Solaris 10 branded zone VM Templates for Solaris 11 on OTN

Posted by jsavit on Oracle Blogs See other posts from Oracle Blogs or by jsavit
Published on Tue, 22 Nov 2011 19:11:20 -0600 Indexed on 2011/11/23 9:59 UTC
Read the original article Hit count: 949

Filed under:

/Oracle

Early this year I wrote the article Ours Goes To 11 which describes the ability to import Solaris 10 systems into a "Solaris 10 branded zone" under Oracle Solaris 11. I did this using Solaris 11 Express, and the capability remains in Solaris 11 with only slight changes. This important tool lets you painlessly inhaling a Solaris Container from Solaris 10 or entire Solaris 10 systems ("the global zone") into virtualized environments on a Solaris 11 OS.

Just recently, Oracle provided Oracle VM Templates for Oracle Solaris 10 Zones to let you create Solaris 10 branded zones for Solaris 11 even if you don't currently have access to install media or a running Solaris 10 system. To use this, just download the Oracle VM Template for Oracle Solaris Zone 10 from OTN at http://www.oracle.com/technetwork/server-storage/solaris11/downloads/virtual-machines-1355605.html. This page contains images of Oracle Solaris 10 8/11 (the recent update to Solaris 10) in SPARC and x86 formats suitable for creating branded zones. The same page also has a VirtualBox image you can download for a complete Solaris 10 install in a guest virtual machine you can run on any host OS that supports VirtualBox. Both sets of downloads provide a quick - and extremely easy - way to set up a virtual Solaris 10 environment. In the case of the Oracle VM Templates, they illustrate several advanced features of Solaris 11.

To start, just go to the above link, download the template for the hardware platform (SPARC or x86) you want, and download the README file also linked from that page.

Install prerequisites

The README file tells you to install the prerequisite Solaris 11 package that implements the Solaris 10 brand. Then you can install instances of zones with that brand.

# pkg install pkg:/system/zones/brand/brand-solaris10
           Packages to install:   1
       Create boot environment:  No
Create backup boot environment: Yes

DOWNLOAD                                  PKGS       FILES    XFER (MB)
Completed                                  1/1       44/44      0.4/0.4

PHASE                                        ACTIONS
Install Phase                                  74/74 

PHASE                                          ITEMS
Package State Update Phase                       1/1 
Image State Update Phase                         2/2

That took only a few minutes, and didn't require a reboot.

Install the Solaris 10 zone

Now it's time to run the downloaded template file. First make it executable via the chmod command, of course. I found that (unlike stated in the README) there was no need to rename the downloaded file to remove the .bin. When you run it you provide several parameters to describe the zone configuration:

-a IP address - the IP address and optional netmask for the zone. This is the only mandatory parameter.
-z zonename - the name of the zone you would like to create.
-i interface - the package will create an exclusive-IP zone using a virtual NIC (vnic) based on this physical interface. In my case, I have a NIC called rge0.
-p PATH - specifies the path in which you want the zoneroot to be placed. In my case, I have a ZFS dataset mounted at /zones, and this will create a zoneroot at /zones/s10u10.

Kicking it off, you will see a copyright message, and then messages showing progress building the zone, which only takes a few minutes.

# ./solaris-10u10-x86.bin -p /zones -a 192.168.1.100 -i rge0 -z s10u10

...
...

Checking disk-space for extraction
  Ok

Extracting in /export/home/CDimages/s10zone/bootimage.ihaqvh ...
100% [===============================>]

Checking data integrity
  Ok

Checking platform compatibility
      The host  and  the image  do not have  the same Solaris release:
        host  Solaris release:   5.11
        image Solaris release:   5.10

      Will create a Solaris 10 branded zone.

  Warning: could not find a defaultrouter
  Zone won't have any defaultrouter configured


IMAGE:      ./solaris-10u10-x86.bin
ZONE:       s10u10
ZONEPATH:   /zones/s10u10
INTERFACE:  rge0
VNIC:       vnicZBI13379
MAC ADDR:   2:8:20:5c:1a:cc
IP ADDR:    192.168.1.100
NETMASK:    255.255.255.0
DEFROUTER:  NONE
TIMEZONE:   US/Arizona

Checking disk-space for installation
  Ok

Installing in /zones/s10u10 ...
100% [===============================>]

Using a static exclusive-IP

Attaching s10u10

Booting s10u10

  Waiting for boot to complete
  booting...
  booting...
  booting...

