Friday, August 1, 2008

Branded Linux Zones In Open Solaris?

Hey again,

Today, we're going to be looking at installing "branded" zones in Open Solaris; specifically, RedHat Enterprise Linux (although CentOS is also supported). We'll take a look at what Linux OS's and hardware are supported in Open Solaris, do a quick rundown of how to set up a Branded Linux zone and sneak a quick peek at some test results from Sun's site.

STOP: Please.. Before you go any further, read this paragraph regarding the question mark at the end of this post's title. Today's post is a bit lengthy (mostly due to examples of the configuration of Linux Branded zones on Open Solaris) so, if you're thinking to yourself something along the lines of "why in the world would I want to run Linux on top of Solaris on a machine that's perfectly capable of running Linux without Solaris?," or "I already use VMWare, or something similar, to virtualize Linux hosts on a single physical machine, so what do I need with an extra Operating System?" you should just stop reading right now. Following is a long list of specifications and walk-throughs that will probably not change your mind or your answer to either question. If you're just curious, hop on in. The water's fine ;)

Supported Hardware for Linux Branded zones (This definition is fairly loose, since all I could find were lists of supported processors - I guess the natural assumption would be that, if you can get Branded Linux to run on your Open Solaris box, you'd be able to use any other hardware that would normally be supported by RedHat or CentOS):

Intel Chipset - Pentium Pro, Pentium II, Pentium III, Celeron, Xeon, Pentium 4, PentiumM, PentiumD, Pentium Extreme Edition, Core, Core 2 (x86 in general)
AMD Chipset - Opteron, Athlon XP, Athlon 64, Athlon 64 X2, Athlon FX, Duron, Sempron, Turion 64, Turion 64 X2 (x64 in general)

Supported Linux Operating Systems: RedHat Enterprise Linux 3.x and the CentOS equivalent.

Supported Linux Kernels: kernel 2.4.21/glibc 2.3 is "emulated" by Sun's Branded Linux zone. If you attempt to install RedHat (or any Vendor's) Linux that doesn't use this kernel/glibc revision, there's no guarantee that it will work at all.

On to the good stuff. How to set up a Linux Branded zone on Open Solaris:

1. Download and install the Open Solaris/Solaris Express - Community Release from opensolaris.org. You have your choice of 6 CD's, a 2 segment DVD or a single image DVD. Extras, including a CentOS tarball and additional script for Scientific Linux 3.0.8 can be found at the Branded Zones Download Page.

NOTE: If you already have Open Solaris 10 Release 8/07 or newer installed, you probably won't need to re-install, upgrade or add any pkg's to your existing configuration. An easy way to tell if you already have support for Branded Zones installed (assuming you're running Open Solaris, of course :) is to use the zoneadm command's list option:

host # zoneadm list -v 
ID NAME STATUS PATH BRAND
0 global running / native
host # head -1 /etc/release
Solaris 10 8/07 s10x_u4wos_12b X86
host # uname -a
SunOS TheDeadZone 5.10 Generic_120012-14 i86pc i386 i86pc


Since we see that there's a "BRAND" column, we know that we're okay to proceed. The output from /etc/release confirms the date. I always like to use "zoneadm list" to make extra sure, as I will generally replace the contents of /etc/release-type files on boxes I build with a generic security warning, so that I don't advertise what version of exploits people should look for when they're thinking about attacking my site. For this reason I also check the output of "uname -a" to be sure that we have an x86 or x64 processor. Sparc-based systems support Branded zones as well, but don't support the Linux Branded zone!

Finally, check that you have the Linux Branded zone pkg file installed:

host # pkginfo|grep SUNWlx

If you get an error that this package cannot be found, you should be able to download it from opensolaris.org or get it off of your installation media. Also, and this is a point that sometimes gets missed, make sure that you're running "Open Solaris" and not "Solaris 10" - some folks (like me, for instance, when they both first came out) confuse them with one another or, more commonly, may assume they're the same thing.

2. From the "global" zone on your system, use the zonecfg command to begin setting up the zone:

host # zonecfg -z linuxzone <-- You will probably receive an error here, like "No such zone. Use create..." etc. This is normal for the first time you invoke zonecfg with a not-yet-existent zone name.
zonecfg:linuxzone> create -t SUNWlx <-- here we're using the -t flag that, technically stands for "template." In this instance we're using the SUNWlx pkg as the template for the Branded zone, rather than a template from another similar zone that we'd already created. It's more confusing to explain than it is to do ;)

And then, we proceed to install the bare necessities (zonepath, network adapter address, etc), similar to the following (this example is very sparse compared to the number of options you can set in the zone, but will allow you to build and run):

zonecfg:linuxzone> set zonepath=/export/linuxzone_root <-- this directory will be created for you when the "commit" step is taken.
zonecfg:linuxzone> add net
zonecfg:linuxzone:net> set address=10.10.99.99/16
zonecfg:linuxzone:net> set physical=ce1
zonecfg:linuxzone:net> end
<-- This just ends the network part. If we were doing a more complex setup, we could continue to add more attributes after going from the net setup back to the basic setup (shown in the zonecfg prompt)
zonecfg:linuxzone> commit
zonecfg:linuxzone> exit <-- It should be noted that if you just "exit," the zonecfg command will attempt to do a "commit" anyway. This is okay, if you decided you didn't want the zone, because you can destroy it just as easily as you created it ("zonecfg -z linuxzone delete -F" should do it). Just FYI :)

If you're so inclined, you can also do this all from the command line in one fell swoop. Until you get comfortable with it, it's generally easier to use the interactive mode, as shown above, since your zone setup has the potential to be as incredibly complicated and specific as you'd like and interactive mode allows you to ask for context-relevant help.

host # zonecfg -z linuxzone "create -t SUNWlx; set zonepath=/export/linuxzone_root; add net; set address=10.10.99.99/16; set physical=ce1; end; commit"

3. Now, we need to install our new Linux Branded zone, from the global zone on our host:

Ensure that "volfs" is running (unless you're not installing Linux from a CD or DVD):

host # svcs | grep volfs <-- It's not running, so we'll start it. It doesn't hurt either way.
host # svcadm enable svc:/system/filesystem/volfs:default
host # svcs | grep volfs
online 14:22 svc:/system/filesystem/volfs:default


Now, either install from a tarball on the local system, like so:

host # zoneadm -z linuxzone install -d /path/to/tarball

or you can be specific about where you want the CD image to be read from:

host # zoneadm -z linuxzone install -d /cdrom/cdrom0 <-- /cdrom/cdrom0 is actually the path that gets used by default if you don't supply the -d option on the command line.

or

host # zoneadm -z linuxzone install -d /path/to/your/RedHat/ISO <-- If you want to install from an ISO or other image

If you prefer to be as specific as you can, at this point, you can follow any of the above commands with a directive indicating a subset of packages that you want installed, instead of the entire distribution. Your options are: core, server, desktop, developer and all - with each subset of packages containing more stuff that you may or may not need. Each subset (in order) is hierarchical, so the "developer" subset contains all the packages in core, server and desktop, as well. I don't know exactly what packages are in which, but on the Open Solaris BrandZ Site it must be listed out somewhere. Or, maybe not ;) - So assuming we wanted to install the server subset, our command would only be altered to a slight degree from:

host # zoneadm -z linuxzone install -d /cdrom/cdrom0

to

host # zoneadm -z linuxzone install -d /cdrom/cdrom0 server

4. Now we'll verify that the zone is installed using the same command from step 1, except we'll add the "-i" flag to show "installed" zones as well as running ones:

host # zoneadm list -iv 
ID NAME STATUS PATH BRAND
0 global running / native
1 linuxzone installed /export/linuxzone_root lx


5. And, finally, assuming all has gone well, we can boot the Branded Linux Zone, like so:

host # zoneadm -z linuxzone boot

double check it to make sure it's out of the "installed" state:

host # zoneadm list -iv 
ID NAME STATUS PATH BRAND
0 global running / native
1 linuxzone running /export/linuxzone_root lx


and then we can login (NOTE: You have to log in locally with Linux Branded zones at this point. Even though we configured networking in the zone, the network interface won't work properly until we do the next few quick steps. Goofy ;)

host # zlogin linuxzone

linuxzone # hostname
linuxzone


6. Now, we'll set up the networking. You do it pretty much exactly the way you do in RedHat, normally. At the very simplest (since we only have one NIC and one IP), we'd just edit /etc/sysconfig/network and add:

NETWORKING=yes
HOSTNAME=linuxzone


and then just type:

linuxzone # reboot

like you would on a normal machine and it should come back up with networking all set. You can bring up the network manually, in a number of ways, also, but (at least on the first go at installation) I like to do the reboot so I can see if there are any startup errors that I might need to check out. You can also do the whole reboot process from the global zone using the zoneadm command (zoneadm -z linuxzone reboot) after simply exiting from your login shell in the new zone.
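To tie steps 1 through 5 together, here's a small POSIX shell script, added to this post as an example (it is not from the original write-up and not part of Sun's zone tooling). It does the preflight checks (the BRAND column, an x86 processor, the SUNWlx package, volfs), builds the one-line zonecfg string from step 2, installs and boots the zone, and reads the zone's STATUS back out of "zoneadm list -iv" after each of those. The zone name, zonepath, IP and NIC are placeholders copied from the examples above and can be overridden from the environment; the DO_BUILD switch, the optional package-subset argument and the SAMPLE_* strings (constructed to mirror the output shown earlier, not captured from a live host) are assumptions made here so the parsing functions can be exercised on any box without touching zoneadm.

```shell
#!/bin/sh
# Added example: non-interactive driver for steps 1-5 of the post.
# Not part of the original post or of Sun's tooling.
# Assumptions (placeholders, override via the environment):
#   ZONE, ZONEPATH, ZONE_IP, ZONE_NIC  - values copied from the post's examples
#   DO_BUILD=yes                        - only then are zoneadm/zonecfg/pkginfo/svcs invoked
# The check functions read command output from stdin, so they can be run
# against the constructed SAMPLE_* strings below on any machine.

ZONE="${ZONE:-linuxzone}"
ZONEPATH="${ZONEPATH:-/export/linuxzone_root}"
ZONE_IP="${ZONE_IP:-10.10.99.99/16}"
ZONE_NIC="${ZONE_NIC:-ce1}"

# Constructed sample output mirroring what the post shows (not from a live host).
SAMPLE_LIST_V='ID NAME STATUS PATH BRAND
0 global running / native'
SAMPLE_LIST_IV_INSTALLED='ID NAME STATUS PATH BRAND
0 global running / native
1 linuxzone installed /export/linuxzone_root lx'
SAMPLE_UNAME_X86='SunOS TheDeadZone 5.10 Generic_120012-14 i86pc i386 i86pc'

# Step 1: "zoneadm list -v" on stdin; succeed only if the header has a BRAND column.
has_brand_column() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "BRAND") found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Step 1: "uname -a" on stdin; succeed only for an x86/x64 (i86pc) host,
# since SPARC supports branded zones but not the lx brand.
is_x86_host() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "i86pc") ok = 1 }
         END { exit (ok ? 0 : 1) }'
}

# Steps 4/5: "zoneadm list -iv" on stdin; print the STATUS of zone $1 (empty if absent).
zone_status() {
    awk -v z="$1" 'NR > 1 && $2 == z { print $3; exit }'
}

# Step 2: the one-line zonecfg form, with the same fields as the interactive session.
zonecfg_commands() {
    printf 'create -t SUNWlx; set zonepath=%s; add net; set address=%s; set physical=%s; end; commit' \
        "$ZONEPATH" "$ZONE_IP" "$ZONE_NIC"
}

# Steps 1-5 end to end. $1 = install source (tarball, ISO or /cdrom/cdrom0),
# $2 = optional package subset (core, server, desktop, developer, all).
run_build() {
    src="${1:-/cdrom/cdrom0}"; subset="${2:-}"
    zoneadm list -v | has_brand_column || { echo "no BRAND column: branded zones unsupported" >&2; return 1; }
    uname -a | is_x86_host || { echo "lx brand needs an x86/x64 host" >&2; return 1; }
    pkginfo | grep -q SUNWlx || { echo "SUNWlx package not installed" >&2; return 1; }
    # Step 3: make sure volfs is up before reading from CD/DVD (harmless otherwise).
    svcs | grep -q volfs || svcadm enable svc:/system/filesystem/volfs:default
    zonecfg -z "$ZONE" "$(zonecfg_commands)" || return 1
    zoneadm -z "$ZONE" install -d "$src" ${subset:+"$subset"} || return 1
    st=$(zoneadm list -iv | zone_status "$ZONE")
    [ "$st" = "installed" ] || { echo "zone $ZONE is '$st', expected installed" >&2; return 1; }
    zoneadm -z "$ZONE" boot || return 1
    st=$(zoneadm list -iv | zone_status "$ZONE")
    [ "$st" = "running" ] || { echo "zone $ZONE is '$st', expected running" >&2; return 1; }
    echo "zone $ZONE is running; finish with: zlogin $ZONE, then step 6"
}

if [ "${DO_BUILD:-no}" = "yes" ]; then
    run_build "$@"
fi
```

Run it as "DO_BUILD=yes sh build-lxzone.sh /cdrom/cdrom0 server" from the global zone to get the same result as typing steps 1 through 5 by hand; without DO_BUILD it only defines the functions, which is handy for trying the STATUS parsing against the sample strings before you trust it on a real box.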

And that's all there is to it :)

If you eventually find this to be a "huge" waste of your time, don't say I didn't warn ya ;) If you want, check out this page that lists Linux applications that are certified to run on Open Solaris in a Linux Branded zone. I thought it was interesting that pretty much everything that got a "green" rating (the best) already works fine on Linux and on Solaris (like Apache). But, don't take my word for it, go there and be pessimistic for yourself ;)

Have a great weekend!

, Mike