What's New in Oracle® Solaris 11.3

Updated: October 2017
 
 

Virtualization Features

This section describes the virtualization features in this release. These features provide efficient cloud virtualization with no loss in performance and enable large-scale applications to run in the cloud with optimized use of resources.

Live Migration for Oracle Solaris Kernel Zones

Users of Oracle Solaris Kernel Zones can now move kernel zone instances around their cloud infrastructure without causing an outage to the kernel zone. Live migration means kernel zone environments can now be moved with ease, enabling administrators to perform updates at the global zone level without an impact on applications or end users. In addition, you can move kernel zone instances to achieve load-balanced workloads across the data center without interrupting the end user or application.

Kernel Zone live migration is available on SPARC and x86 platforms, and is automatically done in a secure manner protecting the migration at several levels. An initial check ensures that you are allowed to migrate the kernel zone. The resulting connection is not only encrypted but also includes integrity protection, which protects the enclosed data and prevents man-in-the-middle attacks. With Kernel Zone live migration on SPARC, you can also perform cross-CPU migration to enable the adoption of newer systems and later OS versions quickly, without interrupting kernel zone operations.

When using the Kernel Zone live migration feature, you only need to identify a zone and the target system.

# zoneadm -z zone-name migrate ssh://destination-host/

For more information, see the zoneadm(1M) and zonecfg(1M) man pages.

Oracle Solaris Zones on Shared Storage

The Oracle Solaris Zones on shared storage feature allowed zones to be placed on Fibre Channel storage area network (FC-SAN) and Internet Small Computer System Interface (iSCSI) devices. In this release, zones on shared storage support has been extended to Network File System (NFS) storage devices for kernel zones. Administrators now have the flexibility to choose the appropriate storage for their environment while still benefiting from zone boot environments, quick snapshots, and instant cloning. Zones on shared storage greatly simplifies the administration of kernel zones on storage devices, making configuration straightforward and reducing the number of configuration steps. This simplification also assists the migration of kernel zones and eliminates configuration mistakes.

For example, to create the NFS URI and also set the size of the kernel zone's root file system:

# zonecfg -z kernelzone1
>add device
>set storage=nfs://amy:staff@west/eng/zones/kernelzone1
>set create-size=4g
>end
>exit

For more information, see the zonecfg(1M) man page. You can also see Creating and Using Oracle Solaris Zones and Oracle Solaris Zones Configuration Resources.

Live Zone Reconfiguration for Oracle Solaris Kernel Zones

The Oracle Solaris 11.3 release introduces the Live Zone Reconfiguration feature for Oracle Solaris Kernel Zones. With this feature, you can reconfigure the network and the attached devices of a running kernel zone. Because the configuration changes are applied immediately without requiring a reboot, there is zero downtime service availability within the zone. You can use the standard zone utilities such as zonecfg and zoneadm to administer the Live Zone Reconfiguration.

For more information, see Chapter 6, Live Zone Reconfiguration in Creating and Using Oracle Solaris Zones. You can also see the zonecfg(1M) and zoneadm(1M) man pages.

NPIV Support With Oracle Solaris Zones

N_Port ID virtualization (NPIV) technology support enables Oracle Solaris Zones to enhance the management of Fibre Channel devices and take advantage of several NPIV benefits. From the virtual instance perspective, NPIV helps to address the problem of how multiple VM instances can get access to the storage area network (SAN). NPIV enables multiple virtual instances to gain single or multiple virtual port access through a single physical port ID. This capability saves cost by reducing physical connections and allowing virtual instances to scale out, and it also reduces administration overhead by allowing multiple virtual port instances to be allocated to a single virtual instance quickly and easily. You can create a secure virtual fabric using this technology by sharing out only the resources that virtual instances need to access.

For more information, see the zonecfg(1M) man page and Oracle Solaris Zones Configuration Resources.

SR-IOV Support for Oracle Solaris Kernel Zones

In Oracle Solaris 11.3, the networking performance in Oracle Solaris Kernel Zones has been enhanced with the support for single root I/O virtualization (SR-IOV). The support enables the kernel zone to use the SR-IOV virtual function (VF) of a network interface card (NIC). You need to specify the zonecfg anet property, iov, to configure the kernel zone with the SR-IOV VF. When you create or modify the kernel zone, you can specify the iov property for the anet resource by using the zonecfg command.

For more information, see the zonecfg(1M) man page and Managing Network Virtualization and Network Resources in Oracle Solaris 11.3.

Kernel Zone Cross-CPU Migration

The native cross-CPU migration class support for Oracle Solaris Kernel Zones helps a kernel zone to migrate across different CPU types. The new zone configuration property, cpu-arch, enables you to specify the migration class on which the kernel zone will be run. The kernel zone can be migrated across all CPU types that support the specified migration class.

For more information, see Oracle Solaris Zones Configuration Resources. You can also see the zonecfg(1M) and solaris-kz(5) man pages.

Memory Capping Performance Enhancements for Oracle Solaris Zones

Resource management in Oracle Solaris Zones includes the control of memory caps assigned to Oracle Solaris Native Zones. With Oracle Solaris 11.3, the memory cap's capability is enhanced to perform its memory checking three times faster and also identify hot or cold memory, working to recover “cold” memory first. With memory capping enabled, applications are less affected while the process of identifying the memory to reclaim is much more effective.

