The SolarisTM Zones facility in the Solaris Operating System provides an isolated environment in which to run applications on your system. Solaris Zones are a component of the Solaris Container environment.
This chapter provides limited information about the ipkg brand for the OpenSolaris 2006.09 release. This design is under development, and the solution for OpenSolaris might change.
The chapter also covers the following general zones topics:
If you are ready to start creating zones on your system, skip to Chapter 16, Non-Global Zone Configuration (Overview).
For information on branded zones, see Part III, Linux Branded Zones.
For information on using zones on a Solaris Trusted Extensions system, see Chapter 16, Managing Zones in Trusted Extensions (Tasks), in Solaris Trusted Extensions Administrator’s Procedures and Zones in Trusted Extensions in Solaris Trusted Extensions Transition Guide.
Zones on the OpenSolaris release are a work in progress; they are evolving as development continues. The software management aspect of zones is changing because OpenSolaris uses IPS instead of SVr4 packaging and patching. Thus, work in still being done where zones are impacted by software management, such as installation and migration.
The Image Packaging System (IPS) is a new model for software management in the OpenSolaris 2009.06 Release, and zones are changing to utilize this model. The following differences should be noted:
The ipkg brand is the default instead of the native brand, which is the default on SX systems.
ipkg branded zones are whole-root type only; inherit-pkg-dir should not be used.
The sparse root type of zone describes a fundamental interaction between zones and the package management system, and IPS doesn't support this concept. Sun is working on providing the positive attributes of sparse root zones in other ways.
Zones have different software management related functionality in these areas:
IPS versus SVR4 packaging
Install, detach/attach, "physical to virtual" (P2V) capability
Zones have different global zone software operations; they employ manual syncing, not patching. Currently, the zones don't automatically update when you pkg image-update the system. You must manually update the zones after rebooting to keep them in sync with the global zone. In a future release, this update should happen automatically.
Until pkg_image-update is fully supported, you can use zoneadmdetach and attach -u as a workaround. Detach the zone before running pkg_image-update, then use attach -u after running pkg_image-update. See About Migrating a Zone for more information on these commands.
Global zones are integrated with beadm and use boot environments as described in beadm Zones Support. In a future release, support for beadm inside zones is planned.
The zone root is a ZFSTM dataset. In a future release, this feature will enable support for beadm inside zones for pkg_image-update, just as you can do in the global zone. To accomplish this, the zone's root dataset must be controlled inside the zone.
Zone software is minimized to start; any additional packages the zone requires must be added. See OpenSolaris Package Repositories for more information.
You must be on the network to install a zone. Installation is from the OpenSolaris Packaging Repository. See OpenSolaris 2009.06 Image Packaging System Guide for more information.
To control the software installed in the ipkg brand zone, use the -e option to the zoneadm install command.
| # zoneadm -z zonename install -e pkgA -e pkgB ... | 
For information on zones in the OpenSolaris release, visit the Zones OpenSolaris Community. This site will be updated to address the latest issues.
The Solaris Zones partitioning technology is used to virtualize operating system services and provide an isolated and secure environment for running applications. A zone is a virtualized operating system environment created within a single instance of the Solaris Operating System. When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation prevents processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process running with superuser credentials cannot view or affect activity in other zones.
A zone also provides an abstract layer that separates applications from the physical attributes of the machine on which they are deployed. Examples of these attributes include physical device paths.
Zones can be used on any machine that is running the Solaris 10 or later Solaris release. The upper limit for the number of zones on a system is 8192. The number of zones that can be effectively hosted on a single system is determined by the total resource requirements of the application software running in all of the zones.
There are two types of non-global zone root file system models: sparse and whole root.
Sparse root zones are native branded zones. The sparse root zone model optimizes the sharing of objects. Note that some brands, especially the ipkg brand, do not support the sparse root model.
The whole root zone model provides the maximum configurability.
These concepts are discussed in Chapter 17, Planning and Configuring Non-Global Zones (Tasks).
Branded zones (BrandZ) provide the framework to create containers that contain alternative sets of runtime behaviors. Brand can refer to a wide range of operating environments. For example, the non-global zone can emulate the Solaris 8 Operating System, or an operating environment such as Linux. Every zone is configured with an associated brand.
The brand defines the operating environment that can be installed in the zone and determines how the system will behave within the zone so that the software installed in the zone functions correctly. In addition, a zone's brand is used to identify the correct application type at application launch time. All branded zone management is performed through extensions to the standard zones structure. Most administration procedures are identical for all zones.
BrandZ extends the zones tools in the following ways:
The zonecfg command is used to set a zone's brand type when the zone is configured.
The zoneadm command is used to report a zone's brand type as well as administer the zone.
Although you can configure and install branded zones on a Solaris Trusted Extensions system that has labels enabled, you cannot boot branded zones on this system configuration, unless the brand being booted is the labeled brand on an OpenSolaris system configuration.
Zones are ideal for environments that consolidate a number of applications on a single server. The cost and complexity of managing numerous machines make it advantageous to consolidate several applications on larger, more scalable servers.
