Re: [zones-discuss] Using zones for simple usage
Anon Y Mous wrote:

> But this is fairly far from the Zones-discuss topic.

I respectfully disagree, I think this is part of the Zones-discuss topic. The whole reason people want a minimal OpenSolaris install is to have a global zone with nothing running in it (except for maybe an SSH server and an internal crossbow "virtual network" based IPS package repository for the non-global zones) and then have Apache, Postfix / dovecot, BIND, glassfish, database software, etc. etc. all delegated out to the non-global zones. It seems that this would be a more secure arrangement and it would also be better for resource management since OpenSolaris's SUNWrcap resource management capabilities for zones are superb. So in a way, this is kind of a "zones-discuss" issue ;-)

It is also partly an installation and package management issue, but the most important thing is that everything involving package management and a minimalized global zone "server install" integrates smoothly at the zone level.

Zones / Containers are one of the main reasons Sun customers use Solaris, but IBM's AIX and Windows Server 2008 are slowly catching up. IBM is trying very hard to make their AIX WPAR's better than Solaris 10 zones (see link below):

http://www.ibm.com/developerworks/aix/library/au-solaris/index.html

and Microsoft is also pushing Hyper-V on Windows Server 2008 as a replacement for Solaris Zones (Hyper V can now even run SPARC Solaris workloads- see link below):

http://blogs.zdnet.com/virtualization/?p=482

and there's also things like OpenVZ and Virtuozzo VPS on Linux, which are similar to Solaris zones and have captured a massive mind share and are slowly taking over the data center that I work in (even though they are, for the most part, pretty awful products compared to Solaris zones).

So if Solaris is to win the race and stem the migration of UNIX installations away from Sun and towards IBM and Red Hat, it's critical that we always remain a few steps ahead of the pack so that pro-Sun sysadmins such as myself will be able to tell our bosses- why should we ever migrate to Red Hat or IBM or Microsoft Server 2008 when it's obvious that OpenSolaris is a million times better in every way! In fact, if things in OpenSolaris continue to get better, I might be able to make a compelling case for why some of my existing customers who use Red Hat should migrate away from Linux and towards Sun, but we still have a ways to go.

So how do we get there? First, in regards to IPS and ipkg zones, I think that this point can't be emphasized enough:

CUSTOMERS DO NOT WANT TO BE PROHIBITED FROM DEPLOYING NEW ZONES JUST BECAUSE THEY ARE HAVING PROBLEMS CONNECTING TO THE OPENSOLARIS IPS REPOSITORY!!!

Could you imagine me working for a major telecom, bank / financial institution, or government / military organization and having to tell my boss: I'm sorry, I couldn't deploy any new OpenSolaris ipkg zones today because we were having trouble connecting to pkg.opensolaris.org? I would be fired in a heartbeat for being an OpenSolaris evangelist and all my kit would be replaced the next day with a massive pile of IBM gear running RHEL or AIX.

What about military data centers that aren't even supposed to be connected to the internet? How are they supposed to be able to deploy new ipkg zones when their security policies don't allow them to go out on the internet and connect to pkg.opensolaris.org?

The basic stop-gap solution to the problem is simple: in January of the year 2010, Joe Unix-Administrator downloads the OpenSolaris "Server Core" version of the OpenSolaris Indiana operating system from genunix.org, and installs it. The installer asks him to put in a static IP address (something the current OpenSolaris installer never does unfortunately), installs a minimal server OS with no GNOME or X-Windows in the global zone, and then comes up after the reboot with a BASH or KSH command line with virtual terminals, SSH and nothing else running.

Then Joe Unix-Administrator SSH's into the global zone and types in a command to tell the global zone to clone the opensolaris.org IPS repository, but because this is a server operating system, it will only clone all of the server and developer related packages (i.e. Apache, postfix, Bind / named, MySQL, Erlang... basically anything at pkg.opensolaris.org that's not an X-windows dependent application). The command the sysadmin types in to clone the IPS repository could be something like this:

    # pkg clone-repository pkg.opensolaris.org/server crossbow

Now, the global zone starts downloading all the server packages from pkg.opensolaris.org and several hours later we have a fully functioning local IPS repository running on an internal network inside the global zone. Now we have to make this local IPS repository the default repository for the entire system (including the non-global zones which haven't been deployed yet). To do this, Joe co
Re: [zones-discuss] Using zones for simple usage
Jeff Victor wrote:

> Seriously, it would be helpful for Sun to understand the advantages of a release that doesn't have a GUI as an option. In other words, what problems are caused by the existence of the GUI software (besides wasted disk space)?
>
> Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs?

Especially if you consider how much hardware Sun ships that doesn't have a graphics terminal (or graphics card) in it. Specifically all of the SPARC servers. After all, who needs a monitor when you have RS232?

On the other hand, by not doing the "Everything and the Kitchen Sink" cluster, don't you run the risk of unexpected and unsupported dependencies between programs? (For example scripts that need ksh93 broke if you didn't install /usr/dt/bin/ksh)

But this is fairly far from the Zones-discuss topic.

--Joe
Re: [zones-discuss] Using zones for simple usage
Rats. This post was supposed to be below my other two older posts in the forum, not above them. My bad.
Re: [zones-discuss] Using zones for simple usage
I know some of you guys are chuckling at my statements thinking "well, maybe his postfix and apache and BIND / named servers don't have a windowing environment, but Oracle needs X-windows". Well, actually it's possible to install Oracle without using X-windows on Red Hat Enterprise Linux (see link below):

http://musialek.org/?p=68

Using a trick like that to get rid of the RAM and CPU cycles wasted on unnecessary windowing environment related computation on OpenSolaris could get "world record" Oracle performance from Sun (to use the phrase Sun likes to use so much in their own marketing writeups).

Not to mention that GNOME and Xwindows is like a swiss cheese of security holes and obscure code bugs that nobody I personally know understands, there's nothing good that can come from having it unless you are a desktop user trying to do desktop things (like play games, write code, watch movies) on your desktop computer (which I have tried to do on my OpenSolaris desktop with varying degrees of success since lifewithsolaris.jp went down).

Do you guys think that companies like Akamai and Google and Amazon waste unnecessary CPU cycles on their servers, and unnecessary disk space for a beautiful GNOME desktop environment that no one will ever see anyway because there's never a keyboard and monitor hooked up to the server? What if CISCO started forcing everyone to have a GNOME desktop and GNOME games on their routers and ASA / PIX firewalls? How do you think that would go down?

Companies like Google and Amazon used to be running Solaris as their main OS at a time way back in the 1990's when the Google search engine was called "Backrub" and ran on a SPARC server made out of LEGOS at Stanford. Linux eventually won out not because the underlying core technology was better than Solaris (it wasn't), but because it was cheap, had no IP strings attached, and it was easier to customize it by modifying the source code and stripping it down into an efficient server appliance that doesn't waste CPU cycles, disk space, and RAM on things like windowing environments that don't directly benefit its ability to serve up web pages to the end user.

Think how much money Sun would have if they had made this quality UNIX OS open source and easily customizable back then and kept Google and Amazon and everyone else who started out on Solaris in the 1990's as clients. All of you engineers on this mailing list would all be driving Ferraris and have your own Larry Ellison boats!

Why are all the top Super Computer clusters like Texas Ranger buying a big football stadium full of Sun Gear and then running CentOS Linux on it instead of OpenSolaris? Maybe they don't want GNOME games installed when they're trying to break the next world record?
Re: [zones-discuss] Using zones for simple usage
> Another option: Have you tried using the Automated Installer to install OpenSolaris without X, Gnome, etc.?

In regards to using or not using the automated installer, keep in mind that some network administrators are VERY much against allowing anyone besides themselves to deploy a DHCP server anywhere on their network for security reasons (i.e. they won't let me do it, and just because me wanting to do it has something to do with this new unproven "OpenSolaris" thing that people are skeptical about doesn't justify it either).

This "NO UNAUTHORIZED DHCP SERVERS ON THE NETWORK!" security policy many network admins have is something important to keep in mind as a lot of Sun's customers are very security focused and this is one of the main things that has been keeping me from using automated OpenSolaris installs in production. Red Hat Enterprise Linux (which is what a lot of my customers use) is immune to this "NO DHCP SERVERS" rule because the automated RHEL "kickstart" installs don't require a DHCP server, all it requires is that the Red Hat Anaconda installer can read the kickstart file from "somewhere" and that "somewhere" could be on a USB thumbdrive, on a custom made CD / DVD image, on a server somewhere on the network, etc. (anybody who has worked as an RHEL sysadmin and knows how kickstart works knows what I'm talking about).

I think the lack of a supported server distro is overall a big issue (maybe the biggest issue) because it prevents Sun from getting server revenue from OpenSolaris that would bring lots of money in from paying customers like me that could be used to fund more projects, hire more people to work on the code, and thus make OpenSolaris even better than it already is.

I'm a compulsive risk taker, so I can guarantee that I would definitely have already been using OpenSolaris in production somewhere back in the 2008.05 days and I would have definitely bought support for it IF it could be installed as a minimal server OS (like Nexenta Core) and supported the applications that we use (i.e. postfix, oracle, etc.). Right now, I haven't bought any support from Sun for OpenSolaris, and that's because all of my clients are using RHEL and Ubuntu Server and sending their support fee money over to those companies.

Right now OpenSolaris Indiana is stuck between a rock and a hard place. In its current configuration it caters very heavily to desktop users, but desktop users won't use it (they'll use Ubuntu or Mac OS X) because desktop users want to do things like put music on their ipod with itunes or watch movies with VLC media player (things that are almost impossible to do on OpenSolaris unless you have genius level VLC player compiling capabilities like kronox from lifewithsolaris.jp has).

What about using OpenSolaris 2009.06 for a large organization's primary mail server? Let's see, do I need Firefox on my mail server? Nope. Do I need X-windows? Nope. Do I need Gnome games on my server? Nope. Well, what do I need on my mail server for a 1000 person plus organization? I need postfix, and dovecot and squirrelmail. But guess what? There's no official postfix package available from Sun even though the opensolaris.org mailing list runs on Postfix!!!

Postfix is available from Blastwave, but we want to buy support from Sun for our company's mail server that handles the company's important e-mails, so yeah, we would like to be able to pay for the right to open a trouble ticket with Sun if we have problems with Postfix on Solaris. So I guess if I want to deploy a Postfix server for a large business (something I do at least a dozen times a year) and I want to have paid-for support, I'm pretty much forced to use Ubuntu Server or RHEL or Suse then aren't I?

People like me in the OpenSolaris community who work as RHCE Linux consultants for a living want to help Sun out and send revenue from some yearly support contract fees over to Sun, but Sun makes it almost impossible for us to do this, so I'm stuck using the same "if it ain't broke why fix it" Linux-based business model that I've been living off of for the last 4 years :-(
Re: [zones-discuss] Using zones for simple usage
> Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs?

Thanks for the quick response Jeff! We also already did have a discussion about having a minimal server installation option for Cayman / Indiana here:

http://www.opensolaris.org/jive/thread.jspa?threadID=107921&tstart=15

and Alan Coopersmith said they had some problems getting IPS and the Cayman installer to inter-operate with each other to allow you to choose which packages you wanted in time for the 2009.06 release, which was why I suggested it might be easier to just create a minimalized "server only" distro for Indiana like Ubuntu did for Ubuntu Server than to fix whatever it is that's going on with IPS that prevents it from letting you choose what packages to install.

IMO it doesn't matter that much whether Sun goes with the "Red Hat" approach of having one really big installation DVD / CD set that has a lot of packages on it and lets you choose what packages you want to install or whether Sun goes with the "Canonical / Ubuntu" approach of having an entirely separate "server only" installation CD that doesn't have any X-windows packages on it. Sun should just go with whatever method is easiest for them to implement so that they can get a decent OpenSolaris Indiana server configuration out to the public as quickly as possible so that Indiana can get a foot hold in the data center vis-a-vis RHEL and start to become a source of immediate revenue for Sun in terms of server support contracts.

I will say though that in my opinion the Ubuntu Server method has a very slight advantage over Red Hat in that their "Ubuntu Server" distro is a little faster to download and install than RHEL is and it's faster and easier to configure and set up as well because it focuses on just doing one thing and doing that one thing well and doesn't try too hard to be all things to all people.

Another important thing to keep in mind is that many server users would like to have "virtual consoles" configured by default on the server instead of X-windows so that they can switch between different command line consoles. As I understand it, X-windows doesn't work properly if you have the virtual consoles enabled on OpenSolaris (see links below):

http://www.opensolaris.org/jive/thread.jspa?threadID=96463&tstart=0
http://www.opensolaris.org/jive/thread.jspa?threadID=82794&tstart=0

so if we have to choose between either having X-windows OR virtual consoles, why not have a server only install that removes GNOME and X-windows and instead immediately gives you a working virtual consoles implementation during the first reboot right after the install is finished. A specialized server installation would have an advantage in that virtual consoles would "just work" and the sysadmin wouldn't have to waste his precious time using SMF to tweak the configuration files and svcadm enable each virtual console one at a time.
Re: [zones-discuss] Using zones for simple usage
Thanks Jim. But the context is OpenSolaris, so time-to-patch is much less relevant. (Instead, time-to-update is relevant.)

I strongly doubt that Solaris 10 will ever have a "server" distro. It's too late in the life of S10 for that.

And because we're talking about OpenSolaris, disk space usage shouldn't matter as much because zone clone will automatically create a ZFS clone. (This is also true on Solaris 10 10/08 and after *if* you choose to put your zones on ZFS. But with OpenSolaris it will be the default because ZFS is the default fs type for the root fs.)

My goal is not to argue that a GUI should always be installed. I like the concept. And the point about increasing security via package minimization is a good one that has been discussed many times over the years. I have occasionally asked for application-specific installation choices, but that has never happened.

But if a 'server-only' option (like I mentioned last time) isn't difficult to achieve, perhaps that's the best path to take. But only if it meets the needs.

--JeffV

On Sun, Jul 19, 2009 at 5:08 AM, James Litchfield wrote:
> In the days of packages and Solaris 10 (i.e., what is used now and will be for quite a while)...
>
> A) Much less time to install and instantiate whole root zones if you get rid of a lot of dross. This includes service instantiation. Less disk space used for the zone. Disk space savings of more than 50% and often 75% can be achieved.
>
> I have run into this at one major retail corporation and several financial institutions. Disk space concerns were common to all of them and there were also concerns at some of them about the time it would take for dynamic container provisioning in response to load conditions.
>
> B) Concerns about security holes. If you don't have something on the system, you don't have to patch it or update it on the off chance someone could exploit it. If something is not on the system, you don't have to worry about as yet undiscovered security holes.
>
> This is a serious concern for many customers.
>
> C) Less time to install and less time to patch.
>
> JIm
>
> Jeff Victor wrote:
>> On Fri, Jul 17, 2009 at 11:07 PM, Anon Y Mous wrote:
>>>> One thing I've found to be true though: either a machine is all zoned, or not. It gets horribly confusing to have real activity in the global zone, where you can half see the non-global zones, so if you have zones on a machine then it's easier to run nothing in the global zone and just use it as an administrative container.
>>>
>>> Since you brought it up. I think what we really need is an officially supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun Microsystems that can be downloaded from genunix.org and does what you just described: i.e. it installs itself with no X-windows and just runs as a command line only minimal "administrative container" for zones with no GNOME desktop, no Thunderbird mail reader, no GNOME games, etc. etc.
>>
>> There is humorous irony here, given how much 'flak' Sun took over the years for its outdated GUI - until Solaris adopted Gnome. Now that [Open]Solaris have a modern UI, you want to get rid of it... ;-)
>>
>> Seriously, it would be helpful for Sun to understand the advantages of a release that doesn't have a GUI as an option. In other words, what problems are caused by the existence of the GUI software (besides wasted disk space)?
>>
>> Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs?
>>
>> Another option: Have you tried using the Automated Installer to install OpenSolaris without X, Gnome, etc.?
>>
>>> A lot of my paying clients are big time Linux users, they pay for RHEL and for the long term supported versions of Ubuntu Server, etc. and they have been wanting to try migrating some server instances over to OpenSolaris Indiana within the last six months or so to gain benefits from zones and ZFS, they like OpenSolaris Indiana for the most part, but they've been very turned off by the fact that OpenSolaris Indiana forces them to have all this desktop software installed when what they really want is a minimal server OS (similar to Ubuntu's "Ubuntu Server" distribution that comes without a GNOME desktop) and they also didn't like the fact that I wasn't able to deploy any new zones for a while when the IPS repository went down a while ago.
>>
>> I believe that you can now create a local repository. This might help:
>>
>> http://wikis.sun.com/display/IpsBestPractices/Setting+Up+and+Maintaining+Package+Repositories
>> ("Setting Up and Maintaining Package Repositories").

--JeffV
Re: [zones-discuss] Using zones for simple usage
In the days of packages and Solaris 10 (i.e., what is used now and will be for quite a while)...

A) Much less time to install and instantiate whole root zones if you get rid of a lot of dross. This includes service instantiation. Less disk space used for the zone. Disk space savings of more than 50% and often 75% can be achieved.

I have run into this at one major retail corporation and several financial institutions. Disk space concerns were common to all of them and there were also concerns at some of them about the time it would take for dynamic container provisioning in response to load conditions.

B) Concerns about security holes. If you don't have something on the system, you don't have to patch it or update it on the off chance someone could exploit it. If something is not on the system, you don't have to worry about as yet undiscovered security holes.

This is a serious concern for many customers.

C) Less time to install and less time to patch.

JIm

Jeff Victor wrote:
> On Fri, Jul 17, 2009 at 11:07 PM, Anon Y Mous wrote:
>>> One thing I've found to be true though: either a machine is all zoned, or not. It gets horribly confusing to have real activity in the global zone, where you can half see the non-global zones, so if you have zones on a machine then it's easier to run nothing in the global zone and just use it as an administrative container.
>>
>> Since you brought it up. I think what we really need is an officially supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun Microsystems that can be downloaded from genunix.org and does what you just described: i.e. it installs itself with no X-windows and just runs as a command line only minimal "administrative container" for zones with no GNOME desktop, no Thunderbird mail reader, no GNOME games, etc. etc.
>
> There is humorous irony here, given how much 'flak' Sun took over the years for its outdated GUI - until Solaris adopted Gnome. Now that [Open]Solaris have a modern UI, you want to get rid of it... ;-)
>
> Seriously, it would be helpful for Sun to understand the advantages of a release that doesn't have a GUI as an option. In other words, what problems are caused by the existence of the GUI software (besides wasted disk space)?
>
> Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs?
>
> Another option: Have you tried using the Automated Installer to install OpenSolaris without X, Gnome, etc.?
>
>> A lot of my paying clients are big time Linux users, they pay for RHEL and for the long term supported versions of Ubuntu Server, etc. and they have been wanting to try migrating some server instances over to OpenSolaris Indiana within the last six months or so to gain benefits from zones and ZFS, they like OpenSolaris Indiana for the most part, but they've been very turned off by the fact that OpenSolaris Indiana forces them to have all this desktop software installed when what they really want is a minimal server OS (similar to Ubuntu's "Ubuntu Server" distribution that comes without a GNOME desktop) and they also didn't like the fact that I wasn't able to deploy any new zones for a while when the IPS repository went down a while ago.
>
> I believe that you can now create a local repository. This might help:
>
> http://wikis.sun.com/display/IpsBestPractices/Setting+Up+and+Maintaining+Package+Repositories
> ("Setting Up and Maintaining Package Repositories").
Re: [zones-discuss] Using zones for simple usage
On Fri, Jul 17, 2009 at 11:07 PM, Anon Y Mous wrote:
>> One thing I've found to be true though: either a machine is all zoned, or not. It gets horribly confusing to have real activity in the global zone, where you can half see the non-global zones, so if you have zones on a machine then it's easier to run nothing in the global zone and just use it as an administrative container.
>
> Since you brought it up. I think what we really need is an officially supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun Microsystems that can be downloaded from genunix.org and does what you just described: i.e. it installs itself with no X-windows and just runs as a command line only minimal "administrative container" for zones with no GNOME desktop, no Thunderbird mail reader, no GNOME games, etc. etc.

There is humorous irony here, given how much 'flak' Sun took over the years for its outdated GUI - until Solaris adopted Gnome. Now that [Open]Solaris have a modern UI, you want to get rid of it... ;-)

Seriously, it would be helpful for Sun to understand the advantages of a release that doesn't have a GUI as an option. In other words, what problems are caused by the existence of the GUI software (besides wasted disk space)?

Instead of a separate distro, perhaps it would be simpler for everybody if there was a "no-GUI server" installation option that simply doesn't install the GUI tools. Would that meet your needs?

Another option: Have you tried using the Automated Installer to install OpenSolaris without X, Gnome, etc.?

> A lot of my paying clients are big time Linux users, they pay for RHEL and for the long term supported versions of Ubuntu Server, etc. and they have been wanting to try migrating some server instances over to OpenSolaris Indiana within the last six months or so to gain benefits from zones and ZFS, they like OpenSolaris Indiana for the most part, but they've been very turned off by the fact that OpenSolaris Indiana forces them to have all this desktop software installed when what they really want is a minimal server OS (similar to Ubuntu's "Ubuntu Server" distribution that comes without a GNOME desktop) and they also didn't like the fact that I wasn't able to deploy any new zones for a while when the IPS repository went down a while ago.

I believe that you can now create a local repository. This might help:

http://wikis.sun.com/display/IpsBestPractices/Setting+Up+and+Maintaining+Package+Repositories
("Setting Up and Maintaining Package Repositories").

--JeffV
Re: [zones-discuss] Using zones for simple usage
On Thu, Jul 16, 2009 at 5:30 PM, Peter Tribble wrote:
> On Tue, Jul 14, 2009 at 1:15 PM, Harry Putnam wrote:
>> Alexander Skwar writes:
>>
>>> What he plans can be done easily using NGZ (non-global zones).
>>> An NGZ also adds just a little bit of overhead (if any at all) to the
>>> system - unlike vbox.
>>
>> So you're saying a zone to handle all backup work is a sensible way to
>> go at it...
>>
>> Can you tell me what would be the advantage of creating a zone for
>> that as against just doing thru the normal os... no zones.
>
> Personally, I wouldn't use zones for this. Zones give you isolation - either
> for security or to run multiple instances. (Amongst other things.) A bit of
> complexity for no benefit.
>
> Isolating the mail server in a zone, on the other hand, makes more sense.
> Anything you expose to incoming traffic from outside is good.
>
> Nameservice I'm not sure: what acts as nameservice to the global zone?

Something that has the best security possible. If the GZ only needs to know about a few machines on the LAN, you could just use /etc/inet/hosts in the global zone, and put the nameserver in a zone. In some situations, that would be very helpful, e.g. if the nameserver is talking to the Internet for DNS resolution. In other situations, e.g. the system should be talking to the Internet, putting the nameserver in a zone would not help much.

> One thing I've found to be true though: either a machine is all zoned, or not.
> It gets horribly confusing to have real activity in the global zone,
> where you can half see the non-global zones, so if you have zones on a
> machine then it's
> easier to run nothing in the global zone and just use it as an administrative
> container.

Further, Sun's recommendation is to limit GZ use to platform management tasks - managing the zones - and put all apps in zones. The system benefits from the isolation mentioned earlier and the immutability of operating system binaries. No Trojan Horses in sparse-root zones!

--
--JeffV
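The policy discussed in the message above (only platform management in the global zone, all applications in zones) can be checked mechanically. The following is an added example, not part of any post in this thread: it filters a process listing in the shape of Solaris `ps -e -o zone,pid,comm` and reports global-zone processes that are not on an allowlist. The allowlist and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Audit for an "administrative container" global zone: list processes that
# run in the global zone but are not on an allowlist.
# Real input on Solaris/OpenSolaris: ps -e -o zone,pid,comm

# Assumed allowlist of executable basenames; adjust to the site's baseline.
ALLOWED="sched init pageout fsflush svc.startd svc.configd zoneadmd sshd"

# Constructed sample listing (not captured from a real host).
sample_ps() {
cat <<'EOF'
    ZONE   PID COMMAND
  global     1 /sbin/init
  global   412 /usr/lib/ssh/sshd
  global   530 /usr/apache2/2.2/bin/httpd
  global   610 zoneadmd
     web   901 /usr/apache2/2.2/bin/httpd
    mail   955 /usr/lib/postfix/master
EOF
}

# Read a listing on stdin; print "PID NAME" for each global-zone stray.
global_zone_strays() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "ZONE"   { next }               # header line
        $1 != "global" { next }               # non-global zones are out of scope
        NF < 3         { next }               # malformed line
        {
            name = $3
            sub(/^.*\//, "", name)            # reduce a path to its basename
            if (!(name in ok)) print $2, name
        }'
}

# Read a listing on stdin; print "ZONE COUNT" per zone, sorted by zone name.
zone_counts() {
    awk '$1 == "ZONE" { next } NF >= 3 { c[$1]++ }
         END { for (z in c) print z, c[z] }' | sort
}

echo "global-zone processes outside the allowlist:"
sample_ps | global_zone_strays
echo "processes per zone:"
sample_ps | zone_counts
```

On a live host, replace `sample_ps` with the real `ps` command from the global zone; a non-empty result from `global_zone_strays` points at a workload that belongs in a non-global zone.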
Re: [zones-discuss] Using zones for simple usage
> One thing I've found to be true though: either a machine is all zoned, or not.
> It gets horribly confusing to have real activity in the global zone,
> where you can half see the non-global zones, so if you have zones
> on a machine then it's easier to run nothing in the global zone and
> just use it as an administrative container.

Since you brought it up. I think what we really need is an officially supported OpenSolaris Indiana 2009.xx SERVER distribution from Sun Microsystems that can be downloaded from genunix.org and does what you just described: i.e. it installs itself with no X-windows and just runs as a command line only minimal "administrative container" for zones with no GNOME desktop, no Thunderbird mail reader, no GNOME games, etc. etc.

A lot of my paying clients are big time Linux users, they pay for RHEL and for the long term supported versions of Ubuntu Server, etc. and they have been wanting to try migrating some server instances over to OpenSolaris Indiana within the last six months or so to gain benefits from zones and ZFS, they like OpenSolaris Indiana for the most part, but they've been very turned off by the fact that OpenSolaris Indiana forces them to have all this desktop software installed when what they really want is a minimal server OS (similar to Ubuntu's "Ubuntu Server" distribution that comes without a GNOME desktop) and they also didn't like the fact that I wasn't able to deploy any new zones for a while when the IPS repository went down a while ago.

They want this minimal server OS to have a global zone that is a minimal administrative container for non-global zones (i.e. one zone having an Apache web server, one zone having BIND / named, another zone having Postfix / Dovecot / Squirrelmail for webmail) but with nothing really running in the global zone except for maybe an SSH server.

Nexenta Core already kind of does most of what we want and seems attractive, but I really want to buy the official support from Sun (and I'm sure you guys at Sun wouldn't mind having some more support contract money sent your way). Almost nobody I know buys thousands of dollars of support a year for a desktop operating system, so by Sun not providing an officially supported and separate 2009.xx Server distribution that we can buy support for, they are hurting their own business by forcing us against our will to look elsewhere (i.e. to Nexenta Core) to find the minimal OpenSolaris-based server OS that we need.

Our requirements to go into production with OpenSolaris are these:

(1) The ability to install something that is basically the same as OpenSolaris Indiana 2009.06 but without X-windows and without a GNOME desktop.

(2) Our biggest #1 issue is that the "administrative container" global zone should have a local on-disk mirror of Sun's IPS repository that acts as the main IPS package repository for all the zones i.e. when someone creates a new zone or logs into a zone and uses "pkg install" to install something, it should perhaps install the package from the global zone to the non-global zone using an internal network based on Project Crossbow. That way we only download all the packages once to the global zone and leave them there (this is a server and uptime is important, so we don't plan on doing a pkg image-update more than once a year) and we don't want to be forced to waste precious network bandwidth downloading unnecessarily redundant data from Sun's IPS repository every time we install a new package.

(3) All of our e-mail servers run on Postfix and Dovecot. So an officially supported SUNWpostfix package like the one that Sun uses to run all the opensolaris.org mailing lists would be appreciated (my clients don't like the idea of IPSpostfix not being officially supported by Sun).

Do you guys think that these three things are doable in the next year? Or should I give up on trying to use OpenSolaris in production and buying support contracts from Sun? My clients are getting kind of impatient with the wait.

--
This message posted from opensolaris.org
Re: [zones-discuss] Using zones for simple usage
On Tue, Jul 14, 2009 at 1:15 PM, Harry Putnam wrote:
> Alexander Skwar writes:
>
>> What he plans can be done easily using NGZ (non-global zones).
>> An NGZ also adds just a little bit of overhead (if any at all) to the
>> system - unlike vbox.
>
> So you're saying a zone to handle all backup work is a sensible way to
> go at it...
>
> Can you tell me what would be the advantage of creating a zone for
> that as against just doing thru the normal os... no zones.

Personally, I wouldn't use zones for this. Zones give you isolation - either for security or to run multiple instances. (Amongst other things.) A bit of complexity for no benefit.

Isolating the mail server in a zone, on the other hand, makes more sense. Anything you expose to incoming traffic from outside is good.

Nameservice I'm not sure: what acts as nameservice to the global zone?

One thing I've found to be true though: either a machine is all zoned, or not. It gets horribly confusing to have real activity in the global zone, where you can half see the non-global zones, so if you have zones on a machine then it's easier to run nothing in the global zone and just use it as an administrative container.

--
-Peter Tribble
http://www.petertribble.co.uk/ - http://ptribble.blogspot.com/
Re: [zones-discuss] Using zones for simple usage
Alexander Skwar writes:
> What he plans can be done easily using NGZ (non-global zones).
> An NGZ also adds just a little bit of overhead (if any at all) to the
> system - unlike vbox.

So you're saying a zone to handle all backup work is a sensible way to go at it...

Can you tell me what would be the advantage of creating a zone for that as against just doing thru the normal os... no zones.
Re: [zones-discuss] Using zones for simple usage
On Mon, Jul 13, 2009 at 12:53 PM, Harry Putnam wrote:
> After reading only a little about zones.. I doubt I really get the
> expected usage one might put a zone to.
>
> My case is very homespun just a home lan with at most... 6
> machines.
>
> 1 vista(laptop)
> 3 winXP
> 1 linux
> 1 Opensolaris (2009.6 still using b111)
>
> I've been mainly a linux user until recently but use 3 winXP machines
> for video and photography processing since I work largely with all Adobe
> tools. I'm more experienced with admin type chores on linux..
>
> I'm using the Opensol machine for most backup type jobs across the
> lan. Or in cases where the backup may originate on a windows machine
> such as with `Retrospect', the opensol machine is the recipient only.
>
> I wondered if there would be any advantage to creating a zone where
> only the backup chores were handled, nothing else.
>
> I can't be sure if that is even the kind of thing one would do with a
> zone, but it seems kind of likely it would be handy to have an area
> where nothing but backup chores were in order.
>
> Another zone I've thought about would be for nameservice to my home
> lan. Maybe a mail server might be another zone usage.
>
> I hoped to hear from a few experienced `zones' users about such a usage.

Zones are handy when you need an added degree of isolation. The time that I could see such a need for typical home usage would be if you have an internet-facing web server or similar. I would put the web server in a zone and have my router set up to forward http packets to that zone. If someone breaks through the web server's security and gets shell access, they get shell access only to the things that are on the web server. Presumably the web server zone doesn't have access to sensitive things, like your tax records.

In a business situation, there are several other use cases.

Longer term, management of zones (e.g. applying software updates) takes extra effort. As such, I wouldn't break things up into separate zones any more than makes sense to satisfy your needs.

--
Mike Gerdts
http://mgerdts.blogspot.com/
Re: [zones-discuss] Using zones for simple usage
Why?

What he plans can be done easily using NGZ (non-global zones). An NGZ also adds just a little bit of overhead (if any at all) to the system - unlike vbox.

What would be the gain of using a more complex technology like vbox/xen in comparison to NGZs?

On Tue, Jul 14, 2009 at 13:42, Dr Hung-Sheng Tsao (LaoTsao) <hung-sheng.t...@sun.com> wrote:
> Maybe use vbox or xen in opensolaris
>
> --- Original message ---
>> From: Harry Putnam
>> Sent: 14/7/'09, 7:35
>>
>> After reading only a little about zones.. I doubt I really get the
>> expected usage one might put a zone to.
>>
>> My case is very homespun just a home lan with at most... 6
>> machines.
>>
>> 1 vista(laptop)
>> 3 winXP
>> 1 linux
>> 1 Opensolaris (2009.6 still using b111)
>>
>> I've been mainly a linux user until recently but use 3 winXP machines
>> for video and photography processing since I work largely with all Adobe
>> tools. I'm more experienced with admin type chores on linux..
>>
>> I'm using the Opensol machine for most backup type jobs across the
>> lan. Or in cases where the backup may originate on a windows machine
>> such as with `Retrospect', the opensol machine is the recipient only.
>>
>> I wondered if there would be any advantage to creating a zone where
>> only the backup chores were handled, nothing else.
>>
>> I can't be sure if that is even the kind of thing one would do with a
>> zone, but it seems kind of likely it would be handy to have an area
>> where nothing but backup chores were in order.
>>
>> Another zone I've thought about would be for nameservice to my home
>> lan. Maybe a mail server might be another zone usage.
>>
>> I hoped to hear from a few experienced `zones' users about such a usage.

--
Alexander
--
[[ http://zensursula.net ]]
[ Soc. => http://twitter.com/alexs77 | http://www.plurk.com/alexs77 ]
[ More => http://zyb.com/alexws77 ]
[ Chat => Jabber: alexw...@jabber80.com | Google Talk: a.sk...@gmail.com ]
[ More => AIM: alexws77 ]
[ $[ $RANDOM % 6 ] = 0 ] && rm -rf / || echo 'CLICK!'
Re: [zones-discuss] Using zones for simple usage
Maybe use vbox or xen in opensolaris

--- Original message ---
From: Harry Putnam
Sent: 14/7/'09, 7:35

After reading only a little about zones.. I doubt I really get the expected usage one might put a zone to.

My case is very homespun just a home lan with at most... 6 machines.

1 vista(laptop)
3 winXP
1 linux
1 Opensolaris (2009.6 still using b111)

I've been mainly a linux user until recently but use 3 winXP machines for video and photography processing since I work largely with all Adobe tools. I'm more experienced with admin type chores on linux..

I'm using the Opensol machine for most backup type jobs across the lan. Or in cases where the backup may originate on a windows machine such as with `Retrospect', the opensol machine is the recipient only.

I wondered if there would be any advantage to creating a zone where only the backup chores were handled, nothing else.

I can't be sure if that is even the kind of thing one would do with a zone, but it seems kind of likely it would be handy to have an area where nothing but backup chores were in order.

Another zone I've thought about would be for nameservice to my home lan. Maybe a mail server might be another zone usage.

I hoped to hear from a few experienced `zones' users about such a usage.
[zones-discuss] Using zones for simple usage
After reading only a little about zones.. I doubt I really get the expected usage one might put a zone to.

My case is very homespun just a home lan with at most... 6 machines.

1 vista(laptop)
3 winXP
1 linux
1 Opensolaris (2009.6 still using b111)

I've been mainly a linux user until recently but use 3 winXP machines for video and photography processing since I work largely with all Adobe tools. I'm more experienced with admin type chores on linux..

I'm using the Opensol machine for most backup type jobs across the lan. Or in cases where the backup may originate on a windows machine such as with `Retrospect', the opensol machine is the recipient only.

I wondered if there would be any advantage to creating a zone where only the backup chores were handled, nothing else.

I can't be sure if that is even the kind of thing one would do with a zone, but it seems kind of likely it would be handy to have an area where nothing but backup chores were in order.

Another zone I've thought about would be for nameservice to my home lan. Maybe a mail server might be another zone usage.

I hoped to hear from a few experienced `zones' users about such a usage.