On Fri, Mar 02, 2007 at 08:41:48PM -0800, John R Pierce wrote:
> Paul wrote:
>> I second that: Solaris zones are very robust. Easy to set up and maintain.
> OTOH, for those who aren't familiar, Zones are NOT virtual machines, they are simply virtual USER spaces. All zones run directly under the 'host' kernel. The zones are more like a super-chroot, aka BSD 'jail'; they have their own /etc/passwd and so forth, but they do NOT have the capability of running different OSes.
A bit more detail, also for those who aren't familiar...
Zones (or "containers") are closer to "vserver" and "jails" and other variants like that rather than a true virtual machine. They are lightweight containers with security separation. As Solaris matures, additional resource limits are able to be placed on zones, but at the moment it's pretty "co-operative" in nature thus far (eg "projects" _inside_ the zone). Security is absolute, CPU scheduling can be controlled, memory and I/O are a little weak. What makes zones quite neat is that Sun have done a good job of updating lots of the tools to support them; eg patching can patch every zone on a box at the same time. Building a zone can take as little as 5 minutes and very little disk space if the main filesystems are shared, or a lot longer if individual copies of files are required.
Solaris 10 update 3 (or is it update 4?) will have "secure solaris" extensions built in, based on zone technology. Each zone has a security level and the OS can stop you from moving data from a restricted zone to an open zone (for example). Quite neat. Sun even put a security context onto each pixel of the X display to stop cut'n'paste from breaching security!
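To make the above concrete, here is what a zone with shared (sparse-root) filesystems plus CPU, memory and process-count limits looks like in zonecfg(1M), followed by the install/boot and the whole-box patching step. This is an added example written for this page, not code from the thread or from Sun: the zone name, zonepath, NIC name and address are assumed values; zone.max-lwps was in the first Solaris 10 release, while the capped-cpu and capped-memory resources only appear in later Solaris 10 updates (8/07 onward), so on the release being discussed those two stanzas would be rejected by zonecfg.

```shell
#!/bin/sh
# Added example, not from the original message. Assumed values: zone name
# web01, zonepath /zones/web01, NIC e1000g0, address 192.0.2.10.

# Emit a zonecfg(1M) command file on stdout.
# $1 zone name, $2 zonepath, $3 physical NIC, $4 IP address,
# $5 CPU cap (ncpus), $6 physical memory cap (e.g. 1g)
# "create" uses the default sparse-root template, which inherits /lib,
# /platform, /sbin and /usr read-only from the global zone (the "main
# filesystems are shared" case); "create -b" would give a whole-root zone
# with its own copy of every file.
write_zone_config() {
    name=$1; zpath=$2; nic=$3; addr=$4; ncpus=$5; mem=$6
    cat <<EOF
create
set zonepath=$zpath
set autoboot=true
add net
set physical=$nic
set address=$addr
end
add capped-cpu
set ncpus=$ncpus
end
add capped-memory
set physical=$mem
end
add rctl
set name=zone.max-lwps
add value (priv=privileged,limit=1000,action=deny)
end
verify
commit
EOF
}

# Write the config, load it with zonecfg, then install and boot the zone.
# Returns 2 (and leaves the generated file behind) when zonecfg is not on
# this host, so the function is safe to call on a non-Solaris box.
provision_zone() {
    name=$1; shift
    cfg=$(mktemp /tmp/zonecfg.XXXXXX) || return 1
    write_zone_config "$name" "$@" > "$cfg"
    if ! command -v zonecfg >/dev/null 2>&1; then
        echo "zonecfg not found; generated config left in $cfg" >&2
        return 2
    fi
    zonecfg -z "$name" -f "$cfg" || return 1
    zoneadm -z "$name" install || return 1
    zoneadm -z "$name" boot
}

# patchadd(1M) on Solaris 10 applies a patch to the global zone and to every
# installed non-global zone unless -G is given; that is the "patch every
# zone on the box at the same time" behaviour mentioned above.
patch_all_zones() {
    patchadd "$1"
}

# Usage (assumed values):
#   provision_zone web01 /zones/web01 e1000g0 192.0.2.10 2 1g
#   patch_all_zones /var/tmp/118833-36
```

The rctl line is the one that matters on an unpatched Solaris 10 3/05 host: zone.max-lwps is enforced by the kernel regardless of what runs inside the zone, whereas the per-project limits the message refers to depend on the zone's own administrator configuring them.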