Most of us have faced challenges whenever we had to connect a server to an insecure network, or even the internet. Traditionally, firewalls or other IP-filtering tools were needed to keep the server out of harm's way.

Nowadays, with the newest Solaris 10 technologies, we can save some time and effort by using a Solaris Container (a zone bound to a resource pool) to isolate the external-facing programs and network interfaces from the rest of our server. Instead of only filtering traffic in front of the server, the container confines whatever is exposed: a compromised program inside the zone sees only the zone's own file system, processes and CPU, not the rest of the machine. This can be accomplished with just a few commands, as I'll demonstrate using a small example.

First, we enable the Resource Pools facility and save the running (default) configuration to /etc/pooladm.conf, so that there is a static configuration file for the next steps to edit:

# pooladm -e
# pooladm -s

Now we create a Processor Set specifically for our isolated environment and assign it to a pool. Note that these edits are made with poolcfg, which changes the configuration file rather than the running kernel (pooladm -c does not accept such statements):

# poolcfg -c 'create pset set1 (uint pset.min = 1; uint pset.max = 1)'
# poolcfg -c 'create pool pool1'
# poolcfg -c 'associate pool pool1 (pset set1)'

We can now validate the file and commit the new configuration to the kernel. The host needs at least two CPUs for this to succeed, because pset_default must keep one CPU after set1 takes its one. Also, do not run pooladm -s at this point: it would overwrite our edits with the old running configuration, which is why it was run first.

# pooladm -n
# pooladm -c

We also want to make sure the isolated environment cannot consume more CPU than intended, so we'll create a zone and bind it to our pool:

# zonecfg -z zone1
zonecfg:zone1> create
zonecfg:zone1> set zonepath=/export/home/zones/zone1
zonecfg:zone1> set pool=pool1
zonecfg:zone1> add net
zonecfg:zone1:net> set address=<IP_address>
zonecfg:zone1:net> set physical=e1000g1
zonecfg:zone1:net> end
zonecfg:zone1> verify
zonecfg:zone1> commit
zonecfg:zone1> exit

We have just defined a new sparse-root zone (the default for zonecfg's create in Solaris 10: /lib, /platform, /sbin and /usr are inherited read-only from the global zone), bound to our new resource pool, thus providing a single CPU to this environment. The zone's root file system will live under "/export/home/zones/zone1" (zoneadm requires this directory to be owned by root with mode 700), and the zone gets a logical interface on the "e1000g1" adapter (e1000g1:1, on the shared IP stack) with your choice of IP address, connected to the insecure network; a netmask can be given as a prefix length, e.g. /24. The adapter does not need to be, and for isolation should not be, plumbed with an address in the global zone, so that only the zone answers on that network.

Now we have to install the zone, boot it, and connect to the console to set up the root password and the rest of the system identification (the first boot runs the same sysid prompts as a fresh install):

# zoneadm -z zone1 install
# zoneadm -z zone1 boot
# zlogin -C zone1
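The whole procedure above as one script, added here as an example and not code from the original post: it generates the poolcfg and zonecfg statements after a few pre-flight checks (well-formed address, enough online CPUs for pset_default to keep one, zonepath mode 700), keeps the pooladm -s / poolcfg / pooladm -c order straight, and only touches the system when run as "sh zone.sh apply" on a Solaris 10 host. Zone name, zonepath, pool, adapter and the 192.0.2.10/24 address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: the zone/pool procedure as one
# script. Configuration is generated as poolcfg(1M)/zonecfg(1M) statements
# after pre-flight checks, and applied only when invoked as "sh zone.sh apply"
# on a Solaris 10 host. Zone name, paths, adapter and address are assumptions.

ZONE=${ZONE:-zone1}
ZONEPATH=${ZONEPATH:-/export/home/zones/$ZONE}
POOL=${POOL:-pool1}
PSET=${PSET:-set1}
NCPU=${NCPU:-1}                 # CPUs dedicated to the zone's processor set
NIC=${NIC:-e1000g1}             # adapter facing the insecure network
ADDR=${ADDR:-192.0.2.10/24}     # constructed address from the RFC 5737 test range

# valid_ipv4 ADDR[/PREFIX]: accept only a well-formed dotted quad, since the
# value is passed to zonecfg verbatim.
valid_ipv4() {
    ip=${1%%/*}
    plen=${1#*/}
    if [ "$plen" = "$1" ]; then plen=32; fi
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# enough_cpus PSRINFO_OUTPUT: pset_default must keep at least one CPU after
# NCPU are moved into the new set, or pooladm -c rejects the configuration.
enough_cpus() {
    online=$(printf '%s\n' "$1" | awk '$2 == "on-line" { c++ } END { print c + 0 }')
    [ "$online" -ge $((NCPU + 1)) ]
}

# pool_cfg: poolcfg statements that edit /etc/pooladm.conf (one per line).
pool_cfg() {
    cat <<EOF
create pset $PSET (uint pset.min = $NCPU; uint pset.max = $NCPU)
create pool $POOL
associate pool $POOL (pset $PSET)
EOF
}

# zone_cfg: command file for "zonecfg -z $ZONE -f"; "create" alone gives a
# sparse-root zone, and the net resource is a shared-IP logical interface.
zone_cfg() {
    cat <<EOF
create
set zonepath=$ZONEPATH
set pool=$POOL
add net
set address=$ADDR
set physical=$NIC
end
verify
commit
EOF
}

# apply_config: run the real commands, in the order that survives pooladm -s.
apply_config() {
    valid_ipv4 "$ADDR" || { echo "bad address: $ADDR" >&2; return 1; }
    enough_cpus "$(psrinfo)" || { echo "need $((NCPU + 1)) online CPUs" >&2; return 1; }
    mkdir -p "$ZONEPATH" && chmod 700 "$ZONEPATH"   # zoneadm insists on mode 700
    pooladm -e
    [ -f /etc/pooladm.conf ] || pooladm -s          # baseline static file to edit
    pool_cfg | while IFS= read -r stmt; do
        poolcfg -c "$stmt" || exit 1
    done || return 1
    pooladm -n && pooladm -c                         # validate, then instantiate
    cfg=$(mktemp /tmp/"$ZONE".XXXXXX) || return 1
    zone_cfg > "$cfg"
    zonecfg -z "$ZONE" -f "$cfg" && rm -f "$cfg"
    zoneadm -z "$ZONE" verify &&
    zoneadm -z "$ZONE" install &&
    zoneadm -z "$ZONE" boot &&
    zoneadm list -cv                                 # expect $ZONE "running"
}

case "${1:-}" in apply) apply_config ;; esac
```

After "sh zone.sh apply" finishes, zlogin -C zone1 is still needed interactively to answer the first-boot sysid prompts. Running the script without "apply" does nothing but define the functions, so the generated statements can be inspected first with "zone_cfg" and "pool_cfg" from an interactive shell that has sourced it.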

That's it! We have a virtual Solaris system running in an isolated environment. We can monitor and manage this new environment from the global zone (i.e., the "real" system): zoneadm list -cv shows the zone's state, prstat -Z breaks CPU usage down per zone, and poolbind -q on one of the zone's processes confirms it is bound to pool1. Now it's time to install the applications, and probably add more devices to this container. For that, you'll have to read more here.


This blog copyright 2009 by psilva