This is a continuation of a series of posts. While this one may be interesting all on its own, you may want to start from the top to get the context.
The diagram above shows one global zone with a few zones in it. That's not very exciting in a world where we need to rapidly provision new instances that are preconfigured and as hack-proof as we can make them. This post will show how to create a unified archive that includes the kernel zone configuration and content that makes for a hard-to-compromise web server. I'd like to say impossible, but history has shown us that software has bugs that affects everyone across the industry.
We'll start of by configuring and installing a kernel zone called web. It will have two automatic networks, each attached to the appropriate etherstubs. Notice the use of template properties - using %{zonename} and %{id} make it so that we don't have to futz with so much of the configuration when we configure the next zone based on this one.
At this point, networking inside the zone should look like this:
Configure the NFS mounts for web content (/web) and IPS repos (/repo).
Now, update the pkg image configuration so that it uses the repository from the correct path.
Update the apache configuration so that it looks to /web for the document root.
This involves (at a minimum) changing DocumentRoot to "/web" and changing the <Directory "/var/apache/2.2/htdocs"> line to <Directory "/web">. Your needs will be different and probably more complicated. This is not an Apache tutorial and I'm not qualified to give it. After modifying the configuration file, start the web server.
This is a good time to do any other configuration (users, other software, etc.) that you need. If you did the changes above really quickly, you may also want to wait for first boot tasks like man-index to complete. Allowing it to complete now will mean that it doesn't need to be redone for every instance of this zone that you create.
Since this is a type of a zone that shouldn't need to have its configuration changed a whole lot, let's use the immutable global zone (IMGZ) feature to lock down the web zone. Note that we use IMGZ inside a kernel zone because a kernel zone is another global zone.
Back in the global zone, we are ready to create a clone archive once the zone reboots.
Now that the web clone unified archive has been created, it can be used on this machine or any other with a similar global zone configuration (etherstubs of same names, dhcp server, same nfs exports, etc.) to quickly create new web servers that fit the model described in the diagram at the top of this post. To create the free kernel zone:
If I were doing this for a purpose other than this blog post, I would have also created a sysconfig profile and passed it to zoneadm install. This would have made the first boot completely hands-off.
Once we log into free, we see that there's no more setup to do.
Nearly identical steps can be taken with the deployment of premium. The key difference there is that we are dedicating two cores (add dedicated-cpu; set cores=...) rather than allocating to virtual-cpus (add virtual-cpu; set ncpus=...). That is, no one else can use any of the cpus on premium's cores but free has to compete with the rest of the system for cpu time.
The install and boot of premium will then be the same as that of free. After both zones are up, we can see that psrinfo reports the number of cores for premium but not for free.
That's enough for this post. Next time, we'll get teeter going.