Multi-network consolidation | Sun Microsystems 10 manual

Version 3.1-enSolaris 10 Container Guide - 3.1 3. Use Cases

Effective: 30/11/2009

3.3. Multi-network consolidation

Requirement

[dd]A company uses several different networks that are separated either by firewalls or by routers. Applications are run in the individual networks. The company would like to use the applications from different networks or security areas together on one physical system as an application itself does not require the capacity of a single system.

Solution

[dd]The individual applications are installed in one zone each. Zones are clustered together on physical servers according to certain criteria (redundancy, similar application, load behavior, etc.). Routing between the zones is switched off to separate the networks. The following details are used in particular:

∙Creation of zones.

∙Zones as runtime environments for one application each.

∙Routing of the global zone on the interfaces is switched off so that zones cannot reach each other. That is, the zones can only reach addresses in their respective network.

∙Use of exclusive-IP instances.

Assessment

[dd] This use case has the following characteristics:

∙The network structure is simplified by economizing routes and routers.

∙The number of required systems is reduced.

∙Applications can be organized according to new aspects, e.g. all web servers on a physical server, or e.g. T2000 are used for web servers, T1000 are used for proxy servers, UltraSPARC IV+ systems for all databases, etc.

∙The global zone can be used as the central administrative authority for all zones in a system. A separate administrative network can be placed on the global zones.

∙Application administration is located within the zone. If the same applications are clustered together on systems, an application administrator can administer all applications in the zones out of the global zone more easily, or can simplify administration by the use of sparse root zones.

Gateway/Router/

FireWall

Network A

Network B


App A1 App A2 App B				App A1' App A3 App B'
Global Zone				Global Zone
	System 1			System 2

