JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones
search filter icon
search icon

Document Information


Part I Resource Management

1.  Introduction to Solaris 10 Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

15.  Resource Control Functionality in the Solaris Management Console

Part II Zones

16.  Introduction to Solaris Zones

17.  Non-Global Zone Configuration (Overview)

18.  Planning and Configuring Non-Global Zones (Tasks)

19.  About Installing, Halting, Cloning, and Uninstalling Non-Global Zones (Overview)

20.  Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

21.  Non-Global Zone Login (Overview)

22.  Logging In to Non-Global Zones (Tasks)

23.  Moving and Migrating Non-Global Zones (Tasks)

24.  Solaris 10 9/10: Migrating a Physical Solaris System Into a Zone (Tasks)

25.  About Packages and Patches on a Solaris System With Zones Installed (Overview)

26.  Adding and Removing Packages and Patches on a Solaris System With Zones Installed (Tasks)

27.  Solaris Zones Administration (Overview)

What's New in This Chapter?

Global Zone Visibility and Access

Process ID Visibility in Zones

System Observability in Zones

Non-Global Zone Node Name

File Systems and Non-Global Zones

The -o nosuid Option

Mounting File Systems in Zones

Unmounting File Systems in Zones

Security Restrictions and File System Behavior

Non-Global Zones as NFS Clients

Use of mknod Prohibited in a Zone

Traversing File Systems

Restriction on Accessing A Non-Global Zone From the Global Zone

Networking in Shared-IP Non-Global Zones

Shared-IP Zone Partitioning

Shared-IP Network Interfaces

IP Traffic Between Shared-IP Zones on the Same Machine

Solaris IP Filter in Shared-IP Zones

IP Network Multipathing in Shared-IP Zones

Solaris 10 8/07: Networking in Exclusive-IP Non-Global Zones

Exclusive-IP Zone Partitioning

Exclusive-IP Data-Link Interfaces

IP Traffic Between Exclusive-IP Zones on the Same Machine

Solaris IP Filter in Exclusive-IP Zones

IP Network Multipathing in Exclusive-IP Zones

Device Use in Non-Global Zones

/dev and the /devices Namespace

Exclusive-Use Devices

Device Driver Administration

Utilities That Do Not Work or Are Modified in Non-Global Zones

Utilities That Do Not Work in Non-Global Zones

SPARC: Utility Modified for Use in a Non-Global Zone

Running Applications in Non-Global Zones

Resource Controls Used in Non-Global Zones

Fair Share Scheduler on a Solaris System With Zones Installed

FSS Share Division in a Non-Global Zone

Share Balance Between Zones

Extended Accounting on a Solaris System With Zones Installed

Privileges in a Non-Global Zone

Using IP Security Architecture in Zones

IP Security Architecture in Shared-IP Zones

Solaris 10 8/07: IP Security Architecture in Exclusive-IP Zones

Using Solaris Auditing in Zones

Configuring Audit in the Global Zone

Configuring User Audit Characteristics in a Non-Global Zone

Providing Audit Records for a Specific Non-Global Zone

Core Files in Zones

Running DTrace in a Non-Global Zone

About Backing Up a Solaris System With Zones Installed

Backing Up Loopback File System Directories

Backing Up Your System From the Global Zone

Backing Up Individual Non-Global Zones on Your System

Determining What to Back Up in Non-Global Zones

Backing Up Application Data Only

General Database Backup Operations

Tape Backups

About Restoring Non-Global Zones

Commands Used on a Solaris System With Zones Installed

28.  Solaris Zones Administration (Tasks)

29.  Upgrading a Solaris 10 System That Has Installed Non-Global Zones

30.  Troubleshooting Miscellaneous Solaris Zones Problems

Part III lx Branded Zones

31.  About Branded Zones and the Linux Branded Zone

32.  Planning the lx Branded Zone Configuration (Overview)

33.  Configuring the lx Branded Zone (Tasks)

34.  About Installing, Booting, Halting, Cloning, and Uninstalling lx Branded Zones (Overview)

35.  Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks)

36.  Logging In to lx Branded Zones (Tasks)

37.  Moving and Migrating lx Branded Zones (Tasks)

38.  Administering and Running Applications in lx Branded Zones (Tasks)



Networking in Shared-IP Non-Global Zones

On a Solaris system with zones installed, the zones can communicate with each other over the network. The zones all have separate bindings, or connections, and the zones can all run their own server daemons. These daemons can listen on the same port numbers without any conflict. The IP stack resolves conflicts by considering the IP addresses for incoming connections. The IP addresses identify the zone.

