# OpenSolaris Zones/Containers FreeBSD Port?



## z3R0 (May 10, 2009)

I would like to see OpenSolaris Zones/Containers ported over to FreeBSD.

It's an important resource management and security feature that is a lot better than chroot and jails. If you look at Zones or Linux vServer you will see that Jails pale in comparison.

ZFS and Dtrace are excellent tools/features. Please bring in Zones!


----------



## vermaden (May 10, 2009)

What for?

FreeBSD provides the same functionality (OS level virtualization) with FreeBSD Jails.

Check latest improvements in Jails in latest FreeBSD 7.2 release.


----------



## lme@ (May 10, 2009)

moved to 'general' section.


----------



## z3R0 (May 10, 2009)

vermaden said:
			
		

> What for?
> 
> FreeBSD provides the same functionality (OS level virtualization) with FreeBSD Jails.
> 
> Check latest improvements in Jails in latest FreeBSD 7.2 release.



Why not? Zones are FreeBSD Jails on steroids, easier to manage not to mention better integrated with ZFS.

OpenVS and VServer might be ahead though.
http://en.wikipedia.org/wiki/Jail_(computer_security)#Implementations

Would anyone care to highlight a detailed feature by feature comparison of Zones vs Jails, throw in OpenVS?

Interesting.


----------



## gordon@ (May 10, 2009)

I eagerly anticipate your detailed analysis followed by patches to implement zones on FreeBSD.

Seriously, while there are some nice things about zones (memory limits, cpu limits), very few people are paid to work on FreeBSD while all the developers for Solaris are paid. Sitting around and saying "X should be done" is only going to cause people (like me) to call you an armchair general.


----------



## z3R0 (May 10, 2009)

gordon@ said:
			
		

> I eagerly anticipate your detailed analysis followed by patches to implement zones on FreeBSD.
> 
> Seriously, while there are some nice things about zones (memory limits, cpu limits), very few people are paid to work on FreeBSD while all the developers for Solaris are paid. Sitting around and saying "X should be done" is only going to cause people (like me) to call you an armchair general.



Well, it is merely a feature I would love to see in FreeBSD; the "armchair general" comment was not necessary. I appreciate the hard work that FreeBSD developers carry out.

I just don't see what is wrong with making a suggestion to incorporate Solaris Zones. For example ZFS, Dtrace are being incorporated from Solaris, PF from OpenBSD, launchd from Darwin and I'm sure other features from other OS's.

Zones is a feature that shouldn't be overlooked.

I don't mind helping out with patches either but I'm curious to see how others feel about it and where to start.


----------



## z3R0 (May 10, 2009)

Other features to consider are: 
1) Building the Sun grid engine into the kernel 
2) Adding clustering into ZFS and 
3) Bootable ZFS

Just a thought.


----------



## lme@ (May 11, 2009)

Both DTrace and ZFS ports to FreeBSD were paid work by Cisco resp. a big Polish ISP.
You're free to add a bounty for porting Zones at http://www.freebsdbounties.info/bounties or http://www.SponsorBSD.org


----------



## phoenix (May 11, 2009)

gordon@ said:
			
		

> I eagerly anticipate your detailed analysis followed by patches to implement zones on FreeBSD.
> 
> Seriously, while there are some nice things about zones (memory limits, cpu limits), very few people are paid to work on FreeBSD while all the developers for Solaris are paid. Sitting around and saying "X should be done" is only going to cause people (like me) to call you an armchair general.



I don't remember where I saw it (most likely a mailing list posting), but there's someone working on implementing resource limits for jails.


----------



## anomie (May 11, 2009)

z3R0 said:
			
		

> If you look at Zones or Linux vServer you will see that Jails pale in comparison.



Please elaborate. 



			
z3R0 said:
			
		

> Zones are FreeBSD Jails on steroids, easier to manage not to mention better integrated with ZFS.



I'm curious what you mean exactly by "easier to manage". I haven't had problems managing FreeBSD Jails. 



			
z3R0 said:
			
		

> I don't mind helping out with patches either but I'm curious to see how others feel about it and where to start.



I have not worked with Zones (but I've compared notes with Solaris sysadmins at work). Frankly I have zero interest (intentional pun) in seeing Zones ported to FreeBSD. But I'm hoping you will have a compelling argument that will pique my interest in the possibility.


----------



## vermaden (May 11, 2009)

lme@ said:
			
		

> Both DTrace and ZFS ports to FreeBSD were paid work by Cisco resp. a big Polish ISP.



