Apologies for any duplicates you might receive. This
was sent to caiman-discuss, but for those who don't follow
that list, I wanted to send this out here.
Thanks,
Jerry
----
Zones/SNAP Design
8/25/2008
I. Overview
This specification describes how ZFS datasets will be used with zones for
supporting software management operations with ipkg branded zones on
OpenSolaris. Software management includes tasks such as a SNAP upgrade or
installing/removing pkgs.
Issues are summarized in Part III.
One goal is that sw management behavior within the zone should be as similar
as possible to the behavior in the global zone. That is, when the zone admin
does sw management, the tools running within the zone should be able to take a
snapshot of the zone root, clone it, and the zone admin should be able to
roll-back if the sw installation was problematic. This implies that the zone
root itself must be a delegated dataset. Up to now, zones does not support
this, so we must extend zones to provide this capability.
(Note that these software management features within a zone are not a
requirement for the 2008.11 release, however, this proposal lays the
groundwork to enable that capability moving forward.)
There are some issues with delegating the zone root dataset to the zone. The
way zones work, it is fundamental that the zone root be mounted in the global
zone so that the system can set up the chrooted environment when the zone
boots or when a process enters the zone. However, the ZFS mountpoint property
cannot be interpreted from the global zone when a dataset is delegated,
since this could lead to security problems.
(Note that the zone root is {zonepath}/root as seen in the global zone}
To address this, the zones code must be enhanced to explicitly manage the zone
root mounts. This naturally falls out of the basic design described here.
There were two alternative proposal considered; a two-level zone layout and a
single-level zone layout. After much discussion, the single-level approach
was chosen. The two-level approach is not described further here.
II. Description
To support the management of boot environments (BEs) for zones within both the
global zone context as well as the non-global zone context, a nested,
two-level, BE dataset naming scheme is used so that there is a top-level
global zone BE namespace, as well as a zone-level BE namespace for the zone's
own use. Properties on the zone's datasets are used to manage which dataset
is active and which datasets are associated with a specific global zone BE.
There are two properties on a zone's datasets that are used to manage the
datasets; "org.opensolaris.libbe:parentbe" and "org.opensolaris.libbe:active".
The "org.opensolaris.libbe:parentbe" property is set to the UUID of the global
zone BE that is active when the non-global zone BE is created. The
"org.opensolaris.libbe:active" property is set to "on" or "off" to indicate
that the dataset is the one that should be mounted.
We leave the "org.opensolaris.libbe:active" property set to "on" to
correspond with older, inactive global zone BEs, and use the combination of
this property, along with the matching "org.opensolaris.libbe:parentbe" to
determine which dataset to mount on the zone root. Thus, rolling back to an
earlier global zone BE would cause the last active zone BE to be mounted for
that global zone BE.
When a global zone BE is deleted, all corresponding zone-specific BEs with the
matching "org.opensolaris.libbe:parentbe" property should also be deleted.
When a non-global zone is deleted, all of zone-specific BEs with the
matching "org.opensolaris.libbe:parentbe" property for the current global zone
BE UUID should be deleted, however, any zone-specific BEs for other
global zone BEs must be preserved.
The following example illustrates the dataset layout and management for zone
z1 while the global zone is running BE1. The zones code must be enhanced to
automatically create these datasets when the zone is installed.
(For clarity, the global zone "GBE" string is used instead of the global zone
BE UUID in the following examples. Likewise, the "ZBE" string is used to for
the non-global zone BE name.)
The zone has zonepath: /export/zones/z1
The relevant dataset that exists before the zone is installed:
dataset mountpoint prop. zoned prop.
rpool/export/zones /export/zones off
The datasets that must be automatically created during zone installation:
dataset mountpoint prop. zoned prop.
rpool/export/zones/z1/rpool legacy on
rpool/export/zones/z1/rpool/ZBE1 legacy on
The equivalent commands to create these datasets:
# zfs create -o mountpoint=legacy -o zoned=on rpool/export/zones/z1/rpool
# zfs create -o org.opensolaris.libbe:active=on \
-o org.opensolaris.libbe:parentbe=GBE1 rpool/export/zones/z1/rpool/ZBE1
During the zone installation and after the zone is installed, the zone's ZBE1
dataset is explicitly mounted by the global zone onto the zone root (note, the
dataset is a ZFS legacy mount so zones infrastructure itself must manage the
mounting. It uses the dataset properties to determine which dataset to
mount, as described below.): e.g.
