The
OpenSolaris 2008.11
release just came out and we’ve made
some significant changes in the way that zones are installed
on this release. The motivation for these changes are so that we
can eventually have software management operations using
IPS
work in a non-global zone much the same way as they work
in the global zone. Global zone software management
uses the
SNAP Upgrade
project along with IPS and the idea is to create a new Boot
Environment (BE) when you update the software in the global
zone. A BE is based on a ZFS snapshot and clone, so that you
can easily roll back if there are any problems with the newly
installed software. Because the software in the non-global zones
should be in sync with the global zone, when a new BE is created
each of the non-global zones must also have a new ZFS snapshot and
clone that matches up to the new BE.

We’d also eventually like to have the same software management capabilities
within a non-global zone. That is, we’d like the non-global zone
system administrator to be able to use IPS to install software in
the zone, and as part of this process, a new BE inside the zone would
be created based on a ZFS snapshot and clone. This way the
non-global zone can take advantage of the same safety features for
rolling back that are available in the global zone.

In order to provide these capabilities, we needed to make some
important changes in how zones are laid out in the file system.
To support all of this we need the actual zone root file system
to be its own delegated ZFS dataset. In this way the non-global zone
sysadmin can make their own ZFS snapshots and clones of the zone root
and the IPS software can automatically create a new BE within the zone
when a software management operation takes place in the zone.

The gory details of this are discussed in
the
spec.

All of the capabilities described above don’t work yet, but we have laid
a foundation to enable this for the future. In particular, when you create
a new global zone BE, all of the non-global zones are also cloned as well.
However, running image-update in the global zone still doesn’t update each
individual zone. You still need to do that manually, as Dan described
in his
blog
about zones on the 2008.05 release. In a future post I’ll talk about some other ways
to update each zone. Another feature that isn’t done yet is the full
SNAP Upgrade support from within the zone itself. That is, zone roots
are now delegated ZFS datasets, but when you run IPS inside the zone itself,
a new clone is not automatically created. Adding this feature should be fairly
straightforward though, now that the basic support is in the release.

With all of these changes to how zone roots use ZFS in 2008.11, here is
a summary of the important differences and limitations with using zones
on 2008.11.

1) Existing zones can’t be used. If you have zones
installed on an earlier release of OpenSolaris and image-update to 2008.11 or
later, those zones won’t be usable.

2) Your global zone BE needs a UUID. If you are running 2008.11 or later
then your global zone BE will have a UUID.

3) Zones are only supported in ZFS. This means that the zonepath
must be a dataset. For example, if the zonepath for your
zone is /export/zones/foo, then /export/zones must be a dataset.
The zones code will then create the foo dataset and all the
underlying datasets when you install the zone.

4) As I mentioned above, image-updating the global BE doesn’t update
the zones yet. After you image-update the global zone, don’t forget to
update the new BE for each zone so that it is in sync with the global zone.

This is turning out to be a busy week for zones related news. First,
the newest version of Solaris 10, the 8/07 release, is now
available.
This release includes the improved resource management
integration with zones that has been available for a while now in
the OpenSolaris nevada code base and which I blogged about

here. It also includes other zones enhancements such as
brandz and IP instances. Jeff Victor has a nice description
of all of these new zone features on his
blog.

If that wasn’t enough, we have started to talk about our latest
project, code named Etude. This is a new brand for zones, building on the
brandz framework, and allows you to run a Solaris 8 environment
within a zone. We have been working on this project for a good part
of the year and it is exciting to finally be able to talk more about it.
With Etude you can quickly consolidate those dusty old
Solaris 8 SPARC systems, running on obsolete hardware, onto current generation,
energy efficient,

systems.
Marc Hamilton, VP of Solaris Marketing, describes
this project at a high level on his
blog
but for more details, Dan Price, our project lead, wrote up a really
nice overview on his
blog.
If you have old systems still running Solaris 8 and would like an
easy path to Solaris 10 and to newer hardware, then this project
might be what you need.

The many Resource Management (RM) features in Solaris
have been developed and evolved over the course of years and several releases.
We have resource controls, resource pools, resource capping
and the Fair Share Scheduler (FSS). We have rctls, projects, tasks,
cpu-shares, processor sets and the rcapd(1M). All of these features
have different commands and syntax to configure the
feature. In some cases, particularly with resource pools, the
syntax is quite complex and long sequences of commands are needed
to configure a pool. When you first look at RM it is not immediately
clear when to use one feature vs. another or if some combination
of these features is needed to achieve the RM objectives.

In Solaris 10 we introduced Zones, a lightweight system virtualization
capability. Marketing
coined the term ‘containers’ to refer to a combination of
Zones and RM within Solaris. However, the integration
between the two was fairly weak. Within Zones we had the ‘rctl’
configuration option, which you could use to set a couple of zone specific
resource controls, and we had the ‘pool’ property which could
be used to bind the zone to an existing resource pool, but that was it.
Just setting the ‘zone.cpu-shares’ rctl wouldn’t actually
give you the right cpu shares unless you also configured the
system to use FSS. But, that was
a separate step and easily overlooked. Without the correct
configuration of these various, disparate components even a simple
test, such as a fork bomb within a zone, could disrupt the
entire system.

