> But this is fairly far from the Zones-discuss topic.
I respectfully disagree, I think this is part of the Zones-discuss topic.
The whole reason people want a minimal OpenSolaris install is to have a global
zone with nothing running in it (except for maybe an SSH server and an internal
crossbow "virtual network" based IPS package repository for the non-global
zones) and then have Apache, Postfix / dovecot, BIND, glassfish, database
software, etc. etc. all delegated out to the non-global zones. It seems that
this would be a more secure arrangement and it would also be better for
resource management since OpenSolaris's SUNWrcap resource management
capabilities for zones are superb.
So in a way, this is kind of a "zones-discuss" issue ;-)
It is also partly an installation and package management issue, but the most
important thing is that everything involving package management and a
minimalized global zone "server install" integrates smoothly at the zone level.
Zones / Containers are one of the main reasons Sun customers use Solaris, but
IBM's AIX and Windows Server 2008 are slowly catching up. IBM is trying very
hard to make their AIX WPARs better than Solaris 10 zones (see link below):
and Microsoft is also pushing Hyper-V on Windows Server 2008 as a replacement
for Solaris Zones (Hyper-V can now even run SPARC Solaris workloads- see link
and there are also things like OpenVZ and Virtuozzo VPS on Linux, which are
similar to Solaris zones and have captured a massive mind share and are slowly
taking over the data center that I work in (even though they are, for the most
part, pretty awful products compared to Solaris zones).
So if Solaris is to win the race and stem the migration of UNIX
installations away from Sun and towards IBM and Red Hat, it's critical that we
always remain a few steps ahead of the pack so that pro-Sun sysadmins such as
myself will be able to tell our bosses- why should we ever migrate to Red Hat
or IBM or Microsoft Server 2008 when it's obvious that OpenSolaris is a million
times better in every way! In fact, if things in OpenSolaris continue to get
better, I might be able to make a compelling case for why some of my existing
customers who use Red Hat should migrate away from Linux and towards Sun, but
we still have a ways to go. So how do we get there?
First, in regards to IPS and ipkg zones, I think that this point can't be
CUSTOMERS DO NOT WANT TO BE PROHIBITED FROM DEPLOYING NEW ZONES JUST BECAUSE
THEY ARE HAVING PROBLEMS CONNECTING TO THE OPENSOLARIS IPS REPOSITORY!!!
Could you imagine me working for a major telecom, bank / financial institution,
or government / military organization and having to tell my boss: I'm sorry, I
couldn't deploy any new OpenSolaris ipkg zones today because we were having
trouble connecting to pkg.opensolaris.org? I would be fired in a heartbeat for
being an OpenSolaris evangelist and all my kit would be replaced the next day
with a massive pile of IBM gear running RHEL or AIX.
What about military data centers that aren't even supposed to be connected to
the internet? How are they supposed to be able to deploy new ipkg zones when
their security policies don't allow them to go out on the internet and connect
to pkg.opensolaris.org?
The basic stop-gap solution to the problem is simple: in January of the year
2010, Joe Unix-Administrator downloads the OpenSolaris "Server Core" version
of the OpenSolaris Indiana operating system from genunix.org, and installs it.
The installer asks him to put in a static IP address (something the current
OpenSolaris installer never does unfortunately), installs a minimal server OS
with no GNOME or X-Windows in the global zone, and then comes up after the
reboot with a BASH or KSH command line with virtual terminals, SSH and nothing
Then Joe Unix-Administrator SSH's into the global zone and types in a command
to tell the global zone to clone the opensolaris.org IPS repository, but
because this is a server operating system, it will only clone all of the server
and developer related packages (i.e. Apache, postfix, Bind / named, MySQL,
Erlang... basically anything at pkg.opensolaris.org that's not an X-windows
dependent application). The command the sysadmin types in to clone the IPS
repository could be something like this:
# pkg clone-repository pkg.opensolaris.org/server crossbow
Now, the global zone starts downloading all the server packages from
pkg.opensolaris.org and several hours later we have a fully functioning local
IPS repository running on an internal network inside the global zone. Now we
have to make this local IPS repository the default repository for the entire
system (including the non-global zones which haven't been deployed yet). To do
this, Joe could type in something like this:
# pkg set-authority -P global crossbow
and voila! Everything is done. The server could even be disconnected from the
internet and ipkg zones would still install because they use crossbow to
download their packages from the repository in the global zone. Any latency
issues with installing IPS packages are now also resolved. We in the
OpenSolaris community just need to lobby Sun's developers to implement
something like this and I think it would be a huge win for everyone.
This message posted from opensolaris.org
zones-discuss mailing list