Peter's Solaris Zone

Minimalistic Loopback Zones

My favourite feature in Solaris 10 is zones. (I don't care what Sun marketing call 'em this week, either. They're zones.) Isolated containers that give the appearance of a separate system to applications while being hosted by a master system.

This little test was inspired by the desire to be able to run individual applications in isolated managed environments. I'm thinking of servers such as tomcat or mysql, where you only want enough support to run the one application, and you only need a single network port to gain access.

One of the problems with mysql, tomcat, and other similar servers, is that you can generally only run one instance on a machine. Yes, you can hack it so that you can fiddle port numbers and the like to get multiple copies running, but the idea here was to run the applications inside their own zones. That way, they think they have the machine to themselves and the multiple instances don't conflict with each other. You only need to communicate from the global zone, so you can send all traffic over the loopback.

Zone Creation

OK, so I create a minimal zone:

root@platinum# zonecfg -z zone100
zone100: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:zone100> create
zonecfg:zone100> set zonepath=/opt/zones/zone100
zonecfg:zone100> add net
zonecfg:zone100:net> set physical=lo0
zonecfg:zone100:net> set address=
zonecfg:zone100:net> end
zonecfg:zone100> verify
zonecfg:zone100> commit

and then install it with zoneadm -z zone100 install. This takes a little while (far too long for my liking, to be honest) but eventually it's done.

(Note that in order to talk to it you need to route add in the global zone. I've wondered how this works, actually, as zone100 sends the packets back to and there's one of those in each zone so how does it know which one is which?)

Zone Impact - Disk

How much impact does a zone actually have? I consider the process count below, but in terms of disk my first check was about 220Mbytes.

That's quite a lot, but this is actually quite high. I'm doing this on my own workstation which is set up for testing and so has a much larger install footprint than normal. And while the common stuff in /usr gets loopback mounted into a zone, a lot of stuff is copied.In particular, /opt gets copied across, and most of that stuff isn't needed. It you have apache or tomcat installed then you get stuff in /var. You can strip most of this stuff out, and you end up with about 20Meg for the package system and about 35Meg in /etc - most of that is gconf, and on a server you might not even bother installing the JDS components. So you can dramatically reduce the disk footprint and install time of a zone by trimming the software installed in the global zone.

Zone Impact - Runtime

OK, so I boot the zone, go through the configuration dialog and supply a root password. After the reboot I let it settle down, and see what processes are running:

% ps -z zone100
   PID TTY         TIME CMD
 17719 ?           0:00 rpcbind
 17837 ?           0:01 stfontse
 17849 ?           0:00 dtlogin
 17928 ?           0:00 snmpd
 18019 ?           0:00 smtp-sen
 17640 ?           0:01
 17773 ?           0:00 syslogd
 17876 ?           0:00 cron
 17642 ?           0:07 svc.conf
 17905 ?           0:00 snmpdx
 17946 ?           0:00 sac
 17826 ?           0:00 smcboot
 17638 ?           0:00 init
 17954 ?           0:01 inetd
 17759 zoneconsole    0:00 ttymon
 17947 ?           0:00 ttymon
 17914 ?           0:00 dmispd
 17627 ?           0:00 zsched
 17694 ?           0:00 kcfd
 17827 ?           0:00 smcboot
 17828 ?           0:00 smcboot
 17939 ?           0:00 nscd
 18020 ?           0:00 sendmail
 18017 ?           0:00 automoun
 17723 ?           0:00 statd
 17866 ?           0:00 sshd
 17750 ?           0:00 utmpd
 17915 ?           0:00 snmpXdmi
 17736 ?           0:00 lockd

Urgh. What a load of junk! Most of that lot can go.

# svcadm disable inetd
# svcadm disable smtp
# svcadm disable autofs
# svcadm disable cron
# /etc/init.d/init.sma stop
# /etc/init.d/init.dmi stop
# /etc/init.d/init.snmpdx stop
# /etc/init.d/init.wbem stop
# pkill -u 0 -x dtlogin
# pkill -x stfontserverd
# svcadm disable name-service-cache

At which point I get down to:

   PID TTY         TIME CMD
 17640 ?           0:02
 17773 ?           0:00 syslogd
 17642 ?           0:09 svc.conf
 17946 ?           0:00 sac
 17638 ?           0:00 init
 18299 zoneconsole    0:00 sh
 17947 ?           0:00 ttymon
 17627 ?           0:00 zsched
 17694 ?           0:00 kcfd
 17866 ?           0:00 sshd
 17750 ?           0:00 utmpd

That's 11 processes. I'm not sure I can get much lower than this. I need to retain sshd so that users can get in (only root can use zlogin) and that implies kcfd.

In terms of memory footprint I have a little script that goes through pmap output to get the private and shared pages:

   PID TTY         TIME CMD
 17640 ?           0:02    2216K shared, 4296K private
 17773 ?           0:00 syslogd     1800K shared, 1744K private
 17642 ?           0:09 svc.conf    2208K shared, 5480K private
 17946 ?           0:00 sac         1664K shared, 336K private
 17638 ?           0:00 init        1896K shared, 320K private
 18299 zoneconsole    0:00 sh       1136K shared, 168K private
 17947 ?           0:00 ttymon      1816K shared, 320K private
 17627 ?           0:00 zsched
 17694 ?           0:00 kcfd        3288K shared, 688K private
 17866 ?           0:00 sshd        3448K shared, 536K private
 17750 ?           0:00 utmpd       1056K shared, 224K private

The shared pages really are shared - with identical processes running in other zones, at least. So the total impact is about 15Meg (you can't get any answers out of zsched). And most of the footprint is actually greenline.

Of course, if you run tomcat it's probably going to dwarf the other processes completely. On the other hand, an apache process has about 1200K private and 5216K shared, so if you prefork 3 processes that's about another 10Meg in total. Looking at a simple mysql instance, that's probably 30 or 40Meg.

You can probably page out the 2 greenline processes (possibly...) which takes it down to 5Meg plus the application. If you share the apache binaries between the zones then you can run a minimalist apache server in 10Meg per zone.


A minimalist zone needs about 50Meg of disk and 15Meg of memory to support 10 processes.

Peter's Home | Zone Home