by tptacek 6472 days ago
You're almost making an apples-to-oranges comparison here, albeit a comparison I begged you to make.

Solaris Zones aren't virtualization. They're an isolation feature that tries to find all the shared kernel namespaces between applications to present the illusion of multiple machines. "Zoned" applications share a running kernel instance, and share a number of kernel namespaces that are not carefully isolated.

VMWare images do not share kernels. Their entire running state can be frozen and shipped across a network (or marshalled out to an iSCSI SAN) on demand.

I think Solaris Zones are a pretty crappy answer to "virtualization". It's basically just a stronger version of chroot. It's inferior to VMWare-style virtualization on security (all zones on a single Solaris instance are vulnerable to the same kernel flaws, and kernel flaws have been the majority of Solaris security issues over the past several years), and they're inferior on management and logistics.


As others have said, VMWare is virtualization and Zones is not. Solaris Zones provides a high degree of isolation that is sufficient for the vast majority of cases that Xen is being used for, with virtually ZERO runtime overhead, simple and fast configuration, and streamlined maintenance. If you need more isolation than Zones offers then you probably have to skip Xen and go with a fully virtualized solution like VMware or similar. The cost of that extra isolation is a notable increase in runtime overhead, setup effort, and maintenance cost.
Things an enterprise gets with Xen/VMWare that they don't get with Zones:

* A security model that extends through the kernel

* A performance and resource sharing model that extends through the kernel

* Push-button migration

* Support for anything other than Solaris

* "Hardware"-level suspend/resume

* Centralized management

I can go on and on about the security implications of Zones (and Jails) --- I don't think this model is well thought-through. But on the feature-list alone, Zones (and Jails) are a pale shadow of what the "mainstream" OS's offer today.

What do you mean by "security model that extends through the kernel" and "A performance and resource sharing model that extends through the kernel"?

I don't believe that most people need the suspend/resume/migration feature. If you have a cluster that can handle system failure then you can easily migrate a zone the same way you would deal with a failed system.

Anyway, I agree that VMWare/Xen offers important features for pausing and moving running applications. I use those features of VMWare every day. But, most people will do very well with Zones because they don't need and won't use and didn't learn and don't want to pay for the extra features that VMWare offers.

Again: any Solaris kernel vulnerability likely allows a non-root zone to compromise the root zone. There are other real and potential problems with pretending that kernel security is just about the filesystem namespace and some additional access control on the process table, but "one kernel memory corruption bug costs you the whole server" is a simple enough security problem to get your head around.

VMWare does not have this problem --- you need both a kernel fault (not rare) and a hypervisor fault (quite rare) to take over a whole VMWare server.

You can say "most people don't need" the features Zones don't offer, but I see my clients using them, and expect they'd mention them immediately if asked why they use VMWare.

Very few people will do well with Zones, because very few people still deploy Solaris. The choice between shelling out for Sun gear and shelling out for ESX is a no-brainer.