The following figure shows a system with four zones. Each of the zones apps, users, and work is running a workload unrelated to the workloads of the other zones, in a sample consolidated environment. This example illustrates that different versions of the same application can be run without negative consequences in different zones, to match the consolidation requirements. Each zone can provide a customized set of services.

Zones enable more efficient resource utilization on your system. Dynamic resource reallocation permits unused resources to be shifted to other containers as needed. Fault and security isolation mean that poorly behaved applications do not require a dedicated and under-utilized system. With the use of zones, these applications can be consolidated with other applications.
Zones allow you to delegate some administrative functions while maintaining overall system security.
A non-global zone can be thought of as a box. One or more applications can run in this box without interacting with the rest of the system. Solaris zones isolate software applications or services by using flexible, software-defined boundaries. Applications that are running in the same instance of the Solaris Operating System can then be managed independently of one other. Thus, different versions of the same application can be run in different zones, to match the requirements of your configuration.
A process assigned to a zone can manipulate, monitor, and directly communicate with other processes that are assigned to the same zone. The process cannot perform these functions with processes that are assigned to other zones in the system or with processes that are not assigned to a zone. Processes that are assigned to different zones are only able to communicate through network APIs.
IP networking can be configured in two different ways, depending on whether the zone has its own exclusive IP instance or shares the IP layer configuration and state with the global zone. For more information about IP types in zones, see Zone Network Interfaces. For configuration information, see How to Configure the Zone.
Every Solaris system contains a global zone. The global zone has a dual function. The global zone is both the default zone for the system and the zone used for system-wide administrative control. All processes run in the global zone if no non-global zones, referred to simply as zones, are created by the global administrator.
The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled. Only the global zone is bootable from the system hardware. Administration of the system infrastructure, such as physical devices, routing in a shared-IP zone, or dynamic reconfiguration (DR), is only possible in the global zone. Appropriately privileged processes running in the global zone can access objects associated with other zones.
Unprivileged processes in the global zone might be able to perform operations not allowed to privileged processes in a non-global zone. For example, users in the global zone can view information about every process in the system. If this capability presents a problem for your site, you can restrict access to the global zone.
Each zone, including the global zone, is assigned a zone name. The global zone always has the name global. Each zone is also given a unique numeric identifier, which is assigned by the system when the zone is booted. The global zone is always mapped to ID 0. Zone names and numeric IDs are discussed in Using the zonecfg Command.
Each zone also has a node name that is completely independent of the zone name. The node name is assigned by the administrator of the zone. For more information, see Non-Global Zone Node Name.
Each zone has a path to its root directory that is relative to the global zone's root directory. For more information, see Using the zonecfg Command.
The scheduling class for a non-global zone is set to the scheduling class for the system by default. See Scheduling Class for a discussion of methods used to set the scheduling class in a zone.
The following table summarizes the characteristics of global and non-global zones.
A global administrator has superuser privileges or the Primary Administrator role. When logged in to the global zone, the global administrator can monitor and control the system as a whole.
A non-global zone can be administered by a zone administrator. The global administrator assigns the Zone Management profile to the zone administrator. The privileges of a zone administrator are confined to a non-global zone.
The global administrator uses the zonecfg command to configure a zone by specifying various parameters for the zone's virtual platform and application environment. The zone is then installed by the global administrator, who uses the zone administration command zoneadm to install software at the package level into the file system hierarchy established for the zone. The zoneadm command is used to boot the zone. The global administrator can then log in to the installed zone by using the zlogin command. At first login, the internal configuration for the zone is completed.
For information about zone configuration, see Chapter 16, Non-Global Zone Configuration (Overview). For information about zone installation, see Chapter 18, About Installing, Halting, Uninstalling, and Cloning Non-Global Zones (Overview). For information about zone login, see Chapter 20, Non-Global Zone Login (Overview).
A non-global zone can be in one of the following six states:
The zone's configuration is complete and committed to stable storage. However, those elements of the zone's application environment that must be specified after initial boot are not yet present.
During an install or uninstall operation, zoneadm sets the state of the target zone to incomplete. Upon successful completion of the operation, the state is set to the correct state.
A damaged installed zone can be marked incomplete by using the mark subcommand of zoneadm. Zones in the incomplete state are shown in the output of zoneadm list -iv.
The zone's configuration is instantiated on the system. The zoneadm command is used to verify that the configuration can be successfully used on the designated Solaris system. Packages are installed under the zone's root path. In this state, the zone has no associated virtual platform.
The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are set up and made available to the zone, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system. At this stage, no processes associated with the zone have been started.
User processes associated with the zone application environment are running. The zone enters the running state as soon as the first user process associated with the application environment (init) is created.
These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.
Chapter 19, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks) and the zoneadm(1M) man page describe how to use the zoneadm command to initiate transitions between these states.
