Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
Unix Operating Systems Software

Zones are in Solaris Express (Solaris 10) 164

Posted by CmdrTaco from the i-want-my-processes-in-the-danger-zone dept.
snoofy writes "Zones, as people from SUN Microsystems have talked about for some time are now available in solaris express (the pre-release of Solaris 10). This will let you virtualize Solaris so that processes run in isolation from other activity on the system... A system can then be configured to run several zones which will make it look like different systems on the network Some info from a posting to comp.unix.solaris. The cool stuff is that it works on both SPARC and x86."
This discussion has been archived. No new comments can be posted.

Zones are in Solaris Express (Solaris 10) More

Zones are in Solaris Express (Solaris 10)

Comments Filter:

  • Hmmm.... (Score:1, Interesting)

    by Anonymous Coward
    Where have I seen this before... Oh that's right, the features Compaq/Hp have been shipping with their Tru64 Alpha Servers for _years_. Good job Sun. http://h18002.www1.hp.com/alphaserver/nextgen/part itions.wmv [hp.com]. ANyone who buys Sparc over Alpha is an idiot. Hell, you can even do this on Linux with UML..sun is playing catchup with just about everyone, but somehow manages to push enough spin on it to make every dumbass journo announce as an amazing technical innovation. http://user-mode-linux.sourceforge.n [sourceforge.net]

    • Re:Hmmm.... (Score:5, Insightful)

      by GiMP ( 10923 ) on Tuesday March 02, 2004 @08:57AM (#8439693)
      That may be so but instead of buying an Alpha, you can run Solaris on x86 hardware. You're also right about UML, but that is probably not as easily configured and certainly not shipped in a ready-made form with a distribution, compared to Sun's solution. Of course, for all the people already commited to Sun, this is a great thing.

      • Re:Hmmm.... (Score:2, Informative)

        by sigxcpu ( 456479 )
        The UNL patch is in the -AC kernel and thus comes with RedHat, Mandrake and probably others as well.
        Just install the kernel-uml rpm which is included with the standard installation media.

    • don't forget... (Score:5, Informative)

      by qortra ( 591818 ) on Tuesday March 02, 2004 @09:01AM (#8439727)
      Don't forget Xen [cam.ac.uk], VMWare, and Bochs [sourceforge.net] (not as fast, but still cool).

      There are already a ton of viable OS virtualizers out there. This news is seriously a real yawner.

      • Re:don't forget... (Score:5, Informative)

        by iserlohn ( 49556 ) on Tuesday March 02, 2004 @09:28AM (#8439946) Homepage
        and also Linux-vserver [linux-vserver.org]. Great performance. Just like BSD jail.
      • I think this has nothing to do with OS emulators.
        It's more like FreeBSD jail.

      • Re:don't forget... (Score:2, Informative)

        by chilled ( 542681 )
        Actually it's not really like vmware et al. Part of the reason for zones is to make life as an admin EASIER not harder. Say a sys admin has a single Solaris machine (SPARC or x86, it doesn't matter). They are running 10 zones, however the sys admin only has to maintain one OS. There are additional overheads, ie setting up resource controls, but they are there and relatively simple, building up on pre-existing but extended Solaris 9 concepts (Solaris Resource Manager), but much easier than maintaining 10 dif
      • This news is seriously a real yawner Obviously you don't manage any Sun servers, but if you did ...

    • Re:Hmmm.... (Score:2, Informative)

      by haggar ( 72771 )
      Disclaimer: I am not the author of the following post, I took it form here. [osnews.com]

      I believe this is not too far from what you can achieve with user mode linux. We've been using similiar technology in unix classess at school using uml.

      There are however few differences:

      1.) Solaris accesses host filesystem, while in user mode linux, you have to provide file or block device with disk image it will use. This is quite bad, because you have to preallocate space for zones. There is a project that aims to allow this, b

      • Re:Hmmm.... (Score:3, Informative)

        by GiMP ( 10923 )
        User Mode Linux provides a hostfs driver for accessing the host's filesystem.

        You're right about not being as easy to setup, I suspect that Solaris has made it very easy to do - but this is speculation at this point.

        Linux has such resource allocations. Checkout /etc/security/limits.conf. This is a per-user setting, unfortunately.

