[CentOS] Virtualisation

Sat Mar 3 13:27:59 UTC 2007
Stephen Harris <lists at spuddy.org>

On Fri, Mar 02, 2007 at 08:41:48PM -0800, John R Pierce wrote:
> Paul wrote:
> >I second Solaris zones are very robust.  Easy to set up and maintain.
> otoh, for those who aren't familiar, Zones are NOT virtual machines, 
> they are simply virtual USER spaces.   all zones run directly under the 
> 'host' kernel.  the zones are more like a super-chroot, aka bsd 'jail', 
> they have their own /etc/passwd and so forth, but they do NOT have the 
> capability of running different OS's.

A bit more detail, also for those who aren't familiar...

Zones (or "containers") are closer to "vserver" and "jails" and other
variants like that rather than a true virtual machine.  They are
lightweight containers with security separation.  As Solaris matures
additional resource limits are able to be placed on zones, but at the
moment it's pretty "co-operative" in nature thus far (eg "projects"
_inside_ the zone).  Security is absolute, CPU scheduling can be
controlled, memory and I/O is a little weak.  What makes zones quite neat
is that Sun have done a good job of updating lots of the tools to support
them; eg patching can patch every zone on a box at the same time.
Building a zone can take as little as 5 minutes and very little disk
space if the main filesystems are shared, or a lot longer if individual
copies of files are required.

Solaris 10 update 3 (or is it update 4?) will have "secure solaris"
extensions built in, based on zone technology.  Each zone has a security
level and the OS can stop you from moving data from a restricted zone
to an open zone (for example).  Quite neat.  Sun even put a security
context onto each pixel of the X display to stop cut'n'paste from
breaching security!
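
The label rule described in the last paragraph (each zone carries a
security level, and the OS refuses to move data from a restricted zone
to an open one) is easier to reason about with a small model in hand.
The following is an added example, not code from the original post and
not Sun's Trusted Extensions implementation: it keeps only a sensitivity
level plus a set of compartments per label, and the zone names, level
names and the `paste` helper standing in for the labelled clipboard are
all assumptions made for the illustration.

```python
# Added example (not from the original post or from Sun/Solaris): a toy model
# of the label-based flow rule described above, where the OS refuses to move
# data from a more restricted zone into a less restricted one.  Real Trusted
# Extensions labels (label_encodings, clearances, ADMIN_LOW/ADMIN_HIGH) are
# richer; this keeps only a sensitivity level plus a compartment set.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Tuple

# Constructed ordering of sensitivity levels, lowest first (assumed names).
LEVELS: Dict[str, int] = {"PUBLIC": 0, "INTERNAL": 1,
                          "CONFIDENTIAL": 2, "RESTRICTED": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """A dominates B iff A's level is at least B's and A holds every
        compartment B holds.  Labels with disjoint compartments at the same
        level are incomparable: neither dominates the other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass(frozen=True)
class Zone:
    name: str
    label: Label


def flow_allowed(src: Zone, dst: Zone) -> bool:
    """Data may move from src into dst only if dst's label dominates src's.
    Moving 'down' (restricted -> open) or sideways between incomparable
    labels is refused; moving 'up' is permitted."""
    return dst.label.dominates(src.label)


def paste(src: Zone, dst: Zone, text: str) -> str:
    """Model of a labelled cut-and-paste (hypothetical helper): the transfer
    is mediated by a trusted component that applies the flow rule before
    handing the text over, so a downgrade is refused rather than silently
    performed."""
    if not flow_allowed(src, dst):
        raise PermissionError(
            f"paste from {src.name} ({src.label.level}) into "
            f"{dst.name} ({dst.label.level}) would downgrade data")
    return text


def flow_matrix(zones: Iterable[Zone]) -> Dict[Tuple[str, str], bool]:
    """Every (src, dst) pair and whether the flow is permitted; useful for
    reviewing a proposed set of zone labels before deploying it."""
    zones = list(zones)
    return {(s.name, d.name): flow_allowed(s, d) for s in zones for d in zones}


# Constructed sample zones (names and labels are made up for the example).
PUBLIC_WEB = Zone("webzone", Label("PUBLIC"))
ENGINEERING = Zone("engzone", Label("CONFIDENTIAL", frozenset({"ENG"})))
PAYROLL = Zone("payzone", Label("RESTRICTED", frozenset({"HR"})))
SAMPLE_ZONES = (PUBLIC_WEB, ENGINEERING, PAYROLL)


if __name__ == "__main__":
    for (s, d), ok in sorted(flow_matrix(SAMPLE_ZONES).items()):
        print(f"{s:>8} -> {d:<8} {'allowed' if ok else 'REFUSED'}")
    try:
        paste(PAYROLL, PUBLIC_WEB, "salary table")
    except PermissionError as e:
        print("refused:", e)
```

Two things the model makes visible that the prose only hints at: a flow
from the open web zone into the payroll zone is permitted (data only
ever becomes more restricted), and two zones at different levels with
disjoint compartments (engineering and payroll here) can exchange data
in neither direction, because neither label dominates the other.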