I'm a member of
Quicksearch
Codenews Search
Disclaimer
The individual owning this blog works at Sun Microsystems GmbH in Germany, a subsidiary of Oracle. The opinions expressed here are his own, are not necessarily reviewed in advance by anyone but the individual author, and neither Oracle nor any other party necessarily agrees with them.
Navigation
Categories
About this blog- Apple
- iPhone
- Aviation
- Bahn
- Begriffe des Lebens
- Blogosphere
- Braindump
- Business Travel
- CANBOX
- CeBIT
- CEC
- Computing
- del.icio.us
- Fundsache
- General
- HHOSUG
- i hate sundays
- Kochen
- Mindfuck
- Movies
- Music
- On Benchmarketing
- Persoenliches Pech
- Photographie
- policy of ...
- Privacy
- Recommended Blogs
- Security
- Solaris
- Strange Days
- Sun/Oracle
- suncec2007
- suncec2008
- Technology
- The IT Business
- Toolbox
- Travel
- Work
Upcoming Solaris Features: Crossbow - Part 1: Virtualisation
Sunday, March 1. 2009
At the moment ZFS, DTrace or Zones are the well known features of Solaris. But in my opinion there will be a fourth important feature soon. Since Build 105 itīs integrated (many people will already know which feature i want to describe in this artcle) into Solaris. This feature has the project name Crossbow. Itīs the new TCP/IP stack of Opensolaris and was developed with virtualisation in mind from ground up. "Virtualisation in mind" does not only lead to the concept of virtual network interface cards, you can configure virtual switches as well and even more important: You can control the resource usage of a virtual client or managing the load by distributing certain TCP/IP traffic to dedicated CPUs. Iīve already held some talks about Crossbow at different events, thus itīs time to write an article about this topic. I will start with the virtualisation part of Crossbow.
The Virtualisation part
This part is heavily inspired by this blog entry of Ben Rockwood, but he ommited some parts in the course of his article to make a full walk-through out of it, so i extended it a little bit.Normally a network consists out of switches and networking cards, server and router . Itīs easy to replicate this in a single system. Networking cards can be simulated by VNICS, switches are called etherstubs in the namespace of Crossbow. Server can be simulated by zones of course, and as router are not much more than special-purpose servers, we could simulate them by a zone as well.
A simple network
Let us simulate a simple network at first. Just two servers and a router:
At first we create two virtual switches. They are called
etherstub0 and etherstub1# dladm create-etherstub etherstub0
# dladm create-etherstub etherstub1
etherstub0. These virtual nics are called vnic1 and vnic0.
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2
# dladm create-vnic -l etherstub1 vnic3
# dladm create-vnic -l etherstub1 vnic4
# dladm showlink
LINK CLASS MTU STATE OVER
ni0 phys 1500 unknown --
etherstub0 etherstub 9000 unknown --
etherstub1 etherstub 9000 unknown --
vnic1 vnic 9000 up etherstub0
vnic2 vnic 9000 up etherstub0
vnic3 vnic 9000 up etherstub1
vnic4 vnic 9000 up etherstub1
vnic5 vnic 1500 up ni0
A template zone
At first we create a template zone. This zone is just used for speeding up the creation of other zones. To enable zone creation based on ZFS snapshots, we have to create a filesystem for our zones and mount it at a nice position in your filesystem:# zfs create rpool/zones
# zfs set compression=on rpool/zones
# zfs set mountpoint=/zones rpool/zones
template in a working directory. All the following steps assume that you are in this directory as i wonīt use absolute paths.
create -b
set zonepath=/zones/template
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
commit
# zonecfg -z template -f template
# zoneadm -z template install
A ZFS file system has been created for this zone.
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <3488> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1507> packages on the zone.
Initialized <1507> packages on zone.
Zone is initialized.
The file contains a log of the zone installation.
#
site.xml
While waiting for the zone installation to end we can create a few other files. At first you should create a file calledsite.xml. This files controls which services are online after the first boot. You can think of it like an sysidcfg for the Service Management Framework. The file is rather long, so i wonīt post it in the article directly. You can download my version of this file here.