    • Re:Hmmm.... (Score:4, Insightful)

      by Jotaigna ( 749859 ) <jotaigna@yahoo.com> on Tuesday March 02, 2004 @09:03AM (#8439747) Homepage Journal
      You have pointed out a critical thing. Marketing. For many year Sun has been succesful in the market because is a reliable brand and quite good.(at least in Chile, of course) its like being "mercedes" or something like that. They have a name and a reputation that helps them a lot. If windows came with a better command line(like xterm) it would be news too!!, and they of course would make shure its news for everyone.

      If we want to make OS software more succesful in the market, we have to come up with marketing schemes for it, they can be as important as good coding.

    • Not Quite ! (Score:5, Informative)

      by Anonymous Coward on Tuesday March 02, 2004 @09:14AM (#8439833)
      >Where have I seen this before... Oh that's right,
      >the features Compaq/Hp have been shipping with
      > their Tru64 Alpha Servers for _years_.

      First I watched this movie, your comparsion is unfair; HP/Compaq/DEC partitions are more like Sun domains, i.e implemented in hardware. Domains have been around since say 1996 when E10K was introduced.

      > Sorry people, but sun are pushing 20th century
      > technology with some marketing spin to make it
      > sound up to date.

      While Solaris zones are similar to UML or other virtual OS instance technologies there are some innovative features which would be really useful say on multiprocessor Opteron that you want to consolidate some applications on:

      1) Support: I can expect to run Oracle/websphere,
      etc in this zone without having to say oh and this is UML (which I have seen many times on mailling lists) (I mean applications support the fact that a OS vendor is behind this is good news as well)

      2) Integration with Global Zone. From the global zone you can control each zone and watch and cap resources within a zone. This means modications to ps/prstat(solaris's top) and other core OS utilities. How hard would this be under Linux? Is the UML patch even accepted by Linus yet?

      3) Inteface bindings - can bind zone to specific NIC.

      4) Greenline - init.d replacement becomes service aware and can stop/start zones at boot and monitor services within a zone.

      5) Dtrace - the greatest thing even, dynamic tracing of the kernel. Fully integrated with Solaris Zones.

      • Re:Not Quite ! (Score:2, Informative)

        by arturs ( 758304 )
        At least some of those are really working well in a vserver:

        > 2) Integration with Global Zone. From the global
        > zone you can control each zone and watch and
        > cap resources within a zone. This means
        > modications to ps/prstat(solaris's top) and
        > other core OS utilities. How hard would this be
        > under Linux? Is the UML patch even accepted by
        > Linus yet?

        Very similar. You also get vps, vpstree, vtop, vkill, vdu utilities for management starting from security context 0 (hosting server, whic
      • Is the UML patch even accepted by Linus yet?

        Yes. It's an official 2.6 feature.

    • Re:Hmmm.... (Score:5, Informative)

      by SirTwitchALot ( 576315 ) on Tuesday March 02, 2004 @09:14AM (#8439836) Homepage Journal
      Well considering that alpha is a discontinued platform [nwfusion.com] I doubt anyone would be smart to buy one. Furthermore, if this technology is the next evolution of containers (which I think it is) it's nothing like what you speak of. You don't need to maintain a seperate os image for each zone, making administration easy. The only problem I've had with containers is isolation, which I hear has improved with zones. Physical partitioning (domains) have been in the sun product line since the 10k. Try understanding the technology before you comment about it... or more likely, IHBT

    • Re:Hmmm.... (Score:1, Interesting)

      by Anonymous Coward
      The difference between Alpha Tru64 partitions and Sun Solaris zones is that Tru64 requires dedicated I/O/CPU/Mem resources on per instance basis. This Alpha feature, which quite neat, works for OpenVMS too. But I think I like the Sun's solution better - no hardware resources pre-allocation is required.

      For instance, you can configure two partitions on Alpha, run an OpenVMS image on each of them and to even create a cluster on these two images. In this case if the first image fails for some reason, the secon

      • Re:Hmmm.... (Score:3, Informative)

        by christophersaul ( 127003 )
        The Zones mentioned here are sun's software partitions. Dynamic system domains are Sun's hardware equivalent of what you're talking about. You can adjust them on the fly, no reboot required, which I believe you can't do with Tru64. You certainly can't with HPUX.

    • Re:Hmmm.... (Score:2, Informative)

      by Mikkeles ( 698461 )

      Or one can go [gmu.edu] (e.g.) to the original from IBM (first introduced in 1967).