Can you share any more details about that please?


----------



## swills@ (May 11, 2009)

There was some work done on CPU and memory limits for jails:

http://wiki.freebsd.org/JailResourceLimits


----------



## lme@ (May 12, 2009)

vermaden said:
			
		

> Can you share any more details about that please?



For ZFS see: http://lists.freebsd.org/pipermail/freebsd-current/2007-April/070544.html

For DTrace see: http://www.nabble.com/DTrace-for-FreeBSD---status-p15055963.html


----------



## vermaden (May 12, 2009)

@lme

Thank you.


----------



## z3R0 (May 12, 2009)

anomie said:
			
		

> I'm curious what you mean exactly by "easier to manage". I haven't had problems managing FreeBSD Jails.



OpenSolaris provides easier to use tools for the creation and management of Zones (zonecfg, zoneadm, zlogin, etc...)

Though some work has been done on JailResourceLimits as mentioned above
http://wiki.freebsd.org/JailResourceLimits

Zones are stronger in this area so why reinvent the wheel? (And if you try to reinvent the wheel why not see how it's done in Zones? You might learn a thing or two.)


----------



## phoenix (May 12, 2009)

Jails already exist, how is it "re-inventing the wheel" to continue to use jails?  It would be "re-inventing the wheel" to drop jails, and try to port zones.  Better to improve jails, perhaps looking at how openvz/vserver and zones work.


----------



## SirDice (May 13, 2009)

FreeBSD's jail existed long before Solaris' Zones.


----------



## z3R0 (May 13, 2009)

phoenix said:
			
		

> Jails already exist, how is it "re-inventing the wheel" to continue to use jails?  It would be "re-inventing the wheel" to drop jails, and try to port zones.  Better to improve jails, perhaps looking at how openvz/vserver and zones work.



In the sense that Zones are an extension of Jails. So instead of having to add functionality that is already in Zones (or that has already been extended for you) to Jails, why not just incorporate the code in Zones? Or better yet merge both, and simplify the management of Jails with better utilities.


----------



## vermaden (May 13, 2009)

@z3R0

*phoenix* probably had in mind that adding these features to Jails will take a lot less time than porting whole Zones to FreeBSD.

BTW, have you tried *ezjail* from Ports?


----------



## phoenix (May 13, 2009)

Exactly.

What z3R0 is recommending is to rip out jails, and import Zones.  IOW, re-invent the wheel (jails), start from scratch (zones)/do something new, abandon many many years of work (jails), and import a whole new class of undiscovered bugs (zones).

What I'm recommending is keeping jails, and use that as a basis to extend outward until all/most of the desired features from Solaris Zones (or Linux-VServer or any other container software) are included.  IOW, exactly what the FreeBSD devs are doing.


----------



## fronclynne (May 14, 2009)

I think we should buy solaris 10 cds and put freebsd stickers on them, to make the solaris mavens happy.  We can do that with ubunutu cds too.  Hell, go whole hog and sticker up some bootleg botnet pre-infected winders7 cds as freebsd server edition 1999.


----------



## SirDice (May 14, 2009)

fronclynne said:
			
		

> I think we should buy solaris 10 cds and put freebsd stickers on them, to make the solaris mavens happy.


We could entice Sun to revert back to 4.4BSD for Solaris 12 or 13, just like the olden days with SunOS :e



> We can do that with ubunutu cds too.  Hell, go whole hog and sticker up some bootleg botnet pre-infected winders7 cds as freebsd server edition 1999.


The horror x(


----------



## DutchDaemon (May 14, 2009)

You're not getting in on my business.


----------



## z3R0 (May 14, 2009)

phoenix said:
			
		

> Exactly.
> 
> What z3R0 is recommending is to rip out jails, and import Zones.  IOW, re-invent the wheel (jails), start from scratch (zones)/do something new, abandon many many years of work (jails), and import a whole new class of undiscovered bugs (zones).
> 
> What I'm recommending is keeping jails, and use that as a basis to extend outward until all/most of the desired features from Solaris Zones (or Linux-VServer or any other container software) are included.  IOW, exactly what the FreeBSD devs are doing.



Never said anything about ripping out Jails. I suggested adding Zones. For example FreeBSD has added PF, yet they also have IPFW and IPFilter. Nothing wrong with having multiple mechanisms.


----------



## z3R0 (May 14, 2009)

This looks even more interesting than Jails or Zones:

Jump to 40:46 in the video:

BitFrost
http://video.google.com/videoplay?docid=-4285568518538296189


----------

