+Group+brandz/applications for a list of some applications that have been successfully run under the lx brand. See How to Install an Application in an lx Branded Zone for an example of installing an application.
You cannot run Solaris applications inside an lx zone. However, the lx zone enables you to use the Solaris system to develop, test, and deploy Linux applications. For example, you can place a Linux application in an lx zone and analyze it using Solaris tools run from the global zone. You can then make improvements and deploy the tuned application on a native Linux system.
Solaris debugging tools such as DTrace and mdb can be applied to Linux processes executing inside the zone, but the tools themselves must be running in the global zone. Any core files generated are produced in the Solaris format and can only be debugged with Solaris tools.
DTrace is enabled for Linux applications by the DTrace lxsyscall dynamic tracing provider. The provider acts like the DTrace syscall provider. The lxsyscall provider provides probes that fire whenever a thread enters or returns from a Linux system call entry point.
For more information on debugging options, see the Solaris Dynamic Tracing Guide, and the dtrace(1M) and mdb(1) man pages. The Solaris Dynamic Tracing Guide describes the public documented interfaces available for the DTrace facility. The documentation about the syscall provider can be used for the lxsyscall provider.
Because NFS is dependent on name services, which are zone specific, you cannot access any NFS file system that is mounted outside of the current zone. Thus, you cannot debug NFS-based Linux processes from the global zone.
The commands identified in the following table provide the primary administrative interface to the zones facility.
Table 31–1 Commands and Other Interfaces Used With lx Branded Zones

| Command Reference | Description |
|---|---|
| | Log in to a non-global zone |
| | Administers zones on a system |
| | Used to set up a zone configuration |
| | Used to map between zone ID and name |
| brands(5) | Provides description of branded zones facility |
| lx(5) | Provides description of Linux branded zones |
| | Provides description of zones facility |
| lx_systrace(7D) | DTrace Linux system call tracing provider |
| | Zone console device driver |

The zoneadmd daemon is the primary process for managing the zone's virtual platform. The man page for the zoneadmd daemon is zoneadmd(1M). The daemon does not constitute a programming interface.
Table 27–5 covers commands that can be used in the global zone to display information about all non-global zones, including branded zones. Table 27–4 covers commands used with the resource capping daemon.
The following table provides an overview of the tasks that are involved in setting up lx zones on your system for the first time.

| Task | Description | For Instructions |
|---|---|---|
| Identify each 32-bit Linux application that you would like to run in a zone. | Assess the system needs of the application. | Refer to your business goals and to your system documentation if necessary. |
| Determine how many zones to configure. | Assess: | See Application Support, System and Space Requirements, Evaluating the Current System Setup, Script to Configure Multiple lx Branded Zones. |
| Determine whether you will use resource pools with your zone to create a container. | If you are using resource pools, configure the pools before you configure zones. Note that you can add zone-wide resource controls and pool functionality to a zone quickly by using zonecfg properties. | See How to Configure the lx Branded Zone, Chapter 13, Creating and Administering Resource Pools (Tasks). |
| Perform the preconfiguration tasks. | Determine the zone name and the zone path for each zone. If network connectivity is required, obtain IP addresses. Determine the scheduling class for the zone. Determine the set of privileges that processes inside the zone should be limited to, if the standard default set is not sufficient. | For information on the zone name, zone path, IP addresses, and scheduling class, see lx Branded Zone Configuration Components. For a listing of default privileges and privileges that can be configured in a non-global zone, see Privileges in a Non-Global Zone. For information on resource pool association, see How Zones Work and How to Configure the lx Branded Zone. |
| Develop configurations. | Configure non-global zones. | See Configuring, Verifying, and Committing a Zone and the zonecfg(1M) man page. |
| As global administrator, verify and install configured zones. | Zones must be verified and installed prior to booting the zone. You must obtain a Linux distribution before you install a Linux branded zone. | See Chapter 34, About Installing, Booting, Halting, Cloning, and Uninstalling lx Branded Zones (Overview) and Chapter 35, Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks). |
| As global administrator, boot the non-global zones. | Boot each zone to place the zone in the running state. | See Chapter 35, Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks). |
| Prepare the new zone for production use. | Create user accounts, add additional software, and customize the zone's configuration using standard Linux system administration tools and methodologies from within the zone. | Refer to the documentation you use to set up a newly installed machine and install applications. Special considerations applicable to a system with zones installed are covered in this guide. |