Solaris Containers
Research Design Team
Leading The Way

Agenda
► Containers and the TCO game
► Solaris Resource Management
► Solaris Zones
► Solaris 10 benefits
► Potential Usage

Consolidation and the TCO shell game
► “Consolidate”
► What constitutes consolidation?
► Factors to consider
► “Work Smarter…”

Solaris Containers
► Build customized, isolated containers, each with its own IP address, file system, users, and assigned resources, to safely and easily consolidate systems
► Guarantee sufficient CPU and memory resource allocation to applications while retaining the ability to use idle resources as needed
► Reserve and allocate a specific CPU or group of CPUs for the exclusive use of the container
► Automatically recover from potentially catastrophic system problems by leveraging the combined functionality of Predictive Self Healing and Solaris Containers

Solaris Resource Management
► All features are included in Solaris
► Fair Share Scheduler
    Controls allocation of CPU
    Meets application SLAs
    Real-time allocation based on what else is running
► Dynamic Resource Pools
► Extended Accounting

In the Zone…
► Virtualized OS layer
    File system
    Network
    Processes
    Devices
► Privacy: cannot see other zones on the same host
► Security: cannot affect activity outside the zone
► Failure isolation: an application failure in one zone does not affect other zones

Failure Isolation
► Each process is associated with one zone
► From within a zone, only processes in the same zone can be seen or affected
► “root” in a zone has authority for that zone only!

Security
► Each zone has a security boundary
► Processes running in a zone are unable to affect activity in the global zone or other zones
► A compromised zone cannot escalate its privileges

File Systems
► Each zone is allocated its own root (/)
► File systems can be inherited read-only, copied into the zone, or mounted read-write:
    /usr, /lib, /sbin and /platform are read-only
    /etc and /opt are copied into zones
► Sections of a file system can be mounted into one or more zones (read-only)

Patch and Package Management
► The global system administrator can administer software on every zone
► The global zone uses Solaris packaging and patch tools

Network and Identity
► Each zone has its own identity
    Node name, RPC domain name, time zone
    Separate /etc/passwd
    Private IP addresses
► Only one TCP/IP stack per kernel
    Each zone is shielded from stack specifics
    Each zone is prohibited from viewing other zones' traffic
► Each zone has its own logical network interfaces

Global Zone
► Is assigned ID 0 by the system
► Provides the single instance of the Solaris kernel that is bootable and running on the system
► Contains a complete installation of the Solaris system packages
► Can contain additional software packages or additional software, directories, files, and other data not installed through packages
► Provides a complete and consistent product database that contains information about all software components installed in the global zone
► Holds configuration information specific to the global zone only, such as the global zone host name and file system table
► Is the only zone that is aware of all devices and all file systems
► Is the only zone with knowledge of non-global zone existence and configuration
► Is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled

Non-global or Local Zone
► Is assigned a zone ID by the system when the zone is booted
► Shares operation under the Solaris kernel booted from the global zone
► Contains an installed subset of the complete Solaris Operating System software packages
► Contains Solaris software packages shared from the global zone
► Can contain additional installed software packages not shared from the global zone
► Can contain additional software, directories, files, and other data created on the non-global zone that are not installed through packages or shared from the global zone
► Has a complete and consistent product database that contains information about all software components installed on the zone
► Is not aware of the existence of any other zones
► Cannot install, manage, or uninstall other zones, including itself
► Has configuration information specific to that non-global zone only

Solaris 10 Benefits
► Dynamic Tracing (DTrace)
► Predictive Self Healing
► Services
► The Least Privilege Model
► Linux Application Environment (allows users on x86 systems to take existing, unmodified Linux binaries and run them on the Solaris platform)

UPS futures
► Limit/reduce overall TCO
    Consolidate and reduce the number of OS images to maintain
    Reduced number of server footprints
► Use of commodity hardware
► Increased flexibility
► Reduced time to market

Possible applications?
► MRS lab: simultaneous training on new products and features
► Build environments for POC efforts quickly
► Horizontally scaled applications

Q&A
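As an added example that is not part of the slide deck, the POSIX shell script below generates the zonecfg(1M) command file for a non-global zone laid out the way the File Systems, Network and Identity and Solaris Resource Management slides describe: /usr, /lib, /sbin and /platform inherited read-only from the global zone, the zone's own root under its zonepath, a private IP on a logical interface, a Fair Share Scheduler CPU-share guarantee and a resource-pool binding. The zone name, zonepath, address, interface, pool name and share count are assumed values.

```shell
# Added example (not from the slides): emit a zonecfg(1M) command file for a
# non-global zone. Inheriting /usr, /lib, /sbin and /platform read-only means
# the zone cannot alter system binaries and the global administrator patches
# them once for every zone; /etc and /opt live in the zone's own root.
ZONE=web1                 # hypothetical zone name
ZONEPATH=/zones/web1      # hypothetical zonepath (zone's own root lives here)
ADDR=192.0.2.10/24        # constructed address from the documentation range
NIC=bge0                  # hypothetical physical NIC behind the logical interface
POOL=pool_web             # hypothetical pool created beforehand with poolcfg(1M)
SHARES=20                 # FSS shares relative to other zones on the host
# Print the zonecfg commands; "create -b" starts blank so every inherited
# directory is listed explicitly rather than taken from the default template.
gen_zonecfg() {
  cat <<EOF
create -b
set zonepath=$ZONEPATH
set autoboot=true
set pool=$POOL
EOF
  for d in /usr /lib /sbin /platform; do
    printf 'add inherit-pkg-dir\nset dir=%s\nend\n' "$d"
  done
  cat <<EOF
add net
set address=$ADDR
set physical=$NIC
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=$SHARES,action=none)
end
verify
commit
EOF
}
# Check the generated file before handing it to zonecfg: the four read-only
# directories are inherited, /etc and /opt are not (the zone gets its own
# copies), and the CPU-share control is present. Returns 0 when all hold.
check_cfg() {
  cfg=$(gen_zonecfg)
  for d in /usr /lib /sbin /platform; do
    echo "$cfg" | grep -q "^set dir=$d\$" || return 1
  done
  if echo "$cfg" | grep -q -e '^set dir=/etc$' -e '^set dir=/opt$'; then return 1; fi
  echo "$cfg" | grep -q '^set name=zone.cpu-shares$' || return 1
}
```

On a Solaris 10 global zone, write the output to a file and apply it with zonecfg -z web1 -f that-file; the pool must already exist and FSS must be the scheduling class in use for the shares to have any effect.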