Hello everyone, I recently took on a project to run a VirtualBox guest within a whole Solaris zone. The idea was to protect the Solaris system from any crashes vbox might have. I need to run vbox on a production system, but I didn't want to put the whole system at risk.
I was using Solaris 5/09 x86 with VirtualBox 2.2.2. Vbox would run ok as long as I didn't try to power-off the virtual machine. When I would power off a vbox guest, within just a few mins the Solaris host would panic with the following message in syslog: [i]genunix: [ID 335743 kern.notice] BAD TRAP: type=e (#pf Page fault) rp=d55a3ccc addr=490070e4 occurred in module "genunix" due to an illegal access to a user address[/i] This was easily repeatable... and in two cases even made the host OS unbootable -- device driver couldn't be loaded. Without vbox running, the zone would function as expected and run indefinitely without issue. As a result of this, I had to change the version of vbox I was using and run the vbox within the global zone (risky). It seems to be running rock solid so far, but the whole experience has left me seriously questioning the safety of Solaris zones. Plus, I don't have the option of isolating the vbox machines as I originally had hoped. This is where I need help. I may simply have a misunderstanding of what a zone can do. My understanding was that applications (ie vbox) running within a zone would be completely isolated from the host system. Bad software, security breaches, etc. would all be contained within the zone and the host system, and any other zones, would be protected from a problem zone. As I have explained above, this was not the case. So, what should I expect from zones? Since they are not fully isolated from the global zone and underlying host, what degree of confidence should I put into their resiliency and their security? If, as I experienced, a rogue application can cause a system panic, wouldn't a potential intruder be able to do the same thing? I really was falling in love with Zones and the potential I thought they would offer me, but this experience has really made me question my decision to use them and I need some help understanding exactly what went wrong. If anyone can offer some insight, I'd be grateful. Thanks to all in advance, -Michael -- This message posted from opensolaris.org _______________________________________________ zones-discuss mailing list firstname.lastname@example.org