Anon Y Mous wrote:
But this is fairly far from the Zones-discuss topic.

I respectfully disagree, I think this is part of the Zones-discuss topic.
The whole reason people want a minimal OpenSolaris install is to have a global zone with 
nothing running in it (except for maybe an SSH server and an internal crossbow 
"virtual network" based IPS package repository for the non-global zones) and 
then have Apache, Postfix / dovecot, BIND, glassfish, database software, etc. etc. all 
delegated out to the non-global zones. It seems that this would be a more secure 
arrangement and it would also be better for resource management since OpenSolaris's 
SUNWrcap resource management capabilities for zones are superb.

So in a way, this is kind of a "zones-discuss" issue ;-)
It is also partly an installation and package management issue, but the most important 
thing is that everything involving package management and a minimalized global zone 
"server install" integrates smoothly at the zone level. Zones / Containers are 
one of the main reasons Sun customers use Solaris, but IBM's AIX and Windows Server 2008 
are slowly catching up. IBM is trying very hard to make their AIX WPAR's better than 
Solaris 10 zones (see link below):

and Microsoft is also pushing Hyper-V on Windows Server 2008 as a replacement 
for Solaris Zones (Hyper V can now even run SPARC Solaris workloads- see link 

and there are also things like OpenVZ and Virtuozzo VPS on Linux, which are 
similar to Solaris zones and have captured a massive mind share and are slowly 
taking over the data center that I work in (even though they are, for the most 
part, pretty awful products compared to Solaris zones).

So if Solaris is to win the race and stem the migration of UNIX 
installations away from Sun and towards IBM and Red Hat, it's critical that we 
always remain a few steps ahead of the pack so that pro-Sun sysadmins such as 
myself will be able to tell our bosses- why should we ever migrate to Red Hat 
or IBM or Microsoft Server 2008 when it's obvious that OpenSolaris is a million 
times better in every way! In fact, if things in OpenSolaris continue to get 
better, I might be able to make a compelling case for why some of my existing 
customers who use Red Hat should migrate away from Linux and towards Sun, but 
we still have a ways to go. So how do we get there?

Could you imagine me working for a major telecom, bank / financial institution, 
or government / military organization and having to tell my boss: I'm sorry, I 
couldn't deploy any new OpenSolaris ipkg zones today because we were having 
trouble connecting to ? I would be fired in a heartbeat for 
being an OpenSolaris evangelist and all my kit would be replaced the next day 
with a massive pile of IBM gear running RHEL or AIX.

What about military data centers that aren't even supposed to be connected to 
the internet? How are they supposed to be able to deploy new ipkg zones when 
their security policies don't allow them to go out on the internet and connect 
to ?

The basic stop-gap solution to the problem is simple: in January of the year 2010, Joe 
Unix-Administrator downloads the OpenSolaris "Server Core" version of the 
OpenSolaris Indiana operating system from, and installs it. The installer 
asks him to put in a static IP address (something the current OpenSolaris installer never 
does unfortunately), installs a minimal server OS with no GNOME or X-Windows in the 
global zone, and then comes up after the reboot with a BASH or KSH command line with 
virtual terminals, SSH and nothing else running.

Then Joe Unix-Administrator SSH's into the global zone and types in a command 
to tell the global zone to clone the IPS repository, but 
because this is a server operating system, it will only clone all of the server 
and developer related packages (i.e. Apache, postfix, Bind / named, MySQL, 
Erlang... basically anything at that's not an X-windows 
dependent application). The command the sysadmin types in to clone the IPS 
repository could be something like this:

  # pkg clone-repository crossbow

Now, the global zone starts downloading all the server packages from and several hours later we have a fully functioning local 
IPS repository running on an internal network inside the global zone. Now we 
have to make this local IPS repository the default repository for the entire 
system (including the non-global zones which haven't been deployed yet). To do 
this, Joe could type in something like this

  # pkg set-authority -P global crossbow

and voila! Everything is done. The server could even be disconnected from the 
internet and ipkg zones would still install because they use crossbow to 
download their packages from the repository in the global zone. Any latency 
issues with installing IPS packages are now also resolved. We in the 
OpenSolaris community just need to lobby Sun's developers to implement 
something like this and I think it would be a huge win for everyone.

Then the just released OpenSolaris Release Repository Image would be of interest to you:


OpenSolaris™ 2009.06 Release Repository Image

1.  Overview

    For some deployments, direct access to the repository at is not possible, or provides
    insufficient performance.  This product contains the package
    metadata and content to allow the construction of a local copy of the
    release/ repository, which can then be made available on the local
    system or over a private network to other systems.  It can be installed
    on multiple systems, which can in turn be configured as mirrors, to
    increase the available aggregate resources available to packaging


More at

Menno Lageman - Sun Microsystems -
zones-discuss mailing list
