Oracle Solaris 11 is a complete, integrated, and open platform engineered for large-scale enterprise environments. Its built-in Oracle Solaris Native Zones technology provides application virtualization through isolated, encapsulated, and highly secure environments that run on top of a single, common kernel. As a result, native zones provide a highly efficient, scalable, zero-overhead virtualization solution that sits at the core of the platform.
With the inclusion of the Kernel Zones feature, Oracle Solaris 11.2 provides a flexible, cost-efficient, cloud-ready solution that is perfect for the data center.
This article describes how to create a kernel zone in Oracle Solaris 11.2, as well as how to configure the kernel zone to your requirements, install it, and boot it.
You will learn about the two main methods of installing a kernel zone: direct installation and installation via an ISO image. In addition, you will learn about a third installation method that enables you to convert a native zone to a kernel zone. You will learn how to update a kernel zone so that it uses a different Oracle Solaris release than the release that is running in the host machine's kernel.
The examples in this article will leave you familiar with the basic procedures for installing, configuring, and managing kernel zones in Oracle Solaris 11.2.
Note: This article demonstrates how to update a kernel zone from Oracle Solaris 11.2 to a later release through examples that mention "Oracle Solaris 11.3" and "Oracle Solaris Next." These examples are purely hypothetical and are for demonstration purposes only; no release later than Oracle Solaris 11.2 is currently available.
First, let's use the command shown in Listing 11 to look at what boot environments we have from the host global zone:
Listing 11
In Listing 11, we could see a list of native zone boot environments, if there were any. However, we will not see kernel zone boot environments listed, because a kernel zone has its own boot disk.
Let's check what our current publisher is and point the kernel zone to a publisher that has a newer kernel. We start by logging in to
Listing 12
Note that in this example, we will use an internally created repository. You will be able to reproduce this for yourself as later releases of Oracle Solaris become available. In Listing 12, we can see that we are running Oracle Solaris 11.2, and we have set our publisher to point to the
Before we update, let's look at what the kernel zone sees as its boot environment:
Now, let's update our kernel zone, as shown in Listing 13:
Listing 13
In the command shown in Listing 13, we use the
Listing 14
In Listing 14, we can see from the
Finally, let's reboot the zone.
We are now back in the host global zone, and we can use
Listing 15
As shown in Listing 15, our kernel zone has already rebooted and is running again.
Let's log back in, as shown in Listing 16, and check what kernel version we are running:
Listing 16
Listing 16 shows we are running a completely different kernel: the hypothetical "Oracle Solaris Next."
Let's run the command shown in Listing 17 to take a final look at the boot environments before we leave this kernel zone:
Listing 17
In Listing 17, we can see that we are running in the new boot environment.
We will also use this opportunity to explore how to allocate some dedicated CPU resources to the kernel zone, as well as how to add some extra memory and increase the size of its boot disk.
Let's start by checking how many CPU resources we have:
Now, let's create a new kernel zone called
We can check that the zone creation and resource configuration worked by using the
You can set a kernel zone to have either virtual CPUs or dedicated CPUs. The difference between the two types is basically about sharing.
Listing 18
In Listing 18, you can see that this time, the image we used is using the text installer.
Once we have answered the usual installation questions, we can log in to our zone, as shown in Listing 19:
Listing 19
In Listing 19, we can see the four dedicated CPUs we assigned and we can see that we are running a release different than that of the host global zone.
Before we move on, let's shut down our two kernel zones:
In this example, we will use a native zone that has already been created. If you are not sure how to create a native zone, see "How to Get Started Creating Oracle Solaris Zones in Oracle Solaris 11."
Let's start by having a look at the native zone we are going to convert, as shown in Listing 20:
Listing 20
In Listing 20, we can see our native-zone is already up and running, and we have logged in and created a file called
Note: One of the big advantages of using a Unified Archive to capture a zone is that you can do the capture on a running zone, which means you can avoid outages to end users. In this case, because we want to convert our native zone to a kernel zone (rather than clone the native zone), we shut down the native zone.
Now let's create a Unified Archive of our native zone:
Once we have created the archive, we can examine it to see what it contains:
Next, let's configure a new kernel zone and when we are ready to install it, we will pass in the archive, as shown in Listing 21:
Listing 21
As we can see in Listing 21, the install process completed successfully and we have an installed kernel zone.
Let's boot up our newly converted zone and have a look at it, as shown in Listing 22:
Listing 22
In Listing 22, we can see that the contents of our native zone have been preserved.
About Oracle Solaris Zones and Kernel Zones
Oracle Solaris Zones let you isolate one application from others on the same operating system (OS), allowing you to create a user-, security-, and resource-controlled environment suitable to that particular application. Each Oracle Solaris Zone can contain a complete environment and also allows you to control different resources such as CPU, memory, networking, and storage.
The system administrator who owns the host system can choose to closely manage all the Oracle Solaris Zones on the system. Alternatively, the system administrator can assign rights to other system administrators for specific Oracle Solaris Zones. This flexibility lets you tailor an entire computing environment to the needs of a particular application.
Kernel zones, the newest type of Oracle Solaris Zones, provide all the flexibility, scalability, and efficiency of Oracle Solaris Zones while adding the capability to have zones with independent kernels. This capability is highly useful when you are trying to coordinate the updating of multiple zone environments belonging to different owners.
With kernel zones, the updates can be done at the level of an individual kernel zone at a time that is convenient for each owner. In addition, applications that have specific version requirements can run side by side on the same system and benefit from the high consolidation ratios that Oracle Solaris Zones provide.
Benefits of Each Installation Method
In this article, we will create three kernel zones using different methods:
- The first method will show how quickly and easily you can create a new kernel zone using a direct installation, that is, an installation based on the OS running on the host system. This is an extremely useful method for getting additional kernel zone environments up and running quickly in response to a new application or user demands.
- Using the second method, you will learn how to create a kernel zone from an ISO image. This is useful when it is desirable to deploy a specific kernel version to support an application or environment.
- Using the final method, you will learn how to convert a native zone to a kernel zone. This is useful when you want to update an application or service to run on a later kernel version without affecting the other services running on the system.
![](http://2.bp.blogspot.com/-G3QmphhC9-4/VIg59EKlxgI/AAAAAAAAEzY/EBNfYoftUqc/s1600/Solaris-11-kernal-zones-1.gif)
Figure 1. Illustration of the three methods for creating kernel zones
Prerequisites
There are a couple of tasks that need to be completed before we create our first kernel zone. We need to check that the hardware is capable of running kernel zones, and we also need to provide a hint to the system about application memory usage.
Checking the Hardware Capabilities
Kernel zones will run only on certain types of hardware, as follows:
- Intel CPUs with CPU virtualization (VT-x) enabled in BIOS and with support for Extended Page Tables (EPT), such as Nehalem or newer CPUs
- AMD CPUs with CPU virtualization (AMD-v) enabled in BIOS and with support for Nested Page Tables (NPT), such as Barcelona or newer CPUs
- sun4v CPUs with a "wide" partition register, for example, Oracle's SPARC T4 or SPARC T5 processors running a supported firmware version and Oracle's SPARC M5, SPARC M6, or newer processors
`virtinfo` command, as shown in Listing 1:
```
root@global:~# virtinfo
NAME            CLASS
non-global-zone supported
kernel-zone     supported
```
Listing 1
You can see from the output in Listing 1 that kernel zones are supported.
There are some other hardware prerequisites; for a full list, see the Oracle Solaris Kernel Zones documentation.
Providing Information About Application Memory Usage
When using kernel zones, it is necessary to provide a hint to the system about application memory usage. This information is used to limit the growth of the ZFS Adaptive Replacement Cache (ARC) so that more memory stays available for applications and, in this case, for the kernel zones themselves.
You provide this hint by setting the `user_reserve_hint_pct` parameter. A script is provided for doing this, and the current recommendation is to set the value to 80.
```
root@global:~# ./set_user_reserve.sh -f 80
Adjusting user_reserve_hint_pct from 0 to 80
Adjustment of user_reserve_hint_pct to 80 successful.
```
You can find this script and more information by visiting the My Oracle Support website and then accessing Doc ID 1663862.1.
Creating Your First Kernel Zone Using the Direct Installation Method
For a full discussion on all the steps involved in creating a kernel zone and configuring all its attributes, please see "Creating and Using Oracle Solaris Kernel Zones." This article will concentrate on a subset of the steps to demonstrate how to quickly get a kernel zone instance up and running.
Prerequisites
First, check the status of the ZFS file system and the network, as shown in Listing 2:
```
demo@global:~$ zfs list | grep zones
rpool/VARSHARE/zones  16.5G  348G  32K  /system/zones
demo@global:~$ dladm show-link
LINK    CLASS   MTU     STATE     OVER
net1    phys    1500    unknown   --
net2    phys    1500    unknown   --
net0    phys    1500    up        --
net3    phys    1500    unknown   --
```
Listing 2
Note: In Listing 2, there are no ZFS datasets associated with any specific zones. We will see later how these are created for you as you install zones. Also note that there are no virtual network interface card (VNIC) devices.
Let's also check the Oracle Solaris version of the global zone, as shown in Listing 3, because we will use this information later:
```
root@global:~# uname -a
SunOS global 5.11 11.2 i86pc i386 i86pc
```
Listing 3
In Listing 3, we can see the version is Oracle Solaris 11.2.
Note: In this article, we will use `uname` as a quick way of showing the kernel version of the system. However, that is not the recommended way to check the system version. The recommended way is to query the `entire` package, as shown in Listing 4, which also indicates that the version is Oracle Solaris 11.2. (See "Understanding Oracle Solaris 11 Package Versioning" for an explanation about how to decipher the output when you query the `entire` package.)
```
demo@dcsw-79-168:~$ pkg list entire
NAME (PUBLISHER)    VERSION                    IFO
entire              0.5.11-0.175.2.0.0.41.0    i--
```
Listing 4
We can also see that the system has a publisher set up:
```
root@global:~# pkg publisher
PUBLISHER    TYPE     STATUS   P   LOCATION
solaris      origin   online   F   http://ipkg.us.oracle.com/solaris11/dev/
```
Step 1: Create the Kernel Zone
Let's start by creating our first kernel zone using the command line, as shown in Listing 5:
```
root@global:~# zonecfg -z myfirstkz create -t SYSsolaris-kz
```
Listing 5
In Listing 5, note that all we need to supply is the zone name (`myfirstkz`) and the kernel zone brand (`SYSsolaris-kz`).
By default, all Oracle Solaris Zones are configured to have an automatic VNIC called `anet`, which gives us a network device automatically. We cannot see this network device, but it is automatically created upon booting the zone (and also automatically destroyed upon shutdown). We can check this by using the `dladm` command:
```
root@global:~# dladm show-link
LINK    CLASS   MTU     STATE     OVER
net1    phys    1500    unknown   --
net2    phys    1500    unknown   --
net0    phys    1500    up        --
net3    phys    1500    unknown   --
```
We can also see that, as of yet, no storage has been created for our kernel zone:
```
root@global:~# zfs list | grep zones
rpool/VARSHARE/zones  16.5G  348G  32K  /system/zones
```
We can verify that the kernel zone is now in the configured state by using the `zoneadm` command:
```
root@global:~# zoneadm list -cv
ID  NAME       STATUS      PATH  BRAND       IP
0   global     running     /     solaris     shared
-   myfirstkz  configured  -     solaris-kz  excl
```
Let's take a look at the default settings for the kernel zone that we have created. We can do this by passing the `info` option to the `zonecfg` command, as shown in Listing 6:
```
root@global~# zonecfg -z myfirstkz info
zonename: myfirstkz
brand: solaris-kz
autoboot: false
autoshutdown: shutdown
bootargs:
pool:
scheduling-class:
hostid: 0x3888f5a3
tenant:
anet:
    lower-link: auto
    allowed-address not specified
    configure-allowed-address: true
    defrouter not specified
    allowed-dhcp-cids not specified
    link-protection: mac-nospoof
    mac-address: auto
    mac-prefix not specified
    mac-slot not specified
    vlan-id not specified
    priority not specified
    rxrings not specified
    txrings not specified
    mtu not specified
    maxbw not specified
    rxfanout not specified
    vsi-typeid not specified
    vsi-vers not specified
    vsi-mgrid not specified
    etsbw-lcl not specified
    cos not specified
    evs not specified
    vport not specified
    id: 0
device:
    match not specified
    storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/myfirstkz/disk0
    id: 0
    bootpri: 0
capped-memory:
    physical: 2G
```
Listing 6
From the output in Listing 6, we can see that the zone is called `myfirstkz`, that it is a kernel zone (`brand: solaris-kz`), that we have a boot disk (and its location is `dev:/dev/zvol/dsk/rpool/VARSHARE/zones/myfirstkz/disk0`) and, finally, that we have 2 GB of physical memory assigned to this kernel zone.
What we don't see is the amount of CPU resources we have for this kernel zone. When nothing is specified, the default is to have one virtual CPU assigned. We'll see how to verify this later when we boot the kernel zone.
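The defaults in Listing 6 are worth checking mechanically before a zone is handed to another owner. The script below is an added example, not part of the original article or of Oracle's tooling: it reads the text printed by `zonecfg -z <zone> info` and reports the brand, the `link-protection` and `allowed-address` settings of each `anet`, the `capped-memory` limit, and whether a CPU resource is configured. The function names, the recognised resource names, the PASS/WARN/FAIL policy, and the embedded sample (constructed from Listing 6) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the text printed by `zonecfg -z <zone> info`.
# Requires a POSIX awk. The recognised resource names and the
# PASS/WARN/FAIL policy are assumptions of this sketch.

audit_kz_config() {
    # stdin: zonecfg info text. stdout: one finding per line.
    # Return status: 1 if any FAIL finding was printed, else 0.
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function close_anet() {
        # Emit the findings for the anet resource that just ended.
        if (!in_anet) return
        n_anet++
        if (prot ~ /(^|,)mac-nospoof(,|$)/)
            print "PASS anet[" n_anet "] link-protection includes mac-nospoof"
        else {
            print "FAIL anet[" n_anet "] link-protection lacks mac-nospoof"
            fails++
        }
        if (allowed == "")
            print "WARN anet[" n_anet "] allowed-address not specified"
        else
            print "PASS anet[" n_anet "] allowed-address " allowed
        in_anet = 0; prot = ""; allowed = ""
    }
    {
        line = trim($0)
        # Unset properties are printed as "<name> not specified".
        if (line == "" || line ~ / not specified$/) next
        # Resource header: a known resource name followed only by ":".
        if (line ~ /^(anet|net|device|capped-memory|virtual-cpu|dedicated-cpu):$/) {
            close_anet()
            res = substr(line, 1, length(line) - 1)
            if (res == "anet") in_anet = 1
            if (res ~ /-cpu$/) cpu = res
            next
        }
        i = index(line, ":")
        if (i == 0) next
        key = substr(line, 1, i - 1)
        val = trim(substr(line, i + 1))
        if (res == "" && key == "brand") brand = val
        else if (res == "" && key == "autoboot") autoboot = val
        else if (res == "anet" && key == "link-protection") prot = val
        else if (res == "anet" && key == "allowed-address") allowed = val
        else if (res == "capped-memory" && key == "physical") mem = val
    }
    END {
        close_anet()
        if (brand == "solaris-kz") print "PASS brand solaris-kz"
        else { print "FAIL brand is not solaris-kz"; fails++ }
        if (n_anet == 0) print "INFO no anet resource configured"
        if (mem != "") print "PASS capped-memory physical " mem
        else { print "FAIL no capped-memory physical limit"; fails++ }
        if (cpu == "") print "INFO no CPU resource; default is one virtual CPU"
        else print "INFO CPU resource " cpu
        if (autoboot == "true") print "INFO autoboot is true"
        exit (fails > 0)
    }
    '
}

sample_myfirstkz_info() {
    # Constructed sample: Listing 6 trimmed to the lines the audit reads.
    cat <<'EOF'
zonename: myfirstkz
brand: solaris-kz
autoboot: false
autoshutdown: shutdown
bootargs:
hostid: 0x3888f5a3
anet:
    lower-link: auto
    allowed-address not specified
    configure-allowed-address: true
    link-protection: mac-nospoof
    mac-address: auto
    id: 0
device:
    storage: dev:/dev/zvol/dsk/rpool/VARSHARE/zones/myfirstkz/disk0
    id: 0
    bootpri: 0
capped-memory:
    physical: 2G
EOF
}

# Run the audit on the constructed sample.
sample_myfirstkz_info | audit_kz_config
```

On a host, pipe the live configuration into the function instead: `zonecfg -z myfirstkz info | audit_kz_config`.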
Step 2: Install the Kernel Zone
Now that the kernel zone has been created, we need to install it.
For this first installation, we are going to use what is called a direct installation. With a direct installation, the installer runs on the host. It will create and format the kernel zone's boot disk and install Oracle Solaris packages on that disk, using the host's package publishers. Since the installer is running on the host, the installer can install only the exact version of Oracle Solaris that it is actively running on the host.
This installation method makes use of the Oracle Solaris 11 Image Packaging System. You will need to make sure you have access to your Image Packaging System repository; in this case, we have network access to our repository. For more details on the Image Packaging System, see "Introducing the Basics of Image Packaging System (IPS) on Oracle Solaris 11."
Run the following command to install the `myfirstkz` kernel zone:
```
root@global:~# zoneadm -z myfirstkz install
Progress being logged to /var/log/zones/zoneadm.20140724T124406Z.myfirstkz.install
pkg cache: Using /var/pkg/publisher.
Install Log: /system/volatile/install.7395/install_log
AI Manifest: /tmp/zoneadm6814.Voa43n/devel-ai-manifest.xml
SC Profile: /usr/share/auto_install/sc_profiles/enable_sci.xml
Installation: Starting ...
Creating IPS image
Installing packages from:
solaris
origin: http://ipkg.us.oracle.com/solaris11/dev/
The following licenses have been accepted and not displayed.
Please review the licenses for the following packages post-install:
consolidation/osnet/osnet-incorporation
Package licenses may be viewed using the command:
pkg info --license
DOWNLOAD     PKGS       FILES          XFER (MB)      SPEED
Completed    483/483    64276/64276    543.8/543.8    11.6M/s
PHASE                              ITEMS
Installing new actions             87529/87529
Updating package state database    Done
Updating package cache             0/0
Updating image state               Done
Creating fast lookup database      Done
Installation: Succeeded
Done: Installation completed in 538.018 seconds.
```
We can check on the status of the `myfirstkz` kernel zone using the `zoneadm` command:
```
root@global:~# zoneadm list -cv
ID  NAME       STATUS     PATH  BRAND       IP
0   global     running    /     solaris     shared
-   myfirstkz  installed  -     solaris-kz  excl
```
Note: A kernel zone needs a boot disk on which it is installed; by using the command shown in Listing 7, we can see that this boot disk has been created for us:
```
root@global:~# zfs list | grep zones
rpool/VARSHARE/zones                  16.5G  348G    32K  /system/zones
rpool/VARSHARE/zones/myfirstkz        16.5G  348G    31K  /system/zones/myfirstkz
rpool/VARSHARE/zones/myfirstkz/disk0  16.5G  361G  2.92G  -
```
Listing 7
You can see in Listing 7 that the `/myfirstkz/disk0` dataset has been created automatically for you.
Step 3: Boot the Kernel Zone and Complete the System Configuration
The final step in getting `myfirstkz` up and running is to boot it and set up the system configuration. We will boot the zone and then access its console using one command at the command line, as shown in Listing 8, so the majority of the console output can be seen:
```
root@global:~# zoneadm -z myfirstkz boot; zlogin -C myfirstkz
[Connected to zone 'myfirstkz' console]
Boot device: disk0 File and args:
reading module /platform/i86pc/amd64/boot_archive...done.
reading kernel file /platform/i86pc/kernel/amd64/unix...done.
SunOS Release 5.11 Version 11.2 64-bit
Copyright (c) 1983, 2014, Oracle and/or its affiliates. All rights reserved.
Loading smf(5) service descriptions: 183/183
Configuring devices.
```
Listing 8
Note: The `-C` option to `zlogin` shown in Listing 8 lets us access the zone console; the command will bring us into the zone and let us work within the zone.
Because no system configuration files are available, the System Configuration Tool starts up, as shown in Figure 2.
Figure 2. Initial screen of the System Configuration Tool
Press F2 to continue.
In the System Identity screen (shown in Figure 3), enter `myfirstkz` as the computer name, and then press F2 to continue.
Figure 3. System Identity screen
In the Network screen (shown in Figure 4), enter the network settings appropriate for your network and then press F2. Here we will select Automatically.
Figure 4. Network screen
In the Time Zone: Regions screen (shown in Figure 5), choose the time zone region appropriate for your location. In this example, we chose Europe. Then press F2.
Figure 5. Time Zone: Regions screen
In the Time Zone: Locations screen (shown in Figure 6), choose the time zone location appropriate for your location, and then press F2.
Figure 6. Time Zone: Locations screen
In the Time Zone screen (shown in Figure 7), choose the time zone appropriate for your location, and then press F2.
Figure 7. Time Zone screen
In the Locale: Language screen (shown in Figure 8), choose the language appropriate for your location, and then press F2.
Figure 8. Locale: Language screen
In the Locale: Territory screen (shown in Figure 9), choose the language territory appropriate for your location, and then press F2.
Figure 9. Locale: Territory screen
In the Date and Time screen (shown in Figure 10), set the date and time, and then press F2.
Figure 10. Date and Time screen
In the Keyboard screen (shown in Figure 11), select the appropriate keyboard, and then press F2.
Figure 11. Keyboard screen
In the Users screen (shown in Figure 12), choose a root password and enter information for a user account. Then press F2.
Figure 12. Users screen
In the Support — Registration screen (shown in Figure 13), enter your My Oracle Support credentials. Then press F2.
Figure 13. Support — Registration screen
In the Support — Network Configuration screen (shown in Figure 14), choose how you will send configuration data to Oracle. Then press F2.
Figure 14. Support — Network Configuration screen
In the System Configuration Summary screen (shown in Figure 15), verify that the configuration you have chosen is correct and apply the settings by pressing F2.
Figure 15. System Configuration Summary screen
The zone will continue booting, and soon you will see the console login:
```
SC profile successfully generated as:
/etc/svc/profile/sysconfig/sysconfig-20140724-130314/sc_profile.xml
Exiting System Configuration Tool. Log is available at:
/system/volatile/sysconfig/sysconfig.log.287
Hostname: myfirstkz
myfirstkz console login:
```
The zone is now ready to be logged in to. For this example, we will now exit the console using the "`~.`" escape sequence.
You can check that your zone is booted and running using the `zoneadm` command:
```
root@global:~# zoneadm list -cv
ID  NAME       STATUS   PATH  BRAND       IP
0   global     running  /     solaris     shared
2   myfirstkz  running  -     solaris-kz  excl
```
As promised, a VNIC was automatically created for us when the zone was booted. We can verify this by using the `dladm` command shown in Listing 9:
```
root@global:~# dladm show-link
LINK            CLASS   MTU     STATE     OVER
net1            phys    1500    unknown   --
net2            phys    1500    unknown   --
net0            phys    1500    up        --
net3            phys    1500    unknown   --
myfirstkz/net0  vnic    1500    up        net0
```
Listing 9
In Listing 9, we can see the VNIC is listed as `myfirstkz/net0`.
Step 4: Log In to Your Kernel Zone
The last step is to log in to your zone and have a look. You can do this from the global zone using the `zlogin` command, as shown in Listing 10:
```
root@global:~# zlogin myfirstkz
[Connected to zone 'myfirstkz' pts/1]
Oracle Corporation SunOS 5.11 11.2 June 2014
root@myfirstkz:~# uname -a
SunOS myfirstkz 5.11 11.2 i86pc i386 i86pc
root@myfirstkz:~# ipadm show-addr
ADDROBJ   TYPE      STATE  ADDR
lo0/v4    static    ok     127.0.0.1/8
net0/v4   dhcp      ok     10.134.79.210/24
lo0/v6    static    ok     ::1/128
net0/v6   addrconf  ok     fe80::8:20ff:fe47:ca30/10
root@myfirstkz:~# dladm show-link
LINK    CLASS   MTU     STATE     OVER
net0    phys    1500    up        --
root@myfirstkz:~# zfs list
NAME                              USED  AVAIL  REFER  MOUNTPOINT
rpool                            4.65G  10.7G  32.5K  /rpool
rpool/ROOT                       2.58G  10.7G    31K  legacy
rpool/ROOT/solaris-5             2.58G  10.7G  2.08G  /
rpool/ROOT/solaris-5/var          510M  10.7G   508M  /var
rpool/VARSHARE                   2.52M  10.7G  2.43M  /var/share
rpool/VARSHARE/pkg                 63K  10.7G    32K  /var/share/pkg
rpool/VARSHARE/pkg/repositories    31K  10.7G    31K  /var/share/pkg/repositories
rpool/VARSHARE/zones               31K  10.7G    31K  /system/zones
rpool/dump                       1.03G  10.8G  1.00G  -
rpool/export                     96.5K  10.7G    32K  /export
rpool/export/home                64.5K  10.7G    32K  /export/home
rpool/export/home/demo           32.5K  10.7G  32.5K  /export/home/demo
rpool/swap                       1.03G  10.8G  1.00G  -
root@myfirstkz:~# zonename
global
root@myfirstkz:~# exit
logout
[Connection to zone 'myfirstkz' pts/1 closed]
```
Listing 10
Note: In Listing 10, we did not use the `-C` option for the `zlogin` command, which means we are not accessing the zone via its console. This is why we can simply exit the shell at the end to leave the zone.
Let's look at the output shown in Listing 10 to see what we have:
- The output of the `uname` command shows that we are running on Oracle Solaris 11.2, the same kernel version used in the global zone in which our `myfirstkz` kernel zone is running.
- The output of the `ipadm` command shows the IP address for `myfirstkz`. There are four entries: two loopback devices (IPv4 and IPv6), our IPv4 `net0` device with an IP address of `10.134.79.210` and, finally, an IPv6 `net0` device.
- The output of the `dladm` command shows our automatically created `net0` VNIC.
- The output of the `zfs list` command shows our ZFS dataset.
- Finally, the output of the `zonename` command shows that our zone name is `global`. With native zones, this would be the actual zone name. However, a kernel zone actually runs a full kernel instance, so users running inside the kernel zone have their own instance of a global zone.
`virtinfo` command:
```
root@global:~# zlogin myfirstkz
[Connected to zone 'myfirstkz' pts/1]
Oracle Corporation SunOS 5.11 11.2 June 2014
root@myfirstkz:~# virtinfo -c current get zonename
NAME         CLASS    PROPERTY  VALUE
kernel-zone  current  zonename  myfirstkz
root@myfirstkz:~# exit
logout
```
Note: From within myfirstkz, we cannot see any information about the global zone; we can see only the attributes of our own zone.
You have now verified that myfirstkz is up and running. You can give the login information to your users to allow them to complete the setup of their team's kernel zone as if it were a single system.
Updating a Kernel Zone to a Later Oracle Solaris Release
One of the main features of kernel zones is the ability to run your kernel zone with a different kernel version from that of the host global zone.
Starting with Oracle Solaris 11.2, kernel zones support both backwards and forwards compatibility. What that means in practice is that you can not only have a kernel zone running Oracle Solaris 11.2 on a host running a later Oracle Solaris version, say Oracle Solaris 11.3 (when it is available), but you can also have a kernel zone running a later Oracle Solaris version, say Oracle Solaris 11.3, on a host running Oracle Solaris 11.2. Figure 16 illustrates this capability.
Figure 16. Example of forward and backward compatibility of kernel zones
Updating myfirstkz to a Later Oracle Solaris Release
Let's update our kernel zone to use a later Oracle Solaris release—a hypothetical "Oracle Solaris Next" release—rather than the release running on the host (Oracle Solaris 11.2).
First, let's use the command shown in Listing 11 to look at what boot environments we have from the host global zone:
root@global:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris - - 44.67M static 2012-01-26 18:59
solaris-1 - - 47.78M static 2014-06-25 08:12
solaris-2 - - 46.71M static 2014-06-25 08:40
solaris-3 - - 1.03G static 2014-06-25 23:30
solaris-3-backup-1 - - 221.0K static 2014-07-10 14:23
solaris-4 NR / 52.77G static 2014-07-20 18:41
solaris-backup-1 - - 144.0K static 2012-01-26 19:28
Listing 11
Listing 11 would show native zone boot environments, if there were any. However, kernel zone boot environments are not listed, because a kernel zone has its own boot disk.
Let's check what our current publisher is and point the kernel zone to a publisher that has a newer kernel. We start by logging in to myfirstkz, as shown in Listing 12:
root@global:~# zlogin myfirstkz
[Connected to zone 'myfirstkz' pts/2]
Oracle Corporation SunOS 5.11 11.2 June 2014
root@myfirstkz:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://ipkg.us.oracle.com/solaris11/dev/
root@myfirstkz:~# pkg set-publisher -G '*' -g http://ipkg.us.oracle.com/solaris-n/dev/ solaris
root@myfirstkz:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://ipkg.us.oracle.com/solaris-n/dev/
Listing 12
Note that in this example, we will use an internally created repository. You will be able to reproduce this for yourself as later releases of Oracle Solaris become available. In Listing 12, we can see that we are running Oracle Solaris 11.2, and we have set our publisher to point to the dev repository.
Before we update, let's look at what the kernel zone sees as its boot environment:
root@myfirstkz:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris-5 NR / 7.91M static 2014-07-24 13:44
Now, let's update our kernel zone, as shown in Listing 13:
root@myfirstkz:~# pkg update --accept
------------------------------------------------------------
Package: pkg://solaris/consolidation/osnet/osnet-incorporation@5.12,5.12-
5.12.0.0.0.52.0:20140714T022826Z
License: lic_OTN
You acknowledge that your use of this Oracle Solaris software product
is subject to (i) the license terms that you accepted when you obtained
the right to use Oracle Solaris software; or (ii) the license terms that
you agreed to when you placed your Oracle Solaris software order with
Oracle; or (iii) the Oracle Solaris software license terms included with
the hardware that you acquired from Oracle; or, if (i), (ii) or (iii)
are not applicable, then, (iv) the OTN License Agreement for Oracle
Solaris (which you acknowledge you have read and agree to) available at
http://www.oracle.com/technetwork/licenses/solaris-cluster-express-license-
167852.html.
Note: Software downloaded for trial use or downloaded as replacement
media may not be used to update any unsupported software.
Packages to remove: 37
Packages to install: 57
Packages to update: 432
Mediators to change: 4
Create boot environment: Yes
Create backup boot environment: No
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 526/526 23157/23157 363.4/363.4 16.7M/s
PHASE ITEMS
Removing old actions 6580/6580
Installing new actions 9594/9594
Updating modified actions 24807/24807
Updating package state database Done
Updating package cache 469/469
Updating image state Done
Creating fast lookup database Done
Updating package cache 1/1
A clone of solaris-5 exists and has been updated and activated.
On the next boot the Boot Environment solaris-6 will be
mounted on '/'. Reboot when ready to switch to this updated BE.
Updating package cache 1/1
---------------------------------------------------------------------------
NOTE: Please review release notes posted at:
http://www.oracle.com/pls/topic/lookup?ctx=solaris11&id=SERNS
---------------------------------------------------------------------------
Listing 13
In the command shown in Listing 13, we use the --accept option to automatically accept any licenses. We can see in the output that a boot environment has been created. Let's look at what that is, as shown in Listing 14:
root@myfirstkz:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris-5 N / 7.91M static 2014-07-24 13:44
solaris-6 R - 7.39G static 2014-07-24 17:04
Listing 14
In Listing 14, we can see from the R next to the solaris-6 boot environment that after a reboot, we will select this new environment.
Finally, let's reboot the zone.
root@myfirstkz:~# reboot
[Connection to zone 'myfirstkz' pts/2 closed]
root@global:~#
We are now back in the host global zone, and we can use zoneadm to check the status of our kernel zone, as shown in Listing 15:
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
3 myfirstkz running - solaris-kz excl
Listing 15
As shown in Listing 15, our kernel zone has already rebooted and is running again.
Let's log back in, as shown in Listing 16, and check what kernel version we are running:
root@global:~# zlogin myfirstkz
[Connected to zone 'myfirstkz' pts/2]
Oracle Corporation SunOS 5.n sn_52 June 2014
Listing 16
Listing 16 shows we are running a completely different kernel: the hypothetical "Oracle Solaris Next."
Let's run the command shown in Listing 17 to take a final look at the boot environments before we leave this kernel zone:
root@myfirstkz:~# beadm list
BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris-5 - - 12.35M static 2014-07-24 13:44
solaris-6 NR / 7.50G static 2014-07-24 17:04
root@myfirstkz:~# exit
logout
[Connection to zone 'myfirstkz' pts/2 closed]
Listing 17
In Listing 17, we can see that we are running in the new boot environment.
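The checks done by eye in Listings 12, 14 and 17 can be scripted so that an update is only trusted when it came from the intended repository and the zone is confirmed to be running the new boot environment. The following is an added example, not part of the original article: it parses pkg publisher and beadm list output copied from those listings, and its function names are hypothetical.

```sh
#!/bin/sh
# Added example: scripted versions of the manual checks in Listings 12, 14 and 17.
# Function names are hypothetical; the sample data is copied from the listings.

# pkg publisher output after set-publisher (Listing 12).
LISTING12='PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://ipkg.us.oracle.com/solaris-n/dev/'

# beadm list inside the kernel zone after pkg update, before reboot (Listing 14).
LISTING14='BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris-5 N / 7.91M static 2014-07-24 13:44
solaris-6 R - 7.39G static 2014-07-24 17:04'

# beadm list after the reboot (Listing 17).
LISTING17='BE Active Mountpoint Space Policy Created
-- ------ ---------- ----- ------ -------
solaris-5 - - 12.35M static 2014-07-24 13:44
solaris-6 NR / 7.50G static 2014-07-24 17:04'

# Read pkg publisher output on stdin; print "publisher location" for every
# origin whose location is not the expected repository URL ($1).
unexpected_origins() {
    awk -v want="$1" '
        $1 == "PUBLISHER" { next }
        { for (i = 2; i < NF; i++)
              if ($i == "origin" && $NF != want) print $1, $NF }'
}

# Read beadm list output on stdin; print the BE whose Active column carries
# the given flag: N = active now, R = active on next reboot.
be_with_flag() {
    awk -v flag="$1" '
        $1 == "BE" || $1 ~ /^-+$/ { next }
        index($2, flag) { print $1 }'
}

# Succeed when the BE active now differs from the one selected for next boot,
# i.e. the update is installed but the zone has not been rebooted into it.
reboot_pending() {
    now=$(printf '%s\n' "$1" | be_with_flag N)
    next=$(printf '%s\n' "$1" | be_with_flag R)
    [ -n "$now" ] && [ -n "$next" ] && [ "$now" != "$next" ]
}

report() {
    if reboot_pending "$1"; then
        echo "reboot pending: running $now, next boot $next"
    else
        echo "no reboot pending: running $now"
    fi
}

bad=$(printf '%s\n' "$LISTING12" | unexpected_origins "http://ipkg.us.oracle.com/solaris-n/dev/")
if [ -n "$bad" ]; then echo "unexpected origin: $bad"; else echo "publisher origin as expected"; fi
report "$LISTING14"
report "$LISTING17"
```

On a live system, feed the functions the real command output instead of the embedded samples, for example by piping beadm list run inside the zone into be_with_flag.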
Installing a Kernel Zone from an ISO Image
Sometimes you might not want to do a direct installation with a kernel zone; you might want to install from an ISO image instead. This is supported for kernel zones, and this section will show how to do that.
We will also use this opportunity to explore how to allocate some dedicated CPU resources to the kernel zone, as well as how to add some extra memory and increase the size of its boot disk.
Step 1: Configure Dedicated CPU Resources and More Memory
Let's create a new kernel zone similar to what we did before, but this time we will use the zonecfg command to add some dedicated CPU resources.
Let's start by checking how many CPU resources we have:
root@global:~# psrinfo -t
socket: 0
core: 0
cpus: 0,8
core: 1
cpus: 1,9
core: 2
cpus: 2,10
core: 3
cpus: 3,11
socket: 1
core: 8
cpus: 4,12
core: 9
cpus: 5,13
core: 10
cpus: 6,14
core: 11
cpus: 7,15
Now, let's create a new kernel zone called iso-kz and then add four CPUs' worth of dedicated CPU resources to it:
root@global:~# zonecfg -z iso-kz create -t SYSsolaris-kz
root@global:~# zonecfg -z iso-kz
zonecfg:iso-kz> add dedicated-cpu
zonecfg:iso-kz:dedicated-cpu> set ncpus=4
zonecfg:iso-kz:dedicated-cpu> end
zonecfg:iso-kz> verify
zonecfg:iso-kz> commit
zonecfg:iso-kz> exit
We can check that the zone creation and resource configuration worked by using the zonecfg command:
root@global:~# zonecfg -z iso-kz info dedicated-cpu
dedicated-cpu:
ncpus: 4
cpus not specified
cores not specified
sockets not specified
You can set a kernel zone to have either virtual CPUs or dedicated CPUs. The difference between the two types is basically about sharing.
- With a virtual CPU, the CPU resource is shared with the rest of the system or other zones and it can be leveraged in cases where the kernel zone is not busy.
- With a dedicated CPU, the CPU resource is exclusive to the kernel zone and will never be used by anything other than that specific kernel zone.
zonecfg command to add some extra memory to the kernel zone:
root@global:~# zonecfg -z iso-kz
zonecfg:iso-kz> select capped-memory
zonecfg:iso-kz:capped-memory> set physical=3g
zonecfg:iso-kz:capped-memory> end
zonecfg:iso-kz> verify
zonecfg:iso-kz> commit
zonecfg:iso-kz> exit
root@global:~# zonecfg -z iso-kz info capped-memory
capped-memory:
physical: 3G
Step 2: Install the Kernel Zone with a Bigger Disk
It's now time to install our zone. We will use a hypothetical Oracle Solaris 11.3 ISO image to do this and we will also increase the size of the install disk. The default is a 16 GB disk, so let's increase that to 24 GB. Listing 18 shows how you do this at installation time:
root@global:~# zoneadm -z iso-kz install -b /root/sol-11_3-42-text-x86.iso -x install-size=24g
Listing 18
In Listing 18, you can see that this time, the image we used is using the text installer.
Once we have answered the usual installation questions, we can log in to our zone, as shown in Listing 19:
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
3 myfirstkz running - solaris-kz excl
5 iso-kz running - solaris-kz excl
root@global:~# zlogin iso-kz
[Connected to zone 'iso-kz' pts/2]
Oracle Corporation SunOS 5.11 11.3 June 2014
root@:~#
root@solarisiso-kz:~# psrinfo -t
socket: 0
core: 0
cpu: 0
core: 1
cpu: 1
core: 2
cpu: 2
core: 3
cpu: 3
root@:~# exit
logout
[Connection to zone 'iso-kz' pts/2 closed]
Listing 19
In Listing 19, we can see the four dedicated CPUs we assigned and we can see that we are running a release different than that of the host global zone.
Before we move on, let's shut down our two kernel zones:
root@global:~# zoneadm -z myfirstkz shutdown
root@global:~# zoneadm -z iso-kz shutdown
Converting a Native Zone to a Kernel Zone
The final operation to try is converting a native zone to a kernel zone, which is made especially easy through the use of Oracle Solaris Unified Archives.
In this example, we will use a native zone that has already been created. If you are not sure how to create a native zone, see "How to Get Started Creating Oracle Solaris Zones in Oracle Solaris 11."
Let's start by having a look at the native zone we are going to convert, as shown in Listing 20:
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
6 native-zone running /system/zones/native-zone solaris excl
- myfirstkz installed - solaris-kz excl
- iso-kz installed - solaris-kz excl
root@global:~# zlogin native-zone
[Connected to zone 'native-zone' pts/2]
Oracle Corporation SunOS 5.11 11.2 June 2014
root@native-zone:~# touch my_special_files
root@native-zone:~# zonename
native-zone
root@native-zone:~# exit
logout
[Connection to zone 'native-zone' pts/2 closed]
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- myfirstkz installed - solaris-kz excl
- iso-kz installed - solaris-kz excl
- native-zone installed /system/zones/native-zone solaris excl
Listing 20
In Listing 20, we can see our native-zone is already up and running, and we have logged in and created a file called my_special_files. This example is just to reflect any configuration that we might have done when taking a zone from a real environment. Finally, we checked the zone name, logged out, and shut down the native zone.
Note: One of the big advantages of using a Unified Archive to capture a zone is that you can do the capture on a running zone, which means you can avoid outages to end users. In this case, because we want to convert our native zone to a kernel zone (rather than clone the native zone), we shut down the native zone.
Now let's create a Unified Archive of our native zone:
root@global:~# archiveadm create -z native-zone ./native-zone-archive.uar
Initializing Unified Archive creation resources...
Unified Archive initialized: /root/native-zone-archive.uar
Logging to: /system/volatile/archive_log.26165
Executing dataset discovery...
Dataset discovery complete
Preparing archive system image...
Beginning archive stream creation...
Archive stream creation complete
Beginning final archive assembly...
Archive creation complete
Once we have created the archive, we can examine it to see what it contains:
root@global:~# ls -l
total 5602777
-rw-r--r-- 1 root root 901992448 Jul 1 06:18 0.175.2_ai_i386.iso
-rw-r--r-- 1 root root 1308958720 Jul 24 17:27 native-zone-archive.uar
-rw-r--r-- 1 demo staff 675102720 Jul 24 07:37 sol-11_2-42-text-x86.iso
root@global:~# archiveadm info -v ./native-zone-archive.uar
Archive Information
Creation Time: 2014-07-24T21:54:08Z
Source Host: global
Architecture: i386
Operating System: Oracle Solaris 11.3 X86
Recovery Archive: No
Unique ID: e1bf0d42-338b-e879-fec4-ab78290ef55c
Archive Version: 1.0
Deployable Systems
'native-zone'
OS Version: 0.5.11
OS Branch: 0.175.3.0.0.1.0
Active BE: solaris
Brand: solaris
Size Needed: 978MB
Unique ID: f488ea7c-ab1e-6cc4-d407-c60fce1e3818
AI Media: 0.175.3_ai_i386.iso
Root-only: Yes
Next, let's configure a new kernel zone and when we are ready to install it, we will pass in the archive, as shown in Listing 21:
root@global:~# zonecfg -z converted-zone-kz create -t SYSsolaris-kz
root@global:~# zoneadm -z converted-zone-kz install -a ./native-zone-archive.uar
Progress being logged to /var/log/zones/zoneadm.20140724T233807Z.converted-zone-kz.install
[Connected to zone 'converted-zone-kz' console]
Boot device: cdrom1 File and args: -B install=true,auto-shutdown=true -B aimanifest=/system/shared/ai.xml
reading module /platform/i86pc/amd64/boot_archive...done.
reading kernel file /platform/i86pc/kernel/amd64/unix...done.
SunOS Release 5.11 Version 11.2 64-bit
Copyright (c) 1983, 2014, Oracle and/or its affiliates. All rights reserved.
Remounting root read/write
Probing for device nodes ...
Preparing image for use
Done mounting image
Configuring devices.
Hostname: solaris
Using specified install manifest : /system/shared/ai.xml
solaris console login:
Automated Installation started
The progress of the Automated Installation will be output to the console
Detailed logging is in the logfile at /system/volatile/install_log
Press RETURN to get a login prompt at any time.
23:40:15 Install Log: /system/volatile/install_log
23:40:15 Using XML Manifest: /system/volatile/ai.xml
23:40:15 Using profile specification: /system/volatile/profile
23:40:15 Starting installation.
23:40:15 0% Preparing for Installation
23:40:15 100% manifest-parser completed.
23:40:15 100% None
23:40:15 0% Preparing for Installation
23:40:18 1% Preparing for Installation
23:40:18 2% Preparing for Installation
23:40:19 3% Preparing for Installation
23:40:19 4% Preparing for Installation
23:40:19 5% archive-1 completed.
23:40:21 8% target-discovery completed.
23:40:23 Pre-validating manifest targets before actual target selection
23:40:23 Selected Disk(s) : c1d0
23:40:24 Pre-validation of manifest targets completed
23:40:24 Validating combined manifest and archive origin targets
23:40:24 Selected Disk(s) : c1d0
23:40:24 9% target-selection completed.
23:40:24 10% ai-configuration completed.
23:40:24 9% var-share-dataset completed.
23:40:29 10% target-instantiation completed.
23:40:29 10% Beginning archive transfer
23:40:29 Commencing transfer of stream: ce6d4b69-ad85-e7e1-aaf7-fdbfdc17f001-0.zfs
to rpool
23:40:35 30% Transferring contents
23:40:39 50% Transferring contents
23:40:43 70% Transferring contents
23:40:54 86% Transferring contents
23:41:09 Completed transfer of stream: 'ce6d4b69-ad85-e7e1-aaf7-fdbfdc17f001-0.zfs'
from file:///system/shared/uafs/OVA
23:41:12 Archive transfer completed
23:41:31 90% generated-transfer-965-1 completed.
23:41:31 90% Beginning IPS transfer
23:41:31 Setting post-install publishers to:
23:41:31 solaris
23:41:31 origin: http://ipkg.us.oracle.com/solaris11/dev/
23:41:32 90% generated-transfer-965-2 completed.
23:41:32 Changing target pkg variant. This operation may take a while
23:51:17 90% apply-pkg-variant completed.
23:51:21 Setting boot devices in firmware
23:51:21 91% boot-configuration completed.
23:51:21 91% update-dump-adm completed.
23:51:21 92% setup-swap completed.
23:51:22 92% device-config completed.
23:51:23 92% apply-sysconfig completed.
23:51:23 93% transfer-zpool-cache completed.
23:51:36 98% boot-archive completed.
23:51:36 98% transfer-ai-files completed.
23:51:37 98% cleanup-archive-install completed.
23:51:38 100% create-snapshot completed.
23:51:39 100% None
23:51:39 Automated Installation succeeded.
23:51:39 You may wish to reboot the system at this time.
Automated Installation finished successfully
Shutdown requested. Shutting down the system
Log files will be available in /var/log/install/ after reboot
svc.startd: The system is coming down. Please wait.
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- myfirstkz installed - solaris-kz excl
- iso-kz installed - solaris-kz excl
- native-zone installed /system/zones/native-zone solaris excl
- converted-zone-kz installed - solaris-kz excl
Listing 21
As we can see in Listing 21, the install process completed successfully and we have an installed kernel zone.
Let's boot up our newly converted zone and have a look at it, as shown in Listing 22:
root@global:~# zoneadm -z converted-zone-kz boot
root@global:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
3 converted-zone-kz running - solaris-kz excl
- duckstack unavailable - solaris-kz excl
- native-zone installed /system/zones/native-zone solaris excl
root@global:~# zlogin converted-zone-kz
[Connected to zone 'converted-zone-kz' pts/1]
Oracle Corporation SunOS 5.11 11.2 June 2014
root@unknown:~# ls
my_special_files
Listing 22
In Listing 22, we can see that the contents of our native zone have been preserved.