This page contains scripts, links to other sites and "howto" docs that the staff at Open Technologies Inc. commonly use. You are free to use this material as you wish, but we take NO responsibility for your proper or improper use of this material. See Limitation of Liability below.

Description: A quick howto on how to create a simple zone in Solaris 10

----------------------
Revision Table
Created: 10/25/04 pjf
Revised: 01/05/05 pjf
         04/29/05 pjf
         08/07/06 pjf
         03/03/08 pjf
----------------------

Zones can be built using different tools. We will show two approaches: 1) using the manual steps outlined below, or 2) using a script from Sun called "zonemgr". We have added wrapper scripts called "makezones" and "createzones" to simplify the use of the zonemgr script.

---#1 Manual -------------------

The following example uses a zone named "ldap" on a V240 that has a "bge0" network interface.

1. Install Solaris 10
2. mkdir -p /zones/ldap
3. chmod -R 700 /zones
4. zonecfg -z ldap
   a. zonecfg:ldap> create
   b. zonecfg:ldap> set zonepath=/zones/ldap
   c. zonecfg:ldap> set autoboot=true
   d. zonecfg:ldap> add net
   e. zonecfg:ldap:net> set address=192.168.0.231
   f. zonecfg:ldap:net> set physical=bge0
   g. zonecfg:ldap:net> end
   h. zonecfg:ldap> verify   (optional)
   i. zonecfg:ldap> commit   (optional)
   j. zonecfg:ldap> exit

   NOTE: One way to make a "fat zone" (i.e., one that does not inherit or use several of the global zone's directories, such as "/usr/local", in read-only mode) is to edit the zone's configuration file in /etc/zones and remove the lines containing the word "inherited."

5. zoneadm -z ldap install
6. zoneadm -z ldap ready
   # zoneadm list -civ   (can be used to list zones and their status)
7. zoneadm -z ldap boot
8.
   zlogin -C ldap   (console for finishing the zone build)

---#2 Scripted -------------------

Script "makethese":

    /root/scripts/createzone imailp 204.137.66.132
    /root/scripts/createzone mmpp 204.137.66.133

Script "createzone":

    /root/scripts/zonemgr -a add -n $1 -P "password" -I $2 -t w -s lock -R /root \
        -C /etc/ssh/sshd_config -C /etc/profile -C /etc/sfw/openssl/openssl.cnf \
        -C /usr/sfw/bin/CA.pl -C /etc/defaultdomain -C /etc/resolv.conf \
        -C /etc/nsswitch.conf -S ssh -z /zones

Script "zonemgr"

--- Additional notes --------------

File Systems

Each non-global zone has its own file system name space, although a file system can be shared among zones. The global zone file systems are loopback-mounted into a zone using lofs(7FS). Besides lofs, the autofs, tmpfs, mntfs, ctfs, procfs and NFS (client) file systems can be mounted locally in a non-global zone.

To hide a global-zone directory, for example /usr/local, from non-global zones, a global-zone administrator can create an empty directory in the global zone and configure a read-only loopback mount of it on top of the directory in question in the non-global zone:

    global# zonecfg -z my-zone
    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/usr/local
    zonecfg:my-zone:fs> set special=/empty
    zonecfg:my-zone:fs> set type=lofs
    zonecfg:my-zone:fs> add options ro
    zonecfg:my-zone:fs> end

Several ways are available to add a file system to a non-global zone:

* Use an LOFS mount:

    global# newfs /dev/rdsk/c1t0d0s0
    global# mount /dev/dsk/c1t0d0s0 /mystuff
    global# zonecfg -z my-zone
    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/usr/mystuff
    zonecfg:my-zone:fs> set special=/mystuff
    zonecfg:my-zone:fs> set type=lofs
    zonecfg:my-zone:fs> end

* Use a UFS mount:

    global# newfs /dev/rdsk/c1t0d0s0
    global# zonecfg -z my-zone
    zonecfg:my-zone> add fs
    zonecfg:my-zone:fs> set dir=/usr/mystuff
    zonecfg:my-zone:fs> set special=/dev/dsk/c1t0d0s0
    zonecfg:my-zone:fs> set raw=/dev/rdsk/c1t0d0s0
    zonecfg:my-zone:fs> set type=ufs
    zonecfg:my-zone:fs> end

* Export the device node and mount from the non-global zone:

    global# zonecfg -z my-zone
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/rdsk/c1t0d0s0
    zonecfg:my-zone:device> end
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/dsk/c1t0d0s0
    zonecfg:my-zone:device> end
    my-zone# newfs /dev/rdsk/c1t0d0s0
    my-zone# mount /dev/dsk/c1t0d0s0 /usr/mystuff

* Mount UFS directly from the global zone:

    # mount /dev/dsk/c1t0d0s0 /export/home/my-zone/root/usr/mystuff

* Add LOFI to the mix:

    global# newfs /dev/rdsk/c1t0d0s0
    global# mount /dev/dsk/c1t0d0s0 /mystuff
    global# mkfile 1g /mystuff/myfile
    global# lofiadm -a /mystuff/myfile
    global# zonecfg -z my-zone
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/rlofi/1
    zonecfg:my-zone:device> end
    zonecfg:my-zone> add device
    zonecfg:my-zone:device> set match=/dev/lofi/1
    zonecfg:my-zone:device> end

-----------------------------------
http://www.sun.com/software/solaris/howtoguides/containersLowRes.jsp
http://docs.sun.com/app/docs/doc/819-4099/6n69a9soe?a=view

In this example, the first Web server is installed in /usr/local/bin, which means we need to configure the zone to support this. To configure a read-write /usr/local directory:

3. In the global zone, create the directory to be exported to the zone, using the mkdir(1) command.
   global# mkdir -p /export/home/zones/Web1-zone/local
4. Set the permissions such that only root in the global zone can enter this directory, using the chmod(1) command.
   global# chmod 700 /export/home/zones/Web1-zone
5. Create the directory on which the file system is to be mounted if it doesn't already exist (otherwise skip this step).
   global# mkdir /usr/local
6. Enter the zone configuration tool for this zone, using zonecfg(1M).
   global# zonecfg -z Web1-zone
7. Add a file system to the zone, using the add fs command.
   zonecfg:Web1-zone> add fs
8. Specify a directory in the zone on which the file system can be mounted.
   zonecfg:Web1-zone:fs> set dir=/usr/local
9.
   Export the directory from the global zone to the new zone.
   zonecfg:Web1-zone:fs> set special=/export/home/zones/Web1-zone/local
10. Set the file system type to the loopback file system.
    zonecfg:Web1-zone:fs> set type=lofs
11. Set the directory to have read and write permissions.
    zonecfg:Web1-zone:fs> set options=[rw,nodevices]
12. End the configuration.
    zonecfg:Web1-zone:fs> end
13. Be sure to verify and commit the configuration, and then install and boot the zone. Perform a system configuration as shown in the Zone Login section of the Sun guide linked above (Page 8, Step 11).
    zonecfg:Web1-zone> verify
    zonecfg:Web1-zone> commit
    zonecfg:Web1-zone> exit
    global# zoneadm -z Web1-zone install
    [output omitted here for brevity]
    global# zoneadm -z Web1-zone boot
    global# zlogin -C Web1-zone

Note: zoneadm list -cv is a quick way to see what state the zone is in.

This results in the configuration depicted in Figure 10 of the Sun guide. You now have two containers created: one with a fixed amount of CPU, and one dynamically sharing CPU with the global zone. A second zone is added to the system, and is assigned three shares.

Creating the Second Web Server Container

Once the Container for the first Web server is created, installed, and booted, a Container can be created for the second Web server. This Container is similar to the one just created, but will be assigned a different number of FSS shares, and also includes access to a CD-ROM device and a raw disk partition.

To create the second Container:

1. Create the zone for the second Web site using the same process used to create the Web1-zone zone. Be sure to change the name of the zone, its location, the name of the pool used, and the IP address.
   zonecfg -z Web2-zone
   Web2-zone: No such zone configured
   Use 'create' to begin configuring a new zone.
   zonecfg:Web2-zone> create
   zonecfg:Web2-zone> set zonepath=/export/home/zones/Web2-zone
   zonecfg:Web2-zone> add net
   zonecfg:Web2-zone:net> set address=10.0.0.3
   zonecfg:Web2-zone:net> set physical=eri0
   zonecfg:Web2-zone:net> end
   zonecfg:Web2-zone> set pool=pool_default
2. Specify the use of the Fair Share Scheduler, and assign two shares to the zone.
   zonecfg:Web2-zone> add rctl
   zonecfg:Web2-zone:rctl> set name=zone.cpu-shares
   zonecfg:Web2-zone:rctl> add value (priv=privileged,limit=2,action=none)
   zonecfg:Web2-zone:rctl> end

To give the users of the Container access to the CD-ROM device:

3. Add a file system to the zone, using add fs.
   zonecfg:Web2-zone> add fs
4. Specify the CD-ROM directory for the zone.
   zonecfg:Web2-zone:fs> set dir=/cdrom
5. Export the directory from the global zone to the new zone.
   zonecfg:Web2-zone:fs> set special=/cdrom
6. Use the loopback file system.
   zonecfg:Web2-zone:fs> set type=lofs
7. Set the directory to have read-only permission, because it is a read-only CD device.
   zonecfg:Web2-zone:fs> set options=[ro,nodevices]
8. End the configuration.
   zonecfg:Web2-zone:fs> end

Note: If CD-ROM access is granted to a zone, other zones should not be configured to access the same CD-ROM drive.

To configure the zone to access a raw device (raw disk partition), perform the following steps:

9. Add the block device for the raw partition to the zone.
   zonecfg:Web2-zone> add device
   zonecfg:Web2-zone:device> set match=/dev/dsk/c0t0d0s6
   zonecfg:Web2-zone:device> end
10. Add the character device for the raw partition to the zone.
    zonecfg:Web2-zone> add device
    zonecfg:Web2-zone:device> set match=/dev/rdsk/c0t0d0s6
    zonecfg:Web2-zone:device> end
    zonecfg:Web2-zone> verify
    zonecfg:Web2-zone> commit
    zonecfg:Web2-zone> exit

The global zone administrator must ensure the disk partition is not exported to other zones for the duration of this process. Failure to do so may result in data corruption.

11. Install, boot, and configure.
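Added example, not code from the original page or from Sun: a small POSIX shell script that replays the manual zonecfg steps of section #1 above (create, zonepath, autoboot, add net, verify, commit) through a command file given to zonecfg -z NAME -f FILE, so that the zone name, zonepath, address and interface are checked before zonecfg(1M) sees them. The function names, the validation rules (the zone-name rule is my assumption: first character alphanumeric, then letters, digits, "_", "-" or ".", 64 characters at most, and never "global") and the driver at the bottom are this example's own; the driver only does anything when the script is run with four arguments on a Solaris 10 global zone.

```sh
#!/bin/sh
# Added example (not from the original page): replay the manual zonecfg
# steps from section #1 through a command file, validating the inputs first.
# Function names and the validation rules are this example's own choices.

# is_ipv4 ADDR: succeed if ADDR is a dotted quad with each octet 0-255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# is_zonename NAME: succeed if NAME looks like something zonecfg accepts.
# Assumed rule: starts with a letter or digit, then letters, digits, "_",
# "-" or ".", at most 64 characters, and never the reserved name "global".
is_zonename() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$' \
        && [ "$1" != global ]
}

# gen_zonecfg NAME ZONEPATH ADDRESS NIC: print the zonecfg command file
# equivalent to steps 4a-4i above (verify and commit included).
gen_zonecfg() {
    name=$1
    zpath=$2
    addr=$3
    nic=$4
    is_zonename "$name" || { echo "bad zone name: $name" >&2; return 1; }
    is_ipv4 "$addr"     || { echo "bad IPv4 address: $addr" >&2; return 1; }
    case $zpath in
        /*) ;;
        *)  echo "zonepath must be absolute: $zpath" >&2; return 1 ;;
    esac
    cat <<EOF
create
set zonepath=$zpath
set autoboot=true
add net
set address=$addr
set physical=$nic
end
verify
commit
EOF
}

# When run on a Solaris 10 global zone with four arguments, carry out
# steps 2-8 (mkdir, chmod 700 on the zonepath, zonecfg -f, install, boot,
# console login). With no arguments nothing below runs.
if [ $# -eq 4 ]; then
    cfg=$(mktemp /tmp/zonecfg.XXXXXX) || exit 1
    gen_zonecfg "$1" "$2" "$3" "$4" > "$cfg" || exit 1
    mkdir -p "$2" && chmod 700 "$2"       # zoneadm install insists on mode 700
    zonecfg -z "$1" -f "$cfg" && rm -f "$cfg"
    zoneadm -z "$1" install && zoneadm -z "$1" boot && exec zlogin -C "$1"
fi
```

Usage on the V240 from section #1 would be `sh makezone.sh ldap /zones/ldap 192.168.0.231 bge0` (script name assumed); a typo such as 192.168.0.256 or a relative zonepath stops the script before any zone state is touched, which is the point of generating the command file rather than typing at the zonecfg prompt.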
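Added example, not part of the original page or of the Sun guide it quotes: an audit script for the file-system and device configurations shown in the Additional Notes and in the Web1-zone/Web2-zone steps above. It reads the output of `zonecfg -z NAME export` (a real zonecfg subcommand) and reports every read-write lofs mount of a global-zone directory and every device node matched into a zone, then compares several zones and lists any resource exported to more than one of them, which is exactly what the note on CD-ROM access and the warning about the disk partition forbid. The function names are mine, and the two configuration dumps are constructed for the example: in them Web1-zone has the read-write /usr/local from the steps above and, by mistake, the same /dev/dsk/c0t0d0s6 partition that Web2-zone was given.

```sh
#!/bin/sh
# Added example (not from the original page or the Sun guide): audit the
# file-system and device resources a zone configuration hands to a zone.
# Input is the output of "zonecfg -z NAME export"; the dumps below are
# constructed for this example.

# audit_export ZONE: read an export dump on stdin and print one finding per
# read-write lofs mount (a global-zone directory the zone can modify) and
# per device node matched into the zone.
audit_export() {
    awk -v zone="$1" '
        /^add fs$/     { sect = "fs"; dir = special = type = ""; ro = 0; next }
        /^add device$/ { sect = "dev"; next }
        sect == "fs" && /^set dir=/     { dir = substr($0, 9) }
        sect == "fs" && /^set special=/ { special = substr($0, 13) }
        sect == "fs" && /^set type=/    { type = substr($0, 10) }
        sect == "fs" && /options/ {
            # handles both "add options ro" and "set options=[ro,nodevices]"
            s = $0; gsub(/.*options=?\[?|\]/, "", s)
            n = split(s, o, /[ ,]+/)
            for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1
        }
        sect == "dev" && /^set match=/ { print zone ": device " substr($0, 11) }
        /^end$/ {
            if (sect == "fs" && type == "lofs" && !ro)
                print zone ": read-write lofs " dir " <- " special
            sect = ""
        }'
}

# list_exports ZONE: read an export dump on stdin and print "ZONE RESOURCE"
# for every fs special and device match, for cross-zone comparison.
list_exports() {
    awk -v zone="$1" '
        /^set special=/ { print zone, substr($0, 13) }
        /^set match=/   { print zone, substr($0, 11) }'
}

# shared_exports: read the combined list_exports output of several zones on
# stdin and print every resource that appears in more than one zone.
shared_exports() {
    sort -u | awk '
        { n[$2]++; z[$2] = z[$2] " " $1 }
        END { for (r in n) if (n[r] > 1) print r ":" z[r] }' | sort
}

# Constructed dumps. Web1-zone has the read-write /usr/local from the steps
# above and, by mistake, the same /dev/dsk/c0t0d0s6 partition as Web2-zone.
WEB1_CFG='create -b
set zonepath=/export/home/zones/Web1-zone
set autoboot=false
add fs
set dir=/usr/local
set special=/export/home/zones/Web1-zone/local
set type=lofs
add options rw
add options nodevices
end
add net
set address=10.0.0.2
set physical=eri0
end
add device
set match=/dev/dsk/c0t0d0s6
end'

WEB2_CFG='create -b
set zonepath=/export/home/zones/Web2-zone
add fs
set dir=/cdrom
set special=/cdrom
set type=lofs
add options ro
add options nodevices
end
add device
set match=/dev/dsk/c0t0d0s6
end
add device
set match=/dev/rdsk/c0t0d0s6
end'

# Demonstration run on the constructed dumps; on a live system replace the
# printf with:  zonecfg -z Web1-zone export | audit_export Web1-zone
printf '%s\n' "$WEB1_CFG" | audit_export Web1-zone
printf '%s\n' "$WEB2_CFG" | audit_export Web2-zone
{ printf '%s\n' "$WEB1_CFG" | list_exports Web1-zone
  printf '%s\n' "$WEB2_CFG" | list_exports Web2-zone; } | shared_exports
```

The read-only /cdrom mount produces no finding, the read-write /usr/local and the device nodes each produce one line, and the final command prints `/dev/dsk/c0t0d0s6: Web1-zone Web2-zone`, the double export the guide says may corrupt data. Running the audit over every zone in `zoneadm list -c` before committing a change is a cheap way to keep the "one zone per partition" rule honest.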
LIMITATION OF LIABILITY TO THE FULL EXTENT PERMITTED BY LAW, HOST IS NOT LIABLE TO YOU OR ANY OTHER INDIVIDUAL OR ENTITY FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, SPECIAL OR CONSEQUENTIAL DAMAGES RELATED TO OR ARISING OUT OF ANY USE OF, ACCESS TO, OR INABILITY TO ACCESS THIS WEBSITE, CONTENT, SERVICES, OR OF ANY OTHER LINKED WEBSITE OR EXTERNAL RESOURCE INCLUDING, WITHOUT LIMITATION, ANY LOST PROFITS, LOST SALES, LOST REVENUE, LOSS OF GOODWILL, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA EVEN IF OPEN TECHNOLOGIES INC. IS EXPRESSLY ADVISED OR AWARE OF THE POSSIBILITY OF SUCH DAMAGES OR LOSSES. YOU ASSUME ALL RISK FOR ANY DAMAGE TO YOUR COMPUTER SYSTEM OR LOSS OF DATA THAT RESULTS FROM OBTAINING ANY CONTENT FROM THE WEBSITE, INCLUDING ANY DAMAGES RESULTING FROM COMPUTER VIRUSES, WORMS, OR OTHER ITEMS OF A DESTRUCTIVE NATURE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.