Immutable global zones extend immutable non-global zones to global zones.
To configure an immutable global zone is similar to configuring an immutable non-global zone. The MWAC security policy is set with the zonecfg command, as Setting the MWAC Security Policy describes. After committing the zone configuration, the boot information is written and the boot archive is updated. The global zone becomes immutable immediately. No reboot is necessary.
The following information is specific to immutable global zones:
If the global zone uses DHCP to set network interfaces, the flexible-configuration MWAC policy must be selected.
The rpool dataset is restricted.
You can add an unrestricted sub-dataset by using the zonecfg add dataset command. An immutable global zone can only run zones in unrestricted datasets. All the children of an unrestricted dataset are also unrestricted.
When you run a package update on the immutable global zone, the first boot is read-write. The system needs these permissions to perform the required self-assembly steps. When the self-assembly steps have been performed, the system becomes immutable again.