    • Re:Hmmm.... (Score:4, Informative)

      by raider_red ( 156642 ) on Tuesday March 02, 2004 @09:47AM (#8440121) Journal
      It actually sounds just like a feature that Sun already has on their servers. The Sunfires and Enterprise models can be split into multiple domains, each of which is configured to look like a different machine on the network.

    • Re:Hmmm.... (Score:5, Informative)

      by sapbasisnerd ( 729448 ) on Tuesday March 02, 2004 @10:05AM (#8440271)
      Not the same thing. In point of fact Sun has had roughly equivilant hard partitions through domains for years as well, before HP.

      This is quite similar to vPar's in HP/UX (forgive me but I stopped paying attention to HP's ugly stepchildren Alpha & Tru64 a long time ago, it's too bad 'cause it was a great chip but its moribund, you would be wise to do the same pretty soon).

      Hard partitions, like Sun Domains, HP's nPARs and IBM's LPARs slice up a physical machine and run an OS image on each slice. As far as I can tell here there is still just one OS image but applications running in these Zones can be isolated from each other. A malicous root user in the global zone is still able to make mischief in the zones if they want to.

      The nice thing here unlike on HP is that you can slice up a uniprocessor machine if you have many tiny workloads that need to be isolated. IBM will too be able to do this soon with the next crank of their LPAR technology but a better implmentation with no issues with a global root user.

    • Re:Hmmm.... (Score:3, Insightful)

      by shokk ( 187512 )
      If the vendors are not selling any Alpha software for what you need to run your business, buy Alpha over Sparc would make you an idiot. You buy whatever fits your business, not for some overzealous philosophy or the l33test stats. For those who are running Sparc, this is one less thing that Tru64 has over Sparc. Yes, I have a beef with Sun over how they have pretty much sat on their laurels for the past couple of years while being passed by Intel, AMD, and anyone else scribing on silicon. While Intel an

  • Can this be used for honeypots? (Score:5, Interesting)

    by El Volio ( 40489 ) on Tuesday March 02, 2004 @08:55AM (#8439679) Homepage
    It would be cool to do something like the UML honeypots in Linux. You could run multiple systems, each insulated from each other and the host system, see what you get.

    • Re:Can this be used for honeypots? (Score:5, Insightful)

      by Anonymous Coward on Tuesday March 02, 2004 @09:51AM (#8440158)
      If I am understanding the technology correctly, then I don't think you would want to run a honeypot/net in this configuration. The processes are isolated, but the kernel/core components are not.

      Most compromises break/modify some kernel/core components to achieve the compromise. If a honeypot/net were run using this configuration then, it seems, that once the honeypot/net were compromised, then the WHOLE system (read: the part you wanted to keep safe) would be compromised.

      Technology, like VMWare, uses a completely virtualized OS from a seperate installation and running instance of its kernel/core files. A compromise on a VMWare honeypot is much easier to recover from using the Snapshot/Revert features.

      Then again, I may not completely understand the technology.

      • Re:Can this be used for honeypots? (Score:5, Informative)

        by Rik van Riel ( 4968 ) on Tuesday March 02, 2004 @10:26AM (#8440529) Homepage
        The corresponding technology in Linux is called "vservers". It has been around for a number of years now, as an external kernel patch.

        You can find more info about it on linux-vserver.org [linux-vserver.org].

      • Re:Can this be used for honeypots? (Score:4, Informative)

        by Dillusionary ( 675442 ) on Tuesday March 02, 2004 @11:05AM (#8440948)
        This is based on Trusted solaris as the underlining of the virtual system, but it doesn't share kernel/core as far as the SUN engineer explained it. So in the future you can have different versions of Solaris that support this technology running on the same machine. Everything is separated, FS,Kernel,Core,etc.. AFAIK :)

        • Re:Can this be used for honeypots? (Score:4, Informative)

          by Darren.Moffat ( 24713 ) on Tuesday March 02, 2004 @12:15PM (#8441805)
          Sorry but that is wrong. Both in Trusted Solaris and in Zones there is a single Solaris kernel that is responsbile for the isolation. This is separate userlands with their own nameservice their own filesystems and their own root account.

