Introduction to Oracle® Solaris Zones

Updated: October 2017

Zone Brands Overview

Native Oracle Solaris Zones

The Oracle Solaris Zones feature is a complete runtime environment for applications. The default solaris branded zone is also known as the native zone. Native zones are managed from the global zone by using the tools zonecfg, zoneadm, and zlogin.

A zone provides a virtual mapping from the application to the platform resources. Zones allow application components to be isolated from one another even though the zones share a single instance of the Oracle Solaris operating system. Zones use resource management components to control how applications use available system resources. For additional information on resource management features, see Administering Resource Management in Oracle Solaris 11.3.

The zone establishes boundaries for resource consumption, such as CPU. These boundaries can be expanded to adapt to changing processing requirements of the application running in the zone.

Native solaris zones cannot contain any other zones within them.

For additional isolation, you can configure zones with a read-only root, called Immutable Zones. See Immutable Zones later in this document for more information.

Oracle Solaris Kernel Zones

The Oracle Solaris Kernel Zones feature provides a full kernel and user environment within a zone, and also increases kernel separation between the host system and the zone. The brand name is solaris-kz. Kernel zones are managed from the global zone by using the existing tools zonecfg, zoneadm, and zlogin. The administrator of a kernel zone has greater flexibility in configuring and managing the zone than the administrator of a default solaris zone. For example, you can fully update and modify the zone's installed packages, including the kernel version, without being limited to the packages installed in the global zone. You can manage storage private to the zone, create and destroy ZFS pools, and configure iSCSI and CIFS. You can install solaris and solaris10 zones within the kernel zone.

A solaris-kz installation is independent of that of the global zone; it is not a pkg(5) linked image and can be modified regardless of the global zone content. A solaris-kz zone can be installed in the same manner as other brands: directly from the global zone, or by using boot media.

When specifying a manifest for installation, use a manifest that is suitable for a global zone installation. Because kernel zones always install into a known location for the root pool, an installation target disk should not be specified.

Boot environment (BE) management is independent of the global zone.

Kernel zones support live migration and warm migration using suspend and resume. You can migrate a kernel zone by suspending the zone on the source system and resuming the zone on the target system. These zones also support cold migration.

To use Oracle Solaris Kernel Zones, the package brand-solaris-kz must be installed on your system. To determine whether your system supports kernel zones, see Hardware and Software Requirements for Oracle Solaris Kernel Zones in Creating and Using Oracle Solaris Kernel Zones. You can also run the virtinfo command on your system. For more information about Oracle Solaris Kernel Zones, see Creating and Using Oracle Solaris Kernel Zones and the solaris-kz(5) man page. For more information about the virtinfo command, see How to Verify That a System Can Support Kernel Zones in Creating and Using Oracle Solaris Kernel Zones and the virtinfo(1M) man page.

Oracle Solaris 10 Zones

Oracle Solaris 10 Zones, also known as solaris10 branded non-global zones, use BrandZ technology to run Oracle Solaris 10 applications on the Oracle Solaris 11 operating system. Applications run unmodified in the secure environment provided by the non-global zone. This enables you to use the Oracle Solaris 10 system to develop, test, and deploy applications. Workloads running within these branded zones can take advantage of the enhancements made to the kernel and utilize some of the innovative technologies available only on the Oracle Solaris 11 release. These zones are used to convert Oracle Solaris 10 systems into zones on Oracle Solaris 11. A solaris10 branded zone cannot be an NFS server.

Oracle Solaris 10 Zones cannot contain any other zones within them.

For more information, see Creating and Using Oracle Solaris 10 Zones.

Zone Brand Comparison

Differences between solaris-kz branded zones and solaris and solaris10 branded zones are shown below.

Table 2  Comparison of Oracle Solaris Zone Brand Features

| Component | solaris-kz Brand | solaris and solaris10 Brands |
|---|---|---|
| Supported Hardware | | Supported on all systems that support the Oracle Solaris 11.3 release. |
| Memory Management | A fixed amount of physical RAM must be allocated to the solaris-kz virtual platform. | Can share the physical RAM allocated to the global zone. |
| Kernel Version | A kernel zone can run a different kernel version or SRU level than the host. | Kernel version must be the same as that of the global zone. |
| Storage and Device Management | Performs all storage access. Kernel zones do not support zpool or rootzpool resources. | Storage can be made available at the file system level through the fs, zpool, and dataset zonecfg resources. |
| Networking | Only exclusive-IP zones are supported. | Exclusive-IP and shared-IP zones are supported. |
| Migration | Supports live, warm, and cold migration. | Supports cold migration. |

About the Branded Zones Framework

By default, a non-global zone on a system runs the same operating system software as the global zone. The branded zone (BrandZ) facility in the Oracle Solaris operating system is a simple extension of Oracle Solaris Zones. The BrandZ framework is used to create non-global branded zones that contain operating environments that are different from that of the global zone. Branded zones are used on the Oracle Solaris operating system to run applications. The BrandZ framework extends the Oracle Solaris Zones infrastructure in a variety of ways. These extensions can be complex, such as providing the capability to run different operating system environments within the zone, or simple, such as enhancing the base zone commands to provide new capabilities. For example, Oracle Solaris 10 Zones are branded non-global zones that can emulate the Oracle Solaris 10 operating system. Even default zones that share the same operating system as the global zone are configured with a brand.

The brand defines the operating environment that can be installed in the zone, and determines how the system will behave within the zone so that the software installed in the zone functions correctly. In addition, a zone's brand is used to identify the correct application type at application launch time. All branded zone management is performed through extensions to the standard zones structure. Most administration procedures are identical for all zones.

The resources included in the configuration by default, such as defined file systems and privileges, are covered in the documentation for the zone brands referenced in For More Information About Zones.

BrandZ extends the zones tools in the following ways:

  • The zonecfg command is used to set a zone's brand type when the zone is configured.

  • The zoneadm command is used to report a zone's brand type as well as administer the zone.

Although you can configure and install branded zones on an Oracle Solaris Trusted Extensions system that has labels enabled, you cannot boot branded zones on this system configuration, unless the brand being booted is the labeled brand on a certified system configuration.

You can change the brand of a zone that is in the configured state. Once a branded zone has been installed, the brand cannot be changed or removed.
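The following check is an added example, not part of the Oracle documentation. It reads the parseable output of zoneadm list -cp and reports, for each zone, its brand, whether the brand can still be changed (configured state only), and whether a solaris-kz zone has an IP type other than exclusive-IP, which the comparison table rules out. It assumes the field order zoneid:zonename:state:zonepath:uuid:brand:ip-type and zone paths that contain no colon; the zone names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: audit zone brands from `zoneadm list -cp` output.
# Assumed field order: zoneid:zonename:state:zonepath:uuid:brand:ip-type
# Assumes no zonepath contains a ':' character.

audit_zone_brands() {
    awk -F: '
    NF < 7 { printf "SKIP line %d: expected at least 7 fields\n", NR; next }
    {
        name = $2; state = $3; brand = $6; iptype = $7
        # A brand can be changed only while the zone is in the configured state.
        change = (state == "configured") ? "brand-changeable" : "brand-fixed"
        note = "ok"
        # Kernel zones support exclusive-IP networking only.
        if (brand == "solaris-kz" && iptype != "excl")
            note = "CHECK: solaris-kz requires exclusive-IP"
        else if (brand != "solaris" && brand != "solaris-kz" &&
                 brand != "solaris10" && brand != "labeled")
            note = "CHECK: brand not named on this page"
        printf "%s brand=%s state=%s ip=%s %s %s\n",
               name, brand, state, iptype, change, note
    }'
}

# Constructed sample input (not captured from a real system).
sample_zones() {
    cat <<'EOF'
0:global:running:/::solaris:shared
1:web01:running:/zones/web01:00000000-0000-0000-0000-000000000001:solaris:excl
-:legacy10:configured:/zones/legacy10::solaris10:shared
-:kz01:installed:-:00000000-0000-0000-0000-000000000002:solaris-kz:shared
2:kz02:running:-:00000000-0000-0000-0000-000000000003:solaris-kz:excl
truncated:line
EOF
}

# On a live system, run: zoneadm list -cp | audit_zone_brands
sample_zones | audit_zone_brands
```
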


Caution  -  If you plan to migrate your existing Oracle Solaris 10 system into a solaris10 branded zone on a system running the Oracle Solaris 11 release, you must migrate any existing zones to the target system first. Because solaris10 zones do not nest, the system migration process renders any existing zones unusable. See Chapter 3, Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone in Creating and Using Oracle Solaris 10 Zones for more information.


Processes Running in a Branded Zone

Branded zones provide a set of interposition points in the kernel that are only applied to processes executing in a branded zone.

  • These points are found in such paths as the syscall path, the process loading path, and the thread creation path.

  • At each of these points, a brand can choose to supplement or replace the standard Oracle Solaris behavior.

A brand can also provide a plug-in library for librtld_db. The plug-in library allows Oracle Solaris tools such as the debugger, described in mdb(1), and DTrace, described in dtrace(1M), to access the symbol information of processes running inside a branded zone.

Note that zones do not support statically linked binaries.

Zone Brands In Related Oracle Solaris Products

This section provides information about Oracle Solaris Zones used in other Oracle Solaris family products.

Oracle Solaris Zones on an Oracle Solaris Trusted Extensions System

Oracle Solaris Trusted Extensions uses a zone brand called labeled.

For information about using zones on an Oracle Solaris Trusted Extensions system, see Chapter 13, Managing Zones in Trusted Extensions in Trusted Extensions Configuration and Administration. Note that only the labeled brand can be booted on an Oracle Solaris Trusted Extensions system.

Oracle Solaris Cluster Zone Clusters

Zone clusters are a feature of Oracle Solaris Cluster software. A zone cluster is a group of non-global zones that serve as the nodes of the zone cluster. One non-global zone is created on each global cluster node that is configured with the zone cluster. The nodes of a zone cluster can be of either the solaris brand or the solaris10 brand, and use the cluster attribute. No other brand type is permitted except labeled if the cluster is using Oracle Solaris Trusted Extensions. You can run supported services on the zone cluster in the same way as on a global cluster, with the isolation that is provided by zones. For more information, see the Oracle Solaris Cluster 4.3 System Administration Guide.