Installing and Administering Solaris Container Manager 3.6.1

Zones

Zones provide an isolated and secure environment for running applications. Zones give you a way to create virtualized operating system environments within an instance of Solaris. Zones allow one or more processes to run in isolation from other processes on the system. For example, a process that runs in a zone can send signals only to other processes in the same zone, regardless of user ID and other credential information. If an error occurs, it affects only the processes that run within the zone.

Global Zones

Every Solaris 10 system contains a general environment called the global zone, which corresponds to the whole system on previous versions of the OS. The global zone has two functions: it is the default zone for the system, and it is the zone used for system-wide administrative control. If the global administrator creates no non-global zones (referred to simply as zones), all processes run in the global zone.

The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Only the global zone is bootable from the system hardware. Administrative functions such as managing physical devices, routing, and dynamic reconfiguration (DR) are possible only in the global zone. Appropriately privileged processes or users that run in the global zone can access objects associated with other zones.

Unprivileged processes or users in the global zone might be able to perform operations not allowed to privileged processes or users in a non-global zone. For example, users in the global zone can view information about every process in the system. Zones allow the administrator to delegate some administrative functions while maintaining overall system security.

Non-Global Zones

A non-global zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can be shared across a number of zones that run within a single domain or system. Zones can be booted and rebooted without affecting other zones on the system. Each zone can provide a customized set of services. To enforce basic process isolation, a process can “see” or signal only those processes that exist in the same zone. Basic communication between zones is enabled by giving each zone at least one logical network interface. An application running in one zone cannot see the network traffic of another zone even though the respective streams of packets travel through the same physical interface.

Each zone that requires network connectivity is configured with one or more dedicated IP addresses.
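The following script is an added example, not part of this guide, that carries out the procedure the preceding sections describe from the global zone: writing a zonecfg(1M) command file that gives the zone a zonepath and one logical network interface with a dedicated IP address, installing and booting the zone with zoneadm(1M), and then checking process isolation by comparing the process list seen from the global zone with the one seen from inside the zone. The zone name web1, the zonepath /zones/web1, the interface bge0, and the address 192.168.10.20/24 are assumptions chosen for illustration; substitute your own. The zone tools are run only where they exist, so on a non-Solaris host the script stops after writing the configuration file.

```shell
#!/bin/sh
# Added example: configure, install, boot and verify a non-global zone.
# Must be run as root in the global zone; zonecfg/zoneadm are refused elsewhere.
# ZONE, ZONEPATH, NIC and ADDR are illustrative assumptions, not values from the guide.

ZONE="web1"
ZONEPATH="/zones/${ZONE}"
NIC="bge0"                  # physical interface the zone's logical interface rides on
ADDR="192.168.10.20/24"     # dedicated IP address (with prefix length) for the zone

# Emit a zonecfg command file: one zonepath, one "add net" block carrying
# exactly one dedicated address, committed at the end.
zone_config() {
    cat <<EOF
create
set zonepath=${ZONEPATH}
set autoboot=true
add net
set address=${ADDR}
set physical=${NIC}
end
commit
EOF
}

# Count the dedicated IP addresses a config file assigns (one per "add net" block).
count_net_addresses() {
    grep -c '^set address=' "$1"
}

# Global-zone side of the procedure. Skips the zone tools when they are absent.
provision_zone() {
    cfg="/tmp/${ZONE}.cfg"
    zone_config > "$cfg"
    if ! command -v zonecfg >/dev/null 2>&1; then
        echo "zonecfg not found (not a Solaris global zone); config left in $cfg" >&2
        return 0
    fi
    # zoneadm refuses a zonepath that is readable by group or others.
    mkdir -p "$ZONEPATH" && chmod 700 "$ZONEPATH"
    zonecfg -z "$ZONE" -f "$cfg"
    zoneadm -z "$ZONE" install
    zoneadm -z "$ZONE" boot

    # Verification. The global zone sees every zone and every process on the
    # system, each labelled with its zone; the zone itself sees only its own.
    zoneadm list -cv
    echo "--- processes visible from the global zone ---"
    ps -eo zone,pid,user,comm | sort
    echo "--- processes visible from inside ${ZONE} ---"
    zlogin "$ZONE" ps -eo zone,pid,user,comm
}

provision_zone
```

Inside the zone, `zonename` reports web1 and `ps` lists only processes whose zone column reads web1, which is the process isolation the text describes; from the global zone the same command shows processes from global and every non-global zone. Adding a second `add net ... end` block to the configuration gives the zone a second dedicated address on the same or another physical interface.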

For more information about zones, see System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.