          Zones can't load kernel modules (except indirectly as protocol modules (eg telmod, rlmod), Zones can't (by default) access any raw devices and can't add new network interfaces by themselves.
          • Then I was wrong, it wasn't explained like that to me by the SUN engineer, he said that the underline of the isolation is one kernel, but it doesn't sure kernels. He also mention that the underlining kernel is based on trusted solaris. Also pointed out that in later releases of Solaris, you will have the ability to upgrade one zone separately, away from all others. But you are correct the underlining kernel is the controller of the hardware, like HAL in Windoze.

      • Re:Can this be used for honeypots? (Score:5, Informative)

        by molnarcs ( 675885 ) <csabamolnarNO@SPAMgmail.com> on Tuesday March 02, 2004 @11:20AM (#8441102) Homepage Journal
        It is more like FreeBSD jails I think (but then, I may not completely understand these technologies as well :))

        Almost everything written under "Features:" can be also said about jails: Security, Isolation, Virtualization, Granularity, Transparency. For instance, you can put one single binary in a jail (if it works) or you can put there an entire system. Or, if you want to run a service in a jail (isolation, security), you can build the entire system with make buildworld targetting a jail,and you can optimize that system for running a single service, by stripping out most parts in make.conf:
        NO_SENDMAIL=true
        NO_SENDMAIL=true
        NO_OPENSSH=tru e
        NO_OPENSSL=true
        NO_KERBEROS=true
        WITH_LIBMAP= yes
        NO_VINUM=true
        NO_WHATEVER=true
        # and leave bind there if you want to run only DNS in jail
        Jailed processes/systems are so isolated, that even if you root one jailed system, you won't have access to the others/host system (unless admin was stupid enough to have the same passwords). Jails have their own ip addresses and firewall rules as well. I guess (if I read this correctly) we can say there is nothing new under the Sun :))
        • Ooops, made a mistake: WITH_LIBMAP shouldn't be there (I copied my own make.conf, and forget to remove that line). That's for choosing between different threading libraries for your applications. (FreeBSD has three: libc_r - old one, libthr - 1:1 threading like linux, libkse - M:N threading).

        • Re:Can this be used for honeypots? (Score:4, Informative)

          by Brandon Hume ( 73471 ) on Tuesday March 02, 2004 @11:59AM (#8441640) Homepage
          This feature has been compared to BSD jails, and it's logical to say that it grew from that feature, but the functionality isn't exactly the same.

          A Solaris zone can be rebooted independant of the other zones on the machine; it can have resources added or removed from the zone (CPUs, for example) dynamically, etc.

          I'm still installing my copy of SolExp, so I haven't played with the feature just yet. But it looks to be located somewhere between FreeBSD jails and a completely emulated machine like VMWare.

      • Sun has gone to great lengths to make sure that a compromized zone does not imply compromize of other zones.

        In fact, one of Suns examples is a Zone for each service, where the technician that explained to me explicitly said that if one of the Zones run a sendmail which is rooted, the others are unaffected because there are separate "root" accounts for each zone (and we're not just talking separare passwords but actual separate root:s).

        They protect stuff like /dev/kmem, you can't access raw devices, and

  • Look up Argante (Score:5, Interesting)

    by SharpFang ( 651121 ) on Tuesday March 02, 2004 @08:59AM (#8439705) Homepage Journal
    That was a project of a cross-platform "virtual OS" to be run "on top of" other OSes (loaded like a normal process) designed with security in mind - building exploits in it was meant to be impossible. I'm not sure about progress, but launching 10 Argante processes on, say, plain Linux running nothing but "bare bones" was meant to be equal to creating 10 computers, each running Argante OS, to create, say, 10 super-secure servers.

    • Re:Look up Argante (Score:3, Insightful)

      by afidel ( 530433 )
      User mode Linux is similar. It's nearly impossible to break out from the child servers to the main server. I know of several hosting services that use this to give clients "private" servers at a reduced cost.

  • Question (Score:3, Interesting)

    by mikeophile ( 647318 ) on Tuesday March 02, 2004 @08:59AM (#8439707)
    Is this similar to running multiple instances of VMWare [vmware.com] or Bochs [sourceforge.net]?

    • Re:Question (Score:1, Informative)

      by Anonymous Coward
      It seems to be similar to running VMware with multiple virtual machines (VMs) where each VM runs the same OS with different apps.