# mount -f zfs rpool/export/zones/z1/rpool/ZBE1 /export/zones/z1/root
The rpool dataset (and by default, its child datasets) will be implicitly
delegated to the zone. That is, the zonecfg for the zone does not need to
explicitly mention this as a delegated dataset. The zones code must be
enhanced to delegate this automatically:
rpool/export/zones/z1/rpool
Once the zone is booted, running a sw management operation within the zone
does the equivalent of the following sequence of commands:
1) Create the snapshot and clone
# zfs snapshot rpool/export/zones/z1/rpool/[EMAIL PROTECTED]
# zfs clone rpool/export/zones/z1/rpool/[EMAIL PROTECTED] \
rpool/export/zones/z1/rpool/ZBE2
2) Mount the clone and install sw into ZBE2
# mount -f zfs rpool/export/zones/z1/rpool/ZBE2 /a
3) Install sw
4) Finish
# unmount /a
Within the zone, the admin then makes the new BE active by the equivalent of
the following sequence of commands:
# zfs set org.opensolaris.libbe:active=off rpool/export/zones/z1/rpool/ZBE1
# zfs set org.opensolaris.libbe:active=on rpool/export/zones/z1/rpool/ZBE2
Note that these commands will not need to be explicitly performed by the
zone admin. Instead, a utility such as beadm does this work (see issue #2).
When the zone boots, the zones infrastructure code in the global zone will look
for the zone's dataset that has the "org.opensolaris.libbe:active" property set
to "on" and explicitly mount it on the zone root, as with the following
commands to mount the new BE based on the sw management task just performed
within the zone:
# umount /export/zones/z1/root
# mount -f zfs rpool/export/zones/z1/rpool/ZBE2 /export/zones/z1/root
Note that the global zone is still running GBE1 but the non-global zone is
now using its own ZBE2.
If there is more than one dataset with a matching
"org.opensolaris.libbe:parentbe" property and the
"org.opensolaris.libbe:active" property set to "on", the zone won't boot.
Likewise, if none of the datasets have this property set.
When global zone sw management takes place, the following will happen.
Only the active zone BE will be cloned. This is the equivalent of the
following commands:
# zfs snapshot -r rpool/export/zones/z1/[EMAIL PROTECTED]
# zfs clone rpool/export/zones/z1/[EMAIL PROTECTED]
rpool/export/zones/z1/ZBE3
(Note that this is using the zone's ZBE2 dataset created in the previous
example to create a zone ZBE3 dataset, even though the global zone is
going from GBE1 to GBE2.)
When global zone BE is activated and the system reboots, the zone root must
be explicitly mounted by the zones code:
# mount -f zfs rpool/export/zones/z1/rpool/ZBE3 /export/zones/z1/root
Note that the global zone and non-global zone BE names move along independently
as sw management operations are performed in the global and non-global
zone and the different BEs are activated, again by the global and non-global
zone.
One concern with this design is that the zone has access to its datasets that
correspond to a global zone BE which is not active. The zone admin could
delete the zone's inactive BE datasets which are associated with a non-active
global zone BE, causing the zone to be unusable if the global zone boots back
to an earlier global BE.
One solution is for the global zone to turn off the "zoned" property on
the datasets that correspond to a non-active global zone BE. However, there
seems to be a bug in ZFS, since these datasets can still be mounted within
the zone. This is being looked at by the ZFS team. If necessary, we can work
around this by using a combination of a mountpoint along with turning off
the "canmount" property, although a ZFS fix is the preferred solution.
Another concern is that the zone must be able to promote one of its datasets
that is associated with a non-active global zone BE. This can occur if the
global zone boots back to one of its earlier BEs. This would then cause an
earlier non-global zone BE to become the active BE for that zone. If the zone
then wants to destroy one of its inactive zone BEs it needs to be able to
promote any children of that dataset. We must make sure that any restrictions
we use with the ZFS "zoned" attribute doesn't prevent this. This may require
an enhancement in ZFS itself.
III. Issues and Tasks:
-----------------------
1) We will not allow zones in the ROOT dataset. When installing a zone,
this will be validated and result in an error if the zonepath is under
the ROOT dataset.
If necessary, we can always relax this restriction later. This proposal
does not discuss a namespace or layout for zones in the ROOT dataset.
2) We need some sort of tool to manage BE activation within the zone. This
would automatically set the value for the ZFS "org.opensolaris.libbe:active"
property for the different datasets. This most likely would be an extension
to beadm to make it work inside of a zone. (Not required for 2008.11)
3) The sw management commands must be extended to be zone aware so that
they can create the correct snapshot and clone when they are running
inside the zone. (Not required for 2008.11)
4) Zones must always live in ZFS datasets. When installing a zone,
this will be validated and result in an error if the zonepath is not under
a dataset.
If necessary, we can always relax this restriction later. This proposal
does not discuss how to handle zones that do not have their own BE dataset.
5) We must either fix the zone dev to be part of the zone root and not
a separate mount or we need to manage it as its own dataset that is
cloned and mounted as part of the global zone BE management. Fixing this
implies some devfs changes. This is assumed in the example above.
6) Global zone BEs need a UUID.
7) The zones code needs some way to determine the active global zone BE UUID
for use in creating the zone datasets and for managing the explicit mounts.
_______________________________________________
zones-discuss mailing list
zones-discuss@opensolaris.org
