That was a different discussion, where I was simply pointing out the reasons I didn't like Zones. But this discussion is harder for Solaris to win, because you have to line Zones up against the very real and powerful virtualization systems Linux already has, like Xen.
We consult all the time for F500 companies with pools of Solaris boxes. Some of them use Zones. None of them virtualize Solaris. All of them virtualize Linux, and can move entire Linux servers from machine to machine from a UI. It is hard to convince me that Solaris has any kind of edge in the server market.
I sincerely would love to hear of the concrete problems with Solaris Zones, because I am deploying a system based on Solaris Zones very soon.
I don't think security is an issue; it is true that there could be a security bug that would let some malicious code escape from a non-global zone to the global zone. But, AFAICT, that could happen with Xen too. Plus, if there is malicious code executing in a non-global zone then I'm already screwed, since that is where my applications and data are.
Xen's live migration requires shared storage (AFAICT), which I don't have. That means that for my systems, Xen migration would work exactly the same as Zones migration (shut down the guest, move it to the new system, and start it up).
I chose Solaris Zones because (1) Zones have extremely low resource consumption, (2) they are extremely simple to manage, (3) they are extremely simple to backup and restore when the zone is on ZFS, and (4) I get to use all the Solaris manageability features.
Let's start with this: I have a documented security finding in Zones. I'm not sure if it's been published and patched yet, and I'm not pointing it out, but you can track me down on LinkedIn or, I don't know, a lot of other places if you need bona fides.
Then think about the difference between Xen and Zones:
Zones share a kernel.
Xen machines do not.
This has two security implications:
* It is possible for there to be bugs that will allow one zone to see kernel resources (files, sockets, pids, IPC descriptors, etc) from another zone. It is impossible for that to happen with Xen, because VMs don't even know about each other.
* The majority of Solaris (and Linux) kernel vulnerabilities in the last several years have been kernel vulnerabilities, which Zones don't protect you from. The Xen hypervisor is significantly smaller than the Solaris kernel, and has had a far better security track record.