Network C

App C App C App C

Global Zone

System 3

Figure 9: [dd] Use case: Multi-network consolidation

18

Image 25

Sun Microsystems 10 manual Dd Use case Multi-network consolidation

Contents

Solaris 10 Container Guide Table of contents III Network limitation IPQoS Duplicating zones with zoneadm detach/attach and zfs clone Disclaimer VII Introduction Overview Solaris Containers and Solaris Zones Ug Characteristics of Solaris 10 Zones Zones and security Zones and software installationZones and privileges CPU resources Zones and resource managementProcessor sets in a resource pool Fair share scheduler in a resource pool Memory resource management Network resource management IPQoS = IP Quality of ServiceUser interfaces for zones Branded zones Linux and Solaris 8/Solaris 9 compatibility Zones and high availability Solaris container cluster aka zone cluster Virtualization technologies compared Domains/physical partitions App Server Dd Logical partitions Logical partitions Dd Container Solaris zones in an OS Containers Solaris zones in an OS Dd Consolidation in one computer Consolidation in one computer Summary of virtualization technologies Physical Logical Resource Virtualisation Management App Grid computing with isolation SolutionRequirement Assessment Small web servers Global Zone System Dd Use case Multi-network consolidation Multi-network consolidation Dd Use case Multi-network monitoring Multi-network monitoring Dd Use case Multi-network backup Multi-network backup Consolidation development/test/integration/production Dd Use case Consolidation of test systems Consolidation of test systems Requirements Training systems Dd Use case Server consolidation Server consolidation Dd Use case Confidentiality of data and processes Confidentiality of data and processes Dd Use case Developer test systems Test systems for developers Solaris 8 and Solaris 9 containers for development Solaris 8 and Solaris 9 containers as revision systems Dd Use case Hosting for different companies on one computer Hosting for several companies on one computer Da Use case SAP portals in Solaris containers SAP portals in Solaris containers Da Live upgrade Upgrade- and Patch-management in a virtual environment DC1 DC2 Flying zones Service-oriented Solaris server infrastructure Solaris Container Cluster aka zone cluster Sparse-root zones Concepts− /lib − /platform − /sbin − /usr Whole-root zones Whole-root Var Usr Comparison between sparse-root zones and whole-root zonesPlatform ~3.6 GB Software in zones Software installation by the global zone usage in all zones Software installations in Solaris and zones Installation by the local zone usage in the local zone Program/application storage Data storage Opt/staroffice Root disk layoutZFS within a zone Volume manager in local zones Options for using ZFS in local zonesNFS and local zones Network address management for zones Network concepts Introduction into networks and zonesShared IP instance and routing between zones Ndd -set /dev/ip iprestrictinterzoneloopback Plumb, snoop1M, dhcp5 or ipfilter5 is possible Exclusive IP instanceInterface = InterfacenameInstance + VLAN-ID Firewalls between zones IP filter Ipmp Zones and limitations in the network Dynamic configuration of devices Static configuration of devices Services Separate name services in zonesHosts database Projects Applications in local zones only Paradigms Clustered containers One application per zone Client Solaris Container Cluster Configuration and administration Automated provisioning of services Automatic configuration of zones by scriptInstallation and administration of a branded zone Lifecycle management Patching with live upgradePatching a system with local zones Patching with zoneadm attach -u Patching with upgrade serverMoving zones between architectures sun4u/sun4v ∙ create /zones/zone1 Backup and recovery of zones Using boot arguments in zones Backup of zones with ZFSManagement and monitoring Migration of a zone to another system Monitoring zone workload Consolidating log information of zonesExtended accounting with zones Auditing operations in the zone Global# dtrace -n iostart@zonename = count DTrace of processes within a zone Types of resource management Resource managementCapping of CPU time for a zone General resource pools Fair share scheduler FSS Lightweight processes LWPFair share scheduler in a zone Projects, projadd, projmod, projdel Rcapstat Limiting memory resourcesAssessing memory requirements for global and local zones Limiting virtual memory Network limitation IPQoS Limiting locked memoryIPC limits Semaphore, shared memory, message queues Privileges and resource management Dd Planning a Solaris container Solaris container navigator Dd Self-qualification of an application in a container 4zonecfgbrand=native Configuration files Installation and configurationDd File /etc/zones/index Command Description Special commands for zones Command Description Var SwapVar/crash Metadb Configuring a sparse root zone required Actions Configuring a whole root zone required Actions Zone initialization with sysidcfg Zone installation Uninstalling a zone Starting zones automatically Optional settingsChanging the set of privileges of a zone Storage within a zone Using a device in a local zone Zone1# ls /dev/dsk C1d0s0 Local zone mounts a UFS file system from a device User level NFS server in a local zone Using a DVD drive in the local zone Version 3.1-enSolaris 10 Container Guide 3.1 5. Cookbooks ZFS in a zone Several zones share a file systemTank 30.2M 10G 18K None Tank/zone1 16.3M 983M Mnt User attributes for ZFS within a zone Automatic quick installation of zones Configuring a zone by command file or templateWith zonecfg -z zone export -f file of an existing zone − zonecfg -z zone -f file Zones hardening Accelerated automatic creation of zones on a ZFS file system Set default router for shared IP instance Change network configuration for shared IP instancesNetwork Network interfaces for exclusive IP instances Set interceptloopback IP filter between shared IP zones on a system Zones, networks and routing IP filter between exclusive IP zones on a systemGlobal and local zone with shared network Implementation NetworkNetwork Zone 1 /etc/hostname.bge1 Zone 2 /etc/hostname.bge2 Ifconfig bge1 plumb down Zones in separate networks using the shared IP instanceZoneadm -z zone1 ready Zoneadm -z zone2 ready Set defrouter=192.168.202.2 Zonecfg set ip-type=exclusive Zones in separate networks using exclusive IP instancesZone 1 /etc/hostname.bge1 Zone2 192.168.202.1 are now active 192.168.101.201 Zone 1 /etc/hostname.bge1 Zone1 192.168.201.1,192.168.200.1 and zone2192.168.202.1 Zoneadm -z zone1 boot, zoneadm -z zone2 boot Zone 1 /etc/hostname.bge3 /etc/defaultrouter Load Balancer Boot arguments in zones Booting a zoneRoot password for system maintenance control-d to bypass Software installation per mount Zone migration among systems Software installation with provisioning system∙ Detach the zone with zoneadm -z zone detach Global# zoneadm List -vc Zone migration within a systemGlobal Running Native Shared Test Export/home/zone/test Global# zoneadm -z test halt Duplicating zones with zoneadm clone Global Running Native Shared Test Installed Container/test 100 ID Name Status Path Brand 101 Duplicating zones with zoneadm detach/attach and zfs clone 102 Moving a zone between a sun4u and a sun4v system 103 Shutting down a zone Using live upgrade to patch a system with local zonesLucreate -c s10-807 -n s10-807+1 -m //dev/dsk/c1t0d0s4ufs Lumount s10-807+1 105 Reboot Luactivate s10-807+1 init Zone1# dtrace -l tail +2 zone1# DTrace in a local zoneZone accounting Zone audit Swap Tmp Tmpfs Yes Size=250m Limiting the /tmp-size within a zoneLimiting the CPU usage of a zone CPU capping Resource pools with processor sets 108 Global # svcs dynamic Dynamic resource pools for zones109 Implementing memory resource management for zones Limiting the physical main memory consumption of a projectRcapadm -z zone1 -m 40m 110 Zone.max-swap Privileged 180MB Deny System 16.0EB Max Global # prctl -i zone zone1 Zone 22 zone1111 OpenSolaris general Solaris Container in OpenSolarisIpkg-Branded zones 112 Cookbook Installing an ipkg zone Cookbook Configuring an ipkg zone113 114 References