    • Re:Question (Score:3, Informative)

      by mmusson ( 753678 )
      This sounds like a small part of vmware. With vmware you can install multiple different OSes and run them concurrently. Also you have the ability to pause a vm (save the running vm state to disk) and also snapshot/restore. This later feature is great if you are testing. Being able to back up to a known machine state at a press of a button is very handy.

    • Re:Question (Score:3, Informative)

      by addaon ( 41825 )
      It seems a lot closer to VMWare ESX than VMWare workstation, from the quick blurb.
    • http://user-mode-linux.sourceforge.net/
    • Sorta kinda. It sounds more like a chroot jail, just a little larger. Some calls are intercepted and zonified - so one process will think the machines IP is 10.0.0.1 and another will think it's 10.0.0.2 because they are in different zones, where the machines actuall IP may be 10.20.10.1.

      With VMWare/Bochs, you are running multiple copies of the OS...one for each virtual machine, running under one master OS. With this zone method, it's basically the OS lying to it's programs about various things!

  • Only if it works... (Score:5, Interesting)

    by RunAmuk ( 686898 ) on Tuesday March 02, 2004 @09:00AM (#8439714)
    This would be interesting to see if the installer actually worked. I tried downloading and installing the Solaris Express preview on my SunBlade 100, and the installer died halfway through the installation. When I was finally able to get the installatin finished, I couldn't even make it recognize the integrated network card.

    I've always been surprised how Linux installers can easily support the large variety of OEM Network cards available, and yet Sun can't make an installer that recognises their own hardware.

    • FUD (Score:2, Informative)

      by Anonymous Coward
      This is not true; I have run several copies of Solaris Express (b42, b44, b51) on several Sun Blade 100/ Sun Blade 150s. Install was fine. There are some bugs; yes. Which is why this is a beta. But basic support for networking and install are not one of these bugs. Nice try.

      • Re:FUD (Score:2, Insightful)

        by RunAmuk ( 686898 )
        This isn't true? Sorry, I didn't see you sitting there next to me while I ran the install. I wish you had told me that the blank screen the install froze on (I left it for an hour before restarting) was part of a "fine" install. This happened all THREE times I tried to run the installatn. I also wish you would have told me that network card wasn't supposed to let me see anything on the network, before I spent 2 days on and off trying to get it to. Had I recognized these components of a fine intstall I p

        • Re:FUD (Score:4, Informative)

          by christophersaul ( 127003 ) on Tuesday March 02, 2004 @10:35AM (#8440641)
          My colleagues had no problems on an x86 laptop or Ultra 10. Don't bother with the installer, just boot off CD1, if it's anything like Solaris 9/9. The installer is just a pretty front end that ends up adding ages onto the install.

          • Yeah, I don't even know why Sun ships that "Install CD", when the real install program is in CD1. The Install CD must be for the occasional sysadmin who needs a bib to protect his shirt from drool.
            • The Install CD must be for the occasional sysadmin who needs a bib to protect his shirt from drool.

              I have the DVD-ROM version, you insensitive clod! :-)
              Actually, I have both CD and DVD media; I'd like to use the latter (no need to swap CDs in the middle of the installation), but I was foiled:
              • The Sun DVD drives we have at work don't support booting from DVD media without a firmware patch - potentially an interesting Catch-22 situation... (Usually you'll have either a Solaris CD and/or a Sun pre-insta
    • is there any chance you ended up with a corrupted installer? (md5sums match?)

  • Just like Xen, in other words? (Score:4, Informative)

    by vinsci ( 537958 ) on Tuesday March 02, 2004 @09:00AM (#8439719) Journal
    This sounds like Xen [cam.ac.uk] for Linux...

  • Jails vs. Zones (Score:2, Informative)

    by Vexler ( 127353 )
    From what I read in the newsgroup article, this sounds awfully like the "jail" feature in BSD. You can effectively set up entirely different machines using jails. You can reboot, configure, and manage individual jails just like zones.

    Can anyone more knowledgeable comment on whether they use similar kinds of calls to set up a zone as opposed to a jail?

