Using Docker on SmartOS Hypervisors
SmartOS is an OpenSolaris-based hypervisor consisting of a stripped-down illumos environment, QEMU and a port of the Linux KVM module to Solaris. With the no longer so recent addition of LX-branded zones and docker to SmartOS, it is possible to conveniently provision docker containers on SmartOS.
The SmartOS documentation is rather sparse on how to efficiently run docker containers in a SmartOS environment. The use case for me is that I run my “lab” using SmartOS zones, a KVM-virtualized firewall appliance and various Linuxes. It is rather efficient to separate services on the Linuxes using docker, which is why I do it.
To effectively operate on docker containers in a lab setting, it is necessary to have
- a provisioned SmartOS host,
- dockerized zone manifests and
- a private, insecure docker registry for the use by SmartOS.
Optionally, you might wish to provide for
- a web interface to the docker registry,
- an SSL-terminating proxy to the docker registry and possibly
- a different, secured docker registry for the use from the “outside”.
The last two are deferred to the interested reader as an exercise or possibly to a later post.
On SmartOS, LX-branded zones are zones which use a Linux to Solaris system call translation layer. As special zones, they benefit from storage on dedicated ZFS datasets, from CPU and I/O limits set by the Solaris resource consumption controls and from a “private” networking stack provided by the Crossbow framework.
Configuration of SmartOS Hypervisor Host
Assuming an otherwise running and configured SmartOS hypervisor, docker image sources are configured as dataset sources using imgadm. It is necessary to configure additional image sources for docker images and then import the corresponding images as datasets. imgadm(1M) has the details.
Creating a Private Docker Registry
Having successfully imported the dataset, a private registry can be provisioned using the following JSON manifest:
I cannot say if the image UUID is deterministically set. It might be best to closely monitor the output of imgadm import <imgname>.
Unless you are planning for a large installation, zfs_io_priority, max_lwps, memory, swap and tmpfs sizes can very possibly be set considerably smaller.
Observe that in contrast to usual docker operations, we are able to give the docker container its own private IP. This might be a nice feature if you want to give mutually untrusting parties docker containers on the same hypervisor.
The docker container is provisioned by calling
vmadm(1M) has the details.
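As an added example (not code from the original post), a small lint for an LX docker zone manifest before it is handed to vmadm: it checks the resource controls named above, that each NIC carries a fixed RFC 1918 address, and that no anti-spoofing flag is relaxed. The key names follow vmadm(1M), with "memory" and "swap" mapped to max_physical_memory and max_swap as an assumption; the sample manifest, its UUID and addresses are constructed placeholders, and treating a non-RFC 1918 address as a finding is an assumption suited to an insecure, internal-only registry.

```python
import ipaddress

# Resource controls named on this page, as vmadm(1M) manifest keys.
RESOURCE_KEYS = ("max_physical_memory", "max_swap", "max_lwps",
                 "zfs_io_priority", "tmpfs")
# Per-NIC vmadm(1M) flags that switch off anti-spoofing protection.
SPOOF_FLAGS = ("allow_ip_spoofing", "allow_mac_spoofing",
               "allow_dhcp_spoofing", "allow_restricted_traffic")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def lint_manifest(manifest):
    """Return a list of findings for one LX docker zone manifest (dict)."""
    findings = []
    if manifest.get("brand") != "lx":
        findings.append("brand is not 'lx'")
    if manifest.get("docker") is not True:
        findings.append("docker flag is not set")
    for key in RESOURCE_KEYS:
        if key not in manifest:
            findings.append(f"no explicit {key} limit")
    nics = manifest.get("nics", [])
    if not nics:
        findings.append("zone has no NIC of its own")
    for i, nic in enumerate(nics):
        try:
            addr = ipaddress.ip_address(nic.get("ip", ""))
        except ValueError:  # missing, or "dhcp" instead of a fixed address
            findings.append(f"nic {i}: no static IP ({nic.get('ip')!r})")
        else:
            if not any(addr in net for net in RFC1918):
                findings.append(f"nic {i}: {addr} is not an RFC 1918 address")
        findings += [f"nic {i}: {flag} is enabled"
                     for flag in SPOOF_FLAGS if nic.get(flag)]
    return findings


# Constructed sample manifest; alias, UUID and addresses are placeholders.
SAMPLE = {
    "alias": "registry", "brand": "lx", "docker": True,
    "image_uuid": "00000000-0000-0000-0000-000000000000",
    "max_physical_memory": 512, "max_swap": 1024, "max_lwps": 500,
    "zfs_io_priority": 100,
    "nics": [{"nic_tag": "admin", "ip": "203.0.113.10",
              "netmask": "255.255.255.0", "allow_ip_spoofing": True}],
}

if __name__ == "__main__":
    for finding in lint_manifest(SAMPLE):
        print("FINDING:", finding)
```

To lint a real manifest, load the JSON file into a dict with json.load and pass it to lint_manifest; an empty list means none of these checks fired.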
Pulling and Using Images from Private Docker Registry
Image sources such as the newly created private docker registry can be added (docker registries commonly listen on port 5000) and subsequently imported as such:
Provisioning a Web Interface
curl as an interface to HTTP can be considered inconvenient. Users are usually spoiled and expect web interfaces accessible by browser. Konrad Kleine publishes a docker registry GUI, downloadable and runnable as a docker container.
Again, note that resource consumption controls are heavily over-provisioned.
I have not found a solution to have SmartOS pull docker images from a private and possibly secured v2 registry. For internal use, a v1 registry is sufficient. For external use, nothing prevents you from provisioning a secured v2 registry separately.