This section provides an overview of zone administration information for non-global zones.
You can specify the configuration and installation of non-global zones as part of an Automated Install (AI) client installation. See Installing Oracle Solaris 11.3 Systems for more information. Oracle Solaris Kernel Zones primarily are created using the direct installation method. Kernel zone creation methods are documented in Installing a Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.
To create a zone on an Oracle Solaris system, the administrator uses the zonecfg command to configure a zone by specifying various parameters for the zone's virtual platform and application environment. The zone is then installed by the administrator with the zoneadm command. This installs software at the package level into the file system hierarchy established for the zone. The zoneadm command also boots the zone. An administrator or authorized user can then log in to the installed zone by using the zlogin command. If role-based access control (RBAC) is in use, the zone administrator must be assigned the appropriate rights profile.
For information about rights to administer zones, see Assigning Rights to Non-Root Users to Manage Zones in Creating and Using Oracle Solaris Zones.
For information about zone configuration, see Chapter 1, Configuration Resources for Non-Global Zones in Oracle Solaris Zones Configuration Resources.
For information about zone installation, see Chapter 2, About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones in Creating and Using Oracle Solaris Zones.
For information about zone login, see Chapter 4, About Non-Global Zone Login in Creating and Using Oracle Solaris Zones.
For information about Oracle Solaris Kernel Zones, see Creating and Using Oracle Solaris Kernel Zones.
An administrator can have superuser rights or rights just to administer zones. When logged in to the global zone, an administrator with the appropriate rights can monitor and control the system as a whole.
A non-global zone can be administered by a zone administrator. An administrator in the global zone assigns the required rights to the zone administrator. See Assigning Rights to Non-Root Users to Manage Zones in Creating and Using Oracle Solaris Zones and admin Resource for Zones in Oracle Solaris Zones Configuration Resources. The admin resource privileges of a zone administrator are confined to a specific non-global zone.
A non-global zone can be in one of the following seven states:
configured: The zone's configuration is complete and committed to stable storage. However, those elements of the zone's application environment that must be specified after initial boot are not yet present.
incomplete: During an install or uninstall operation, zoneadm sets the state of the target zone to incomplete. Upon successful completion of the operation, the state is set to the correct state.
A damaged installed zone can be marked incomplete by using the mark subcommand of zoneadm. Zones in the incomplete state are shown in the output of zoneadm list -iv.
unavailable: Indicates that the zone has been installed, but cannot be verified, made ready, booted, or moved. A zone enters the unavailable state at the following times:
When the zone's storage is unavailable and svc:/system/zones:default begins, such as during system boot
When the zone's storage is unavailable
When archive-based installations fail after successful archive extraction
When the zone's software is incompatible with the global zone's software, such as after an improper -F (force) attach
installed: The zone's configuration is instantiated on the system. The zoneadm command is used to verify that the configuration can be successfully used on the designated Oracle Solaris system. Packages are installed under the zone's root path. In this state, the zone has no associated virtual platform.
ready: The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are set up and made available to the zone, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.
running: User processes associated with the zone application environment are running. The zone enters the running state as soon as the first user process associated with the application environment (init) is created.
shutting_down and down: These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.
Chapter 3, Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones in Creating and Using Oracle Solaris Zones and the zoneadm(1M) man page describe how to use the zoneadm command to initiate transitions between these states.
In addition to the states available to all non-global zones, Oracle Solaris Kernel Zones have auxiliary states which provide the host system with additional information about the current zone state. Auxiliary states are set during migration, debugging, and kernel maintenance operations.
suspended: When a kernel zone is suspended with the zoneadm suspend command, the zone is in the installed state with the suspended auxiliary state. In the case of warm migration, zoneadm detach clears the suspended auxiliary state on the source system. The zoneadm attach command on the target system brings the zone from configured to installed with the suspended auxiliary state. The zone will resume on the next boot.
debugging: The zone is in the kernel debugger, kmdb. The zone is running, but the zone cannot respond to external events, such as networking. The zlogin command checks for this state and waits until the state is cleared before starting a zlogin session.
panicked: The zone has panicked. The zone cannot respond to external events until it is shut down or rebooted. You must use the console login to log in to a zone in this state.
migrating-out: The zone is running and being live migrated to another host system.
migrating-in: The zone has been booted on the target host and the zone is receiving the migrated image. The zone will be running when migration is complete.
For additional information, see Creating and Using Oracle Solaris Kernel Zones and the solaris-kz(5) man page.
The zone state determines which zonecfg, zoneadm, and zlogin commands can be used on the zone.
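The following script is an added example, not part of the Oracle manual: it parses constructed zoneadm list -pc style output (the field layout zoneid:zonename:state:zonepath:... is assumed; only the first three fields are used) and maps each zone's state to the next lifecycle step the states above allow, so an administrator can see at a glance which zones are ready to boot, which are waiting on an unfinished install, and which cannot be booted at all.

```shell
#!/bin/sh
# Added example (not from the Oracle manual). The listing below is
# constructed sample data shaped like "zoneadm list -pc" output; the
# assumed field layout is zoneid:zonename:state:zonepath:uuid:brand:ip-type.
ZONE_LIST='0:global:running:/:-:solaris:shared
-:web01:configured:/system/zones/web01:-:solaris:excl
-:db01:installed:/system/zones/db01:-:solaris:excl
-:app01:incomplete:/system/zones/app01:-:solaris:excl
-:old01:unavailable:/system/zones/old01:-:solaris:excl
-:kz01:running:/system/zones/kz01:-:solaris-kz:excl'

# Print the state of one zone, or "unknown" if it is not in the listing.
zone_state() {
    printf '%s\n' "$ZONE_LIST" |
        awk -F: -v z="$1" '$2 == z { print $3; found = 1 }
                           END { if (!found) print "unknown" }'
}

# Map a zone state to the next administrative step the state permits.
# Returns 1 for a state that is not one of the documented zone states.
next_step() {
    case "$1" in
        configured)  echo "zoneadm -z ZONE install" ;;
        installed)   echo "zoneadm -z ZONE boot" ;;
        ready)       echo "zoneadm -z ZONE boot" ;;
        running)     echo "zlogin ZONE" ;;
        # install/uninstall did not finish: clean up before trying again
        incomplete)  echo "zoneadm -z ZONE uninstall" ;;
        # cannot be verified, made ready, booted or moved
        unavailable) echo "zoneadm -z ZONE uninstall (cannot boot)" ;;
        shutting_down|down) echo "wait for the halt of ZONE to finish" ;;
        *) echo "no action: unknown state $1"; return 1 ;;
    esac
}

# Combine both: the concrete next command for a named zone.
zone_next_step() {
    st=$(zone_state "$1")
    next_step "$st" | sed "s/ZONE/$1/"
}

# Report for every zone in the listing (only when run as a script).
if [ "${1:-}" = "report" ]; then
    printf '%s\n' "$ZONE_LIST" | awk -F: '{ print $2 }' | while read -r z; do
        printf '%-8s %-12s %s\n' "$z" "$(zone_state "$z")" "$(zone_next_step "$z")"
    done
fi
```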
A zone provides isolation at almost any level of granularity you require. A zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can either be multiplexed across a number of zones running within a single domain or system, or allocated on a per-zone basis using the resource management features available in the operating system.
Each zone can provide a customized set of services. To enforce basic process isolation, a process can see or signal only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone IP network connectivity. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.
Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.
Files used by naming services reside within a zone's own root file system view. Thus, naming services in different zones are isolated from one another and the services can be configured differently.
If you use resource management features, you should align the boundaries of the resource management controls with those of the zones. This alignment creates a more complete model of a virtual machine, where namespace access, security isolation, and resource usage are all controlled.
Any special requirements for using the various resource management features with zones are addressed in the individual chapters of this manual that document those features.
Zones-related Service Management Facility (SMF) services in the global zone include the following:
svc:/system/zones:default: Starts each zone that has autoboot=true.
svc:/system/zones-install:default: Performs zone installation on first boot, if needed.
svc:/application/pkg/zones-proxyd:default: Used by the packaging system to provide zones access to the system repository.
svc:/application/pkg/system-repository:default: Caching proxy server that caches pkg data and metadata used during zone installation and other pkg operations. See the pkg(1) and pkg(5) man pages.
svc:/system/zones-monitoring:default: Controls zonestatd.
The svc:/application/pkg/zones-proxy-client:default zones proxy client SMF service runs only in the non-global zone. The service is used by the packaging system to provide zones access to the system repository.
To report on the CPU, memory, and resource control utilization of the currently running zones, see Using the zonestat Utility in a Non-Global Zone in Creating and Using Oracle Solaris Zones. The zonestat utility also reports on network bandwidth utilization in exclusive-IP zones. An exclusive-IP zone has its own IP-related state and one or more dedicated datalinks.
The fsstat utility can be used to report file operations statistics for non-global zones. See the fsstat(1M) man page and Monitoring Non-Global Zones Using the fsstat Utility in Creating and Using Oracle Solaris Zones.