As users started experimenting with Zones we found that
many of them were not leveraging the RM capabilities provided
by the system. We would get dinged in

evaluations
because Zones, without a correct RM configuration, didn’t provide all
of the containment users needed.
We always expected Zones and RM to be used together, but due the
the complexity of the RM features and the loose integration between
the two, we were seeing that few Zones users actually had a proper RM
configuration. In addition, our RM for memory control
was limited to rcapd running within a zone and capping RSS on projects.
This wasn’t really adequate.

About 9 months ago the Zones engineering team started a project to
try to improve this situation. We didn’t want to just paper over
the complexity with things like a GUI or wizards, so it took
us quite a bit of design before we felt like we hit upon
some key abstractions that we could use to truly simplify the
interaction between the two components. Eventually we settled upon
the idea of organizing the RM features into ‘dedicated’ and ‘capped’
configurations for the zone. We enhanced resource pools to add
the idea of a ‘temporary pool’ which we could dynamically instantiate
when a zone boots. We enhanced rcapd(1M) so that we could do physical
memory capping from the global zone. Steve Lawrence did a lot
of work to improve resident set size (RSS) accounting as well
as adding new rctls for maximum swap and locked memory.
These new features significantly improve RM of memory for Zones.
We then enhanced the Zones infrastructure to automatically do
the work to set up the various RM features that were configured
for the zone. Although the project made many smaller
improvements, the key ideas are the two new configuration options
in zonecfg(1M). When configuring a zone you can now configure
‘dedicated-cpu’ and ‘capped-memory’. Going forward, as additional
RM features are added, we anticipate this idea will evolve gracefully
to add ‘dedicated-memory’ and ‘capped-cpu’ configuration. We also
think this concept can be easily extended to support RM features for other
key parts of the system such as the network or storage subsystem.

Here is our simple diagram of how we eventually unified the RM
view within Zones.

| dedicated  |  capped
---------------------------------
cpu    | temporary  | cpu-cap
| processor  | rctl*
| set        |
---------------------------------
memory | temporary  | rcapd, swap
| memory     | and locked
| set*       | rctl

*

memory sets
and

cpu caps
are under development but are not yet part of Solaris.

With these enhancements, it is now almost
trivial to configure RM for a zone. For example, to configure
a resource pool with a set of up to four cpu’s, all you do in zonecfg is:

zonecfg:my-zone> add dedicated-cpu
zonecfg:my-zone:dedicated-cpu> set ncpus=1-4
zonecfg:my-zone:dedicated-cpu> set importance=10
zonecfg:my-zone:dedicated-cpu> end

To configure memory caps, you would do:

zonecfg:my-zone> add capped-memory
zonecfg:my-zone:capped-memory> set physical=50m
zonecfg:my-zone:capped-memory> set swap=128m
zonecfg:my-zone:capped-memory> set locked=10m
zonecfg:my-zone:capped-memory> end

All of the complexity of configuring the associated RM capabilities
is then handled behind the scenes when the zone boots. Likewise,
when you migrate a zone to a new host, these RM settings migrate too.

Over the course of the project we

discussed
these ideas within the
opensolaris Zones community where we benefited from much good
input which we used in the final design and implementation.
The full details of the project are available

here
and

here.

This work is available in

Solaris Express
build 56 which was just
posted. Hopefully folks using Zones will get a chance to try
out the new features and let us know what they think. All of
the core engineering team actively participates in the

zones discuss
list and we’re happy to try to answer any questions or just hear
your thoughts.

Although I haven’t been working on SVM for over 6 months (I am
working on Zones now), I still get
questions about SVM and x86 root mirroring from time to time. Some
of these procedures are different when using the new x86 boot
loader (GRUB) that is now part of Nevada and S10u1. I have some old
notes that I wrote up about 9 months ago that describe the
updated procedures and I think these are still valid.

Root mirroring on x86 is more complex than is root mirroring
on SPARC. Specifically, there are issues with being able to boot
from the secondary side of the mirror when the primary side fails.
On x86 machines the system BIOS and fdisk partitioning are the
complicating factors.

The x86 BIOS is analogous to the PROM interpreter on SPARC.
The BIOS is responsible for finding the right device to boot
from, then loading and executing GRUB from that device.

All modern x86 BIOSes are configurable to some degree but the
discussion of how to configure them is beyond the scope of this
document. In general you can usually select the order of devices that
you want the BIOS to probe (e.g. floppy, IDE disk, SCSI disk, network)
but you may be limited in configuring at a more granular level.
For example, it may not be possible to configure the BIOS to probe
the first and second IDE disks. These limitations may be a factor
with some hardware configurations (e.g. a system with two IDE
disks that are root mirrored). You will need to understand
the capabilities of the BIOS that is on your hardware. If your
primary boot disk fails you may need to break into the BIOS
while the machine is booting and reconfigure to boot from the
second disk.

