System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones

Chapter 31 About Branded Zones and the Linux Branded Zone

Branded zones are available beginning with the Solaris 10 8/07 release. Features added in later update releases are identified by release.

The branded zones facility in the Solaris Operating System is a simple extension of Solaris Zones. This chapter discusses the branded zones concept and the lx brand, which implements Linux branded zones functionality. Linux branded zones are also known as Solaris Containers for Linux Applications.


Note –

Although you can configure and install branded zones on a Trusted Solaris system that has labels enabled, you cannot boot branded zones on this system configuration.



Note –

Additional brands are supported on the Solaris Operating System.

The following two brands are supported on SPARC machines running the Solaris 10 8/07 Operating System or later Solaris 10 release:

The cluster brand, documented in the Sun Cluster 3.2 1/09 Software Collection for Solaris OS on docs.sun.com, is also supported on the Solaris 10 release.


About Using Zones on a Solaris System

See Chapter 16, Introduction to Solaris Zones for general information on the use of zones on a Solaris system.

You should be familiar with the following zones and resource management concepts:

The Glossary provides definitions for terms used with zones and resource management features.

Any additional information required to use branded zones on your system is provided in this part of the guide.


Note –

The following chapters in this guide are not applicable to branded zones:


Branded Zones Technology

The branded zone (BrandZ) framework extends the Solaris Zones infrastructure, documented in this manual in Part II, Zones, to include the creation of brands. The term brand can refer to a wide range of operating environments. BrandZ enables the creation of non-global zones that contain non-native operating environments used for running applications. The brand type is used to determine the scripts that are executed when a zone is installed and booted. In addition, a zone's brand is used to properly identify the correct application type at application launch time. All brand management is performed through extensions to the current zones structure.

A brand can provide a simple or a complex environment. For example, a simple environment could replace the standard Solaris utilities with their GNU equivalents. A complex environment could provide a complete Linux user space which supports the execution of Linux applications.

Every zone is configured with an associated brand. The default is the native brand, Solaris. A branded zone will support exactly one brand of non-native binary, which means that a branded zone provides a single operating environment.

BrandZ extends the zones tools in the following ways:


Note –

You can change the brand of a zone in the configured state. Once a branded zone has been installed, that brand cannot be changed or removed.


Processes Running in a Branded Zone

Branded zones provide a set of interposition points in the kernel that are only applied to processes executing in a branded zone.

A brand can also provide a plug-in library for librtld_db. The plug-in library allows Solaris tools such as the debugger, described in mdb(1), and DTrace, described in dtrace(1M), to access the symbol information of processes running inside a branded zone.

Branded Zone Device Support

The devices supported by each zone are documented in the man pages and other documentation for that brand. Device support is defined by the brand. A brand can choose to disallow the addition of any unsupported or unrecognized devices.

Branded Zone File System Support

The file systems required for a branded zone are defined by the brand.

Privileges in a Branded Zone

The privileges available in a branded zone are defined by the brand. For more information about privileges, see Privileges in a Non-Global Zone and Configurable Privileges in an lx Branded Zone.

About the lx Brand

The lx brand uses the branded zones framework to enable Linux binary applications to run unmodified on a machine with a Solaris Operating System kernel.

The machine must have one of the following supported i686 processor types:

Supported Linux Distributions

The lx brand includes the tools necessary to install a CentOS 3.x or Red Hat Enterprise Linux 3.x distribution inside a non-global zone. Versions 3.5 to 3.8 of each distribution are supported. The brand supports the execution of 32-bit Linux applications on x86 and x64 machines running the Solaris system in either 32-bit or 64-bit mode.

The lx brand emulates the system call interfaces provided by the Linux 2.4.21 kernel, as modified by Red Hat in the RHEL 3.x distributions. This kernel provides the system call interfaces consumed by the glibc version 2.3.2 released by Red Hat.

In addition, the lx brand partially emulates the Linux /dev and /proc interfaces.


Caution – Caution –

Note that you must maintain a supported configuration if you add packages to an lx branded zone. See About Maintaining a Supported Configuration for more information.


Application Support

The Solaris system imposes no limit on the number of Linux applications you can run in an lx branded zone. Sufficient memory must be available. Also see System and Space Requirements.

Regardless of the underlying kernel, only 32-bit Linux applications are able to run.

The lx zone supports only user-level Linux applications. You cannot use Linux device drivers, Linux kernel modules, or Linux file systems from inside an lx zone.

See http://hub.opensolaris.org/bin/view/Community+Group+brandz/applications for a list of some applications that have been successfully run under the lx brand. See How to Install an Application in an lx Branded Zone for an example of installing an application.

