> But this is fairly far from the Zones-discuss topic.

I respectfully disagree; I think this is part of the Zones-discuss topic.

The whole reason people want a minimal OpenSolaris install is to have a global zone with nothing running in it (except for maybe an SSH server and an internal crossbow "virtual network" based IPS package repository for the non-global zones) and then have Apache, Postfix / dovecot, BIND, glassfish, database software, etc. etc. all delegated out to the non-global zones. It seems that this would be a more secure arrangement and it would also be better for resource management since OpenSolaris's SUNWrcap resource management capabilities for zones are superb. So in a way, this is kind of a "zones-discuss" issue ;-)

It is also partly an installation and package management issue, but the most important thing is that everything involving package management and a minimalized global zone "server install" integrates smoothly at the zone level.

Zones / Containers are one of the main reasons Sun customers use Solaris, but IBM's AIX and Windows Server 2008 are slowly catching up. IBM is trying very hard to make their AIX WPAR's better than Solaris 10 zones (see link below):

http://www.ibm.com/developerworks/aix/library/au-solaris/index.html

and Microsoft is also pushing Hyper-V on Windows Server 2008 as a replacement for Solaris Zones (Hyper-V can now even run SPARC Solaris workloads - see link below):

http://blogs.zdnet.com/virtualization/?p=482

and there are also things like OpenVZ and Virtuozzo VPS on Linux, which are similar to Solaris zones and have captured a massive mind share and are slowly taking over the data center that I work in (even though they are, for the most part, pretty awful products compared to Solaris zones).

So if Solaris is to win the race and stem the migration of UNIX installations away from Sun and towards IBM and Red Hat, it's critical that we always remain a few steps ahead of the pack so that pro-Sun sysadmins such as myself will be able to tell our bosses: why should we ever migrate to Red Hat or IBM or Microsoft Server 2008 when it's obvious that OpenSolaris is a million times better in every way! In fact, if things in OpenSolaris continue to get better, I might be able to make a compelling case for why some of my existing customers who use Red Hat should migrate away from Linux and towards Sun, but we still have a ways to go. So how do we get there?

First, in regards to IPS and ipkg zones, I think that this point can't be emphasized enough:

CUSTOMERS DO NOT WANT TO BE PROHIBITED FROM DEPLOYING NEW ZONES JUST BECAUSE THEY ARE HAVING PROBLEMS CONNECTING TO THE OPENSOLARIS IPS REPOSITORY!!!

Could you imagine me working for a major telecom, bank / financial institution, or government / military organization and having to tell my boss: I'm sorry, I couldn't deploy any new OpenSolaris ipkg zones today because we were having trouble connecting to pkg.opensolaris.org? I would be fired in a heartbeat for being an OpenSolaris evangelist and all my kit would be replaced the next day with a massive pile of IBM gear running RHEL or AIX.

What about military data centers that aren't even supposed to be connected to the internet? How are they supposed to be able to deploy new ipkg zones when their security policies don't allow them to go out on the internet and connect to pkg.opensolaris.org?

The basic stop-gap solution to the problem is simple: in January of the year 2010, Joe Unix-Administrator downloads the OpenSolaris "Server Core" version of the OpenSolaris Indiana operating system from genunix.org, and installs it.
The installer asks him to put in a static IP address (something the current OpenSolaris installer never does unfortunately), installs a minimal server OS with no GNOME or X-Windows in the global zone, and then comes up after the reboot with a BASH or KSH command line with virtual terminals, SSH and nothing else running.

Then Joe Unix-Administrator SSH's into the global zone and types in a command to tell the global zone to clone the opensolaris.org IPS repository, but because this is a server operating system, it will only clone all of the server and developer related packages (i.e. Apache, postfix, Bind / named, MySQL, Erlang... basically anything at pkg.opensolaris.org that's not an X-windows dependent application). The command the sysadmin types in to clone the IPS repository could be something like this:

    # pkg clone-repository pkg.opensolaris.org/server crossbow

Now, the global zone starts downloading all the server packages from pkg.opensolaris.org and several hours later we have a fully functioning local IPS repository running on an internal network inside the global zone.

Now we have to make this local IPS repository the default repository for the entire system (including the non-global zones which haven't been deployed yet). To do this, Joe could type in something like this:

    # pkg set-authority -P global crossbow

and voila! Everything is done. The server could even be disconnected from the internet and ipkg zones would still install because they use crossbow to download their packages from the repository in the global zone. Any latency issues with installing IPS packages are now also resolved.

We in the OpenSolaris community just need to lobby Sun's developers to implement something like this and I think it would be a huge win for everyone.

--
This message posted from opensolaris.org
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org