Sun Microsystems 10 用户手册
Version 3.1-en
Solaris 10 Container Guide - 3.1 2. Functionality
Effective: 30/11/2009
2.2.3. Containers (Solaris zones) in an OS
[ug] In an operating system installation, execution environments for applications and services are
created that are independent of each other. The kernel becomes multitenant enabled: it exists only
once but appears in each zone as though it was assigned exclusively.
[ug] In an operating system installation, execution environments for applications and services are
created that are independent of each other. The kernel becomes multitenant enabled: it exists only
once but appears in each zone as though it was assigned exclusively.
Separation is implemented by restricting access to resources, such as e.g. the visibility of processes
(modified procfs), the usability of the devices (modified devfs) and the visibility of the file tree (as with
chroot).
(modified procfs), the usability of the devices (modified devfs) and the visibility of the file tree (as with
chroot).
Advantages:
•
Application: All applications are executable unless they use their own drivers or other system-
oriented features. Separate drivers can, however, be used via installations in the global zone.
oriented features. Separate drivers can, however, be used via installations in the global zone.
•
Scalability: Container capacity can be configured (through resource management, processor
sets and CPU caps).
sets and CPU caps).
•
Separation: Applications are separated from each other; direct mutual influence via the OS is
not possible.
not possible.
•
OS maintenance: OS installation, patches and implementation of in-house standards must take
place in a central location (in the global zone) only.
place in a central location (in the global zone) only.
•
Delegation: The department responsible for the application/ service requires root privileges for
part of the administration. Here, it can obtain the root privileges within the zone without being in
a position to affect other local zones or the global zone. The right to allocate resources is
reserved to the global zone only.
part of the administration. Here, it can obtain the root privileges within the zone without being in
a position to affect other local zones or the global zone. The right to allocate resources is
reserved to the global zone only.
•
Overhead: All local zone processes are merely normal application processes from the point of
view of the global zone. The OS overhead (memory management, scheduling, kernel) and
memory requirements for shared objects (files, programs, libraries) are created only once. Each
zone has only a small additional number of system processes. For that reason, it is possible to
have hundreds of zones on a single-processor system.
view of the global zone. The OS overhead (memory management, scheduling, kernel) and
memory requirements for shared objects (files, programs, libraries) are created only once. Each
zone has only a small additional number of system processes. For that reason, it is possible to
have hundreds of zones on a single-processor system.
Disadvantages:
•
HW maintenance: If a shared component fails, many or all zones may be affected. Solaris 10
recognizes symptoms of a future failure through FMA (Fault Management Architecture) and can
deactivate the affected components (CPU, memory, bus systems) while running, or instead use
alternative components that are available. Through the use of cluster software (Sun Cluster),
the availability of the application in the zone can be improved (Solaris Container Cluster/ Solaris
Container Agent).
recognizes symptoms of a future failure through FMA (Fault Management Architecture) and can
deactivate the affected components (CPU, memory, bus systems) while running, or instead use
alternative components that are available. Through the use of cluster software (Sun Cluster),
the availability of the application in the zone can be improved (Solaris Container Cluster/ Solaris
Container Agent).
•
Separation: The applications can influence each other through shared hardware. That influence
can be minimized in Solaris with resource management and network bandwidth management.
can be minimized in Solaris with resource management and network bandwidth management.
•
OS versions: Different operating systems/versions are possible with branded zones only. Here,
a virtual process environment for another operating system is created in one zone but the kernel
of the global zone is used by the branded zones as well.
a virtual process environment for another operating system is created in one zone but the kernel
of the global zone is used by the branded zones as well.
Implementations in the BSD operating system are Jails, in Solaris: zones, and in Linux the vserver
project. HW requirements are not necessary.
project. HW requirements are not necessary.
12
Figure 4: [dd] Container (Solaris zones) in an OS
Server
OS
App
App 1
App 2
App 3
BrandZ