Oracle Solaris Virtualization Frequently Asked Questions

Fr eq u e n t ly As k ed Que sti ons * Multiple applications can share a single system but still
remain completely isolated from one another
Oracle Solaris Virtualization
* Restarting a Container is much quicker because you are not
1. What is new with Containers and utilization in Oracle rebooting the entire operating system
Solaris 10?
* Allows a system administrator to create an environment that
As an integral part of the Oracle Solaris 10 Operating System, the Container Administrator can customize for the application
Oracle Solaris Containers isolate software applications and
services using flexible, software-defined boundaries. A 3. What is an Oracle Solaris Zone?
breakthrough approach to virtualization and workload
management, Oracle Solaris Containers let many private An Oracle Solaris Zone is a virtual environment that has

execution environments be created within a single instance of security and application fault containment, and its own name

the Oracle Solaris OS. Each environment has its own identity, space that can be tailored to the application that will run in it.

separate from the underlying hardware, yet behaves as if it is It is possible to give an Oracle Solaris Zone its own node

running on its own system, making consolidation simple, safe, name, IP address(es), users, groups, disk space, network ports,

and secure. name server, and so on. The security and fault containment
mean that users working inside the Oracle Solaris Zone have
A key thing to note is that in Oracle Solaris 10, Oracle Solaris no way to compromise or even look out of their own
Containers focus on application/workload management. They environment other than what would be the case with separate
deliver tools to “shrink wrap” your application in its own systems—through the network or shared disk.
environment that has the right attributes such as CPU and
memory quantity, IP address, and users. This way it's easier to 4. What is the difference between Oracle Solaris Containers

deploy an application on a shared system. and Oracle Solaris Zones?

2. What are the benefits of Oracle Solaris Containers? Oracle Solaris Zones are part of an Oracle Solaris Container,
delivering security, application fault, and namespace isolation.
The benefits of Oracle Solaris Containers include the The addition of Oracle Solaris Zone functionality to Oracle
following: Solaris Containers allows the creation of an Oracle Solaris
Container that is fully customized for an application.
* Higher system utilization through ease of consolidation
5. What are the other components of Oracle Solaris
Containers?
Oracle Solaris Virtualization Frequently Asked Questions

The other components are the resource management tools in over across unlimited distances providing a Disaster Recovery
the Oracle Solaris OS. They control the amount of resources an set-up. For more info, visit the Oracle Solaris Cluster site.
application receives, such as CPU cycles, physical memory,
and network bandwidth. Resource management tools also help 10. Can I schedule Oracle Solaris Container utilization to be

with measuring the usage of an application. This could be used different at different times of the day?

for health monitoring and capacity planning, as well as billing

Yes. You can change the settings at any time directly through
and charge back.
the command line interface or by using scripts or cron.

6. When will Oracle Solaris Zones be released?

11. Can Oracle Solaris Containers interact directly?

Oracle Solaris Zones is already available as part of Oracle

They interact as if they are on different systems, through the
Solaris 10.
network or shared disk. For example, if they interact through

7. What is the overhead in running a Container? the network, the system knows that one Oracle Solaris
Container is talking to another, so communications will go
Generally very low, at less than 1 percent per Oracle Solaris through the network stack. Communication between Oracle
Container. Solaris Containers is very fast because it never leaves the
system or even hits the network interface card.
8. Can a Container span across different boxes?
12. What is the difference between Oracle Solaris Containers
No, Oracle Solaris Containers cannot span across Oracle and N1 Grid Container software?
Solaris instances.
There is no difference. N1 Grid Container was the name
9. Does the Oracle Solaris Cluster software support Oracle previously used to describe the container functionality in
Solaris Containers? Oracle Solaris 10. The “N1 Grid Container” name has been
replaced by the name “Oracle Solaris Containers.”
The Oracle Solaris Cluster software does support Oracle
Solaris Containers, both the resource management parts as well 13. Is there a Trusted Oracle Solaris 10 product? What is
as Oracle Solaris Zones. In a Oracle Solaris Cluster Oracle Solaris Trusted Extensions?
configuration applications can run inside zones which are
considered as virtual nodes. With Oracle Solaris Cluster The term "Trusted Oracle Solaris" refers to earlier, specially
Geographic Edition, Oracle Solaris Containers can be failed- developed versions of the Oracle Solaris Operating System
that were modified to include labels and mandatory access
Oracle Solaris Virtualization Frequently Asked Questions

control technology. The last release of a separate Trusted authentication databases, security configuration, file system
Oracle Solaris OS was Trusted Oracle Solaris 8. and network interfaces. Communication between Oracle
Solaris Containers is generally dissallowed by default when
As of Oracle Solaris 10 11/06, Sun has included labels and Trusted Extensions is enabled, and permitted only by explicit
mandatory access controls as a standard part of the Oracle specification.
Solaris OS. The collective features providing this functionality
are known as Oracle Solaris Trusted Extensions. Thus, there is In summary, customers running with Trusted Extensions
no separate "Trusted Oracle Solaris 10" release as the enabled use labeled Oracle Solaris Containers to provide a
functionality of this kind required by customers is now security boundary for their file systems, data, applications and
integrated into Oracle Solaris 10. users.

