Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management (Oracle Solaris 11 Information Library)
How Zones Work

A non-global zone can be thought of as a box. One or more applications can run in this box without interacting with the rest of the system. Zones isolate software applications or services by using flexible, software-defined boundaries. Applications that are running in the same instance of the Oracle Solaris operating system can then be managed independently of one another. Thus, different versions of the same application can be run in different zones, to match the requirements of your configuration.

A process assigned to a zone can manipulate, monitor, and directly communicate with other processes that are assigned to the same zone. The process cannot perform these functions with processes that are assigned to other zones in the system or with processes that are not assigned to a zone. Processes that are assigned to different zones are only able to communicate through network APIs.

IP networking can be configured in two different ways, depending on whether the zone has its own exclusive IP instance or shares the IP layer configuration and state with the global zone. Exclusive IP is the default type. For more information about IP types in zones, see Zone Network Interfaces. For configuration information, see How to Configure the Zone.

Every Oracle Solaris system contains a global zone. The global zone has a dual function. The global zone is both the default zone for the system and the zone used for system-wide administrative control. All processes run in the global zone if no non-global zones, referred to simply as zones, are created by the global administrator or a user with the Zone Security profile.

The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Only the global zone is bootable from the system hardware. Administration of the system infrastructure, such as physical devices, routing in a shared-IP zone, or dynamic reconfiguration (DR), is only possible in the global zone. Appropriately privileged processes running in the global zone can access objects associated with other zones.

Unprivileged processes in the global zone might be able to perform operations not allowed to privileged processes in a non-global zone. For example, users in the global zone can view information about every process in the system. If this capability presents a problem for your site, you can restrict access to the global zone.

Each zone, including the global zone, is assigned a zone name. The global zone always has the name global. Each zone is also given a unique numeric identifier, which is assigned by the system when the zone is booted. The global zone is always mapped to ID 0. Zone names and numeric IDs are discussed in Using the zonecfg Command.

Each zone also has a node name that is completely independent of the zone name. The node name is assigned by the administrator of the zone. For more information, see Non-Global Zone Node Name.

Each zone has a path to its root directory that is relative to the global zone's root directory. For more information, see Using the zonecfg Command.

The scheduling class for a non-global zone is set to the scheduling class for the system by default. See Scheduling Class for a discussion of methods used to set the scheduling class in a zone.

Summary of Zones by Function

The following table summarizes the characteristics of global and non-global zones.

Global zone
  • Is assigned ID 0 by the system

  • Provides the single instance of the Oracle Solaris kernel that is bootable and running on the system

  • Contains a complete installation of the Oracle Solaris system software packages

  • Can contain additional software packages or additional software, directories, files, and other data not installed through packages

  • Provides a complete and consistent product database that contains information about all software components installed in the global zone

  • Holds configuration information specific to the global zone only, such as the global zone host name and file system table

  • Is the only zone that is aware of all devices and all file systems

  • Is the only zone with knowledge of non-global zone existence and configuration

  • Is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled

Non-global zone
  • Is assigned a zone ID by the system when the zone is booted

  • Shares operation under the Oracle Solaris kernel booted from the global zone

  • Contains an installed subset of the complete Oracle Solaris operating system software packages

  • Can contain additional installed software packages

  • Can contain additional software, directories, files, and other data created on the non-global zone that are not installed through packages

  • Has a complete and consistent product database that contains information about all software components installed on the zone

  • Is not aware of the existence of any other zones

  • Cannot install, manage, or uninstall other zones, including itself

  • Has configuration information specific to that non-global zone only, such as the non-global zone host name and file system table

  • Can have its own time zone setting

How Non-Global Zones Are Administered

A global administrator has superuser privileges or equivalent administrative rights. When logged in to the global zone, the global administrator can monitor and control the system as a whole.

A non-global zone can be administered by a zone administrator. The global administrator assigns the required authorizations to the zone administrator as described in admin Resource. The privileges of a zone administrator are confined to a specific non-global zone.

How Non-Global Zones Are Created

You can specify the configuration and installation of non-global zones as part of an Automated Install (AI) client installation. See Installing Oracle Solaris 11 Systems for more information.

To create a zone on an Oracle Solaris 11 system, the global administrator uses the zonecfg command to configure a zone by specifying various parameters for the zone's virtual platform and application environment. The zone is then installed by the global administrator, who uses the zone administration command zoneadm to install software at the package level into the file system hierarchy established for the zone. The zoneadm command is used to boot the zone. The global administrator or authorized user can then log in to the installed zone by using the zlogin command. If role-based access control (RBAC) is in use, the zone administrator must have the authorization solaris.zone.manage/zonename.

For information about zone configuration, see Chapter 16, Non-Global Zone Configuration (Overview). For information about zone installation, see Chapter 18, About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview). For information about zone login, see Chapter 20, Non-Global Zone Login (Overview).

Non-Global Zone State Model

A non-global zone can be in one of the following six states:

Configured

The zone's configuration is complete and committed to stable storage. However, those elements of the zone's application environment that must be specified after initial boot are not yet present.

Incomplete

During an install or uninstall operation, zoneadm sets the state of the target zone to incomplete. Upon successful completion of the operation, the state is set to the correct state.

A damaged installed zone can be marked incomplete by using the mark subcommand of zoneadm. Zones in the incomplete state are shown in the output of zoneadm list -iv.

Installed

The zone's configuration is instantiated on the system. The zoneadm command is used to verify that the configuration can be successfully used on the designated Oracle Solaris system. Packages are installed under the zone's root path. In this state, the zone has no associated virtual platform.

Ready

The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are set up and made available to the zone, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.

Running

User processes associated with the zone application environment are running. The zone enters the running state as soon as the first user process associated with the application environment (init) is created.

Shutting down and Down

These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.

Chapter 19, Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks) and the zoneadm(1M) man page describe how to use the zoneadm command to initiate transitions between these states.

Table 15-1 Commands That Affect Zone State

Current zone state, with the commands applicable in that state:

Configured
zonecfg -z zonename verify

zonecfg -z zonename commit

zonecfg -z zonename delete

zoneadm -z zonename attach

zoneadm -z zonename verify

zoneadm -z zonename install

zoneadm -z zonename clone

You can also use zonecfg to rename a zone in the configured or installed state.

Incomplete
zoneadm -z zonename uninstall
Installed
zoneadm -z zonename ready (optional)

zoneadm -z zonename boot

zoneadm -z zonename uninstall uninstalls the configuration of the specified zone from the system.

zoneadm -z zonename move path

zoneadm -z zonename detach

zonecfg -z zonename can be used to add or remove an attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, net, rctl, or scheduling-class property. You can also rename a zone in the installed state.

Ready
zoneadm -z zonename boot

zoneadm halt and system reboot return a zone in the ready state to the installed state.

zonecfg -z zonename can be used to add or remove attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, net, rctl, or scheduling-class property.

Running
zlogin options zonename

zoneadm -z zonename reboot

zoneadm -z zonename halt returns a ready zone to the installed state.

zoneadm halt and system reboot return a zone in the running state to the installed state.

zoneadm -z zonename shutdown cleanly shuts down the zone.

zonecfg -z zonename can be used to add or remove an attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, anet, net, rctl, or scheduling-class property. The zonepath resource cannot be changed.

Note - Parameters changed through zonecfg do not affect a running zone. The zone must be rebooted for the changes to take effect.

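Two of the states above deserve routine attention from the global zone: incomplete (a damaged or half-installed zone) and a zone that stays in shutting down or down because it could not halt. As an added example that is not part of the Oracle manual, this Python script parses a constructed zoneadm list -iv listing (the column layout, the sample zones and the status strings are assumptions drawn from the text) and flags those zones, and also checks that the global zone is present as ID 0 and running.

```python
# Six-state model from the text: configured, incomplete, installed, ready,
# running, and the transitional pair shutting_down / down. Two groups
# deserve attention: a damaged or half-installed zone (incomplete) and a
# zone that failed to halt and lingers in a transitional state.
DAMAGED_STATES = {"incomplete"}
TRANSITIONAL_STATES = {"shutting_down", "down"}

# Constructed sample in the `zoneadm list -iv` column layout
# (ID NAME STATUS PATH BRAND IP); assumed, not captured from a real host.
SAMPLE_LISTING = """\
  ID NAME      STATUS         PATH              BRAND    IP
   0 global    running        /                 solaris  shared
   3 web01     running        /zones/web01      solaris  excl
   - db01      installed      /zones/db01       solaris  excl
   - stale01   incomplete     /zones/stale01    solaris  excl
   7 batch01   shutting_down  /zones/batch01    solaris  excl
"""

def parse_zone_listing(text):
    """Return one dict per data row; the header row and blank lines are skipped."""
    zones = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] == "ID":
            continue
        zid, name, status, path, brand, ip = fields
        zones.append({"id": zid, "name": name, "status": status,
                      "path": path, "brand": brand, "ip": ip})
    return zones

def audit_zones(text):
    """Flag zones that need attention and sanity-check the global zone."""
    report = {"damaged": [], "stuck": [], "global_errors": []}
    zones = parse_zone_listing(text)
    for z in zones:
        if z["status"] in DAMAGED_STATES:
            report["damaged"].append(z["name"])
        elif z["status"] in TRANSITIONAL_STATES:
            report["stuck"].append(z["name"])
    # The global zone always exists and is always mapped to ID 0; it is the
    # zone the system booted from, so anything else is a parsing or host
    # problem worth raising rather than silently ignoring.
    g = [z for z in zones if z["name"] == "global"]
    if len(g) != 1:
        report["global_errors"].append("expected exactly one global zone")
    elif g[0]["id"] != "0" or g[0]["status"] != "running":
        report["global_errors"].append("global zone is not ID 0 and running")
    return report

if __name__ == "__main__":
    for key, names in audit_zones(SAMPLE_LISTING).items():
        print(f"{key}: {names}")
```
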
Non-Global Zone Characteristics

A zone provides isolation at almost any level of granularity you require. A zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can either be multiplexed across a number of zones running within a single domain or system, or allocated on a per-zone basis using the resource management features available in the operating system.

Each zone can provide a customized set of services. To enforce basic process isolation, a process can see or signal only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone IP network connectivity. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

Files used by naming services reside within a zone's own root file system view. Thus, naming services in different zones are isolated from one another, and the services can be configured differently.

Using Resource Management Features With Non-Global Zones

If you use resource management features, you should align the boundaries of the resource management controls with those of the zones. This alignment creates a more complete model of a virtual machine, where namespace access, security isolation, and resource usage are all controlled.

Any special requirements for using the various resource management features with zones are addressed in the individual chapters of this manual that document those features.

Monitoring Non-Global Zones

To report on the CPU, memory, and resource control utilization of the currently running zones, see Using the zonestat Utility in a Non-Global Zone. The zonestat utility also reports on network bandwidth utilization in exclusive-IP zones. An exclusive-IP zone has its own IP-related state and one or more dedicated data-links.