Zone s10u10 booted

The zone's root password  has been set using the
root password of the local host.
You  can  change  the  zone's  root password  to
further harden  the security of the zone:  being
root,  log  into the zone  from  the  local host
with  the command 'zlogin s10u10'.
Once logged in, change the root password with the
command 'passwd'.

The nifty part in my opinion (besides being so easy), is that the zone was created as an exclusive-IP zone on a virtual NIC. This network configuration lets you enforce traffic isolation from other zones, enforce network Quality of Service, and even let the zone set its own characteristics like IP address and packet size.

Independence of the zone's network characteristics from the global zone is one of the enhancements in Solaris 10 that make it easier to consolidate zones while preserving their autonomy, yet provide control in a consolidated environment.

Let's see what the virtual network environment looks like by issuing commands from the Solaris 11 global zone. First I'll use Old School ifconfig, and then I'll use the new ipadm and dladm commands.

# ifconfig -a4
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
rge0: flags=1004943<UP,BROADCAST,RUNNING,PROMISC,MULTICAST,DHCP,IPv4> mtu 1500 index 2
	inet 192.168.1.3 netmask ffffff00 broadcast 192.168.1.255
	ether 0:14:d1:18:ac:bc 
vboxnet0: flags=201000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4,CoS> mtu 1500 index 3
	inet 192.168.56.1 netmask ffffff00 broadcast 192.168.56.255
	ether 8:0:27:f8:62:1c 
# dladm show-phys
LINK              MEDIA                STATE      SPEED  DUPLEX    DEVICE
yge0              Ethernet             unknown    0      unknown   yge0
yge1              Ethernet             unknown    0      unknown   yge1
rge0              Ethernet             up         1000   full      rge0
vboxnet0          Ethernet             up         1000   full      vboxnet0
# dladm show-link
LINK                CLASS     MTU    STATE    OVER
yge0                phys      1500   unknown  --
yge1                phys      1500   unknown  --
rge0                phys      1500   up       --
vboxnet0            phys      1500   up       --
vnicZBI13379        vnic      1500   up       rge0
s10u10/vnicZBI13379 vnic      1500   up       rge0
s10u10/net0         vnic      1500   up       rge0
# dladm show-vnic
LINK                OVER         SPEED  MACADDRESS        MACADDRTYPE       VID
vnicZBI13379        rge0         1000   2:8:20:5c:1a:cc   random            0
s10u10/vnicZBI13379 rge0         1000   2:8:20:5c:1a:cc   random            0
s10u10/net0         rge0         1000   2:8:20:9d:d0:79   random            0
# ipadm show-addr
ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
rge0/_a           dhcp     ok           192.168.1.3/24
vboxnet0/_a       static   ok           192.168.56.1/24
lo0/v6            static   ok           ::1/128

Log into the zone

The install step already booted the zone, so lets log into it. Notice how you have to be appropriately privileged to log into a zone. This is my home system so I'm being a bit cavalier, but in a production environment you can give granular control of who can login to which zones. Voila! a Solaris 10 environment under a Solaris 11 kernel. Notice the output from the uname -a and ifconfig commands, and output from a ping to a nearby host.

$ zlogin s10u10
zlogin: You lack sufficient privilege to run this command (all privs required)
savit@home:~$ sudo zlogin s10u10
Password: 
[Connected to zone 's10u10' pts/5]
Oracle Corporation	SunOS 5.10	Generic Patch	January 2005
# uname -a
SunOS s10u10 5.10 Generic_Virtual i86pc i386 i86pc
# ifconfig -a4
lo0: flags=2001000849 mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
vnicZBI13379: flags=1000843 mtu 1500 index 2
	inet 192.168.1.100 netmask ffffff00 broadcast 192.168.1.255
	ether 2:8:20:5c:1a:cc 
# bash
bash-3.2# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
	inet 127.0.0.1 netmask ff000000 
vnicZBI13379: flags=1000843 mtu 1500 index 2
	inet 192.168.1.100 netmask ffffff00 broadcast 192.168.1.255
	ether 2:8:20:5c:1a:cc 
bash-3.2# ping 192.168.1.2
192.168.1.2 is alive

For fun, I configured Apache (setting its configuration file in /etc/apache2) and brought it up. Easy - took just a few minutes.

bash-3.2# svcs  apache2
STATE          STIME    FMRI
disabled       12:38:46 svc:/network/http:apache2
bash-3.2# svcadm enable apache2

Summary

In just a few minutes, I built a functioning virtual Solaris 10 environment under by Solaris 11 system. It was... easy! While I can still do it the manual way (creating and using a system archive), this is a low-effort way to create a Solaris 10 zone on Solaris 11.

Developer IT