My favourite feature in Solaris 10 is zones. (I don't care what Sun marketing call 'em this week, either. They're zones.) Isolated containers that give the appearance of a separate system to applications while being hosted by a master system.
This little test was inspired by the desire to be able to run individual applications in isolated managed environments. I'm thinking of servers such as tomcat or mysql, where you only want enough support to run the one application, and you only need a single network port to gain access.
One of the problems with mysql, tomcat, and other similar servers, is that you can generally only run one instance on a machine. Yes, you can hack it so that you can fiddle port numbers and the like to get multiple copies running, but the idea here was to run the applications inside their own zones. That way, they think they have the machine to themselves and the multiple instances don't conflict with each other. You only need to communicate from the global zone, so you can send all traffic over the loopback.
OK, so I create a minimal zone:
root@platinum# zonecfg -z zone100
zone100: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone100> create
zonecfg:zone100> set zonepath=/opt/zones/zone100
zonecfg:zone100> add net
zonecfg:zone100:net> set physical=lo0
zonecfg:zone100:net> set address=127.0.0.100
zonecfg:zone100:net> end
zonecfg:zone100> verify
zonecfg:zone100> commit
zonecfg:zone100>
and then install it with zoneadm -z zone100 install. This takes a little while (far too long for my liking, to be honest) but eventually it's done.
(Note that in order to talk to it you need to route add 127.0.0.100 127.0.0.1 in the global zone. I've wondered how this works, actually, as zone100 sends the packets back to 127.0.0.1 and there's one of those in each zone so how does it know which one is which?)
How much impact does a zone actually have? I consider the process count below, but in terms of disk my first check was about 220Mbytes.
That's quite a lot, but the figure is inflated: I'm doing this on my own workstation, which is set up for testing and so has a much larger install footprint than normal. And while the common stuff in /usr gets loopback mounted into a zone, a lot of stuff is copied. In particular, /opt gets copied across, and most of that isn't needed. If you have apache or tomcat installed then you get stuff in /var. You can strip most of this out, and you end up with about 20Meg for the package system and about 35Meg in /etc - most of that is gconf, and on a server you might not even bother installing the JDS components. So you can dramatically reduce the disk footprint and install time of a zone by trimming the software installed in the global zone.
OK, so I boot the zone, go through the configuration dialog and supply a root password. After the reboot I let it settle down, and see what processes are running:
% ps -z zone100
  PID TTY         TIME CMD
17719 ?           0:00 rpcbind
17837 ?           0:01 stfontse
17849 ?           0:00 dtlogin
17928 ?           0:00 snmpd
18019 ?           0:00 smtp-sen
17640 ?           0:01 svc.star
17773 ?           0:00 syslogd
17876 ?           0:00 cron
17642 ?           0:07 svc.conf
17905 ?           0:00 snmpdx
17946 ?           0:00 sac
17826 ?           0:00 smcboot
17638 ?           0:00 init
17954 ?           0:01 inetd
17759 zoneconsole 0:00 ttymon
17947 ?           0:00 ttymon
17914 ?           0:00 dmispd
17627 ?           0:00 zsched
17694 ?           0:00 kcfd
17827 ?           0:00 smcboot
17828 ?           0:00 smcboot
17939 ?           0:00 nscd
18020 ?           0:00 sendmail
18017 ?           0:00 automoun
17723 ?           0:00 statd
17866 ?           0:00 sshd
17750 ?           0:00 utmpd
17915 ?           0:00 snmpXdmi
17736 ?           0:00 lockd
Urgh. What a load of junk! Most of that lot can go.
# svcadm disable inetd
# svcadm disable smtp
# svcadm disable autofs
# svcadm disable cron
# /etc/init.d/init.sma stop
# /etc/init.d/init.dmi stop
# /etc/init.d/init.snmpdx stop
# /etc/init.d/init.wbem stop
# pkill -u 0 -x dtlogin
# pkill -x stfontserverd
# svcadm disable name-service-cache
At which point I get down to:
  PID TTY         TIME CMD
17640 ?           0:02 svc.star
17773 ?           0:00 syslogd
17642 ?           0:09 svc.conf
17946 ?           0:00 sac
17638 ?           0:00 init
18299 zoneconsole 0:00 sh
17947 ?           0:00 ttymon
17627 ?           0:00 zsched
17694 ?           0:00 kcfd
17866 ?           0:00 sshd
17750 ?           0:00 utmpd
That's 11 processes. I'm not sure I can get much lower than this. I need to retain sshd so that users can get in (only root can use zlogin) and that implies kcfd.
In terms of memory footprint I have a little script that goes through pmap output to get the private and shared pages:
  PID TTY         TIME CMD
17640 ?           0:02 svc.star   2216K shared, 4296K private
17773 ?           0:00 syslogd    1800K shared, 1744K private
17642 ?           0:09 svc.conf   2208K shared, 5480K private
17946 ?           0:00 sac        1664K shared,  336K private
17638 ?           0:00 init       1896K shared,  320K private
18299 zoneconsole 0:00 sh         1136K shared,  168K private
17947 ?           0:00 ttymon     1816K shared,  320K private
17627 ?           0:00 zsched
17694 ?           0:00 kcfd       3288K shared,  688K private
17866 ?           0:00 sshd       3448K shared,  536K private
17750 ?           0:00 utmpd      1056K shared,  224K private
The shared pages really are shared - with identical processes running in other zones, at least. So the total impact is about 15Meg (you can't get any answers out of zsched). And most of the footprint is actually greenline (SMF: the svc.startd and svc.configd pair account for nearly 10Meg of the private pages).
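The pmap-walking script itself isn't shown above, so here is an added example of one way to write it. It is not the post's own script: it reads Solaris 10 pmap -x output and treats the Anon column as a process's private pages and RSS minus Anon as its shared pages (an assumption about how pmap's columns map onto "private" and "shared"), reporting one line per process plus a total. The sample pmap output is constructed for the example and does not correspond to the processes listed above; zone_footprint wraps the parser with ps -z and pmap -x for use from a global zone, and is the only part that needs a real Solaris system.

```shell
#!/bin/sh
# Added example: sum private and shared pages from Solaris 10 'pmap -x' output.
# Assumption: the Anon column is the process's private (anonymous/copy-on-write)
# memory and RSS minus Anon is memory shared with other processes.

# Constructed sample of 'pmap -x' output for two processes (not real data).
SAMPLE_PMAP='17773:  /usr/sbin/syslogd
 Address  Kbytes     RSS    Anon  Locked Mode   Mapped File
00010000      40      40       -       - r-x--  syslogd
0002A000       8       8       8       - rwx--  syslogd
0002C000      64      64      64       - rwx--    [ heap ]
FF200000    1200     752       -       - r-x--  libc.so.1
FF33C000      40      40      40       - rwx--  libc.so.1
FF3A0000       8       8       -       - r-x--  libdl.so.1
FFBFC000      16      16      16       - rw---    [ stack ]
-------- ------- ------- ------- -------
total Kb    1376     928     128       -
17946:  /usr/lib/saf/sac -t 300
 Address  Kbytes     RSS    Anon  Locked Mode   Mapped File
00010000      16      16       -       - r-x--  sac
00024000       8       8       8       - rwx--  sac
00026000      16      16      16       - rwx--    [ heap ]
FF200000    1200     752       -       - r-x--  libc.so.1
FF33C000      40      40      40       - rwx--  libc.so.1
FFBFC000       8       8       8       - rw---    [ stack ]
-------- ------- ------- ------- -------
total Kb    1288     840      72       -'

# Read 'pmap -x' output for one or more processes on stdin; print one line per
# process and a total.  Header, separator and "total Kb" lines are skipped.
pmap_footprint() {
    awk '
    # "pid:  command" starts a new process block.
    $1 ~ /^[0-9]+:$/ { pid = substr($1, 1, length($1) - 1); name[pid] = $2; next }
    # Mapping lines start with a hex address; "-" in a numeric column means 0.
    $1 ~ /^[0-9A-Fa-f]+$/ && NF >= 6 {
        rss  = ($3 == "-") ? 0 : $3
        anon = ($4 == "-") ? 0 : $4
        shared[pid]  += rss - anon
        private[pid] += anon
        tshared  += rss - anon
        tprivate += anon
    }
    END {
        for (p in shared)
            printf "%s %s: %dK shared, %dK private\n", p, name[p], shared[p], private[p]
        printf "total: %dK shared, %dK private\n", tshared, tprivate
    }'
}

# For real use from the global zone: pmap every process in the named zone.
# zsched has no address space to map, so its pmap error is discarded.
# Usage: zone_footprint zone100
zone_footprint() {
    for pid in $(ps -z "$1" -o pid=); do
        pmap -x "$pid" 2>/dev/null
    done | pmap_footprint
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PMAP" | pmap_footprint
```

The private total is the number that actually costs you per zone; the shared total double-counts pages such as libc that every process maps, so read it as an upper bound, not as memory the zone consumes.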
Of course, if you run tomcat it's probably going to dwarf the other processes completely. On the other hand, an apache process has about 1200K private and 5216K shared, so if you prefork 3 processes that's about another 10Meg in total. Looking at a simple mysql instance, that's probably 30 or 40Meg.
You can probably page out the 2 greenline processes (possibly...) which takes it down to 5Meg plus the application. If you share the apache binaries between the zones then you can run a minimalist apache server in 10Meg per zone.
A minimalist zone needs about 50Meg of disk and 15Meg of memory to support 10 processes.