Zone configurations for the testbed
At first we have to create the zone configurations. The files are very similar. The differences are in the zonepath and in the network configuration. The zoneservera is located in /zones/serverA and uses the network interface vnic2. This will is called serverA:
create -b
set zonepath=/zones/serverA
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=vnic2
end
commit
serverb uses the directory /zones/serverB and is configured to bind to the interface vnic4. Obviously iīve named the configuration file serverB
create -b
set zonepath=/zones/serverB
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=vnic4
end
commit
router zone is a little bit longer as we need more network interfaces. I opened a file called router and filled it with the following content:create -b
set zonepath=/zones/router
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=vnic5
end
add net
set physical=vnic1
end
add net
set physical=vnic3
end
commit
sysidcfg files
To speed up installation we create some sysidconfig files for our zones. Without this files, the installation would "go interactive" and you would have to use menus to provide the configuration informations. When you copy place such a file at/etc/sysidcfg the system will be initialized with the information provided in the file.
I will start with the sysidcfg file of router zone:
system_locale=C
terminal=vt100
name_service=none
network_interface=vnic5 {primary hostname=router1 ip_address=10.211.55.10 netmask=255.255.255.0 protocol_ipv6=no default_route=10.211.55.1}
network_interface=vnic1 {hostname=router1-a ip_address=10.211.100.10 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
network_interface=vnic3 {hostname=router1-b ip_address=10.211.101.10 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/Centralservera_sysidcfg:system_locale=C
terminal=vt100
name_service=none
network_interface=vnic2 {primary hostname=server1 ip_address=10.211.100.11 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/Centralserverb_sysidcfg. Itīs the config file for our second server zone:
system_locale=C
terminal=vt100
name_service=none
network_interface=vnic4 {primary hostname=server2 ip_address=10.211.101.11 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/CentralFiring up the zones
After creating all this configuration files, we use them to create some zones. The procedure is similar for all zone. At first we do the configuration. After this we clone thetemplate zone. As we located the template zone in a ZFS filesystem, the cloning takes just a second. Before we boot the zone, we place our configuration files we prepared while waiting for the installation of the template zone.
# zonecfg -z router -f router
# zoneadm -z router clone template
Cloning snapshot rpool/zones/template@SUNWzone3
Instead of copying, a ZFS clone has been created for this zone.
# cp router_sysidcfg /zones/router/root/etc/sysidcfg
# cp site.xml /zones/router/root/var/svc/profile
# zoneadm -z router boot
servera.# zonecfg -z servera -f serverA
# zoneadm -z servera clone template
Cloning snapshot rpool/zones/template@SUNWzone3
Instead of copying, a ZFS clone has been created for this zone.
# cp serverA_sysidcfg /zones/serverA/root/etc/sysidcfg
# cp site.xml /zones/serverA/root/var/svc/profile
# zoneadm -z servera boot
serverb again:# zonecfg -z serverb -f serverB
# zoneadm -z serverb clone template
Cloning snapshot rpool/zones/template@SUNWzone3
Instead of copying, a ZFS clone has been created for this zone.
# cp serverb_sysidcfg /zones/serverB/root/etc/sysidcfg
# cp site.xml /zones/serverB/root/var/svc/profile
# zoneadm -z serverb boot
# zoneadm list -v
ID NAME STATUS PATH BRAND IP
0 global running / native shared
13 router running /zones/router native excl
15 servera running /zones/serverA native excl
19 serverb running /zones/serverB native excl
All zones are up and running.
