Solaris Containers and ZFS
I had to create some containers for developers to do their work. Developers always seem to want root access to a machine. Containers work very nice in this scenario: if a developer messes up his container, I can just clone a new one off a “gold” container. ZFS can be very handy here as well: by installing a container on ZFS filesystem and assigning ZFS quota, you can limit how big the container can grow.
So, first I created a ZFS pool out of two slices on two disks. This is not really recommended way to create ZFS pool. You should really be using two whole disks. And, ignore the fact that those disks both reside on the same controller. Right after that I created dev1 filesystem within the zonepool:
bash-3.00# zpool create -m /export/home/zones zonepool mirror c0t0d0s3 c0t1d0s3
bash-3.00# zfs create zonepool/dev1
bash-3.00# zfs list
NAME USED AVAIL REFER MOUNTPOINT
zonepool 122K 55.6G 25.5K /export/home/zones
zonepool/dev1 24.5K 8.00G 24.5K /export/home/zones/dev1
Next I set ZFS quota on the filesystem to 8GB:
bash-3.00# zfs set quota=8G zonepool/dev1
bash-3.00# zfs get all zonepool/dev1
NAME PROPERTY VALUE SOURCE
zonepool/dev1 type filesystem -
zonepool/dev1 creation Fri Jun 4 9:17 2010 -
zonepool/dev1 used 24.5K -
zonepool/dev1 available 8.00G -
zonepool/dev1 referenced 24.5K -
zonepool/dev1 compressratio 1.00x -
zonepool/dev1 mounted yes -
zonepool/dev1 quota 8G local
zonepool/dev1 reservation none default
zonepool/dev1 recordsize 128K default
zonepool/dev1 mountpoint /export/home/zones/dev1 inherited from zonepool
zonepool/dev1 sharenfs off default
zonepool/dev1 checksum on default
zonepool/dev1 compression off default
zonepool/dev1 atime on default
zonepool/dev1 devices on default
zonepool/dev1 exec on default
zonepool/dev1 setuid on default
zonepool/dev1 readonly off default
zonepool/dev1 zoned off default
zonepool/dev1 snapdir hidden default
zonepool/dev1 aclmode groupmask default
zonepool/dev1 aclinherit secure default
zonepool/dev1 canmount on default
zonepool/dev1 shareiscsi off default
zonepool/dev1 xattr on default
Now, I should mention, that prior to configuring /export/home/zones to reside on ZFS I uninstalled dev1 container which was there previously. So, the container itself was gone, but the system still had knowledge of the container’s configuration. I wrote a post on configuring containers here.
bash-3.00# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / native shared
- dev1 configured /export/home/zones/dev1 native shared
Since the container was already configured, I went ahead and started installing it:
bash-3.00# zoneadm -z dev1 install
/export/home/zones/dev1 must not be group readable.
/export/home/zones/dev1 must not be group executable.
/export/home/zones/dev1 must not be world readable.
/export/home/zones/dev1 must not be world executable.
could not verify zonepath /export/home/zones/dev1 because of the above errors.
zoneadm: zone dev1 failed to verify
bash-3.00#
Woops, looks like the container directory permissions need some fixing:
bash-3.00# cd /export/home/zones/
bash-3.00# ls -l
total 3
drwxr-xr-x 2 root sys 2 Jun 3 09:48 dev1
bash-3.00# chmod 700 dev1
bash-3.00# chown root:root dev1
One more try to install the container:
bash-3.00# zoneadm -z dev1 install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <2561> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1086> packages on the zone.
Initialized <1086> packages on zone.
Zone is initialized.
The file contains a log of the zone installation.
That’s it. After the container install completed, before booting dev1, I stuck the following sysidcfg file into /etc directory of dev1 container:
bash-3.00# more sysidcfg
system_locale=en_US
timezone=US/Central
terminal=vt100
security_policy=NONE
network_interface=primary {
hostname=dev1
}
nfs4_domain=dynamic
name_service=NIS {
domain_name=example.com
name_server=nis1(10.1.1.1)
}
That way I would not be asked any container configuration questions during first container boot. Except for the root password, of course.