    • Re:Jails vs. Zones (Score:5, Informative)

      by sysadmn ( 29788 ) <sysadmn AT gmail DOT com> on Tuesday March 02, 2004 @09:19AM (#8439877) Homepage
      Zones differ from jails in that you can limit the amount of resources a zone can consume. Even in jail you can launch a denial of service with a fork() bomb or busy loop, or even netcat. With zones, you can limit the amount of cpu cycles, network io, and (perhaps? don't have docs nearby) disk and serial io. Plus zones get their "own" virtual os, so you can reboot them.
      • Plus zones get their "own" virtual os, so you can reboot them.

        Sure about that? All the zones share the same copy of Solaris, so how can you reboot one without rebooting all the others?

        • Re:Jails vs. Zones (Score:5, Informative)

          by chilled ( 542681 ) on Tuesday March 02, 2004 @10:11AM (#8440341)
          Very sure.
          The zones routines, just re-read the zone config and re-initialise it. From the outside it can appear as an OS, but from another perspective (and this is gross over simplification but works for this point) it's just like loading an instance of an application.

      • Zones differ from jails in that you can limit the amount of resources a zone can consume. Even in jail you can launch a denial of service with a fork() bomb or busy loop, or even netcat. With zones, you can limit the amount of cpu cycles, network io, and (perhaps? don't have docs nearby) disk and serial io. Plus zones get their "own" virtual os, so you can reboot them.

        To add to the protection of chroot / "jails", the BSDs have the limit command to allow you to cap how much CPU and memory a process is al

    • Re:Jails vs. Zones (Score:2, Informative)

      by paxvel ( 758242 )
      Marko Zec has done an excellent work on further virtualizing FreeBSD kernel: Network stack cloning / virtualization extensions [tel.fer.hr].

      Within a patched kernel, every process, socket and network interface belongs to a unique virtual image. Each virtual image provides entirely independent:

      * set of network interfaces and userland processes;
      * interface addresses and routing tables;
      * TCP, UDP, raw protocol control blocks (PCBs);
      * network traffic counters / statistics;
      * set of net.inet tunable sysctl variable

    • Re:Jails vs. Zones (Score:3, Informative)

      by dohcvtec ( 461026 )
      Here [blastwave.org] is a very informative article not only describing Solaris Zones, but also showing it in action. From what I can see, it seems similar to UserMode Linux, but nicely integrated into the OS, and supplied with a good set of administration tools.
  • What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones. This seems obvious, but it helps put a layer in between the hardware and the software. What surprises me is that if so many other platforms already supported this to a large degree, how come its deployment has not been extensive? It seems like a great feature.
    • It has been! Notice the huge growth of "virtual colocation" services? Those are usually run with BSD jails or UML. They are a middle ground between consumer shared hosting and full-on managed servers.

      This technology has already created a successful and useful market. I think we can only expect more.

    • Re:But... does "rebooting" a zone fix issues? (Score:5, Interesting)

      by nemaispuke ( 624303 ) on Tuesday March 02, 2004 @09:48AM (#8440124)

      Yes there are other platforms that have similar features (AIX LPAR and DLPAR, HP-UX VPAR, Solaris Dynamic Domains). The problems are (1) you have to be using recent versions of the OS for the software virtualization (AIX 5L 5.2, HP-UX 11 and 11i) or (2) have the specific hardware necessary to use the hardware virtualization (AIX, HP-UX, and Solaris). And this hardware is costly (minimum cost for a Sun Sun Fire midrange to support dynamic domains is $100,000.00).

      The other reason could be that management (particularly in DoD) won't allow the use of hardware or software virtualization despite the benefits. Management could see this as a "toy" rather than a feature. Of all the documentation I have read concerning DoD, implementation, security, etc., I have never read anything about setting up or using virtualization. Not to say that some DoD activities aren't using it, but they are not well "advertised". The last Navy project I worked on we tried to deploy an Open Source monitoring solution and was basically told "we will not the first in doing anything!"

      • AIX does have DLPAR, but the problem with this is that it is only partitioning on a CPU boundary which means despite the fact it is supported on lower-end AIX boxes kind of limits it's use. However with AIX 5.3 and Power-5, DLPARing will be at a sub-CPU partition, up to 100 partitions per CPU is what I've heard. The Power-5 machines will ship with the lower end first before the replacement to the p690, certainly less than $100k per box. It will also support virtual networking etc, so that the LPARs will not
      1. What makes zones so important in large systems is the ability to restart one, or totally reconfigure it, without taking down the other zones.

      This "rebooting" that you speak of...tell me more...it is forign to me.