Playing around with our simulated network
At first a basic check. Letīs try to plumb one of the VNICs already used in a zone.# ifconfig vnic2 plumb
vnic2 is used by non-globalzone: servera
# routeadm -e ipv4-forwarding
# routeadm -e ipv4-routing
# routeadm -u
# routeadm
Configuration Current Current
Option Configuration System State
---------------------------------------------------------------
IPv4 routing enabled enabled
IPv6 routing disabled disabled
IPv4 forwarding enabled enabled
IPv6 forwarding disabled disabled
Routing services "route:default ripng:default"
Routing daemons:
STATE FMRI
disabled svc:/network/routing/zebra:quagga
disabled svc:/network/routing/rip:quagga
disabled svc:/network/routing/ripng:default
disabled svc:/network/routing/ripng:quagga
disabled svc:/network/routing/ospf:quagga
disabled svc:/network/routing/ospf6:quagga
disabled svc:/network/routing/bgp:quagga
disabled svc:/network/routing/isis:quagga
disabled svc:/network/routing/rdisc:default
online svc:/network/routing/route:default
disabled svc:/network/routing/legacy-routing:ipv4
disabled svc:/network/routing/legacy-routing:ipv6
online svc:/network/routing/ndp:default# netstat -nr
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.211.100.10 UG 1 0 vnic2
10.211.100.0 10.211.100.11 U 1 0 vnic2
127.0.0.1 127.0.0.1 UH 1 49 lo0
/etc/defaultrouter or without being a dhcp client it automatically starts up the router discovery protocol as specified by RPC 1256. By using this protocol the hosts adds all available routers in the subnet as a defaultrouter.The rdisc protocol is implemented by the
in.routed daemon. It implements two different protocols. The first one is the already mentioned rdisc protocol. But it implements the RIP protocol as well. The RIP protocol part is automagically activated when a system has more than one network interface.# ping 10.211.100.11
10.211.100.11 is alive
# traceroute 10.211.100.11
traceroute to 10.211.100.11 (10.211.100.11), 30 hops max, 40 byte packets
1 10.211.101.10 (10.211.101.10) 0.285 ms 0.266 ms 0.204 ms
2 10.211.100.11 (10.211.100.11) 0.307 ms 0.303 ms 0.294 ms
#
Building a more complex network
# dladm create-etherstub etherstub10
# dladm create-vnic -l etherstub1 routerb1
# dladm create-vnic -l etherstub10 routerb10
# dladm create-vnic -l etherstub10 serverc1
# dladm create-vnic -l etherstub1 routerc1
# dladm create-vnic -l etherstub10 routerc2
routerB>: create -b
set zonepath=/zones/routerB
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=routerb1
end
add net
set physical=routerb10
end
commit
sysidcfg even when the system is a router itself. The system boots up with a router and will get itīs routing tables from the RIP protocol.
system_locale=C
terminal=vt100
name_service=none
network_interface=routerb1 {primary hostname=routerb ip_address=10.211.101.254 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
network_interface=routerb10 {hostname=routerb-a ip_address=10.211.102.10 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/Central# zonecfg -z routerb -f routerb
# zoneadm -z routerb clone template
Cloning snapshot rpool/zones/template@SUNWzone4
Instead of copying, a ZFS clone has been created for this zone.
# cp routerb_sysidcfg /zones/routerb/root/etc/sysidcfg
# cp site.xml /zones/routerB/root/var/svc/profile/
# zoneadm -z routerb boot
routerc zone. We bind it to the matching vnics in the zone configuration:create -b
set zonepath=/zones/routerC
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=routerc1
end
add net
set physical=routerc2
end
commit
routerb apply to the routerc. We will rely on the routing protocols to provide a defaultroute, so we can just insert NONE into the sysidcfg for the default route. # cat routerc_sysidcfg
system_locale=C
terminal=vt100
name_service=none
network_interface=routerc1 {primary hostname=routerb ip_address=10.211.102.254 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
network_interface=routerc2 {hostname=routerb-a ip_address=10.211.100.254 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/Central# zonecfg -z routerc -f routerC
# zoneadm -z routerc clone template
Cloning snapshot rpool/zones/template@SUNWzone4
Instead of copying, a ZFS clone has been created for this zone.
# cp routerb_sysidcfg /zones/routerC/root/etc/sysidcfg
# cp site.xml /zones/routerC/root/var/svc/profile/
# zoneadm -z routerc boot
serverc:
create -b
set zonepath=/zones/serverC
set ip-type=exclusive
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt
end
add net
set physical=serverc1
end
commit
serverCsystem_locale=C
terminal=vt100
name_service=none
network_interface=serverc1 {primary hostname=server2 ip_address=10.211.102.11 netmask=255.255.255.0 protocol_ipv6=no default_route=NONE}
nfs4_domain=dynamic
root_password=cmuL.HSJtwJ.I
security_policy=none
timeserver=localhost
timezone=US/CentralWell ... itīs zone startup time again ...
