lists at spuddy.org
Sat Mar 3 13:27:59 UTC 2007
On Fri, Mar 02, 2007 at 08:41:48PM -0800, John R Pierce wrote:
> Paul wrote:
> >I second Solaris zones are very robust. Easy to set up and maintain.
> otoh, for those who aren't familiar, Zones are NOT virtual machines,
> they are simply virtual USER spaces. all zones run directly under the
> 'host' kernel. the zones are more like a super-chroot, aka bsd 'jail',
> they have their own /etc/passwd and so forth, but they do NOT have the
> capability of running different OS's.

A bit more detail, also for those who aren't familiar...

Zones (or "containers") are closer to "vserver" and "jails" and other
variants like that rather than a true virtual machine. They are
lightweight containers with security separation. As Solaris matures
additional resource limits are able to be placed on zones, but at the
moment it's pretty "co-operative" in nature thus far (eg "projects"
_inside_ the zone). Security is absolute, CPU scheduling can be controlled,
memory and I/O is a little weak. What makes zones quite neat is that
Sun have done a good job of updating lots of the tools to support them;
eg patching can patch every zone on a box at the same time. Building a
zone can take as little as 5 minutes and very little disk space if the
main filesystems are shared, or a lot longer if individual copies of
files are required.

Solaris 10 update 3 (or is it update 4?) will have "secure solaris"
extensions built in, based on zone technology. Each zone has a security
level and the OS can stop you from moving data from a restricted zone
to an open zone (for example). Quite neat. Sun even put a security
context onto each pixel of the X display to stop cut'n'paste from