• Introduction
• Solaris 10 Feature overview
• Solaris Zones
• Summary and Resources
Solaris Timeline
• 1990: work begins on Solaris 2.0
> Multithreading, scalability, real-time, ...
• 2000: major architectural efforts finish
> 64-bit, IPv6, NFS v3, ...
• Several different engineering teams began to
pursue new, radical ideas
• These ideas have taken 2-3 years to migrate to final
product
• 2004: all available in Solaris 10
TCP/IP Overhaul
• Problem:
> Poor “first byte” TCP/IP latency
> STREAMS are flexible but complex (=slow)
> NCA is fast but not generally used
• Solution:
> Major rewrite of TCP/IP implementation
> Eliminates STREAMS between TCP and IP
> Improved CPU locality
> No API changes
> Result: 20-40% on SPECweb99
Advanced Processor Support
• Problem:
> Emerging multithreaded/multicore processors have
new OS requirements
> Mostly CPU scheduling, synchronization
> Also need to cope with heterogeneous systems
• Solution:
> New scheduler design allows per-CPU optimizations
> Supports a variety of CMT enhancements for SPARC
and x86
> Behavior on existing systems unchanged
Process Rights Management
• Problem:
> Current “all or nothing” privilege model leads to
security problems
> Applications needing only a few privileged operations
run as root (network daemons)
> No way to limit root's privileges
> No way for non-root users to perform privileged
operations
• Solution:
> Fine-grained privileges allow apps and users to run
with just the privileges they need
> Even root can be restricted
Predictive Self-Healing
• Problem:
> Limited resilience to HW faults
> Ad hoc error reporting and handling
> Dependent on human fault diagnosis
• Solution:
> Cohesive structure for fault management
> Consistent standards for error and fault
reporting
> Pluggable diagnosis engines consuming error
event stream
> Tracks dependencies between system
components – needed to limit impact of faults
Predictive Self-Healing (cont'd)
• Problem:
> Ad hoc mechanisms for managing services:
rc scripts, /etc files
• Solution:
> Framework for service management
> Repository for configuration data
> Administrative enable/disable controls
> Fine-grained access control
> Link between applications and fault management
> Automated single-node restart
Solaris Zones
Zones Overview
• Provides virtualized OS services that look like
different Solaris instances
• Can improve system security
• Isolates applications from each other
• Hides details of the underlying platform
• Provides almost arbitrary granularity in isolating
and sharing resources
• Application environment is compatible for existing
programs
When to Deploy Zones
• Hostile and untrustworthy applications
> Sample 2 web servers each binding to port 80
> Untrusted software that should be isolated
• Data center consolidation
> Multiple database instances with different admins
• Hosting
> Consolidate many small customers onto a server,
giving some or all of them a root password
• Software development
> A cheap way to simulate a set of production systems,
test software installation, etcetera
What is a Zone
• Virtual Platform
> File systems
> Network interfaces
> Devices
> Resource Management Controls
• Application Environment
> Security
> Processes
> IPC objects
> Identity: Nodename, Timezone, RPC domain, Locale,
et cetera
Zones Block Diagram
global zone (serviceprovider.com)
blue zone (bslugs.com) foo zone (foo.net) beck zone (beck.org)
zone root: /aux0/bslugs zone root: /aux0/foonet zone root: /aux0/beck
web services login services web services
(Apache 1.3.22, J2SE) (OpenSSH sshd 3.4) (Apache 2.0)
Environment
Application
enterprise services network services network services
(Oracle 8i, IAS 6) (BIND 8.3, sendmail) (BIND 9.2, sendmail)
core services core services core services
(ypbind, automountd) (ypbind, inetd, rpcbind) (inetd, ldap_cachemgr)
/opt/yt
zcons
zcons
zcons
ce0:1
ge0:1
ge0:2
Platform
ce0:2
/usr
/usr
/usr
Virtual
zoneadmd zoneadmd zoneadmd
core services
remote admin/monitoring platform administration
(inetd, rpcbind, ypbind,
automountd, snmpd, dtlogin, (SNMP, SunMC, WBEM) (syseventd, devfsadm, ...)
sendmail, sshd, ...)
• Zone name
> Modeled after host names
• Zone path
• IP address
> Not required, but makes a zone more interesting
> IPv4 and IPv6 (manual configuration only)
> Unless explicitly provided as a prefix length, netmask
is looked up in netmasks(4) of the global zone
Inherited Package Directories