For more information, see the rcapd(1M) man page and Administering Resource Management in Oracle Solaris 11.3.

Oracle Solaris Zones Creation From Inside an Immutable Global Zone

Immutable Zones enable the Global Zone administrator to lock down an individual zone into a read-only mode in which the applications within the zone can only read but not write, or only write into certain directories. This mode can greatly limit the impact of intrusions, especially for Internet-facing applications. Immutable global zones support extends the immutable zone capability to the global zone. If a system is configured to have an immutable global zone, files in the root file system are read-only. However, as this environment was previously locked down, you could not create Oracle Solaris Zone instances. As of Oracle Solaris 11.3, you can choose a profile that allows zone creation in this locked down environment.

To select and activate the profile, use the following command:

# zonecfg -z global set file-mac-profile=dynamic-zones

For more information, see the zonecfg(1M) man page and Creating and Using Oracle Solaris Zones.

Orphan Zone Boot Environment Management

Oracle Solaris non-global zones that are migrated from host to host can accumulate zone boot environments that are not associated with any global zone. Oracle Solaris 11.3 now allows failsafe zone migration and destruction of zone boot environments that become orphaned during zone migration. The changes are implemented through the following commands:

  • zoneadm attach

  • beadm list

  • beadm destroy

zoneadm attach -x consists of three new options to manage Oracle Solaris zone boot environments during attach.

The beadm list output indicates that a boot environment is orphaned with the help of a new active flag O. Orphaned boot environments shown in beadm list output can be destroyed.

The new beadm destroy -O option destroys all orphaned boot environments.

For more information, see Creating and Administering Oracle Solaris 11.3 Boot Environments and Creating and Using Oracle Solaris Zones. You can also see the beadm(1M) and solaris(5) man pages.

Virtualized Clocks for Oracle Solaris Zones

Oracle Solaris Native Zones now have virtualized clocks to support applications that need to run in different times or to test specific time-related scenarios, for example, how an environment might respond to a leap second.

You can set time values in non-global zones that are different from the value in the global zone. The ability to set different time values in non-global zones is still dependent on the time changes in the global zone. If you change the time in the global zone, the non-global zone time is offset by the same amount.

For example, to set the time value in a non-global zone:

# zonecfg -z myzone
zonecfg:myzone> set limitpriv=default,sys_time
zonecfg:myzone> set global-time=false
zonecfg:myzone> exit
  

For more information, see Oracle Solaris Zones Configuration Resources and Creating and Using Oracle Solaris Zones. You can also see the zonecfg(1M) and date(1) man pages.

Increased Oracle Solaris Kernel Zone Defaults

The default CPU and memory configuration for kernel zones has been increased to 4 vCPUs and 4 GB of memory to provide a better out-of-the-box experience. A new zone template, SYSsolaris-kz-minimal, provides the minimal supported kernel zone configuration of 1 vCPU and 2 GB of memory.

For more information, see Oracle Solaris Zones Configuration Resources and Creating and Using Oracle Solaris Kernel Zones.

Virtual HBA

The Oracle VM Server for SPARC 3.3 software introduces the virtual SCSI host bus adapter (vHBA) feature, which enables you to virtualize any type of SCSI device (such as disk, tape, CD, and DVD). The virtualized SCSI device can be accessible from a guest domain.

The vHBA feature leverages other Oracle Solaris I/O interfaces such as MPxIO multipathing, which enables a virtual logical unit number (LUN) to have the same behavior as a physical LUN. vHBA also enables you to easily configure virtual SANs, which can contain an unbounded number of SCSI devices.

For more information, see the Oracle VM Server for SPARC 3.3 Administration Guide and Oracle VM Server for SPARC 3.3 Reference Manual.

Whole-Core Dynamic Reconfiguration Management

Whole-core dynamic reconfiguration management (DRM) provides an adaptive mechanism to increase or decrease CPU core resources based on domain utilization. This feature means that dynamic reconfiguration can now be performed at the unshared core level in addition to the strand, or vCPU, level of granularity.

For more information, see the Oracle VM Server for SPARC 3.3 Administration Guide and Oracle VM Server for SPARC 3.3 Reference Manual.

I/O Domain Resiliency

I/O Domain Resiliency is a high availability feature for Oracle VM Server for SPARC on sun4v platforms. This feature enables an I/O domain to continue running even when the root domain that provides the I/O domain with virtual function devices is interrupted. When the root domain is restored, the affected virtual function devices are restored automatically to service.

To use this functionality, you must set up the multipath I/O configurations. These configurations enable the I/O domain to fail over to alternate device paths, when one of the root domains is interrupted. This feature is currently supported only when the I/O domain is configured with SR-IOV virtual function devices.

For more information, see the Oracle VM Server for SPARC 3.3 Administration Guide.

InfiniBand Support for Oracle Solaris Kernel Zones

InfiniBand is a network architecture for the large-scale interconnection of computing and I/O nodes through a high-speed switched fabric. To operate InfiniBand on an Oracle server, you need an InfiniBand HCA (the adapter) and an InfiniBand software stack. As of Oracle Solaris 11.3, InfiniBand support is available for Oracle Solaris Kernel Zones including improved observability and paravirtualized support for the IPoIB protocol.

For more information, see the dladm(1M), zonecfg(1M), and solaris-kz(5) man pages. You can also see Oracle Solaris Zones Configuration Resources and Creating and Using Oracle Solaris Zones.