Virtualization: Zones

A 2007 talk by Brendan Gregg about the Solaris Zones technology (on Linux these are called containers).


PDF: Sun2007_Zones_Intro.pdf

Keywords (from pdftotext):

slide 1:
    Virtualisation: Zones
    Brendan Gregg
    Sun Microsystems
    May 2007

    # zonecfg -z small-zone
    small-zone: No such zone configured
    Use 'create' to begin configuring a new
    zonecfg:small-zone> create
    zonecfg:small-zone> set autoboot=true
    zonecfg:small-zone> set zonepath=/export
    zonecfg:small-zone> add net
    zonecfg:small-zone:net> set address=192.
    zonecfg:small-zone:net> set physical=hme
    zonecfg:small-zone:net> end
    zonecfg:small-zone> info
    zonepath: /export/small-zone
    autoboot: true
    pool:
    inherit-pkg-dir:
        dir: /lib
    inherit-pkg-dir:
        dir: /platform
    inherit-pkg-dir:
        dir: /sbin
    inherit-pkg-dir:
        dir: /usr
    net:
        address: 192.168.2.101
        physical: hme0
    zonecfg:small-zone> verify
    zonecfg:small-zone> commit
    
slide 2:
    Virtualisation: Zones
    • This presentation is about Solaris 10 Zones and
    Containers.
    • These slides cover:
    > What are Zones? Containers?
    > Zone Features
    > Zone Types
    > Maintenance
    > Security
    > Resource Management
    > Monitoring
    
slide 3:
    What are Zones?
    • Virtual instance of Solaris
    • Software Partition of the OS
    • A virtualisation solution (along with LDoms, Xen, ...)
    [Diagram: Solaris 10; Zone 1, Zone 2, Zone 3; Kernel]
    
slide 4:
    Zone Features
    • Great Performance
    • Easy Administration
    • Resource Controls
    • Observability
    • Security
    • Low on-disk footprint
    • Supported since Solaris 10 3/05
    
slide 5:
    Not Zone Features
    • Since there is only one kernel, the following cannot
    currently be achieved using Zones:
    > Zones for testing kernel patches
    – There are no separate “test kernels” to try patches on
    > Zones for different OSes and Solaris versions
    – BrandZ for creating Linux zones is one exception (so far)
    
slide 6:
    What is best: Zones or VM?
    • Performance: Zones
    > No doubling of syscall and kernel overheads
    • Observability: Zones
    > Sysadmins can see inside all zones at once
    • Security: Zones
    > Read-only /usr by default, and secure monitoring
    • Administration: Zones
    > Zones have easy and fast creation/destruction
    • Different OSes: VM
    > There is BrandZ for Zones; but can't do different kernels
    
slide 7:
    What are Containers
    • Zones + Resource Controls
    • Guide to History,
    > 1998 - Sun creates Solaris Resource Manager (SRM)
    as a software package
    > 2002 - SRM features added to Solaris 9, and additional
    features added to Solaris 9 updates
    > 2005 - Resource Control features applied to Solaris 10
    Zones, then improved in Solaris 10 updates
    [Diagram: Solaris Container; Resource Controls; Zone]
    
slide 8:
    Zone Types
    • Global Zone
    > A default Solaris 10 system
    > Can access raw devices
    > Has direct access to the kernel
    – mdb -k
    – patching
    > Exists whether you use zones or not
    
slide 9:
    Zone Types
    • Sparse Root Zone
    > This “small zone” shares binaries with the global zone
    [Diagram] Global Zone (/dev/dsk/c0t0d0s0): /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes
    [Diagram] Small Zone: /usr /lib /sbin /platform via lofs (ro) from the Global Zone; own /var /etc /opt, ~ 100 Mbytes
    
slide 10:
    Zone Types
    • Whole Root Zone
    > This “big zone” has its own OS files
    [Diagram] Global Zone (/dev/dsk/c0t0d0s0): /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes
    [Diagram] Big Zone (/dev/dsk/c0t1d0s0): /usr /lib /sbin /platform /var /etc /opt, ~ 4 Gbytes
    
slide 11:
    Zone Types
    • BrandZ
    > A “Branded Zone”, allows a zone to run non-native
    operating environments
    > lx brand - for Linux zone, provides syscall translation
    > Can run CentOS 3.x, Red Hat Enterprise Linux 3.x
    – Versions 3.5 to 3.8 for both
    > DTrace can trace Linux applications using the
    lxsyscall provider from the global zone
    
slide 12:
    Zone Types
    • Sparse Root Zone is default
    • Sparse Root Zone advantages
    > Low disk overhead
    > Faster creation, destruction, boot
    > Better performance (higher OS file cache hit rate)
    > Secure - read-only binary files
    • When to use the Whole Root Zone
    > When OS binaries need to be modified, customised.
    
slide 13:
    Zone Example
    • Creating a sparse root zone,
    # zonecfg -z small-zone
    small-zone: No such zone configured
    Use 'create' to begin configuring a new zone.
    zonecfg:small-zone> create
    zonecfg:small-zone> set autoboot=true
    zonecfg:small-zone> set zonepath=/export/small-zone
    zonecfg:small-zone> add net
    zonecfg:small-zone:net> set address=192.168.2.101
    zonecfg:small-zone:net> set physical=hme0
    zonecfg:small-zone:net> end
    zonecfg:small-zone> verify
    zonecfg:small-zone> commit
    zonecfg:small-zone> exit
    # zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running
       - small-zone       configured     /export/small-zone
    
slide 14:
    Zone Example
    • Installing a sparse root zone,
    # zoneadm -z small-zone verify
    # zoneadm -z small-zone install
    Preparing to install zone <...>.
    Creating list of files to copy from the global zone.
    Copying <...> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <...> packages on the zone.
    Initialized <...> packages on zone.
    Zone <...> is initialized.
    Installation of these packages generated warnings: <...>
    The file <...>
    contains a log of the zone installation.
    # zoneadm -z small-zone boot
    # zoneadm list -cv
      ID NAME             STATUS         PATH
       0 global           running
       1 small-zone       running        /export/small-zone
    
slide 15:
    Maintenance
    • Packages
    > pkgadd is zone aware
    – from global will attempt installing to all zones, unless -G
    • Patching
    > patchadd is zone aware
    – from global will attempt installing to all zones if needed
    • Upgrading
    > Upgrades on the global zone will upgrade all zones
    (Solaris 10 1/06); live upgrade, check for support (soon)
    • Cloning
    > fast zone creation, especially on ZFS
    
slide 16:
    Security
    • Zones are ideal as security containers
    • Some applications have a high risk of attack, such
    as public facing web servers hosting cgi scripts
    • What happens if you think your server may be
    compromised?
    > Your Intrusion Response Plan may involve booting from
    “known to be good” CDROMs for analysis. Imagine the
    down time. Picture making that call if you suspect an
    attack but have no hard proof (it is tough!)
    > Zones can be examined live from a “known to be good”
    global Zone, which runs no risky software but ssh.
    
slide 17:
    Resource Management
    • Many resource management features are available,
    depending on the version of Solaris 10
    > features in italic are in development

    Resource         Fine Control              Coarse Control
    CPU              FSS                       Processor Sets
    Memory           rcapd                     Memory Sets
    Disk Size        ZFS, SVM soft partitions  volumes, disks
    Disk Throughput                            disks, controllers
    Network          IPQoS                     Separate NICs
    Swap             swap-max                  Swap Sets
    
slide 18:
    FSS
    • Fair Share Scheduler
    > Fine grained CPU resource control
    > Allocate each zone a share value
    > Each zone gets a CPU ration of its shares divided by
    total busy shares
    > If only one zone is busy, it gets 100% CPU
    > Good for CPU utilisation - ROI
    [Diagram: Global Zone, Zone 1, Zone 2, Zone 3; labelled 50 shares, 10 shares, 10 shares, 20 shares]
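
The share arithmetic from this slide, worked through as an added Python example (not part of the original slides). It assumes the diagram's four share values belong to the zones in the order listed, and `fss_entitlement` is a hypothetical helper name; the result is the split FSS enforces when the CPUs are contended.

```python
from fractions import Fraction

# Share values from the slide's diagram; the zone-to-value pairing by
# listing order is an assumption.
SLIDE_SHARES = {"global": 50, "zone1": 10, "zone2": 10, "zone3": 20}


def fss_entitlement(shares, busy):
    """Return each zone's CPU fraction: its shares / total busy shares.

    shares: zone name -> FSS share value
    busy:   zones that currently have runnable work
    Idle zones drop out of the denominator, so their shares are
    effectively lent to the busy zones.
    """
    busy = set(busy)
    unknown = busy - set(shares)
    if unknown:
        raise ValueError(f"no share value for: {sorted(unknown)}")
    active = {z: s for z, s in shares.items() if z in busy and s > 0}
    total = sum(active.values())
    return {
        z: Fraction(active[z], total) if z in active else Fraction(0)
        for z in shares
    }


def as_percent(entitlement):
    """Render fractions as rounded percentages for display."""
    return {z: round(float(f) * 100, 1) for z, f in entitlement.items()}


if __name__ == "__main__":
    scenarios = {
        # Every zone busy: a runaway zone1 is held to 10/90 of the CPU.
        "all busy": SLIDE_SHARES.keys(),
        # Only one zone busy: it may use the whole machine.
        "only zone1 busy": {"zone1"},
        # Two busy zones split the CPU 10:20.
        "zone1 and zone3 busy": {"zone1", "zone3"},
    }
    for label, busy in scenarios.items():
        print(label, as_percent(fss_entitlement(SLIDE_SHARES, busy)))
```
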
    
slide 19:
    Pools
    • CPU Resource Pools
    > Allows fixed CPU allocation
    – useful for by-CPU licensing
    > Allows min/max CPU configs
    – CPU allocation can be tweaked manually
    – CPU allocation can change during dynamic reconfiguration
    (add/remove system boards)
    – CPU allocation can move based on configured objectives
    [Diagram: Global Zone, Zone 1, Zone 2, Zone 3; labelled 1 - 3 CPUs, 1 CPU, 2 CPUs, 2 - 4 CPUs]
    
slide 20:
    Monitoring
    • Many Solaris observability tools are zone aware
    > some are only zone aware with psets (this will get better)
    • ps -Z, df -hZ
    • prstat -Z - by-zone status
    # prstat -Z
       PID USERNAME  SIZE   RSS STATE  PRI NICE      TIME  CPU PROCESS/NLWP
      2008 root     4000K 1168K cpu513  28        0:02:11 3.7% cpuhog.pl/1
    [...]
    ZONEID    NPROC  SIZE   RSS MEMORY      TIME  CPU ZONE
                 51  182M   93M   0.5%   0:37:27  59% workzone1
                 51  182M   92M   0.5%   0:16:25  30% workzone2
                 51  183M   93M   0.5%   0:16:30  10% workzone3
                 61  359M  194M   1.1%   0:00:11 0.1% global
                 34  116M   72M   0.4%   0:00:12 0.0% workzone4
    Total: 248 processes, 659 lwps, load averages: 51.19, 40.28, 20.52
    
slide 21:
    References
    • http://www.opensolaris.org/os/community/zones
    • http://docs.sun.com
    > Zones and Containers System Administration Guide
    • http://www.solarisinternals.com/wiki/index.php/Zones
    > Community wiki
    
slide 22:
    Ctrl-D
    Brendan Gregg
    brendan@sun.com