  • The neatest benefit (Score:5, Funny)

    by ArmenTanzarian ( 210418 ) on Tuesday March 02, 2004 @09:09AM (#8439795) Homepage Journal
    Network security will now be called "Zone Defense."
    What does that make man-to-man? P2P?

  • Solaris Express (Score:5, Informative)

    by njcoder ( 657816 ) on Tuesday March 02, 2004 @09:14AM (#8439834)
    "available in solaris express (the pre-release of Solaris 10). "

    Solaris Express is a program that they are using to give people early access to sun software. Solaris 10 is not solaris express

    • Interesting. That's not what Sun says, and I'm more inclined to believe them over you.

      Software Express for Solaris home page [sun.com]

      The general program is Software Express, which is what you described. The specific program which gives access to a preview of Solaris 10 is called Solaris Express. So the article is using the right term.

  • linux-vserver/BSD jail (Score:5, Informative)

    by iserlohn ( 49556 ) on Tuesday March 02, 2004 @09:16AM (#8439845) Homepage
    Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ [linux-vserver.org] or BSD jail feature provided. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that they acts each context acts like a separate sever, but in fact they are all running on the same kernel.

    Linux-vserver is a great project. We have been running different services under differnt "virtual" servers for a while and its performance is stellar.

  • looking at the bootup of his system.... (Score:1, Interesting)

    by Anonymous Coward
    What sysadmin with any brains runs NIS in this day and age? Thats so 1995. I mean come on, you might as well post your passwords on the wall for all to see.

    NIS+ or LDAP, folks....

  • bah (Score:4, Funny)

    by tuffy ( 10202 ) on Tuesday March 02, 2004 @09:20AM (#8439882) Homepage Journal
    It's clearly just a shameless ploy to gain market share.

    :)

    • a shameless ploy to gain market share? That's what companies are supposed to do! Give the customer what they want and need. What is "shameless" about that?
    • which is different from other for-profit companies ?
      It should be shameless.

  • Sun says this isn't like a VM thing (Score:5, Informative)

    by dukerobillard ( 582741 ) on Tuesday March 02, 2004 @09:23AM (#8439899)
    I've been prowling around Sun's site on this, and apparently it isn't like the old IBM 360 VM thing (or VMWare, or any of the many other Virtual Machine stuff people have mentioned). Zones aren't a VM that you run different kernels in, they're "application containers" running under a given kernel.

    It sounds to me more like a Java Servlet container model than a VM. There's even a "global zone" that can see all the others.

    Here's [sun.com] a post about it.

    Here's [sun.com] Sun's page on it

  • Jacques Gelinas' VServer (Score:5, Informative)

    by Gollum ( 35049 ) on Tuesday March 02, 2004 @09:29AM (#8439958)
    This looks just like the Virtual Server project [linux-vserver.org] that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.

    Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals.

  • Nice addition to the existing domain capabilities (Score:5, Informative)

    by adam872 ( 652411 ) on Tuesday March 02, 2004 @09:52AM (#8440173)
    Sun has had the ability to do multiple system images on the same box for a while, but they've always been hardware partitioning only. The 4800/6800/12k/15k allowed you to run different domains on the same system, so long as you had the right combo of CPU and I/O boards. This was great if you had one of those systems, but not so hot it you had a workgroup level system (e.g. E450 or V880). I'm glad to see they've put software partitioning in the O/S so I can take a mid range system and chop it up into separate pieces. AIX and HP-UX have been able to do the software side thing for a while (but not the dedicated hardware piece, I believe).

    This will help with consolidation and utilisation on existing machines, I think.
    • AIX and HPUX have been able to do similar-ish stuff for a while, but with severe restrictions. IBM's LPARs require a mix of hardware and software and IBM recommend a minimum of three cpus. There are other restrictions regarding sharing I/O boards, etc, etc. You can't dynamically resize an LPAR without a reboot, for example.

      With the mix of software 'zones' and Sun's hardware oriented dynamic system domains, you have something that's a lot more powerful than IBM's LPARs.

      HP can do what I believe they call
      • You've been able to grow the AIX LPARS dynamically in various ways for a couple of years now, adding CPU and memory is just a case of clicking an arrow in the Java management gui used.

        AIX5.2 does require the allocation of an entire CPU, hard drive, and network adapter to each partition though, and this is the real problem - there's no hardware virtualisation.