You cannot run Solaris applications inside an lx zone. However, the lx zone enables you to use the Solaris system to develop, test, and deploy Linux applications. For example, you can place a Linux application in an lx zone and analyze it using Solaris tools run from the global zone. You can then make improvements and deploy the tuned application on a native Linux system.

Debugging Tools

Solaris debugging tools such as DTrace and mdb can be applied to Linux processes executing inside the zone, but the tools themselves must be running in the global zone. Any core files generated are produced in the Solaris format and can only be debugged with Solaris tools.

DTrace is enabled for Linux applications by the DTrace lxsyscall dynamic tracing provider. The provider acts like the DTrace syscall provider. The lxsyscall provider provides probes that fire whenever a thread enters or returns from a Linux system call entry point.

For more information on debugging options, see the Solaris Dynamic Tracing Guide, and the dtrace(1M) and mdb(1) man pages. The Solaris Dynamic Tracing Guide describes the public documented interfaces available for the DTrace facility. The documentation about the syscall provider can be used for the lxsyscall provider.


Note –

Because NFS is dependent on name services, which are zone specific, you cannot access any NFS file system that is mounted outside of the current zone. Thus, you cannot debug NFS-based Linux processes from the global zone.


Commands and Other Interfaces

The commands identified in the following table provide the primary administrative interface to the zones facility.

Table 31–1 Commands and Other Interfaces Used With lx Branded Zones

Command Reference 

Description 

zlogin(1)

Log in to a non-global zone 

zoneadm(1M)

Administers zones on a system 

zonecfg(1M)

Used to set up a zone configuration 

getzoneid(3C)

Used to map between zone ID and name 

brands(5)

Provides description of branded zones facility 

lx(5)

Provides description of Linux branded zones 

zones(5)

Provides description of zones facility 

lx_systrace(7D)

DTrace Linux system call tracing provider 

zcons(7D)

Zone console device driver 

The zoneadmd daemon is the primary process for managing the zone's virtual platform. The man page for the zoneadmd daemon is zoneadmd(1M). The daemon does not constitute a programming interface.


Note –

Table 27–5 covers commands that can be used in the global zone to display information about all non-global zones, including branded zones. Table 27–4 covers commands used with the resource capping daemon.


Setting Up lx Branded Zones on Your System (Task Map)

The following table provides an overview of the tasks that are involved in setting up lx zones on your system for the first time.

Task 

Description 

For Instructions 

Identify each 32–bit Linux application that you would like to run in a zone. 

Assess the system needs of the application. 

Refer to your business goals and to your system documentation if necessary. 

Determine how many zones to configure. 

Assess: 

  • The number of Linux applications you intend to run.

  • The disk space requirements for Linux branded zones.

  • Whether you need to use a script.

See Application Support, System and Space Requirements, Evaluating the Current System Setup, Script to Configure Multiple lx Branded Zones.

Determine whether you will use resource pools with your zone to create a container. 

If you are using resource pools, configure the pools before you configure zones. 

Note that you can add zone-wide resource controls and pool functionality to a zone quickly by using zonecfg properties.

See How to Configure the lx Branded Zone, Chapter 13, Creating and Administering Resource Pools (Tasks).

Perform the preconfiguration tasks. 

Determine the zone name and the zone path for each zone. If network connectivity is required, obtain IP addresses. Determine the scheduling class for the zone. Determine the set of privileges that processes inside the zone should be limited to, if the standard default set is not sufficient. 

For information on the zone name, zone path, IP addresses, and scheduling class, see lx Branded Zone Configuration Components. For a listing of default privileges and privileges that can be configured in a non-global zone, see Privileges in a Non-Global Zone.

For information on resource pool association, see How Zones Work and How to Configure the lx Branded Zone.

Develop configurations. 

Configure non-global zones. 

See Configuring, Verifying, and Committing a Zone and the zonecfg(1M) man page.

As global administrator, verify and install configured zones. 

Zones must be verified and installed prior to booting the zone. You must obtain a Linux distribution before you install a Linux branded zone. 

See Chapter 34, About Installing, Booting, Halting, Cloning, and Uninstalling lx Branded Zones (Overview) and Chapter 35, Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks).

As global administrator, boot the non-global zones. 

Boot each zone to place the zone in the running state. 

See Chapter 35, Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks).

Prepare the new zone for production use. 

Create user accounts, add additional software, and customize the zone's configuration using standard Linux system administration tools and methodologies from within the zone. 

Refer to the documentation you use to set up a newly installed machine and install applications. Special considerations applicable to a system with zones installed are covered in this guide.