On x86 machines fdisk partitions are used and it is common to have
multiple operating systems installed. Also, there are different flavors
of master boot programs (e.g. LILO) in addition to GRUB which is the standard
Solaris master boot program. The boot(1M) man page is a good resource
for a detailed discussion of the multiple components that are used during
booting on Solaris x86.

Since SVM can only mirror Solaris slices within the Solaris fdisk
partition this discussion will focus on a configuration that only
has Solaris installed. If you have multiple fdisk partitions
then you will need to use some other approach to protect the data
outside of the Solaris fdisk partition.

Once your system is installed you create your metadbs and root
mirror using the normal procedures.

You must ensure that both disks are bootable so that you can boot from
the secondary disk if the primary fails. You use the installgrub program
to setup the second disk as a Solaris bootable disk (see installgrub(1M)).
An example command is:

/sbin/installgrub /boot/grub/stage1 /boot/grub/stage2 /dev/rdsk/c0t1d0s0

Solaris x86 emulates some of the behavior of the SPARC eeprom. See
eeprom(1M). The boot device is stored in the “bootpath” property that
you can see with the eeprom command. The value should be assigned to the
the device tree path of the root mirror. For example:

bootpath=/pseudo/md@0:0,10,blk

Next you need to modify the GRUB boot menu so that you can manually boot
from the second side of the mirror, should this ever be necessary.
Here is a quick overview of the GRUB disk naming convention.

(hd0),(hd1) — first & second BIOS disk (entire disk)

(hd0,0),(hd0,1) — first & second fdisk partition of first BIOS disk

(hd0,0,a),(hd0,0,b) — Solaris/BSD slice 0 and 1 on first fdisk
partition on the first BIOS disk

Hard disk names starts with hd and a number, where 0 maps to BIOS
disk 0x80 (first disk enumerated by the BIOS), 1 maps to 0x81, and so on.
One annoying aspect of BIOS disk numbering is that the order may change
depending on the BIOS configuration. Hence, the GRUB menu may become
invalid if you change the BIOS boot disk order or modify the disk
configuration. Knowing the disk naming convention is essential to
handling boot issues related to disk renumbering in the BIOS.
This will be a factor if the primary disk in the mirror is not seen by
the BIOS so that it renumbers and boots from the secondary disk in the
mirror. Normally this renumbering will mean that the system can
still automatically boot from the second disk, since you configured
it to boot in the previous steps, but it becomes a factor
when the first disk becomes available again, as described below.

You should edit the GRUB boot menu in /boot/grub/menu.lst and add
an entry for the second disk in the mirror.
It is important that you be able to manually boot from
the second side of the mirror due to the BIOS renumbering described
above. If the primary disk is unavailable, the boot archive on that
disk may become stale. Later, if you boot and that disk is available
again, the BIOS renumbering would cause GRUB to load that stale boot
archive which could cause problems or may even leave the system unbootable.

If the primary disk is once again made available and then you reboot without
first resyncing the mirror back onto the primary drive, then you
should use the GRUB menu entry for the second disk to manually boot from
the correct boot archive (the one on the secondary side of the mirror).
Once the system is booted, perform normal metadevice maintenance to resync
the primary disk. This will restore the current boot archive to the
primary so that subsequent boots from that disk will work correctly.

The previous procedure is not normally necessary since you would replace the
failed primary disk using cfgadm(1M) and resync but it will be required
if the primary is simply not powered on, causing the BIOS to miss the disk
and renumber. Subsequently powering up this disk and rebooting would
cause the BIOS to renumber again and by default you would boot from the
stale disk.

Note that all of the usual considerations of mddb quorum apply
to x86 root mirroring, just as they do for SPARC.

Its been quite a long time since my last blog entry.
I have moved over from the SVM team onto the Zones team
and I have been busy coming up to speed on Zones.

So far I have just fixed a few Zones bugs but now I am
starting to work on some new features. One of the big
things people want from Zones is the ability to move
them and clone them.

I have a

proposal
for moving and cloning zones over on the
OpenSolaris zones discussion. This has been approved by our internal
architectural review committee and the code is basically done so it
should be available soon.
Moving a zone is currently limited to a single system but the
next step is migrating the zone from one machine to another.
Thats the next thing we’re going to work on.

For cloning we currently copy the bits from one zone instance
to another and we’re seeing significant performance wins compared
to installing the zone from scratch (13x faster on one test machine).
With

ZFS now available
it seems obvious that we could use ZFS clones to quickly clone
Zone instances. This is something that we are actively looking at
but for now we don’t recommend that you place your zonepath on ZFS.
This is bug

6356600 and is due to the current limitation that you won’t be able to
upgrade your system if your zonepath is on ZFS. Once the upgrade
issues have been resolved, we’ll be extending Zone cloning to be
better integrated with ZFS clones. In the meantime, while you can
use ZFS to hold your zones, you need to be aware that the system won’t
be upgradeable.