        The AIX5.3 update and the soon to be released Power5 hardware supports 10 partitions per CPU, and virtual disks and ethernet adapters.

        Ewan

  • Questions (Score:2, Interesting)

    by giminy ( 94188 )
    Is a zone just a stripped-down virtual machine? This doesn't seem to be answered too well, but that's what it looks like.

    VMs are bad, if only because the I/O performance takes an obvious hit. Any attacker worth his/her salt would be able to tell that they're logged into a VM with a little experimentation...so this thing's use as an effective honeypot is pretty much (against a smart attacker).
  • I've read about chroot, and even set one up a while ago, but more or less just using the howto. Are Solaris Zones similar to the chroot setup in Linux?
    • Chroot is not secure, all it really does it change the location of what the application thinks is the root of the filesystem. root in a choot is the same root as the rest of the system. You can break out of chroot environments.

      Zones are full application environments with their own network addresses, their own filesystems, etc etc. They look to users and applications like separate machines, but their are acutally all running on a single Solaris kernel that ensures resource and security isolation between
  • Only 30 years to catch up with IBM. Have they even caught up? Sorry if I don't get over excited about this.

  • Solaris is for real users (Score:5, Insightful)

    by mveloso ( 325617 ) on Tuesday March 02, 2004 @02:03PM (#8443098)
    After reading the comments, it seems blatantly obvious that most /. readers don't work in the industry.

    Zones fix some really important, real world problems. The main problem that it will solve for organizations is migration of apps from development to production boxes.

    In Real Life (and in the well run organizations) there's a separation between dev, production, and sometimes test. There are a number of implications for this, the main one being this: there are usually two sets of hardware (or three, if there's a separate test area).

    Now with a few moments of thought, you can see the problem. By moving the software from place to place you introduce changes. Change is bad, because change causes software to break. How many times have you had problems with your apps because you forgot to change some config file, or a machine name, or whatever?

    With zones you don't need to change the machine to change the machine. You just copy your zone from one machine to another. Ta-da! You have no problem with changes impacting your app. If the app worked in test, it'll work in production. Do you need to mirror production in a test environment? Just create a bunch of zones and do it. You don't have to change the IP addresses or anything.

    Need to migrate your app to a bigger box? Heck, just move your zone. No need to reinstall your app, synchronize and adjust all the configs, and repoint everyone and everything to the new box. Move it from that ultra 5 in the basement to the big cat in the data center.

    I suppose you'll be able to auto-migrate zones between machines in later releases, in a form of cross data-center load balancing. Hey, that E450 is unused, let's move the web server there on the fly.

    Just another step on the road to virtualization...

  • Sun Discovers LPARs... (Score:4, Funny)

    by frank_adrian314159 ( 469671 ) on Tuesday March 02, 2004 @02:32PM (#8443588) Homepage
    IBM said to be reeling after this 30-year late counterpuch. News at eleven.
    • Actually, this is more like IBM's VM, but not exactly like that either - read the posts here and you'll see it does NOT create virtual machines (each of which requires its own operating system). LPAR gives you only a small and fixed number of OS contexts on a box: a z900 goes up only to 16! Virtualization via VM lets you have hundreds or several thousand, Zones lets you have hundreds or several thousands with less overhead.

      FWIW: LPARs were introduced by IBM in 1987 (plus or minus a year), and it was imita

  • What are the differences between the 3?

    I am curious if I could write some assembly level programs in a virtual state or isolated area that will be bullet proof. As you all know you can screw up and freeze your system if you make a mistake in assembly.

    I would love a way to write assembly level programs for computer science virtualized so if it freezes it wont take down the whole system.

    I multitask alot and use FreeBSD which unfortunatly does not have a journaling filesystem.

    User mode Linux seems promisin

  • Virtual routers anyone? (Score:2, Interesting)

    by sd3 ( 756787 )

    It would be interesting to virtualize the machine down to the IP level. You could run separate instances of routed (or whatever) in each virtualized machine's space, then have a router cloud-in-a-box. Now you can play games like changing the data or error rate on certain links, bring routers up or down, etc.

    Yes, I know you could use NISTnet [slashdot.org] but this would allow you to do other things. Besides, with a virtualized machine you get (?) more assurance that things are correct down to the Nth level.

    I tried

Slashdot Top Deals

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Close