# zonecfg -z serverc -f routerC
# zoneadm -z serverc clone template
Cloning snapshot rpool/zones/template@SUNWzone4
Instead of copying, a ZFS clone has been created for this zone.
# cp serverc_sysidcfg /zones/serverC/root/etc/sysidcfg
# cp site.xml /zones/serverC/root/var/svc/profile/
# zoneadm -z serverC boot
routerb:# routeadm -e ipv4-forwarding
# routeadm -e ipv4-routing
# routeadm -u
routerc. The command sequence is identical.# routeadm -e ipv4-forwarding
# routeadm -e ipv4-routing
# routeadm -u
servera# netstat -nr
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.211.100.10 UG 1 0 vnic2
default 10.211.100.254 UG 1 0 vnic2
10.211.100.0 10.211.100.11 U 1 0 vnic2
127.0.0.1 127.0.0.1 UH 1 49 lo0
As you see, there are two default routers in the routing table. The host receives router advertisments from two routers, thus it adds both into the routing table. Now letīs have a closer at the routing table of the
routerb system.routerb# netstat -nr
Routing Table: IPv4
Destination Gateway Flags Ref Use Interface
-------------------- -------------------- ----- ----- ---------- ---------
default 10.211.101.10 UG 1 0 routerb1
10.211.100.0 10.211.102.254 UG 1 0 routerb10
10.211.101.0 10.211.101.254 U 1 0 routerb1
10.211.102.0 10.211.102.10 U 1 0 routerb10
127.0.0.1 127.0.0.1 UH 1 23 lo0
Conclusion
This part of the tutorial just covers a small part of Crossbow. In the next part i will talk about the capabilities in regard of managing flows of network traffic with crossbow. The scope of the virtualisation part is wider than just testing. Imagine the following situation: You want to consolidate several servers in a complex networks, but you want or you cant change a configuration file. In regard of the networking configuration you just could simulate it in one machine. And as itīs part of a single operating system kernel it is a very efficent way to do it. You donīt need virtual I/O servers or something like that. Itīs the single underlying kernel of Solaris itself doing this job. Another interesting use case for Crossbow was introduced by Glenn Brunette in his concept for the immutable service containers.
Posted by Joerg Moellenkamp
in English, Solaris
at
21:20
| Comments (9)
| Trackbacks (2)
View as PDF: This entry | This month | Full blog
View as PDF: This entry | This month | Full blog
Comments
Display comments as
(Linear | Threaded)
Found a reference thru the lksf book
http://www.c0t0d0s0.org/pages/sitexml.html
http://www.c0t0d0s0.org/pages/sitexml.html
You mentioned firewall/nat. Is there a new firewall feature build
into Crossbow (Solaris 10 includes IP filter)? As far as I remember
ipf requires some devices (e.g. /dev/ipauth, /dev/ipstate).
Must your firewall/nat zone have access to these devices?
into Crossbow (Solaris 10 includes IP filter)? As far as I remember
ipf requires some devices (e.g. /dev/ipauth, /dev/ipstate).
Must your firewall/nat zone have access to these devices?
Could you post the reference please to the site.xml file.
Thanks
Thanks
I also noticed that the link to site.xml is broken. Could you kindly port that link?
Small error in the text. It says
Okay, now we create virtual nics that are bound to the virtual switch etherstub0. These virtual nics are called vnic1 and vnic0.
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2
The 2nd sentence should read "These virtual nics are called vnic1 and vnic2"
Okay, now we create virtual nics that are bound to the virtual switch etherstub0. These virtual nics are called vnic1 and vnic0.
# dladm create-vnic -l etherstub0 vnic1
# dladm create-vnic -l etherstub0 vnic2
The 2nd sentence should read "These virtual nics are called vnic1 and vnic2"
I was trying the above setup on OpenSolaris 2009.06 but discovered that routing protocols don't seem to be available (routeadm -e ipv4-routing didn't work) and also within each guest the router discovery isn't happening either. Are these observations expected and is the only workaround SCXE (I presume the above was tested using SCXE) ?
Great article Joerg.
