Delegating a ZFS Dataset to a Non-Global Zone
In Oracle Solaris 11.1. By Alexandre Borges, Oracle ACE. Published June 2014
Part 4 of a series that describes the key features of ZFS in Oracle Solaris 11.1 and provides step-by-step procedures explaining how to use them. This article focuses on how to delegate a dataset, for example, a ZFS file system, to a non-global zone.
- Part 2 - Playing with Swap Monitoring and Increasing Swap Space Using ZFS Volumes
- Part 4 - Delegating a ZFS Dataset to a Non-Global Zone
- Part 5 - Playing with ZFS Encryption
- Part 6 - Playing with ZFS Snapshots
- Part 7 - Configuring SMB Sharing
- Part 8 - Mirroring the ZFS Root Pool (posted on Oracle Community)
When working with Oracle Solaris 11, sometimes the need arises for the global administrator to delegate a dataset (a ZFS file system, for example) to a non-global zone, because the non-global zone administrator needs a dedicated file system in which to install new applications.
The difference between delegating a dataset and adding a dataset or file system to a non-global zone is that when a dataset is delegated, the non-global zone administrator has control over the dataset's properties. When a file system is added to a non-global zone, it is just a way to share file system space with the non-global zone, but the global administrator retains control over the added file system's properties.
Note also that in most cases, dataset is a term that can be used interchangeably with file system. The only difference between "delegating a dataset" and "adding a file system" is who has control over the file system. In most cases, you delegate a dataset or add a file system to a non-global zone.
Delegating a dataset to a non-global zone is an easy task and that's what we'll explore here.
Basically, we will split the task into two parts:
- First, we will create a new non-global zone.
- Second, we'll delegate a dataset for the created zone.
To begin, it's advisable to create a dedicated pool and a file system for our new non-global zone:
root@solaris11-1:~# zpool create myzones c8t4d0
root@solaris11-1:~# zpool list
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
iscsi_pool 3.97G 2.62M 3.97G 0% 1.00x ONLINE -
myzones 15.9G 126K 15.9G 0% 1.00x ONLINE -
repo_pool 15.9G 7.64G 8.24G 48% 1.00x ONLINE -
rpool 79.5G 37.8G 41.7G 47% 1.00x ONLINE -
root@solaris11-1:~# zfs create myzones/delegated_zone
root@solaris11-1:~# zfs list myzones/delegated_zone
NAME USED AVAIL REFER MOUNTPOINT
myzones/delegated_zone 31K 15.6G 31K /myzones/delegated_zone
Then, do the following to create a non-global zone called delegated_zone:
root@solaris11-1:~# zonecfg -z delegated_zone
Use 'create' to begin configuring a new zone.
zonecfg:delegated_zone> create -b
zonecfg:delegated_zone> set zonepath=/myzones/delegated_zone
zonecfg:delegated_zone> set autoboot=true
zonecfg:delegated_zone> set ip-type=shared
zonecfg:delegated_zone> set brand=solaris
zonecfg:delegated_zone> add net
zonecfg:delegated_zone:net> set physical=net0
zonecfg:delegated_zone:net> set address=192.168.1.198
zonecfg:delegated_zone:net> set defrouter=192.168.1.1
zonecfg:delegated_zone:net> end
zonecfg:delegated_zone> verify
zonecfg:delegated_zone> commit
zonecfg:delegated_zone> exit
root@solaris11-1:~#
By listing the zone summary, we can see that delegated_zone doesn't have an ID yet, because it hasn't been booted yet:
root@solaris11-1:~# zoneadm list -cv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- delegated_zone configured /myzones/delegated_zone solaris shared
Using the zonecfg command, it is possible to gather more information about the new zone:
root@solaris11-1:~# zonecfg -z delegated_zone info
zonename: delegated_zone
zonepath: /myzones/delegated_zone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed:
net:
address: 192.168.1.198
allowed-address not specified
configure-allowed-address: true
physical: net0
defrouter: 192.168.1.1
root@solaris11-1:~#
Next, run the sysconfig create-profile -o command to create a profile file called delegated_zone.xml, which we will use later to install the new zone:
root@solaris11-1:~# sysconfig create-profile -o delegated_zone.xml
When the interactive System Configuration tool appears, use the following to specify the required configuration information:
- For Computer Name, specify delegatedzone, and then specify that the network configuration be done manually.
- For IP Address, specify 192.168.1.198.
- For Netmask, specify 255.255.255.0.
- Choose Configure DNS, and then for DNS Server IP address, specify 8.8.8.8, 8.8.4.4.
- For Search domain, specify example.com.
- On the Alternate Name Service screen, specify None.
- For Time Zone: Regions, specify Americas.
- For Time Zone: Locations, specify the appropriate location.
- For Time Zone, specify the appropriate time zone.
- For Date and time, specify the current date and time.
- For Root password, specify oracle123!.
- For the registration e-mail address, specify anonymous@oracle.com.
- For Network configuration, specify no proxy.
Before starting the zone installation, we should check the publishers' locations (which can be remote or local) to ensure we have access to a local publisher that can install the Oracle Solaris packages in the zone:
root@solaris11-1:~# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F http://localhost:9999/
solaris mirror online F http://localhost:9999/
solarisstudio (disabled) origin online F https://pkg.oracle.com/solarisstudio/release/
training (disabled) origin online F http://localhost:8888/
Looks like we have access to the local publisher solaris at localhost:9999, so it can be used when we install the zone.
In order to install the zone, the owner of the installation directory must have read, write, and execute permissions (rwx), so run the following command:
root@solaris11-1:/myzones# chmod 700 delegated_zone
We're now ready to install the delegated_zone zone using the delegated_zone.xml file we created earlier:
root@solaris11-1:~# zoneadm -z delegated_zone install -c /root/delegated_zone.xml
The following ZFS file system(s) have been created:
myzones/delegated_zone
Progress being logged to /var/log/zones/zoneadm.20131206T171039Z.delegated_zone.install
Image: Preparing at /myzones/delegated_zone/root.
AI Manifest: /tmp/manifest.xml.2uaWxj
SC Profile: /root/delegated_zone.xml
Zonename: delegated_zone
Installation: Starting ...
Creating IPS image
Startup linked: 1/1 done
Installing packages from:
solaris
origin: http://localhost:9999/
DOWNLOAD PKGS FILES XFER (MB) SPEED
Completed 183/183 33556/33556 222.2/222.2 323k/s
PHASE ITEMS
Installing new actions 46825/46825
Updating package state database Done
Updating image state Done
Creating fast lookup database Done
Installation: Succeeded
Note: Man pages can be obtained by installing pkg:/system/manual
done.
Done: Installation completed in 830.765 seconds.
Next Steps: Boot the zone, then log into the zone console (zlogin -C)
to complete the configuration process.
Log saved in non-global zone as /myzones/delegated_zone/root/var/log/zones/zoneadm.20131206T171039Z.delegated_zone.install
Excellent. Everything seems OK. Let's check the zone status:
root@solaris11-1:~# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
- delegated_zone installed /myzones/delegated_zone solaris shared
The status of delegated_zone is now installed.
Boot delegated_zone using the following command:
root@solaris11-1:~# zoneadm -z delegated_zone boot
If we check the zone status again, we should see that now delegated_zone has a zone ID, because the zone is running:
root@solaris11-1:~# zoneadm list -iv
ID NAME STATUS PATH BRAND IP
0 global running / solaris shared
1 delegated_zone running /myzones/delegated_zone solaris shared
Nice. Let's log in to delegated_zone to confirm its installation:
root@solaris11-1:~# zlogin delegated_zone
[Connected to zone 'delegated_zone' pts/4]
Oracle Corporation SunOS 5.11 11.1 September 2012
root@delegatedzone:~# uname -a
SunOS delegatedzone 5.11 11.1 i86pc i386 i86pc
root@delegatedzone:~# zfs list
NAME USED AVAIL REFER MOUNTPOINT
rpool 423M 15.2G 31K /rpool
rpool/ROOT 423M 15.2G 31K legacy
rpool/ROOT/solaris 423M 15.2G 397M /
rpool/ROOT/solaris/var 24.4M 15.2G 23.8M /var
rpool/VARSHARE 39K 15.2G 39K /var/share
rpool/export 63K 15.2G 32K /export
rpool/export/home 31K 15.2G 31K /export/home
root@delegatedzone:~# zpool list
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
rpool 15.9G 423M 15.5G 2% 1.00x ONLINE -
root@delegatedzone:~# exit
logout
[Connection to zone 'delegated_zone' pts/4 closed]
root@solaris11-1:~#
An interesting fact is that the IP address associated with delegated_zone (192.168.1.198) appears in the global zone network configuration associated with the net0 interface because we specified ip-type=shared when we created the zone:
root@solaris11-1:/myzones# ipadm show-addr
ADDROBJ TYPE STATE ADDR
lo0/v4 static ok 127.0.0.1/8
lo0/zoneadmd.v4 static ok 127.0.0.1/8
net0/v4 dhcp ok 192.168.1.105/24
net0/zoneadmd.v4 static ok 192.168.1.198/24
lo0/v6 static ok ::1/128
lo0/zoneadmd.v6 static ok ::1/128
net0/v6 addrconf ok fe80::a00:27ff:fe56:85b8/10
The environment is ready. As mentioned earlier, ZFS allows us to delegate a file system (dataset) to a non-global zone and, thereafter, the non-global zone administrator will be able to administer this dataset as the owner.
Creating a new pool (delegated_pool) and a new file system (delegated_filesystem_1) is easy:
root@solaris11-1:/myzones# zpool create delegated_pool c8t8d0
root@solaris11-1:/myzones# zfs create delegated_pool/delegated_filesystem_1
root@solaris11-1:/myzones# zpool list delegated_pool
NAME SIZE ALLOC FREE CAP DEDUP HEALTH ALTROOT
delegated_pool 3.97G 124K 3.97G 0% 1.00x ONLINE -
root@solaris11-1:/myzones# zfs list delegated_pool/delegated_filesystem_1
NAME USED AVAIL REFER MOUNTPOINT
delegated_pool/delegated_filesystem_1 31K 3.91G 31K /delegated_pool/delegated_filesystem_1
Now it's time to perform the main task. We will use the zonecfg command to delegate delegated_filesystem_1 and, afterwards, we'll check the result and reboot the zone:
root@solaris11-1:~# zonecfg -z delegated_zone
zonecfg:delegated_zone> add dataset
zonecfg:delegated_zone:dataset> set name=delegated_pool/delegated_filesystem_1
zonecfg:delegated_zone:dataset> end
zonecfg:delegated_zone> verify
zonecfg:delegated_zone> commit
zonecfg:delegated_zone> exit
root@solaris11-1:~# zonecfg -z delegated_zone info
zonename: delegated_zone
zonepath: /myzones/delegated_zone
brand: solaris
autoboot: true
bootargs:
file-mac-profile:
pool:
limitpriv:
scheduling-class:
ip-type: shared
hostid:
fs-allowed:
net:
address: 192.168.1.198
allowed-address not specified
configure-allowed-address: true
physical: net0
defrouter: 192.168.1.1
dataset:
name: delegated_pool/delegated_filesystem_1
alias: delegated_filesystem
root@solaris11-1:~# zoneadm -z delegated_zone reboot
root@solaris11-1:~# zlogin delegated_zone
[Connected to zone 'delegated_zone' pts/4]
Oracle Corporation SunOS 5.11 11.1 September 2012
root@delegatedzone:~# uname -a
SunOS delegatedzone 5.11 11.1 i86pc i386 i86pc
root@delegatedzone:~# zfs list
NAME USED AVAIL REFER MOUNTPOINT
delegated_filesystem 31K 3.91G 31K /delegated_filesystem
rpool 446M 15.2G 31K /rpool
rpool/ROOT 446M 15.2G 31K legacy
rpool/ROOT/solaris 446M 15.2G 416M /
rpool/ROOT/solaris/var 24.5M 15.2G 23.8M /var
rpool/VARSHARE 39K 15.2G 39K /var/share
rpool/export 63K 15.2G 32K /export
rpool/export/home 31K 15.2G 31K /export/home
root@delegatedzone:~#
From the global zone, run the following command to verify that the new file system was delegated successfully:
root@solaris11-1:~# zfs list -r delegated_pool
NAME USED AVAIL REFER MOUNTPOINT
delegated_pool 124K 3.91G 31K /delegated_pool
delegated_pool/delegated_filesystem_1 31.5K 3.91G 31.5K /myzones/delegated_zone/root/delegated_filesystem
Amazing! We've successfully delegated a dataset for the delegated_zone zone.
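An added example, not part of the original article: a small shell helper that reads zonecfg info output and lists the datasets delegated to a zone, that is, the ones whose properties the zone administrator controls, and reports any that are not on an approved list. The sample text is constructed from the output shown above; the function names and the approved-list check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit which datasets a zone configuration delegates.
# Usage on a live system: zonecfg -z delegated_zone info | delegated_datasets

# Constructed sample, trimmed from the `zonecfg -z delegated_zone info` output
# shown above. Indented and unindented property lines are both handled.
sample_info() {
cat <<'EOF'
zonename: delegated_zone
zonepath: /myzones/delegated_zone
ip-type: shared
fs-allowed:
net:
    address: 192.168.1.198
    physical: net0
dataset:
    name: delegated_pool/delegated_filesystem_1
    alias: delegated_filesystem
EOF
}

# Read zonecfg info text on stdin; print "<dataset> <alias>" per dataset resource.
delegated_datasets() {
  awk '
    function emit() { if (name != "") print name, (alias != "" ? alias : "-"); name = alias = "" }
    /^[ \t]*dataset:[ \t]*$/ { emit(); in_ds = 1; next }
    in_ds && /^[ \t]*name:/  { sub(/^[ \t]*name:[ \t]*/, "");  name = $0;  next }
    in_ds && /^[ \t]*alias:/ { sub(/^[ \t]*alias:[ \t]*/, ""); alias = $0; next }
    { emit(); in_ds = 0 }   # any other line closes the current dataset block
    END { emit() }
  '
}

# Print delegated datasets that are not in the approved list ($1, space-separated).
unapproved_delegations() {
  approved=" $1 "
  delegated_datasets | while read -r ds alias; do
    case "$approved" in
      *" $ds "*) ;;          # expected delegation, nothing to report
      *) echo "$ds" ;;       # delegated but not approved
    esac
  done
}
```
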
See Also
Here are some links to other things I've written:
- Alexandre Borges on Twitter
- "Exploring Installation Options and User Roles in Oracle Solaris 11"
- "Exploring Networking, Services, and the New Image Packaging System in Oracle Solaris 11"
And here are some Oracle Solaris 11 resources:
- Download Oracle Solaris 11
- Access Oracle Solaris 11 product documentation
- Access all Oracle Solaris 11 how-to articles
- Learn more with Oracle Solaris 11 training and support
- See the official Oracle Solaris blog
- Check out The Observatory and OTN Garage blogs for Oracle Solaris tips and tricks
- Follow Oracle Solaris on Facebook and Twitter
About the Author
Alexandre Borges is an Oracle ACE who worked as an employee and contracted instructor at Sun Microsystems from 2001 to 2010, teaching Oracle Solaris, Oracle Solaris Cluster, Oracle Solaris security, Java EE, Sun hardware, and MySQL courses. Nowadays, he teaches classes for Symantec, Oracle partners, Hitachi, and EC-Council, and he teaches several very specialized classes about information security. In addition, he is a regular writer and columnist at Linux Magazine Brazil.