
Jay Braun (02-04-20, 06:55 PM)
I recently began to work with a project whose software runs on Solaris. The software is normally deployed on a Solaris Zone. At the application level, I see several ways in which container technology could benefit the project. Can multiple Solaris containers execute on a single Solaris zone?

I apologize if this is a no-brainer question, but I'm coming from an environment where we ran Docker containers on an AWS Linux VM, and the distinction between the VM and the container was very clear.
None (02-05-20, 04:39 AM)
Jay Braun <jaybraun2.0> wrote:
> I recently began to work with a project whose software runs on Solaris.
> The software is normally deployed on a Solaris Zone. At the application
> level, I see several ways in which container technology could benefit the
> project. Can multiple Solaris containers execute on a single Solaris zone?
> I apologize if this is a no-brainer question, but I'm coming from an
> environment where we ran Docker containers on an AWS Linux VM, and the
> distinction between the VM and the container was very clear.


A Solaris Zone is a container, so how would you run containers within a
container? I think your real answer is to run multiple zones.
YTC#1 (02-05-20, 11:55 AM)
On 04/02/2020 16:55, Jay Braun wrote:
> I recently began to work with a project whose software runs on Solaris. The software is normally deployed on a Solaris Zone. At the application level, I see several ways in which container technology could benefit the project. Can multiple Solaris containers execute on a single Solaris zone?
> I apologize if this is a no-brainer question, but I'm coming from an environment where we ran Docker containers on an AWS Linux VM, and the distinction between the VM and the container was very clear.

As pointed out, an understanding of zones/containers is needed. And
maybe more info about what you are doing.

When you install Solaris the OS is at that point known as the "Global
Zone", it will often be called the GZ.

Each GZ can have many, many Non Global Zones (or NGZ, or just zones) *
IIRC 8192 was the stated limit, but I believe it is way beyond that in
practice :-)

Then there are Kernel Zones (KZ) in S11.2 onwards... really cool.

A zone is often called a container, there was a lot of naming and
renaming back in the early days, but the phrase "a container is a zone
with resource allocations" helps understanding.


Next we have "branded" zones. This is where we can run Solaris 8/9 zones
inside Solaris 10. Or Solaris 10 zones on Solaris 11.
So an understanding of what you want and where you are will help.

In S10 there are 2 types of zone (other than brands), whole or sparse.
I'll let you read up on that one.

Generally you can think of a zone as being a server in its own right,
just not (always) direct access to its resources.
* So install all your apps etc in the zone.
* Don't allow users access to the GZ.
* A GZ can have separate admins to an NGZ

Patching is performed from the GZ (yes I know some can be done from
the NGZ, and KZ) but as the NGZ has kernel dependencies on the GZ it
makes sense.

Welcome to how the world should be :-)
(I'm sure Linux will catch up one day).
Grant Taylor (02-09-20, 11:24 PM)
On 2/5/20 2:55 AM, YTC#1 wrote:
> Generally you can think of a zone as being a server in its own right,
> just not (always) direct access to its resources.
> * So install all your apps etc in the zone.
> * Don't allow users access to the GZ.
> * A GZ can have separate admins to an NGZ


I agree that zones can be thought of as a server in their own right.
But I don't think the same can be said about containers. At least not
containers from outside of the Solaris Zone world.

Containers, as I understand them, are supposed to be /just/ the
application and its dependencies. The rest of the OS isn't there.

I feel like this is a stark contrast to Zones, which, as you say, are
effectively a full server ~> OS in their own right.

> Patching is performed from the GZ (yes I know it some can be done
> from the NGZ, and KZ) but as the NGZ has kernel dependencies on the
> GZ it makes sense.


This also differs from containers outside of Solaris. Containers
outside of the Solaris world are blown away and replaced. They aren't
patched.

> Welcome to how the world should be :-)
> (I'm sure Linux will catch up one day).


Please elaborate on what you mean by these two statements.

I believe that Linux is capable of doing probably 80% (or more) of what
Solaris Zones can do. It's just that few people do it. But, I'd like
to know more specifically what you're referring to.
YTC#1 (02-10-20, 11:08 AM)
On 09/02/2020 21:24, Grant Taylor wrote:
> On 2/5/20 2:55 AM, YTC#1 wrote:
> I agree that zones can be thought of as a server in their own right. But
> I don't think the same can be said about containers.  At least not
> containers from outside of the Solaris Zone world.


I was only referring to Solaris zones/containers. The words are used to
mean the same thing.

> Containers, as I understand them, are supposed to be /just/ the
> application and its dependencies. The rest of the OS isn't there.


In the non-Solaris world, maybe.

> I feel like this is a stark contrast to Zones, which, as you say, are
> effectively a full server ~> OS in their own right.


As above, I was pointing out that the words are used to mean the same
thing. Back when they came out the usage swung one way or another
depending who was talking, and the two phrases are still used occasionally.

>> Patching is performed from the GZ (yes I know it some can be done from
>> the NGZ, and KZ) but as the NGZ has kernel dependencies on the GZ it
>> makes sense.

> This also differs from containers outside of Solaris.  Containers
> outside of the Solaris world are blown away and replaced.  They aren't
> patched.


Fine, but this is Solaris and it was a Solaris query.
However, zones can be treated in the same way providing you use a decent
installation tool.

>> Welcome to how the world should be :-)
>> (I'm sure Linux will catch up one day).

> Please elaborate on what you mean by these two statements.


Is it not obvious ?
Solaris zones are still seen as being way ahead of Linux containers.
There was a short period of time when docker was meant to appear on
Solaris, and work with containers. But that failed to pass :-(

> I believe that Linux is capable of doing probably 80% (or more) of what
> Solaris Zones can do.  It's just that few people do it.  But, I'd like
> to know more specifically what you're referring to.


The OS separation, partitioning and isolation of resources, for one thing.
Being able to run branded zones for another.

And have you seen kernel zones?

Fair enough, I am a Solaris through and through, and can be a touch
biased. I find the concept of the isolation of a zone more likeable to
the way I understand linux containers to work.
John D Groenveld (02-10-20, 03:41 PM)
In article <r1pt8r$6td$1>,
Grant Taylor <gtaylor> wrote:
>This also differs from containers outside of Solaris. Containers
>outside of the Solaris world are blown away and replaced. They aren't
>patched.


The Linux containers that I have used are the distro OS sans kernel.
They are patched from the host or from within container.

John
groenveld
John D Groenveld (02-10-20, 03:50 PM)
In article <r1r6ht$brk$1>, YTC#1 <bdp> wrote:
>The OS separation, partitioning and isolation of resources, for one thing.
>Being able to run branded zones for another.


I find the management of lx branded zones to be easier than
Linux containers as far as resource controls and networking.
IMO Crossbow VNICs are more intuitive than the Linux vnet/virbr
counterpart.

John
groenveld
YTC#1 (02-10-20, 06:16 PM)
On 10/02/2020 13:50, John D Groenveld wrote:
> In article <r1r6ht$brk>, YTC#1 <bdp> wrote:
> I find the management of lx branded zones to be easier than
> Linux containers as far as resource controls and networking.
> IMO Crossbow VNICs are more intuitive than the Linux vnet/virbr
> counterpart.


TBH, I have not used the LX brand since it was dropped from Solaris :-(
John D Groenveld (02-10-20, 07:06 PM)
In article <r1rvkd$vkf$1>, YTC#1 <bdp> wrote:
>TBH, I have not used the LX brand since it was dropped from Solaris :-(


I have had occasion to use them on illumos-based OmniOS.
<URL:https://omniosce.org/info/lxzones.html>

Many thanks to Joyent for resurrecting after Oracle abandoned.
John
groenveld
Chris Ridd (02-10-20, 08:18 PM)
On 10/02/2020 17:06, John D Groenveld wrote:
> In article <r1rvkd$vkf$1>, YTC#1 <bdp> wrote:
>> TBH, I have not used the LX brand since it was dropped from Solaris :-(

> I have had occasion to use them on illumos-based OmniOS.
> <URL:https://omniosce.org/info/lxzones.html>
> Many thanks to Joyent for resurrecting after Oracle abandoned.


It is unfortunate they haven't kept up to date wrt Linux kernel changes.
Joyent seem to prefer using bhyve zones instead of lx nowadays, which is
a shame.
John D Groenveld (02-10-20, 11:51 PM)
In article <r1s6pr$d1k$1>, Chris Ridd <chrisridd> wrote:
>It is unfortunate they haven't kept up to date wrt Linux kernel changes.
>Joyent seem to prefer using bhyve zones instead of lx nowadays, which is
>a shame.


I have had good success running Linux and FreeBSD on bhyve branded
zones.
<URL:https://omniosce.org/info/bhyve_kvm_brand.html>
But I haven't benchmarked lx zone vs bhyve with Centos7 Linux guest.

BTW FreeBSD now has Centos8 Linux compatible jails.
<URL:https://www.freebsd.org/news/status/report-2019-10-2019-12.html>

John
groenveld
John D Groenveld (02-11-20, 12:01 AM)
In article <r1r6ht$brk$1>, YTC#1 <bdp> wrote:
>And have you seen kernel zones?


What are the use cases for kernel zones?

John
groenveld
YTC#1 (02-11-20, 11:29 AM)
On 10/02/2020 22:01, John D Groenveld wrote:
> In article <r1r6ht$brk$1>, YTC#1 <bdp> wrote:
>> And have you seen kernel zones?

> What are the use cases for kernel zones?


I've had a couple of occasions where I just can't get an application to
work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
can lock some resources to a zone and have it stuck at S11.3 while the
GZ is at S11.4
(And in 1 case I have a zone at S11.3SRU23 because I couldn't be
bothered upgrading Apache for a simple in house use Twiki :-) )

They are more akin to LDoms than branded zones.

Oh, and then there are immutable zones. So what if someone hacks in?
They can't write stuff :-)
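As an added example, not part of the thread and not anyone's posted configuration: the two points YTC#1 makes earlier ("a container is a zone with resource allocations", and keep users out of the GZ) and the immutable-zone point here can both be expressed in a single zonecfg command file for a Solaris 11 non-global zone, applied from the global zone. The block also carries a small audit function that reads `zonecfg export` output and reports whether a zone has CPU and memory caps and a non-default file-mac-profile, so an administrator on the GZ can check every zone the same way. The zone name `app-zone`, the zonepath and the cap values are assumptions; the unhardened export dump is constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the thread): a zonecfg command file that gives a
# non-global zone resource allocations (capped-cpu, capped-memory) and a
# fixed-configuration file-mac-profile (an immutable zone), plus an audit
# function for `zonecfg -z <zone> export` output. Zone name, zonepath and
# the cap values below are assumptions.

ZONE=app-zone

# Emits the command file. From the global zone you would run:
#   zone_cfg > app-zone.cfg && zonecfg -z "$ZONE" -f app-zone.cfg
# `create` starts from the default Solaris 11 template (brand solaris,
# exclusive IP stack with an anet VNIC), so only the additions are listed.
zone_cfg() {
cat <<'EOF'
create
set zonepath=/zones/app-zone
set autoboot=true
add capped-cpu
set ncpus=2
end
add capped-memory
set physical=4G
set swap=4G
end
set file-mac-profile=fixed-configuration
verify
commit
exit
EOF
}

# Constructed sample of what `zonecfg export` prints for a zone that was
# created and never hardened: no caps, writable root file system.
unhardened_export() {
cat <<'EOF'
create -b
set brand=solaris
set zonepath=/zones/legacy
set autoboot=false
set ip-type=exclusive
set file-mac-profile=none
add anet
set linkname=net0
set lower-link=auto
end
EOF
}

# Audit: read zonecfg export text on stdin. Returns 0 only when the zone has
# an immutable profile (anything other than "none") AND a CPU cap AND a
# memory cap; returns 1 otherwise. No subshell is used inside the loop, so
# the counters survive to the final test.
audit_zone_export() {
    _mac=0 _cpu=0 _mem=0
    while IFS= read -r line; do
        case "$line" in
            "set file-mac-profile=none") ;;      # explicit default: not immutable
            "set file-mac-profile="*)   _mac=1 ;;
            "add capped-cpu")           _cpu=1 ;;
            "add capped-memory")        _mem=1 ;;
        esac
    done
    [ "$_mac" -eq 1 ] && [ "$_cpu" -eq 1 ] && [ "$_mem" -eq 1 ]
}

# Offline demonstration: the hardened config passes, the constructed
# unhardened export does not. On a real GZ you would instead run
#   zonecfg -z "$ZONE" export | audit_zone_export
if zone_cfg | audit_zone_export; then
    echo "$ZONE: capped and immutable"
fi
if unhardened_export | audit_zone_export; then
    echo "legacy: capped and immutable"
else
    echo "legacy: missing caps or writable root"
fi
```

Two caveats worth keeping in mind when reading the audit's result: `fixed-configuration` still permits writes under most of `/var` (the `strict` profile is the fully read-only one), so "immutable" here means the system configuration and binaries cannot be changed, not that the zone stores nothing; and, as Casper notes in the reply below, the same file-mac-profile property applies to the global zone (and therefore to kernel zones) from 11.3 onwards, which is the setting that actually protects the GZ the users are supposed to stay out of.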
Casper H.S. Dik (02-11-20, 04:42 PM)
YTC#1 <bdp> writes:

>On 10/02/2020 22:01, John D Groenveld wrote:
>> In article <r1r6ht$brk$1>, YTC#1 <bdp> wrote:
>>> And have you seen kernel zones?

>> What are the use cases for kernel zones?


>I've had a couple of occasions where I just can't get an application to
>work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
>can lock some resources to a zone and have it stuck at S11.3 while the
>GZ is at S11.4
>(And in 1 case I have a zone at S11.3SRU23 because I couldn't be
>bothered upgrading Apache for a simple in house use Twiki :-) )


>They are more akin to LDoms than branded zones.


>Oh, and then there are immutable zones. So what if someone hacks in?
>They can't write stuff :-)


Works for the global zone also (and thus for kernel zones)

Casper
Chris Ridd (02-11-20, 07:35 PM)
On 10/02/2020 21:51, John D Groenveld wrote:
> In article <r1s6pr$d1k>, Chris Ridd <chrisridd> wrote:
> I have had good success running Linux and FreeBSD on bhyve branded
> zones.
> <URL:https://omniosce.org/info/bhyve_kvm_brand.html>
> But I haven't benchmarked lx zone vs bhyve with Centos7 Linux guest.


I'm sure they work well. They're just heavyweight compared to an lx zone.