I'm happy to announce that Crossbow was featured in the last JavaOne/Community One conference, It was featured at the keynote speaker.
I'll be making the demo presented during the launch available for the rest of the OpenSolaris community soon.
I'm happy to announce that Crossbow was featured in the last JavaOne/Community One conference, It was featured at the keynote speaker.
I'll be making the demo presented during the launch available for the rest of the OpenSolaris community soon.
Links in this article
The LKSF book
The book with the consolidated Less known Solaris Tutorials is available for download here
Twitterfeeds
twitter.com/c0t0d0s0
just blogged: links for 2010-03-19: Gedanken eines Fliegenden: Freikoerperkultur ... http://bit.ly/c21ARU
twitter.com/codenews
6934123 elfdump -d coredumps on PA-RISC elf http://bit.ly/byckAe
twitter.com/SunPatches
Security patch: 120228-40 - Messaging Server 6.3-11.01: core patch. Available for SPARC since Mar/17/10. http://bit.ly/bk1hw3
twitter.com/SolPatchesX86
122301-49 - SunOS 5.9_x86: Kernel Patch. Available since Mar/17/10. http://bit.ly/9ETInV
twitter.com/SolPatchesSPARC
122300-49 - SunOS 5.9: Kernel Patch. Available since Mar/17/10. http://bit.ly/b9ZvRJ
just blogged: links for 2010-03-19: Gedanken eines Fliegenden: Freikoerperkultur ... http://bit.ly/c21ARU
twitter.com/codenews
6934123 elfdump -d coredumps on PA-RISC elf http://bit.ly/byckAe
twitter.com/SunPatches
Security patch: 120228-40 - Messaging Server 6.3-11.01: core patch. Available for SPARC since Mar/17/10. http://bit.ly/bk1hw3
twitter.com/SolPatchesX86
122301-49 - SunOS 5.9_x86: Kernel Patch. Available since Mar/17/10. http://bit.ly/9ETInV
twitter.com/SolPatchesSPARC
122300-49 - SunOS 5.9: Kernel Patch. Available since Mar/17/10. http://bit.ly/b9ZvRJ
Web 2.0
Contact
Networking
open.bc
LinkedIn
Facebook
My photos
- mail: joerg@c0t0d0s0.org
- icq: 144000169
- Me, myself and I
- openBC
- My del.icio.us
- c0t0d0s0@twitter
- c0t0d0s0@last.fm
- wiki@c0t0d0s0
- Amazon Wishlist
Networking
open.bc
My photos
Syndication
Tagged articles
AMD Apple avs Bahn Blogging Blogosphere braindump Business Travel CeBIT cec cec2006 CMT del.icio.us deutsch dtrace fliegen Fundsache General Hamburg IBM i hate sundays Intel iscsi jumpstart Links Linux lksf Mindfuck Movies Music Musik Niagara Opensolaris Opteron Photographie policy of ... Politik Security Solaris storage Sun suncec2007 sunw t1 The IT Business Ultrasparc ultrasparc t1 Wirtschaft Work ZFS
Comments
Fri, 19.03.2010 17:36
Actually I am curious to know
what would have happened if th
ey objected.
Fri, 19.03.2010 17:31
I agree, it has been a very il
l and stupid waiting...full of
stupid statements...I was so
much waiting for them to [...]
Fri, 19.03.2010 17:05
A little bit late maybe. Don't
think Larry would have cared
if they objected... 
about Ich bin angewidert ....
Fri, 19.03.2010 09:52
@NoTarget:
Heinsohn ist ein
kluger Mann (siehe hier: http
://bit.ly/drhRLA). Das heisst
aber nicht, dass er *nur [...]
about Ich bin angewidert ....
Fri, 19.03.2010 07:38
1. Zum einen habe ich einen Ge
genvorschlag formuliert (bitte
Text zu Ende lesen). Es ersch
eint mir sinnvoller, Gel [...]
Buttons
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Germany License
In "Upcoming Solaris Features: Crossbow - Part 1: Virtualisation" i forgot to provide the site.xml file and got some questions about it. Well ... now you can download it here.
Tracked: Apr 24, 20:21
Tracked: Jan 28, 02:56