Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones Oracle Solaris Legacy Containers |
1. Introduction to Solaris 10 Resource Management
2. Projects and Tasks (Overview)
3. Administering Projects and Tasks
4. Extended Accounting (Overview)
5. Administering Extended Accounting (Tasks)
6. Resource Controls (Overview)
7. Administering Resource Controls (Tasks)
8. Fair Share Scheduler (Overview)
9. Administering the Fair Share Scheduler (Tasks)
10. Physical Memory Control Using the Resource Capping Daemon (Overview)
11. Administering the Resource Capping Daemon (Tasks)
13. Creating and Administering Resource Pools (Tasks)
14. Resource Management Configuration Example
15. Resource Control Functionality in the Solaris Management Console
16. Introduction to Solaris Zones
17. Non-Global Zone Configuration (Overview)
18. Planning and Configuring Non-Global Zones (Tasks)
19. About Installing, Halting, Cloning, and Uninstalling Non-Global Zones (Overview)
20. Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)
21. Non-Global Zone Login (Overview)
22. Logging In to Non-Global Zones (Tasks)
23. Moving and Migrating Non-Global Zones (Tasks)
24. Oracle Solaris 10 9/10: Migrating a Physical Oracle Solaris System Into a Zone (Tasks)
25. About Packages and Patches on an Oracle Solaris System With Zones Installed (Overview)
27. Oracle Solaris Zones Administration (Overview)
Global Zone Visibility and Access
Process ID Visibility in Zones
File Systems and Non-Global Zones
Mounting File Systems in Zones
Unmounting File Systems in Zones
Security Restrictions and File System Behavior
Non-Global Zones as NFS Clients
Use of mknod Prohibited in a Zone
Restriction on Accessing A Non-Global Zone From the Global Zone
Networking in Shared-IP Non-Global Zones
IP Traffic Between Shared-IP Zones on the Same Machine
Oracle Solaris IP Filter in Shared-IP Zones
IP Network Multipathing in Shared-IP Zones
Oracle Solaris 10 8/07: Networking in Exclusive-IP Non-Global Zones
Exclusive-IP Zone Partitioning
Exclusive-IP Data-Link Interfaces
IP Traffic Between Exclusive-IP Zones on the Same Machine
Oracle Solaris IP Filter in Exclusive-IP Zones
IP Network Multipathing in Exclusive-IP Zones
Device Use in Non-Global Zones
/dev and the /devices Namespace
Utilities That Do Not Work or Are Modified in Non-Global Zones
Running Applications in Non-Global Zones
Resource Controls Used in Non-Global Zones
Fair Share Scheduler on an Oracle Solaris System With Zones Installed
FSS Share Division in a Non-Global Zone
Extended Accounting on an Oracle Solaris System With Zones Installed
Privileges in a Non-Global Zone
Using IP Security Architecture in Zones
IP Security Architecture in Shared-IP Zones
Oracle Solaris 10 8/07: IP Security Architecture in Exclusive-IP Zones
Using Oracle Solaris Auditing in Zones
Configuring Audit in the Global Zone
Configuring User Audit Characteristics in a Non-Global Zone
Providing Audit Records for a Specific Non-Global Zone
Running DTrace in a Non-Global Zone
About Backing Up an Oracle Solaris System With Zones Installed
Backing Up Loopback File System Directories
Backing Up Your System From the Global Zone
Backing Up Individual Non-Global Zones on Your System
Determining What to Back Up in Non-Global Zones
Backing Up Application Data Only
General Database Backup Operations
About Restoring Non-Global Zones
Commands Used on an Oracle Solaris System With Zones Installed
28. Oracle Solaris Zones Administration (Tasks)
29. Upgrading an Oracle Solaris 10 System That Has Installed Non-Global Zones
30. Troubleshooting Miscellaneous Oracle Solaris Zones Problems
31. About Branded Zones and the Linux Branded Zone
32. Planning the lx Branded Zone Configuration (Overview)
33. Configuring the lx Branded Zone (Tasks)
34. About Installing, Booting, Halting, Cloning, and Uninstalling lx Branded Zones (Overview)
35. Installing, Booting, Halting, Uninstalling and Cloning lx Branded Zones (Tasks)
36. Logging In to lx Branded Zones (Tasks)
37. Moving and Migrating lx Branded Zones (Tasks)
38. Administering and Running Applications in lx Branded Zones (Tasks)
The set of devices available within a zone is restricted to prevent a process in one zone from interfering with processes running in other zones. For example, a process in a zone cannot modify kernel memory or modify the contents of the root disk. Thus, by default, only certain pseudo-devices that are considered safe for use in a zone are available. Additional devices can be made available within specific zones be using the zonecfg utility.
The devfs file system described in the devfs(7FS) man page is used by the Oracle Solaris system to manage /devices. Each element in this namespace represents the physical path to a hardware device, pseudo-device, or nexus device. The namespace is a reflection of the device tree. As such, the file system is populated by a hierarchy of directories and device special files.
The /dev file hierarchy, which is today part of the / (root) file system, consists of symbolic links, or logical paths, to the physical paths present in /devices. Applications reference the logical path to a device presented in /dev. The /dev file system is loopback-mounted into the zone using a read-only mount.
The /dev file hierarchy is managed by a system comprised of the components in the following list:
devfsadm (see the devfsadm(1M) man page)
syseventd (see the syseventd(1M) man page)
libdevinfo device information library (see the libdevinfo(3LIB) man page)
devinfo driver (see the devinfo(7D) man page)
Reconfiguration Coordination Manager (RCM) (see Reconfiguration Coordination Manager (RCM) Script Overview in System Administration Guide: Devices and File Systems)
Caution - Subsystems that rely on /devices path names are not able to run in non-global zones until /dev path names are established. |
You might have devices that you want to assign to specific zones. Allowing unprivileged users to access block devices could permit those devices to be used to cause system panic, bus resets, or other adverse effects. Before making such assignments, consider the following issues:
Before assigning a SCSI tape device to a specific zone, consult the sgen(7D) man page.
Placing a physical device into more than one zone can create a covert channel between zones. Global zone applications that use such a device risk the possibility of compromised data or data corruption by a non-global zone.
In a non-global zone, you can use the modinfo command described in the modinfo(1M) man page to examine the list of loaded kernel modules.
Most operations concerning kernel, device, and platform management will not work inside a non-global zone because modifying platform hardware configurations violates the zone security model. These operations include the following:
Adding and removing drivers
Explicitly loading and unloading kernel modules
Initiating dynamic reconfiguration (DR) operations
Using facilities that affect the state of the physical platform
The following utilities do not work in a zone because they rely on devices that are not normally available:
cdrecord (See the man page in the /usr/share/man/man1 directory. )
cdrw (see the cdrw(1) man page)
rmformat (see the rmformat(1) man page)
add_drv (see the add_drv(1M) man page)
disks (see the disks(1M) man page)
prtconf (see the prtconf(1M) man page)
prtdiag (see the prtdiag(1M) man page)
rem_drv (see the rem_drv(1M) man page)
The eeprom utility can be used in a zone to view settings. The utility cannot be used to change settings. For more information, see the eeprom(1M) and openprom(7D) man pages.