> But this is fairly far from the Zones-discuss topic.

I respectfully disagree, I think this is part of the Zones-discuss topic. 

The whole reason people want a minimal OpenSolaris install is to have a global 
zone with nothing running in it (except for maybe an SSH server and an internal 
crossbow "virtual network" based IPS package repository for the non-global 
zones) and then have Apache, Postfix / dovecot, BIND, glassfish, database 
software, etc. etc. all delegated out to the non-global zones. It seems that 
this would be a more secure arrangement and it would also be better for 
resource management since OpenSolaris's SUNWrcap resource management 
capabilities for zones are superb.

So in a way, this is kind of a "zones-discuss" issue ;-) 

It is also partly an installation and package management issue, but the most 
important thing is that everything involving package management and a 
minimalized global zone "server install" integrates smoothly at the zone level. 
Zones / Containers are one of the main reasons Sun customers use Solaris, but 
IBM's AIX and Windows Server 2008 are slowly catching up. IBM is trying very 
hard to make their AIX WPARs better than Solaris 10 zones (see link below):


and Microsoft is also pushing Hyper-V on Windows Server 2008 as a replacement 
for Solaris Zones (Hyper-V can now even run SPARC Solaris workloads- see link 


and there's also things like OpenVZ and Virtuozzo VPS on Linux, which are 
similar to Solaris zones and have captured a massive mind share and are slowly 
taking over the data center that I work in (even though they are, for the most 
part, pretty awful products compared to Solaris zones).

So if Solaris is to win the race and stem the migration of UNIX 
installations away from Sun and towards IBM and Red Hat, it's critical that we 
always remain a few steps ahead of the pack so that pro-Sun sysadmins such as 
myself will be able to tell our bosses- why should we ever migrate to Red Hat 
or IBM or Microsoft Server 2008 when it's obvious that OpenSolaris is a million 
times better in every way! In fact, if things in OpenSolaris continue to get 
better, I might be able to make a compelling case for why some of my existing 
customers who use Red Hat should migrate away from Linux and towards Sun, but 
we still have a ways to go. So how do we get there?

First, in regards to IPS and ipkg zones, I think that this point can't be 
emphasized enough: 


Could you imagine me working for a major telecom, bank / financial institution, 
or government / military organization and having to tell my boss: I'm sorry, I 
couldn't deploy any new OpenSolaris ipkg zones today because we were having 
trouble connecting to pkg.opensolaris.org ? I would be fired in a heartbeat for 
being an OpenSolaris evangelist and all my kit would be replaced the next day 
with a massive pile of IBM gear running RHEL or AIX.

What about military data centers that aren't even supposed to be connected to 
the internet? How are they supposed to be able to deploy new ipkg zones when 
their security policies don't allow them to go out on the internet and connect 
to pkg.opensolaris.org ?

The basic stop-gap solution to the problem is simple: in January of the year 
2010, Joe Unix-Administrator downloads the OpenSolaris "Server Core" version 
of the OpenSolaris Indiana operating system from genunix.org, and installs it. 
The installer asks him to put in a static IP address (something the current 
OpenSolaris installer never does unfortunately), installs a minimal server OS 
with no GNOME or X-Windows in the global zone, and then comes up after the 
reboot with a BASH or KSH command line with virtual terminals, SSH and nothing 
else running.

Then Joe Unix-Administrator SSH's into the global zone and types in a command 
to tell the global zone to clone the opensolaris.org IPS repository, but 
because this is a server operating system, it will only clone all of the server 
and developer related packages (i.e. Apache, postfix, Bind / named, MySQL, 
Erlang... basically anything at pkg.opensolaris.org that's not an X-windows 
dependent application). The command the sysadmin types in to clone the IPS 
repository could be something like this:

  # pkg clone-repository pkg.opensolaris.org/server crossbow

Now, the global zone starts downloading all the server packages from 
pkg.opensolaris.org and several hours later we have a fully functioning local 
IPS repository running on an internal network inside the global zone. Now we 
have to make this local IPS repository the default repository for the entire 
system (including the non-global zones which haven't been deployed yet). To do 
this, Joe could type in something like this:

  # pkg set-authority -P global crossbow

and voila! Everything is done. The server could even be disconnected from the 
internet and ipkg zones would still install because they use crossbow to 
download their packages from the repository in the global zone. Any latency 
issues with installing IPS packages are now also resolved. We in the 
OpenSolaris community just need to lobby Sun's developers to implement 
something like this and I think it would be a huge win for everyone.
This message posted from opensolaris.org
zones-discuss mailing list
