Configuring Nexenta Zone - Example
OpenSolaris is not only powerful, but also very innovative. Somebody smart figured out that the simplistic chroot or BSD jail concepts could be extended to the level where every single part of the hardware is virtualized. The Linux kernel also offers a somewhat similar proposition called vserver, but we all know that until a proposition is part of the main-line kernel tree it will never be a solution (*). Well, forget about Linux, we have OpenSolaris now and it truly opens new horizons for us to explore.
OK. Let's get started with Nexenta Zones!
First, we need to make sure that "nexenta-zones" package is installed. If it is not, just do:
$ sudo apt-get update
$ sudo apt-get install nexenta-zones sunwzoneu
The package adds debootstrap capability to fetch packages out of the APT repository and integrates it with the zoneadm command. We are now ready to configure our new zone.
Let's list what I have on my box:
$ zoneadm list -vc
  ID NAME             STATUS     PATH
   0 global           running    /
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
Great! I have a global zone with status "running" :-), and 3 more zones with status "installed". I'm going to add a new zone named "zone4":
$ sudo zonecfg -z zone4
zone4: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone4> create
zonecfg:zone4> set zonepath=/zone/4
zonecfg:zone4> set autoboot=false
zonecfg:zone4> add net
zonecfg:zone4:net> set address=172.10.7.104
zonecfg:zone4:net> set physical=ipw0
zonecfg:zone4:net> end
zonecfg:zone4> info
zonename: zone4
zonepath: /zone/4
autoboot: false
pool:
limitpriv:
inherit-pkg-dir:
dir: /lib
inherit-pkg-dir:
dir: /platform
inherit-pkg-dir:
dir: /sbin
inherit-pkg-dir:
dir: /usr
net:
address: 172.10.7.104
physical: ipw0
I don't want loopback-mounted dirs from the global zone. Frankly, I don't see the point of using the inherit-pkg-dir property, since we have the APT repository, which manages setups and offers some more flexibility. So I removed them (**):
zonecfg:zone4> remove inherit-pkg-dir dir=/lib
zonecfg:zone4> remove inherit-pkg-dir dir=/platform
zonecfg:zone4> remove inherit-pkg-dir dir=/sbin
zonecfg:zone4> remove inherit-pkg-dir dir=/usr
zonecfg:zone4> info
zonename: zone4
zonepath: /zone/4
autoboot: false
pool:
limitpriv:
net:
address: 172.10.7.104
physical: ipw0
At the end, to finalize my changes I do:
zonecfg:zone4> verify
zonecfg:zone4> commit
zonecfg:zone4> ^D
$
The above also creates a new configuration file, /etc/zones/zone4.xml. Theoretically it could be modified manually, but "zonecfg" offers a somewhat more intelligent way of managing zones.
Now let's see what we've got:
$ zoneadm list -vc
  ID NAME             STATUS     PATH
   0 global           running    /
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
   - zone4            configured /zone/4
Below is the actual installation procedure for "zone4". Notice that I'm using the environment variable BOOTSTRAP_EXTRA_DEBS to pass the "apache2" package to the /usr/bin/createzone script via the zoneadm command line: zoneadm calls /usr/lib/lu/lucreatezone, which is a symlink to /usr/bin/createzone. The variable takes a space-separated list of packages:
export BOOTSTRAP_EXTRA_DEBS="pkg1 pkg2 ..."
The command requires internet connectivity and will take quite a bit of time, since it needs to download about 100Mb of packages.
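The interactive zonecfg session above can be scripted. The following is an added example, not code from the original post or from the Nexenta project: it builds a zonecfg command file and feeds it to zonecfg with its -f option, using the blank template ("create -b", see footnote **) so no inherit-pkg-dir entries have to be removed afterwards, and keeps autoboot=false as in the post. The helper names valid_zonename, valid_ipv4, zonecfg_script and zone_configure are my own, and the input checks are a precaution I added, not something zonecfg requires. The address may optionally carry a /prefix length; without one the zone's netmask defaults to the classful ffff0000 that shows up in the ifconfig output of the post.

```shell
#!/bin/sh
# Added example (not from the original post): script the zonecfg session.
# Usage: ./mkzone.sh ZONENAME ZONEPATH ADDRESS[/PREFIX] NIC
#   e.g. ./mkzone.sh zone4 /zone/4 172.10.7.104/24 ipw0

# Zone names: 1-63 chars, alphanumerics plus "_", "-", "."; the first character
# must be alphanumeric; "global" is reserved for the global zone.
valid_zonename() {
    case "$1" in
        '' | *[!A-Za-z0-9_.-]* | [!A-Za-z0-9]* | global) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Dotted-quad IPv4 address with an optional /0-32 prefix (hypothetical helper).
valid_ipv4() {
    ip="${1%%/*}"
    case "$1" in */*) prefix="${1#*/}" ;; *) prefix=32 ;; esac
    case "$prefix" in '' | *[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in '' | *[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# zonecfg_script NAME PATH ADDRESS NIC: print the zonecfg command file for one
# shared-IP zone.  "create -b" is the blank template, so the file contains no
# inherit-pkg-dir entries at all.
zonecfg_script() {
    name="$1"; path="$2"; addr="$3"; nic="$4"
    valid_zonename "$name" || { echo "bad zone name: $name" >&2; return 1; }
    valid_ipv4 "$addr"     || { echo "bad address: $addr" >&2; return 1; }
    case "$path" in /*) ;; *) echo "zonepath must be absolute: $path" >&2; return 1 ;; esac
    cat <<EOF
create -b
set zonepath=$path
set autoboot=false
add net
set address=$addr
set physical=$nic
end
verify
commit
EOF
}

# zone_configure NAME PATH ADDRESS NIC: write the command file to a temp file,
# hand it to zonecfg (which verifies and commits it), then list all zones.
zone_configure() {
    tmp=$(mktemp) || return 1
    zonecfg_script "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    sudo zonecfg -z "$1" -f "$tmp"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && zoneadm list -vc
    return "$rc"
}

# Only act when invoked with arguments; sourcing the file just defines the helpers.
if [ "$#" -gt 0 ]; then
    zone_configure "$@"
fi
```

The generated file is exactly the sequence typed interactively in the post, minus the four remove steps, so the resulting /etc/zones/zone4.xml is the same as the one produced above.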
$ BOOTSTRAP_EXTRA_DEBS=apache2 sudo zoneadm -z zone4 install
__ _ _____
/\ \ \_____ _____ _ __ | |_ __ _ / _ / ___ _ __ ___ ___
/ \/ / _ \ \/ / _ \ '_ \| __/ _` | \// / / _ \| '_ \ / _ \/ __|
/ /\ / __/> < __/ | | | || (_| | / //\ (_) | | | | __/\__ \
\_\ \/ \___/_/\_\___|_| |_|\__\__,_| /____/\___/|_| |_|\___||___/
This operation will take some time.
I: Retrieving Packages.gz
I: Resolving dependencies of required packages...
I: Resolving dependencies of base packages...
I: Found additional base dependencies: apache2-common apache2-mpm-worker apache2-utils libapr0 libmagic1 mime-support openssl readline-common ssl-cert vim-common vim-runtime
I: Retrieving adduser
I: Validating adduser
I: Retrieving apache2
I: Validating apache2
...
...
I: Configuring sasl2-bin...
I: Configuring apache2-utils...
I: Configuring apache2-common...
I: Configuring apache2-mpm-worker...
I: Configuring apache2...
I: Base system installed successfully.
That's it, my new zone is installed. And we see that the status of "zone4" changed to "installed":
$ zoneadm list -vc
  ID NAME             STATUS     PATH
   0 global           running    /
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
   - zone4            installed  /zone/4
I am now ready to boot it manually:
$ sudo zoneadm -z zone4 boot
Interestingly, new interfaces lo0:1 and ipw0:1 appear in the system, and their properties show that those interfaces belong to "zone4":
$ ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
zone zone4
inet 127.0.0.1 netmask ff000000
ipw0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 3
inet 172.10.7.8 netmask ffffff00 broadcast 172.10.7.255
ether 0:4:23:87:4a:f9
ipw0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
zone zone4
inet 172.10.7.104 netmask ffff0000 broadcast 172.10.255.255
And "zone4" status is now changed to "running":
$ zoneadm list -vc
  ID NAME             STATUS     PATH
   0 global           running    /
   1 zone4            running    /zone/4
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
Now let's see if we can log in to our new zone:
$ sudo zlogin zone4
[Connected to zone 'zone4' pts/7]
root@zone4:~# ifconfig -a
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
ipw0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
inet 172.10.7.104 netmask ffff0000 broadcast 172.10.255.255
Yep, I'm in. And I see that only the newly created interfaces are visible. OK. I'll exit now and see if apache is actually started and serving on port 80:
$ telnet 172.10.7.104 80
Trying 172.10.7.104...
Connected to 172.10.7.104.
Escape character is '^]'.
GET
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html>
<head>
<title>Index of /</title>
</head>
<body>
<h1>Index of /</h1>
<address>Apache/2.0.55 (GNU_OpenSolaris) Server at 127.0.0.1 Port 80</address>
</body></html>
Connection to 172.10.7.104 closed by foreign host.
Yep, it is. Apache is installed and is now running in my newly created zone. Sure, the newly created zone has apt-get, aptitude and all the "required" software, which will help you easily manage a setup. I'll shut it down for now:
$ sudo zoneadm -z zone4 halt
$ zoneadm list -vc
  ID NAME             STATUS     PATH
   0 global           running    /
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
   - zone4            installed  /zone/4
OK, time to go get some tea :-). OK, you're back. What's that you say? You named your zone wrong and want to rename it? That's fine by me. Let's try this on for size, see if you can follow along. I'm assuming that you want to rename zone4 to zone33. Maybe you were working on a software upgrade for what was running in zone3 and wanted to try another version. That's easy enough. There are a couple of steps to changing the name of your zone. This assumes you have your zone stored on a ZFS file system, and that you have halted your zone like we did above.
$ sudo zonecfg -z zone4
zonecfg:zone4> info
zonename: zone4
zonepath: /zone/4
brand: native
autoboot: false
bootargs:
pool:
limitpriv:
scheduling-class:
ip-type: shared
net:
address: 172.10.7.104
physical: ipw0
Now we need to update the zone to have the new name. So let's try that out from inside zonecfg.
zonecfg:zone4> set zonename=zone33
zonecfg:zone33> set zonepath=/zone/33
zonecfg:zone33> verify
zonecfg:zone33> commit
zonecfg:zone33> exit
The zone configuration now knows about the new name and the new path; we just need to move the ZFS file system. This assumes you have a zpool named syspool with a ZFS filesystem on it named zone, that your old zone was installed into a ZFS file system under it, and that your renamed zone is going to be a ZFS file system as well.
$ sudo zfs rename syspool/zone/4 syspool/zone/33
$ sudo zoneadm -z zone33 boot
After a while you should see the newly named zone33 come up. This is because OpenSolaris rocks so hard: it lets us combine the powers of zones and ZFS with the ease of use of Debian and apt to accomplish amazing things. Once zfs has moved our filesystem the zone rename is complete, and we can keep working on our zone under its new name once it's booted up. Now go tell all your buddies in IRC.
[*] Solution, in my understanding, means an integrated and supported proposition, either by the distribution vendor or as part of the main-line kernel. A separately maintained set of patches which drastically changes the behaviour of the kernel does not count.
[**] One could eliminate the zonecfg "remove inherit-pkg-dir ..." steps by using the blank template to create the zone, i.e., in zonecfg do "create -b". Then the zone won't have the inherit-pkg-dir directives by default.
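The rename depends on two things the post states but never checks: the zone must be halted (zoneadm lists it as "installed", not "running"), and the zonepath and the ZFS dataset have to move together. The following is an added example of mine, not code from the post or from the Nexenta project: it parses the zoneadm list -vc output, refuses to proceed unless those preconditions hold and the new name is free, and prints the three commands before running them. SAMPLE_LIST is a constructed copy of the listing in the post; the mapping from zonepath /zone/N to dataset syspool/zone/N is the post's own assumption and is passed in as the pool name (on a real box one would look the dataset up with zfs list); zone_field, zone_status, zone_path, rename_plan and zone_rename are my names.

```shell
#!/bin/sh
# Added example (not from the original post): guarded zone rename.
# Usage: ./renamezone.sh OLD NEW NEWPATH POOL
#   e.g. ./renamezone.sh zone4 zone33 /zone/33 syspool

# Constructed sample of "zoneadm list -vc" output, mirroring the post's box.
SAMPLE_LIST='  ID NAME             STATUS     PATH
   0 global           running    /
   - zone1            installed  /zone/1
   - zone2            installed  /zone/2
   - zone3            installed  /zone/3
   - zone4            installed  /zone/4'

# zone_field NAME COLUMN [LISTING]: print one column of NAME's row, or "absent".
# LISTING defaults to the live "zoneadm list -vc"; tests pass SAMPLE_LIST.
zone_field() {
    listing="${3:-$(zoneadm list -vc)}"
    printf '%s\n' "$listing" | awk -v z="$1" -v c="$2" '
        NR > 1 && $2 == z { print $c; found = 1 }
        END { if (!found) print "absent" }'
}
zone_status() { zone_field "$1" 3 "$2"; }   # running / installed / configured / absent
zone_path()   { zone_field "$1" 4 "$2"; }   # zonepath column

# rename_plan OLD NEW NEWPATH POOL [LISTING]: check the preconditions, then
# print the commands to run, one per line, without executing anything.
rename_plan() {
    old="$1"; new="$2"; newpath="$3"; pool="$4"; listing="${5:-$(zoneadm list -vc)}"
    status=$(zone_status "$old" "$listing")
    [ "$status" = installed ] || {
        echo "refusing: $old is '$status'; halt it first (zoneadm -z $old halt)" >&2; return 1; }
    [ "$(zone_status "$new" "$listing")" = absent ] || {
        echo "refusing: a zone named $new already exists" >&2; return 1; }
    case "$newpath" in /*) ;; *) echo "refusing: zonepath must be absolute" >&2; return 1 ;; esac
    oldpath=$(zone_path "$old" "$listing")
    # Assumption taken from the post: dataset name = pool name + zonepath.
    printf 'zonecfg -z %s "set zonename=%s; set zonepath=%s; verify; commit"\n' "$old" "$new" "$newpath"
    printf 'zfs rename %s%s %s%s\n' "$pool" "$oldpath" "$pool" "$newpath"
    printf 'zoneadm -z %s boot\n' "$new"
}

# zone_rename OLD NEW NEWPATH POOL: show the plan, then run it as root with
# "sh -e" so a failing zonecfg step never leaves zfs rename half-applied.
zone_rename() {
    plan=$(rename_plan "$@") || return 1
    printf '%s\n' "$plan"
    printf '%s\n' "$plan" | sudo sh -e
}

# Only act when invoked with arguments; sourcing the file just defines the helpers.
if [ "$#" -gt 0 ]; then
    zone_rename "$@"
fi
```

The zonecfg line passes the same four subcommands typed interactively above as one semicolon-separated string, which zonecfg accepts on its command line; the rest is the post's zfs rename and boot, run only after the checks pass.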
