There are security restrictions on mounting certain file systems from within a zone. Other file systems exhibit special behavior when mounted in a zone. The list of modified file systems follows.
Autofs is a client-side service that automatically mounts the appropriate file system. When a client attempts to access a file system that is not presently mounted, the AutoFS file system intercepts the request and calls automountd to mount the requested directory. AutoFS mounts established within a zone are local to that zone. The mounts cannot be accessed from other zones, including the global zone. The mounts are removed when the zone is halted or rebooted. For more information on AutoFS, see How Autofs Works in Managing Network File Systems in Oracle Solaris 11.2 .
Each zone runs its own copy of automountd. The auto maps and timeouts are controlled by the zone administrator. You cannot trigger a mount in another zone by crossing an AutoFS mount point for a non-global zone from the global zone.
Certain AutoFS mounts are created in the kernel when another mount is triggered. Such mounts cannot be removed by using the regular umount interface because they must be mounted or unmounted as a group. Note that this functionality is provided for zone shutdown.
MNTFS is a virtual file system that provides read-only access to the table of mounted file systems for the local system. The set of file systems visible by using mnttab from within a non-global zone is the set of file systems mounted in the zone, plus an entry for root (/) . Mount points with a special device that is not accessible from within the zone, such as /dev/rdsk/c0t0d0s0, have their special device set to the same as the mount point. All mounts in the system are visible from the global zone's /etc/mnttab table. For more information on MNTFS, see Mounting File Systems in Managing Network File Systems in Oracle Solaris 11.2 .
NFS mounts established within a zone are local to that zone. The mounts cannot be accessed from other zones, including the global zone. The mounts are removed when the zone is halted or rebooted.
From within a zone, NFS mounts behave as though mounted with the nodevices option.
The nfsstat command output only pertains to the zone in which the command is run. For example, if the command is run in the global zone, only information about the global zone is reported. For more information about the nfsstat command, see nfsstat(1M).
The /proc file system, or PROCFS, provides process visibility and access restrictions as well as information about the zone association of processes. Only processes in the same zone are visible through /proc.
Processes in the global zone can observe processes and other objects in non-global zones. This allows such processes to have system-wide observability.
From within a zone, procfs mounts behave as though mounted with the nodevices option. For more information about procfs, see the proc(4) man page.
The scope of what can be mounted through LOFS is limited to the portion of the file system that is visible to the zone. Hence, there are no restrictions on LOFS mounts in a zone.
When using the zonecfg command to configure storage-based file systems that have an fsck binary, such as UFS, the zone administrator must specify a raw parameter. The parameter indicates the raw (character) device, such as /dev/rdsk/c0t0d0s7. The zoneadmd daemon automatically runs the fsck command in preen mode (fsck –p), which checks and fixes the file system non-interactively, before it mounts the file system. If the fsck fails, zoneadmd cannot bring the zone to the ready state. The path specified by raw cannot be a relative path.
It is an error to specify a device to fsck for a file system that does not provide an fsck binary in /usr/lib/fs/fstype/fsck. It is also an error if you do not specify a device to fsck if an fsck binary exists for that file system.
For more information, see The zoneadmd Daemon and the fsck(1M) command.
In addition to the default dataset described in File Systems Mounted in Zones in Introduction to Oracle Solaris Zones , you can add a ZFS dataset to a non-global zone by using the zonecfg command with the add dataset resource. The dataset is visible and mounted in the non-global zone, and also visible in the global zone. The zone administrator can create and destroy file systems within that dataset, and modify the properties of the dataset.
The zoned attribute of zfs indicates whether a dataset has been added to a non-global zone.
# zfs get zoned tank/sales NAME PROPERTY VALUE SOURCE tank/sales zoned on local
Each dataset that is delegated to a non-global zone through a dataset resource is aliased. The dataset layout is not visible within the zone. Each aliased dataset appears in the zone as if it were a pool. The default alias for a dataset is the last component in the dataset name. For example, if the default alias is used for the delegated dataset tank/sales, the zone will see a virtual ZFS pool named sales. The alias can be customized to be a different value by setting the alias property within the dataset resource.
A dataset named rpool exists within each non-global zone's zonepath dataset. For all non-global zones, this zone rpool dataset is aliased as rpool.
my-zone# zfs list -o name,zoned,mounted,mountpoint NAME ZONED MOUNTED MOUNTPOINT rpool on no /rpool rpool/ROOT on no legacy rpool/ROOT/solaris on yes / rpool/export on no /export rpool/export/home on no /export/home
Dataset aliases are subject to the same name restrictions as ZFS pools. These restrictions are documented in the zpool(1M) man page.
If you want to share a dataset from the global zone, you can add an LOFS-mounted ZFS file system by using the zonecfg command with the add fs subcommand. The global administrator or a user granted the appropriate authorizations is responsible for setting and controlling the properties of the dataset.
For more information on ZFS, see Chapter 9, Oracle Solaris ZFS Advanced Topics, in Managing ZFS File Systems in Oracle Solaris 11.2 .