Creating a "zone" from another "zone" (from another "zone" (from another "zone" )) ...

Post by Roland Main » Tue, 30 Mar 2004 12:20:45



Hi!

----

Is it possible to create a Solaris "zone" from another (=not the
"global" one) zone ?
For example: Can I create a zone for a user and permit the user to
create another bunch of zones which inherit from his current zone (and
that user permits his users to create their own "zones", too) ?

Example:

global_zone
   |
   |
   +--user_zone_1
         |
         |
         +-- user_zone_1__1
         |
         |
         |
         +--user_zone_1__2
         |     |
         |     |
         |     +--user_zone_1__2__1
         |     |     |
         |     |     |
         |     |     +--user_zone_1__2__1__1
         |     |     |
         |     .     .
         |     .     .
         |     .     .
         |     .
         |     .
         |
         |
         |
         +--user_zone_1__3
         |
         |
         .
         .
         .

----

Bye,
Roland

--
  __ .  . __

  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)
Post by Chris 'Saundo' Saunderso » Tue, 30 Mar 2004 12:36:55



> Hi!

> ----

> Is it possible to create a Solaris "zone" from another (=not the
> "global" one) zone ?
> For example: Can I create a zone for a user and permit the user to
> create another bunch of zones which inherit from his current zone (and
> that user permits his users to create their own "zones", too) ?

Interesting question.  Here's what one of my zones just reported when I
tried it:
# zonecfg -zone zone11
zonecfg can only be run from the global zone.
#

Saundo
--

Unix/CCNA/CCDA Guy           Powered by Linux and the Orb.
Post by Roland Main » Tue, 30 Mar 2004 12:43:57



> > Is it possible to create a Solaris "zone" from another (=not the
> > "global" one) zone ?
> > For example: Can I create a zone for a user and permit the user to
> > create another bunch of zones which inherit from his current zone (and
> > that user permits his users to create their own "zones", too) ?

> Interesting question.  Here's what one of my zones just reported when I
> tried it:
> # zonecfg -zone zone11
> zonecfg can only be run from the global zone.
> #

Ouch. Ouch. Ouch.
Can anyone please file a bug report for that ("can't create/configure
zones outside the global zone") ?

----

Bye,
Roland

--
  __ .  . __

  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)
Post by Bob Palowo » Tue, 30 Mar 2004 22:32:30




> > > Is it possible to create a Solaris "zone" from another (=not the
> > > "global" one) zone ?
> > > For example: Can I create a zone for a user and permit the user to
> > > create another bunch of zones which inherit from his current zone (and
> > > that user permits his users to create their own "zones", too) ?

> > Interesting question.  Here's what one of my zones just reported when I
> > tried it:
> > # zonecfg -zone zone11
> > zonecfg can only be run from the global zone.
> > #

> Ouch. Ouch. Ouch.
> Can anyone please file a bug report for that ("can't create/configure
> zones outside the global zone") ?

Roland,

 You mean to say you can't give feedback on the Solaris Express
program for an RFE on the subject?  You have time to use Express
so maybe there is a problem with communications on the feedback.

---Bob
Post by Chris 'Saundo' Saunderso » Wed, 31 Mar 2004 11:07:48



>> Interesting question.  Here's what one of my zones just reported when I
>> tried it:
>> # zonecfg -zone zone11
>> zonecfg can only be run from the global zone.
>> #

> Ouch. Ouch. Ouch.
> Can anyone please file a bug report for that ("can't create/configure
> zones outside the global zone") ?

I don't think it's a bug. I'm not sure you want to create zones on top
of zones on top of zones. The overhead would be a killer to interactive
performance.

Saundo
--

Unix/CCNA/CCDA Guy           Powered by Linux and the Orb.
Post by John Bec » Wed, 31 Mar 2004 13:46:24


Roland> Is it possible to create a Solaris "zone" from another (=not the
Roland> "global" one) zone ? For example: Can I create a zone for a user
Roland> and permit the user to create another bunch of zones which inherit
Roland> from his current zone (and that user permits his users to create
Roland> their own "zones", too) ?

No.

Saundo> Interesting question.  Here's what one of my zones just reported
Saundo> when I tried it:
Saundo> # zonecfg -zone zone11
Saundo> zonecfg can only be run from the global zone.
Saundo> #

Roland> Ouch. Ouch. Ouch.  Can anyone please file a bug report for that
Roland> ("can't create/configure zones outside the global zone") ?

Don't waste your time, as this is very much by design.  Quoting the
first two paragraphs of the zones(5) man page:

     The  zones facility in Solaris provides an isolated environ-
     ment for running applications. Processes running in  a  zone
     are  prevented  from  monitoring  or  interfering with other
     activity in the system. Access to other  processes,  network
     interfaces,  file systems, devices, and inter-process commu-
     nication facilities are restricted  to  prevent  interaction
     between processes in different zones.

     The  privileges  available  within  a zone are restricted to
     prevent  operations  with  system-wide  impact.  See  privi-
     leges(5).

Creating zones is an operation with system-wide impact; as such, the
privileges required to do so are restricted to the global zone.

-- John
Post by Andrew Gabri » Wed, 31 Mar 2004 23:20:54





>>> Interesting question.  Here's what one of my zones just reported when I
>>> tried it:
>>> # zonecfg -zone zone11
>>> zonecfg can only be run from the global zone.
>>> #

>> Ouch. Ouch. Ouch.
>> Can anyone please file a bug report for that ("can't create/configure
>> zones outside the global zone") ?

> I don't think it's a bug. I'm not sure you want to create zones on top
> of zones on top of zones.

There are several reasons this isn't allowed, but...

> The overhead would be a killer to interactive
> performance.

...isn't an issue -- zones doesn't add an overhead of this type.
If you are operating in a local zone, you are not going through
any type of emulation or other software layering in the global
zone. Applications are running natively on the real processor(s).

--
Andrew Gabriel
Post by Roland Main » Thu, 01 Apr 2004 03:31:20



> Creating zones is an operation with system-wide impact;

Why ? The new "child" zones could inherit the restrictions of the
"parent" zone (and changes made to the "parent" zone always affect all
"child" zones), therefore the "system-wide" impact would be reduced to
"parent-zone" impact (in theory... ;-/). Such a design would also allow
"grouping" of zones, making administration of large numbers of (similar)
zones much easier.

> as such, the
> privileges required to do so are restricted to the global zone.

So there is still a "single-point-of-failure" in the design of zone
administration - only the admin of the "global" zone can create/administer
zones. IMHO this is not a very flexible design since there needs to be
always someone with access to the "global" zone (and that person needs
to be a "trusted" one...).

----

Bye,
Roland

--
  __ .  . __

  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)
Post by Casper H.S. Di » Thu, 01 Apr 2004 05:15:32


> So there is still a "single-point-of-failure" in the design of zone
> administration - only the admin of the "global" zone can create/administer
> zones. IMHO this is not a very flexible design since there needs to be
> always someone with access to the "global" zone (and that person needs
> to be a "trusted" one...).

Create yes; administer only in the sense of resource allocation
(IP address, devices, diskspace, other resource pools)

You can have users which run services from within your zone;
what specific things do you have in mind that you want the
zone's own "super user" to be able to do what you cannot do
now?

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Post by Roland Main » Thu, 01 Apr 2004 06:09:29



> > So there is still a "single-point-of-failure" in the design of zone
> > administration - only the admin of the "global" zone can create/administer
> > zones. IMHO this is not a very flexible design since there needs to be
> > always someone with access to the "global" zone (and that person needs
> > to be a "trusted" one...).

> Create yes; administer only in the sense of resource allocation
> (IP address, devices, diskspace, other resource pools)

> You can have users which run services from within your zone;
> what specific things do you have in mind that you want the
> zone's own "super user" to be able to do what you cannot do
> now?

I can say what I do NOT want: Give people access to the "global"
zone.
They should be able to do everything defined in the bounds of the
current zone incl. the ability to split their own zone into smaller parts
(e.g. "zones").

1. Real-world example:
Just think about a university which bought a SF12K monster machine
(multiple institutes worked together to raise the money) and wants to
give those institutes access to that box (each institute should live in
a separate zone). The FIRST thing they usually want is to have
administration access (e.g. "root" password, e.g. control for the
resources they have paid for - that's why these should live in separate
zones) and a way to separate concurrent workgroups (e.g. work groups fed
from the same pool of memory) so that they can't bite (e.g. ssh around and
blow up the workstations of people they don't like via % cd /tmp ; while
true ; do mkfile 10M $RANDOM ; done) each other.
Usually I would say that each of these workgroups should be put into a
separate zone which can be created/administered/destroyed by the admin
of that institute (which itself lives in a zone).
But right now this requires that I have to give access to the "global"
zone to people who really shouldn't have access to it.

2. Theoretical example:
Just think about an ISP who wants to sell server-services (HTTP server,
compute server, etc.) to customers, even those who themselves re-sell
those services. It would be nice if the re-sellers (which live in their
own zones) could create zones for their customers, too.

----

Bye,
Roland

--
  __ .  . __

  \__\/\/__/  MPEG specialist, C&&JAVA&&Sun&&Unix programmer
  /O /==\ O\  TEL +49 2426 901568 FAX +49 2426 901569
 (;O/ \/ \O;)
Post by Alan Coopersmit » Thu, 01 Apr 2004 14:46:02



| You mean to say you can't give feedback on the Solaris Express
|program for an RFE on the subject?  You have time to use Express
|so maybe there is a problem with communications on the feedback.

Only those who pay $99 get passwords to the web site for filing bugs and
RFE's.  Free downloaders just get to post here.

--
________________________________________________________________________


  Working for, but definitely not speaking for, Sun Microsystems, Inc.
Post by Markus Gyg » Thu, 01 Apr 2004 15:11:31



> Only those who pay $99 get passwords to the web site for filing bugs and
> RFE's.  Free downloaders just get to post here.

The license one has to agree to before download also reads:
  ... "5.0 YOUR DUTIES The Software is experimental and is
  constantly being developed.  As such, You agree to evaluate
  and test the Software for use with your products and provide
  Feedback to Sun; the Feedback should be sent to the

Markus
Post by Andy Tuck » Thu, 01 Apr 2004 15:19:50



> They should be able to do everything defined in the bounds of the
> current zone incl. the abilty to split their own zone into smaller parts
> (e.g. "zones").

While I agree that there is potential value in supporting a hierarchy of
zones (beyond the current one of "global" and "everything else"), this
would make the overall model much more complex.  For example, currently
there are a number of places in the kernel where we need to check whether
a given process is allowed to access a system object (process, network
interface, IPC object, file system mount, etc.).  Currently, these checks
are very simple, with virtually no overhead; basically, either the acting
process needs to be in the global zone, or the zone IDs need to match.
If we were to support a hierarchy of zones, we'd need to determine if the
acting process is an ancestor of the zone with which the object is
associated.  Now, this is just a tree walk, but it turns what was a
constant time operation (one or two comparisons) into one that is
O(log n).

There are also implementation details with regards to device creation,
etc., that would make it difficult for one (non-global) zone to provision
another.  In general, we decided that the KISS aspect of the current
(mostly) "flat" design outweighed the potential advantages of a more
flexible hierarchical approach.  We could certainly reconsider this if
there is sufficient demand, but right now it isn't at the top of our
list.

I will note that the label facility in Trusted Solaris supports
something similar to this; an administrator can establish a "*"
relationship between labels that controls the flow of information.
For example, a "Top Secret" process can read "Secret" data, and a
"Secret" process can read "Confidential" data, but the reverse won't
be allowed.

--
Andy Tucker
Solaris Kernel and Data Services
Sun Microsystems, Inc.
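
As an added illustration of the access-check cost Andy describes above (constructed example code, not Solaris kernel code): the flat check is one or two comparisons, while a hierarchical check has to walk from the object's zone up towards the root looking for the acting process's zone. The `struct zone`, its `parent_id` field and the whole `zone_table` are hypothetical, since shipped zones carry no parent link; the table mirrors part of Roland's tree. The `steps` out-parameter counts how many zone records the walk touched, which is the cost that grows with tree depth.

```c
#include <stdio.h>
#include <stdbool.h>
#include <stddef.h>

typedef int zoneid_t;
#define GLOBAL_ZONEID 0

/* Hypothetical zone record: real Solaris zones carry no parent link.
 * parent_id exists only to model the hierarchy Roland asks for. */
struct zone {
    zoneid_t zone_id;
    zoneid_t parent_id;      /* the global zone is its own parent (root) */
    const char *name;
};

/* Constructed sample table mirroring part of Roland's tree. */
static const struct zone zone_table[] = {
    { 0, 0, "global" },
    { 1, 0, "user_zone_1" },
    { 2, 1, "user_zone_1__2" },
    { 3, 2, "user_zone_1__2__1" },
    { 4, 1, "user_zone_1__3" },
};
#define NZONES (sizeof zone_table / sizeof zone_table[0])

static const struct zone *zone_lookup(zoneid_t id)
{
    for (size_t i = 0; i < NZONES; i++)
        if (zone_table[i].zone_id == id)
            return &zone_table[i];
    return NULL;                      /* unknown zone id */
}

/* Flat model, as shipped: constant time, one or two comparisons.
 * The acting process must be in the global zone or in the object's zone. */
bool zone_access_flat(zoneid_t actor, zoneid_t object)
{
    return actor == GLOBAL_ZONEID || actor == object;
}

/* Hierarchical model (hypothetical): the acting process may touch the
 * object if its zone is the object's zone or any ancestor of it.
 * Walks parent links from the object's zone towards the root; the number
 * of records visited is returned through *steps (if non-NULL) so the
 * cost can be compared with the flat check.  The walk is bounded by
 * NZONES so a corrupt or cyclic parent chain cannot spin forever. */
bool zone_access_hier(zoneid_t actor, zoneid_t object, int *steps)
{
    const struct zone *z = zone_lookup(object);
    int visited = 0;

    for (size_t depth = 0; z != NULL && depth < NZONES; depth++) {
        visited++;
        if (z->zone_id == actor) {
            if (steps) *steps = visited;
            return true;
        }
        if (z->zone_id == z->parent_id)
            break;                    /* reached the root without a match */
        z = zone_lookup(z->parent_id);
    }
    if (steps) *steps = visited;
    return false;
}

int main(void)
{
    int steps;
    bool ok = zone_access_hier(GLOBAL_ZONEID, 3, &steps);
    printf("global -> user_zone_1__2__1: %s after %d zone records\n",
           ok ? "allowed" : "denied", steps);
    ok = zone_access_hier(4, 3, &steps);
    printf("user_zone_1__3 -> user_zone_1__2__1: %s after %d zone records\n",
           ok ? "allowed" : "denied", steps);
    printf("flat global -> 3: %d, flat 1 -> 2: %d\n",
           zone_access_flat(GLOBAL_ZONEID, 3), zone_access_flat(1, 2));
    return 0;
}
```

Build with `cc -std=c99 zone_check.c` and run. A sibling zone (`user_zone_1__3`) is denied access to `user_zone_1__2__1` only after the walk has climbed all the way to the root, which is the extra work the flat design avoids; the depth bound and the unknown-id check are the kind of defensive detail a hierarchical check would need and the flat comparison does not.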

Post by APA » Thu, 01 Apr 2004 19:18:07



> That hasn't been true for most of March. The passwd comes up after you
> agree to the NDA, whether you are doing the free or pay-for download.

> You have to download the item called "Solaris Express Documentation,
> Multi-language"

> The password is contained in this small (211 byte) text file.

> This release's password is really sad.

And before anyone comments, "really sad" is a descriptive term not the
password.

alan.
--
Alan Hargreaves
Senior Technical Support Specialist/VOSJEC Engineer
Product Technical Support (APAC)
Sun Microsystems
Post by APA » Thu, 01 Apr 2004 19:11:45


That hasn't been true for most of March. The passwd comes up after you
agree to the NDA, whether you are doing the free or pay-for download.

You have to download the item called "Solaris Express Documentation,
Multi-language"

The password is contained in this small (211 byte) text file.

This release's password is really sad.

alan.



> | You mean to say you can't give feedback on the Solaris Express
> |program for an RFE on the subject?  You have time to use Express
> |so maybe there is a problem with communications on the feedback.

> Only those who pay $99 get passwords to the web site for filing bugs and
> RFE's.  Free downloaders just get to post here.

--
Alan Hargreaves
Senior Technical Support Specialist/VOSJEC Engineer
Product Technical Support (APAC)
Sun Microsystems