I recently began to work with a project whose software runs on Solaris.
The software is normally deployed on a Solaris Zone. At the application level, I see several ways in which container technology could benefit the project. Can multiple Solaris containers execute on a single Solaris zone?
I apologize if this is a no-brainer question, but I'm coming from an environment where we ran Docker containers on an AWS Linux VM, and the distinction between the VM and the container was very clear.
Generally you can think of a zone as being a server in its own right,
just not (always) direct access to its resources.
* So install all your apps etc in the zone.
* Don't allow users access to the GZ.
* A GZ can have separate admins to an NGZ
Patching is performed from the GZ (yes I know some can be done
from the NGZ, and KZ) but as the NGZ has kernel dependencies on the
GZ it makes sense.
Welcome to how the world should be :-)
(I'm sure Linux will catch up one day).
On 2/5/20 2:55 AM, YTC#1 wrote:
> Generally you can think of a zone as being a server in its own right,
> just not (always) direct access to its resources.
> * So install all your apps etc in the zone.
> * Don't allow users access to the GZ.
> * A GZ can have separate admins to an NGZ
I agree that zones can be thought of as a server in their own right. But
I don't think the same can be said about containers. At least not containers from outside of the Solaris Zone world.
Containers, as I understand them, are supposed to be /just/ the
application and its dependencies. The rest of the OS isn't there.
I feel like this is a stark contrast to Zones, which, as you say, are effectively a full server ~> OS in their own right.
> Patching is performed from the GZ (yes I know some can be done from
> the NGZ, and KZ) but as the NGZ has kernel dependencies on the GZ it
> makes sense.
This also differs from containers outside of Solaris. Containers
outside of the Solaris world are blown away and replaced. They aren't patched.
> Welcome to how the world should be :-)
> (I'm sure Linux will catch up one day).
Please elaborate on what you mean by these two statements.
I believe that Linux is capable of doing probably 80% (or more) of what Solaris Zones can do. It's just that few people do it. But, I'd like
to know more specifically what you're referring to.
> This also differs from containers outside of Solaris. Containers
> outside of the Solaris world are blown away and replaced. They aren't
> patched.
The OS separation, partitioning and isolation of resources, for one thing.
Being able to run branded zones for another.
In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
> The OS separation, partitioning and isolation of resources, for one thing.
> Being able to run branded zones for another.
I find the management of lx branded zones to be easier than
Linux containers as far as resource controls and networking.
IMO Crossbow VNICs are more intuitive than the Linux vnet/virbr
counterpart.
TBH, I have not used the LX brand since it was dropped from Solaris :-(
In article <r1rvkd$vkf$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
> TBH, I have not used the LX brand since it was dropped from Solaris :-(
I have had occasion to use them on illumos-based OmniOS. <URL:https://omniosce.org/info/lxzones.html>
Many thanks to Joyent for resurrecting after Oracle abandoned.
And have you seen kernel zones ?
In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
> And have you seen kernel zones ?
What are the use cases for kernel zones?
On 10/02/2020 22:01, John D Groenveld wrote:
> In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
>> And have you seen kernel zones ?
> What are the use cases for kernel zones?
I've had a couple of occasions where I just can't get an application to
work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
can lock some resources to a zone and have it stuck at S11.3 while the
GZ is at S11.4
(And in 1 case I have a zone at S11.3SRU23 because I couldn't be
bothered upgrading Apache for a simple in house use Twiki :-) )
They are more akin to LDoms than branded zones.
Oh, and then there are immutable zones. So what if someone hacks in ?
They can't write stuff :-)
In article <r1s6pr$d1k$1@dont-email.me>, Chris Ridd <chrisridd@mac.com> wrote:
> It is unfortunate they haven't kept up to date wrt Linux kernel changes.
> Joyent seem to prefer using bhve zones instead of lx nowadays, which is
> a shame.
I have had good success running Linux and FreeBSD on bhyve branded
zones.
<URL:https://omniosce.org/info/bhyve_kvm_brand.html>
But I haven't benchmarked lx zone vs bhyve with Centos7 Linux guest.
YTC#1 <bdp@ytc1.co.uk> writes:
> On 10/02/2020 22:01, John D Groenveld wrote:
>> In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
>>> And have you seen kernel zones ?
>> What are the use cases for kernel zones?
> I've had a couple of occasions where I just can't get an application to
> work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
> can lock some resources to a zone and have it stuck at S11.3 while the
> GZ is at S11.4
> (And in 1 case I have a zone at S11.3SRU23 because I couldn't be
> bothered upgrading Apache for a simple in house use Twiki :-) )
> They are more akin to LDoms than branded zones.
> Oh, and then there are immutable zones. So what if someone hacks in ?
> They can't write stuff :-)
Works for the global zone also (and thus for kernel zones)
On 11/02/2020 14:42, Casper H.S. Dik wrote:
> YTC#1 <bdp@ytc1.co.uk> writes:
>> On 10/02/2020 22:01, John D Groenveld wrote:
>>> In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
>>>> And have you seen kernel zones ?
>>> What are the use cases for kernel zones?
>> I've had a couple of occasions where I just can't get an application to
>> work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
>> can lock some resources to a zone and have it stuck at S11.3 while the
>> GZ is at S11.4
>> (And in 1 case I have a zone at S11.3SRU23 because I couldn't be
>> bothered upgrading Apache for a simple in house use Twiki :-) )
>> They are more akin to LDoms than branded zones.
>> Oh, and then there are immutable zones. So what if someone hacks in ?
>> They can't write stuff :-)
> Works for the global zone also (and thus for kernel zones)
Yeah, just don't make /var/tmp immutable, and forget you have done it :-)
The term "Containers" original meaning is: something to which you can
apply resource controls. Sun Marketing (snarky comment here) in their
wisdom called Solaris 10 Zones containers but the term originated with
an un-bundled Sun product (I think the name may have been different)
called Resource Management. This product introduced the first
"container" called "Projects".
This bundle was integrated into Solaris with the release of Solaris
9, as a little trivia, you can not log into Solaris without having
a project but that is a longer discussion.
So Marketing did correct this by dropping the term "Containers" with
the release of Solaris 11 but the damage was done and here we are. :)
A quick (simplified) description of Zones is separate user land
environments for workloads. With features I won't list but you already
are aware of those. And, of course, you can apply resource controls
to zones.
Dockers in Linux are more aligned with Projects in Solaris, by no means
the same thing but conceptually and purpose are similar (in my mind,
I won't argue this point, if you disagree, that's fine)
The statement that Kernel Zones are similar to a LDOM is correct,
KZ requires a lot more resources, particularly memory, than regular
zones. However you can have regular Zones in a Kernel Zone.
So, I would recommend Zones for application (workloads) that you
might have used with Dockers in Linux, Zones have drawbacks but that
too is a much longer discussion.
In GENERAL you can size for zones by looking at the overall resources available against the resources required by the workloads and then
place them in zones, you need not worry about the overhead of the
zone, it is minimal. You should try to balance resource utilization,
so not all high IO, or high memory or CPU utilization workloads are
on the same server. (Global Zone)
I wouldn't recommend Project if you have never used them, they are
not hard to use but for some reason the learning curve seems to be
a bit steep, YMMV. You can use projects within a Zone.
One last comment, lx zones were a proof of concept and not really
intended for production use, but were pretty cool... IMO.
In the non Solaris world, maybe.
As above, I was pointing out that the words are used to mean the
same thing. Back when they came out the usage swung one way or
another depending who was talking, and the two phrases are still
used occasionally.
Fine, but this is Solaris and it was a Solaris query. However,
zones can be treated in the same way providing you use a decent
installation tool.
Is it not obvious ?
Solaris zones are still seen as being way ahead of Linux containers.
There was a short period of time when docker was meant to appear on
Solaris, and work with containers. But that failed to pass :-(
The OS separation,
partitioning and isolation of resources, for one thing.
Being able to run branded zones for another.
And have you seen kernel zones ?
Fair enough, I am a Solaris through and through, and can be a touch
biased.
I find the concept of the isolation of a zone more like the
way I understand linux containers to work.
YTC#1 <bdp@ytc1.co.uk> writes:
> On 11/02/2020 14:42, Casper H.S. Dik wrote:
>> YTC#1 <bdp@ytc1.co.uk> writes:
>>> On 10/02/2020 22:01, John D Groenveld wrote:
>>>> In article <r1r6ht$brk$1@dont-email.me>, YTC#1 <bdp@ytc1.co.uk> wrote:
>>>>> And have you seen kernel zones ?
>>>> What are the use cases for kernel zones?
>>> I've had a couple of occasions where I just can't get an application to
>>> work in S11.4, even after unfreezing obsolete stuff. On x86 it means I
>>> can lock some resources to a zone and have it stuck at S11.3 while the
>>> GZ is at S11.4
>>> (And in 1 case I have a zone at S11.3SRU23 because I couldn't be
>>> bothered upgrading Apache for a simple in house use Twiki :-) )
>>> They are more akin to LDoms than branded zones.
>>> Oh, and then there are immutable zones. So what if someone hacks in ?
>>> They can't write stuff :-)
>> Works for the global zone also (and thus for kernel zones)
> Yeah, just don't make /var/tmp immutable, and forget you have done it :-)
That is, I think, only true in the "strict" profile.
Of course, we did make sure that libc and some other applications
should not use /var/tmp when it is not writable.
Casper
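The immutable-zone point above (and the /var/tmp caveat) as an added example, not code from anyone in this thread: a small sh script that emits the zonecfg(1M) commands for an immutable zone and audits a constructed zone inventory for the profiles under which /var/tmp ends up read-only. It assumes Solaris 11 file-mac-profile values (none, flexible-configuration, fixed-configuration, strict); zone names and the inventory are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Solaris 11 zonecfg syntax;
# zone names, paths and the inventory below are constructed.

# Emit a zonecfg command file creating a solaris-brand zone with the given
# file-mac-profile (none, flexible-configuration, fixed-configuration, strict).
# Feed it to: zonecfg -z "$zone" -f <file>
immutable_zone_cmds() {
  zone=$1 profile=$2
  printf 'create -b\nset zonepath=/zones/%s\nset brand=solaris\n' "$zone"
  printf 'set file-mac-profile=%s\ncommit\n' "$profile"
}

# Does this profile leave /var/tmp writable? Only "strict" makes all of
# /var read-only; fixed- and flexible-configuration still allow writes
# under /var (the case Casper refers to above).
var_tmp_writable() {
  case $1 in
    strict) return 1 ;;
    none|fixed-configuration|flexible-configuration) return 0 ;;
    *) echo "unknown file-mac-profile: $1" >&2; return 2 ;;
  esac
}

# Audit: read "<zone> <profile>" lines (e.g. collected with
#   for z in $(zoneadm list -c); do zonecfg -z "$z" info file-mac-profile; done
# and reshaped into two columns) and print zones whose /var/tmp is read-only,
# so nobody "forgets they have done it".
audit_strict_zones() {
  while read -r zone profile; do
    [ -n "$zone" ] || continue
    var_tmp_writable "$profile" || echo "$zone"
  done
}

# Constructed sample inventory; not real output from any system.
SAMPLE_INVENTORY='web01 strict
db01 fixed-configuration
app02 flexible-configuration
dev03 none'

# Number of zones in the sample where /var/tmp is read-only (expected: 1).
count_strict() {
  printf '%s\n' "$SAMPLE_INVENTORY" | audit_strict_zones | wc -l | tr -d ' '
}
```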
On 2/10/20 2:08 AM, YTC#1 wrote:
> In the non Solaris world, maybe.
Is chroot still a thing in the Solaris world now that zones are common?
> As above, I was pointing out that the words are used to mean the same
> thing. Back when they came out the usage swung one way or another
> depending who was talking, and the two phrases are still used
> occasionally.
Am I understanding you correctly that in the Solaris parlance, zone ≈ container. Thus Solaris meaning ≠ non-Solaris meaning?
> Fine, but this is Solaris and it was a Solaris query. However, zones
> can be treated in the same way providing you use a decent installation
> tool.
Technology can be used a lot of different ways.
How common is it to blow a NGZ away and "deploy" a new version of it vs patching (upgrading) said NGZ?
> Is it not obvious ?
No. Hence my question.
> Solaris zones are still seen as being way ahead of Linux containers.
Please elaborate on /why/ Solaris zones are seen as being way ahead of
Linux containers. I'm specifically interested in /what/ is different
and /how/ that is significant.
> There was a short period of time when docker was meant to appear on
> Solaris, and work with containers. But that failed to pass :-(
Interesting, and somewhat unsurprising given how Docker seems to want to
be everywhere. My opinion of Docker not withstanding.
> The OS separation,
Unfortunately, that's too generic for me to get any value out of
> partitioning and isolation of resources, for one thing.
I believe that it's possible to use cgroups to restrict which resources
that a "container" (in non-Solaris parlance) has access to. I believe there are even ways to control processor affinity to ensure that two "containers" can't interfere with each other. I believe that similar
can be done with other resources.
> Being able to run branded zones for another.
I know it's a different methodology, but I suspect that User Mode Linux
— which allows running different kernels, older or newer — can provide similar functionality to branded zones. I expect that this can be
extended to allow running CentOS 6 w/ a 4.x kernel on an Ubuntu host
running a 5.x kernel. (Or vice versa.)
Will it be as easy, or pretty as branded zones, no. Is similar functionality possible, probably.
Looks like it, but I believe the Solaris approach may be more performant.
> And have you seen kernel zones ?
I believe that a kernel zone would be quite similar to a UML kernel
running a different Linux distribution than the host.
> Fair enough, I am a Solaris through and through, and can be a touch
> biased.
I have no problem with biases as long as people are aware of the bias
and still willing to have polite discussions. :-)
I know that I'm biased towards Linux, but I'm trying to keep an open
mind and learn about other things. I have respect for Solaris and SPARC
hardware. Despite the last Solaris environment I was in being
administered like it was the late '90s. I see Solaris LDOMs as being similar in concept to AIX LPARs, particularly with service domains being
analogs to VIOs, especially when there are multiple redundant service
domains / VIOs. I believe there is a LOT of capability there. I wish
more people took advantage of it.
> I find the concept of the isolation of a zone more like the way
> I understand linux containers to work.
Can I ask that you elaborate on what you think each side of that
statement means?
> The statement that Kernel Zones are similar to a LDOM is correct, KZ
> requires a lot more resources, particularly memory, than regular
> zones. However you can have regular Zones in a Kernel Zone.
To me, LDOM is a hardware partition concept. I'm guessing that the KZ
is a software partition concept, which runs inside of an LDOM. Is that correct?