Oracle Solaris Trusted Extensions extends the existing security 15. Is there a white paper on Oracle Solaris Containers?
features of Oracle Solaris 10 to include labeling and mandatory
access controls. It is not a separate operating system, it does Yes, a white paper is available.

not require a separate support contract and all applications that

16. Will Oracle Solaris Zones partitioning technology work
run with Oracle Solaris 10 and Oracle Solaris Containers will
with the Oracle Solaris 9 Resource Manager functionality that
work when Oracle Solaris Trusted Extensions is enabled. Since
was introduced with Oracle Solaris 9?
it is an integrated feature of Oracle Solaris 10, it is supported
on all systems that Oracle Solaris 10 runs on, x86 or SPARC. Yes. Oracle Solaris Zones and the Oracle Solaris resource
management feature are both part of Oracle Solaris Containers
14. What is the difference between running Oracle Solaris
and are designed to work together.
Containers with or without Oracle Solaris Trusted Extensions
enabled? 17. What type of isolation do Oracle Solaris Containers
provide?
Oracle Solaris Containers provide virtualized environments to
host multiple applications and is great for performing server Oracle Solaris Containers provide security, application fault,
consolidation. The Oracle Solaris Trusted Extensions feature and name space isolation. This means that once working in
utilizes Oracle Solaris Containers extensively to provide Oracle Solaris Containers, users cannot compromise or even
security boundaries and to enforce Mandatory Access Control see outside of their Oracle Solaris Containers other than the
by labeling a Container. Oracle Solaris Containers behave regular ways, such as through the network or shared file
slightly differently when running with Trusted Extensions systems. The name space isolation allows Oracle Solaris
enabled, providing a single system view of services such as Containers to have their own users, and even their own root
Oracle Solaris Virtualization Frequently Asked Questions

user, who only has authority inside the root user's own Oracle There is no change in the patch process.
Solaris Container.
23. Can an Oracle Solaris Container access a raw device?
18. Can every Oracle Solaris Container have its own root user?
Yes, however, this is not the default behavior, as access to a
Yes, and the Oracle Solaris Container root user only has raw device can compromise the security isolation. The global
authority to change/configure things inside its own Oracle administrator can choose to separately add the raw device to
Solaris Container. the Oracle Solaris Container.

19. Can every Oracle Solaris Container have its own name 24. How is an Oracle Solaris Container different from a
server? Dynamic System Domain?

Yes. You can even have different Oracle Solaris Containers Dynamic System Domains are based on hardware. They offer
listening to different name server types. One Oracle Solaris electrical separation with different versions of the operating
Container could be listening to an NIS server, while another system possible per domain. The number of domains is limited
could be listening to an LDAP server. per system. Oracle Solaris Containers are based on software.
They offer logical separation with the same operating system
20. How do I log in to a Oracle Solaris Container? in each Oracle Solaris Container. The Oracle Solaris
Containers offer enormous scalability: while there is no hard-
Through standard protocols such as ssh, telnet, or rlogin. There
coded limit, up to 8000 per OS image are available, well
is also a specific way to log in to an Oracle Solaris Container
exceeding today's normal requirements.
called zlogin if the user is in the base operating system (called
the global Zone). With zlogin, a user can log directly in to a 25. When do I use a Dynamic System Domain and when do I
Oracle Solaris Container. use an Oracle Solaris Container?

21. How do I install software in an Oracle Solaris Container? Dynamic System Domain features include the ability to hot-
plug hardware and run different versions of the Oracle Solaris
There is no change in the installation process. The same tools
Operating System per domain. Oracle Solaris Containers
and the same process apply in an Oracle Solaris Container.
provide very fine-grained control over what an application can
However, you now have a choice to install in a particular
do and see. If your applications require the type of separation
Oracle Solaris Container or to install system-wide.
that separate operating systems can give you, then you should

22. How do I patch a system with Oracle Solaris Containers? use a Dynamic System Domain; otherwise, you can use Oracle
Oracle Solaris Virtualization Frequently Asked Questions

Solaris Containers. The real benefit comes when you use and quickly create an identical Container with the same set of
Oracle Solaris Containers within a Dynamic System Domain. applications and tools for every new developer.

26. What new Oracle Solaris Container features have been 28. Can you give an example on how you would use the
introduced since Oracle Solaris 10 was initially released? Migration feature for Oracle Solaris Containers?

Solaris 10 now new tools to more easily manage Containers. It's really useful for moving your application from your testing
You can clone them, rename them, and move them on the and staging systems to your production systems. This allows
same system. You can also migrate them from one system to you to prepare the application and its environment in testing
another. and then move over as is, greatly decreasing the installation
and deployment time for the production systems. You can also
Additionally you can now customize the security level which pre-harden the Container by turning off all the network
the Container boots to better suit application requirements. services you don't need.

Starting in Oracle Solaris 10 10/08, when a Container is 29. Is Oracle Solaris Live Upgrade compatible with Oracle
detached and then reattached to a new system, it is Solaris Containers?
automatically upgraded to the latest patches and packages
associated with the new system. This allows for flexibility Yes, with Oracle Solaris 10 8/07 you can use Oracle Solaris
when performing rolling upgrades of systems and ensures Live Upgrade for patching and upgrading systems with Oracle
consistency of systems when moving workloads. Also new in Solaris Containers. This offers two important operational
Oracle Solaris 10 10/08 is the ability for Oracle Solaris advantages, particularly around patching.
Containers to officially utilize a ZFS file system as their root.
Upgrading an Oracle Solaris 10 system that has Containers 1. You can patch without taking the system offline because

with ZFS-based roots is also supported. you patch a copy of the system. Patching Containers is a serial
operation, so patching without taking the system off-line is a
27. Can you give an example on how you would use the major advantage.
Cloning feature for Oracle Solaris Containers?
2. After patching the copy, you then can boot from that copy.
If you plan to have several developers on the same system, you Should you experience a problem, you can easily revert back
could, for example, create a Container with all the right to the original environment
applications and developer tools as a golden master. You can
then use the new cloning feature to replicate this golden master