Shared-IP Zone Partitioning

The IP stack in a system supporting zones implements the separation of network traffic between zones. Applications that receive IP traffic can only receive traffic sent to the same zone.

Each logical interface on the system belongs to a specific zone, the global zone by default. Logical network interfaces assigned to zones though the zonecfg utility are used to communicate over the network. Each stream and connection belongs to the zone of the process that opened it.

Bindings between upper-layer streams and logical interfaces are restricted. A stream can only establish bindings to logical interfaces in the same zone. Likewise, packets from a logical interface can only be passed to upper-layer streams in the same zone as the logical interface.

Each zone has its own set of binds. Each zone can be running the same application listening on the same port number without binds failing because the address is already in use. Each zone can run its own version of the following services:

Zones other than the global zone have restricted access to the network. The standard TCP and UDP socket interfaces are available, but SOCK_RAW socket interfaces are restricted to Internet Control Message Protocol (ICMP). ICMP is necessary for detecting and reporting network error conditions or using the ping command.

Shared-IP Network Interfaces

Each non-global zone that requires network connectivity has one or more dedicated IP addresses. These addresses are associated with logical network interfaces that can be placed in a zone by using the ifconfig command. Zone network interfaces configured by zonecfg will automatically be set up and placed in the zone when it is booted. The ifconfig command can be used to add or remove logical interfaces when the zone is running. Only the global administrator can modify the interface configuration and the network routes.

Within a non-global zone, only that zone's interfaces will be visible to ifconfig.

For more information, see the ifconfig(1M) and if_tcp(7P) man pages.

IP Traffic Between Shared-IP Zones on the Same Machine

Between two zones on the same machine, packet delivery is only allowed if there is a “matching route” for the destination and the zone in the forwarding table.

The matching information is implemented as follows:

Solaris IP Filter in Shared-IP Zones

Solaris IP Filter provides stateful packet filtering and network address translation (NAT). A stateful packet filter can monitor the state of active connections and use the information obtained to determine which network packets to allow through the firewall. Solaris IP Filter also includes stateless packet filtering and the ability to create and manage address pools. See Chapter 25, Oracle Solaris IP Filter (Overview), in System Administration Guide: IP Services for additional information.

Solaris IP Filter can be enabled in non-global zones by turning on loopback filtering as described in Chapter 26, Oracle Solaris IP Filter (Tasks), in System Administration Guide: IP Services.

Solaris IP Filter is derived from open source IP Filter software.

IP Network Multipathing in Shared-IP Zones

IP network multipathing (IPMP) provides physical interface failure detection and transparent network access failover for a system with multiple interfaces on the same IP link. IPMP also provides load spreading of packets for systems with multiple interfaces.

All network configuration is done in the global zone. You can configure IPMP in the global zone, then extend the functionality to non-global zones. The functionality is extended by placing the zone's address in an IPMP group when you configure the zone. Then, if one of the interfaces in the global zone fails, the non-global zone addresses will migrate to another network interface card. A shared-IP zone can have multiple IP addresses, it can be part of multiple IPMP groups, and a given IPMP group can be used by multiple shared-IP zones.

In a given non-global zone, only the interfaces associated with the zone are visible through the ifconfig command.

See How to Extend IP Network Multipathing Functionality to Shared-IP Non-Global Zones. The zones configuration procedure is covered in How to Configure the Zone. For information on IPMP features, components, and usage, see Chapter 30, Introducing IPMP (Overview), in System Administration Guide: IP Services.