Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Papers We Love: Jails and Zones

Papers We Love: Jails and Zones

Slides for my @papers_we_love talk at @paperswelovenyc on February 11, 2016. Video: https://paperswelove.org/2016/video/bryan-cantrill-jails-and-solaris-zones/

Bryan Cantrill

February 12, 2016
Tweet

More Decks by Bryan Cantrill

Other Decks in Technology

Transcript

  1. Papers We Love:
    Jails and Zones
    CTO
    [email protected]
    Bryan Cantrill
    @bcantrill

    View full-size slide

  2. Papers we love: Jails and Zones
    • Discussing two important papers that form the foundation of
    thinking about OS-based virtualization and containers:
    • Jails: Confining the Omnipotent Root by Poul-Henning Kamp
    and Robert Watson, presented at SANE 2000
    • Solaris Zones: Operating System Support for Consolidating
    Commercial Workloads by Dan Price and Andy Tucker,
    presented at LISA 2004
    • As much as possible, want to let these papers speak for
    themselves — and provoke discussion!

    View full-size slide

  3. Jails: Problem statement

    View full-size slide

  4. Jails: Prior work

    View full-size slide

  5. Jails aside: chroot(2)

    View full-size slide

  6. Jails: Proposed solution

    View full-size slide

  7. Jails: Advantages

    View full-size slide

  8. Jails: jail(2)

    View full-size slide

  9. Jails: Confining the filesystem

    View full-size slide

  10. Jails: Confining the network

    View full-size slide

  11. Jails: Implementation

    View full-size slide

  12. Jails: Network management complexities

    View full-size slide

  13. Jails: Filesystem management complexities

    View full-size slide

  14. Jails: User management complexities

    View full-size slide

  15. Jails: Unintended consequences

    View full-size slide

  16. Jails: Networking limitations

    View full-size slide

  17. Jails: Resource management limitations

    View full-size slide

  18. Jails: Management limitations

    View full-size slide

  19. Jails: Epilogue
    • Jails became easier to manage with jls/jps/ezjail/iocage
    • Jails were allowed to have multiple IPv4 addresses
    • Some jail-based resource management was added, including
    CPU binding and
    • System V IPC was virtualized, but remains out-of-tree
    • VIMAGE added exclusive IP stacks to jails, but it remains a build-
    time option and “is considered experimental”

    View full-size slide

  20. Zones: Problem statement

    View full-size slide

  21. Zones: Problem statement detail

    View full-size slide

  22. Zones: Proposed solution

    View full-size slide

  23. Zones: Block diagram

    View full-size slide

  24. Zones: Design principles

    View full-size slide

  25. Zones: Design principles, cont.

    View full-size slide

  26. Zones: State model

    View full-size slide

  27. Zones: Configuration

    View full-size slide

  28. Zones: Installation

    View full-size slide

  29. Zones: Application environment

    View full-size slide

  30. Zones: Virtual platform

    View full-size slide

  31. Zones: Console

    View full-size slide

  32. Zones: Process model

    View full-size slide

  33. Zones: Process model, cont.

    View full-size slide

  34. Zones: System V IPC

    View full-size slide

  35. Zones: Networking

    View full-size slide

  36. Zones: Filesystem

    View full-size slide

  37. Zones: Resource management

    View full-size slide

  38. Zones: Observability and debugging

    View full-size slide

  39. Zones: Security experience

    View full-size slide

  40. Zones: Workloads

    View full-size slide

  41. Zones: Epilogue
    • Crossbow added virtual NICs and exclusive IP stacks — and anti-
    spoof allowed exclusive IP stacks to be deployed safely
    • Resource management became much more complete, adding
    memory capping, CPU capping, I/O throttling
    • ZFS revolutionized zone installation/configuration
    • With introduction of IPS packaging, Solaris got rid of so-called
    “sparse root” zones...
    • ...and Joyent added sparse root zones back to SmartOS (thanks
    to no IPS and no global zone package management)

    View full-size slide

  42. Zones: Epilogue, cont.
    • Sun added notion of branded zones in 2006, including a nascent
    Linux brand (LX) — and then ripped LX out in 2010
    • LX brand revived by Joyent in 2014 in SmartOS and completed
    (first deployed into production in early 2015)
    • Overlay network support added to SmartOS by Joyent, allowing
    software-defined VXLAN-based networks in non-global zones

    View full-size slide

  43. Jails and Zones: Conclusions
    • Each of these technologies has served to inspire the other: zones
    was explicitly inspired by jails — and the jails networking work
    has been explicitly inspired by Crossbow
    • These two papers are important because they capture not just the
    what, but the why of their respective works
    • These technologies were both ahead of their time; it’s invaluable
    now to be able to understand their motivations!
    • In the words of the late, great Jim Gray: You need to write more!

    View full-size slide