Table 15–1 Commands That Affect Zone State| Current Zone State | Applicable Commands | 
|---|---|
| Configured | zonecfg -z zonename verify zonecfg -z zonename commit zonecfg -z zonename delete zoneadm -z zonename attach zoneadm -z zonename verify zoneadm -z zonename install zoneadm -z zonename clone You can also use zonecfg to rename a zone in the configured or installed state. | 
| Incomplete | zoneadm -z zonename uninstall | 
| Installed | zoneadm -z zonename ready (optional) zoneadm -z zonename boot zoneadm -z zonename uninstall uninstalls the configuration of the specified zone from the system. zoneadm -z zonename move path zoneadm -z zonename detach zonecfg -z zonename can be used to add or remove an attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, net, rctl, or scheduling-class property. You can also rename a zone in the installed state. The inherit-pkg-dir resources cannot be changed. | 
| Ready | zoneadm -z zonename boot zoneadm halt and system reboot return a zone in the ready state to the installed state. zonecfg -z zonename can be used to add or remove attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, net, rctl, or scheduling-class property. The inherit-pkg-dir resources cannot be changed. | 
| Running | zlogin options zonename zoneadm -z zonename reboot zoneadm -z zonename halt returns a ready zone to the installed state. zoneadm halt and system reboot return a zone in the running state to the installed state. zonecfg -z zonename can be used to add or remove an attr, bootargs, capped-memory, dataset, capped-cpu, dedicated-cpu, device, fs, ip-type, limitpriv, net, rctl, or scheduling-class property. The zonepath and inherit-pkg-dir resources cannot be changed. | 
Parameters changed through zonecfg do not affect a running zone. The zone must be rebooted for the changes to take effect.
A zone provides isolation at almost any level of granularity you require. A zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can either be multiplexed across a number of zones running within a single domain or system, or allocated on a per-zone basis using the resource management features available in the operating system.
Each zone can provide a customized set of services. To enforce basic process isolation, a process can see or signal only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone IP network connectivity. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.
Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.
Files used by naming services reside within a zone's own root file system view. Thus, naming services in different zones are isolated from one other and the services can be configured differently.
If you use resource management features, you should align the boundaries of the resource management controls with those of the zones. This alignment creates a more complete model of a virtual machine, where namespace access, security isolation, and resource usage are all controlled.
Any special requirements for using the various resource management features with zones are addressed in the individual chapters of this manual that document those features.
Non-global zones provide the following features:
Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones.
Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole.
Zones allow the deployment of multiple applications on the same machine, even if those applications operate in different trust domains, require exclusive access to a global resource, or present difficulties with global configurations. For example, multiple applications running in different shared-IP zones on the same system can bind to the same network port by using the distinct IP addresses associated with each zone or by using the wildcard address. The applications are also prevented from monitoring or intercepting each other's network traffic, file system data, or process activity.
If a zone needs to be isolated at the IP layer on the network, for example, by being connected to different VLANs or different LANs than the global zone and other non-global zones, then for security reasons the zone can have an exclusive IP. The exclusive-IP zone can be used to consolidate applications that must communicate on different subnets that are on different VLANs or different LANs.
Zones can also be configured as shared-IP zones. These zones connect to the same VLANs or same LANs as the global zone and share the IP routing configuration with the global zone. Shared-IP zones have separate IP addresses, but share the other parts of IP.
Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from applications. The same application environment can be maintained on different physical machines. The virtualized environment allows separate administration of each zone. Actions taken by a zone administrator in a non-global zone do not affect the rest of the system.
A zone can provide isolation at almost any level of granularity. See Non-Global Zone Characteristics for more information.
Zones do not change the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, zones provide the standard Solaris interfaces and application environment, with some restrictions. The restrictions primarily affect applications that attempt to perform privileged operations.
Applications in the global zone run without modification, whether or not additional zones are configured.
The following table provides a basic overview of the tasks that are involved in setting up zones on your system for the first time.
| Task | Description | For Instructions | 
|---|---|---|
| Identify the applications that you would like to run in zones. | Review the applications running on your system: 
 | Refer to your business goals and to your system documentation if necessary. | 
| Determine how many zones to configure. | Assess: 
 
 | |
| Determine whether you will use resource pools with your zone to create a container. | If you are also using resource management features on your system, align the zones with the resource management boundaries. Configure resource pools before you configure zones. Note that you can add zone-wide resource controls and pool functionality to a zone quickly by using zonecfg properties. | See How to Configure the Zone, and Chapter 13, Creating and Administering Resource Pools (Tasks). | 
| Perform the preconfiguration tasks. | Determine the zone name and the zone path. Determine whether the zone will be a shared-IP zone or an exclusive-IP zone, and obtain IP addresses or the data-link name. Determine the required file systems and devices for each zone. Determine the scheduling class for the zone. Determine the set of privileges that processes inside the zone should be limited to, if the standard default set is not sufficient. Note that some zonecfg settings automatically add privileges. For example, ip-type=exclusive automatically adds multiple privileges required to configure and manage network stacks. | For information on the zone name and path, IP types, IP addresses, file systems, devices, scheduling class, and privileges, see Chapter 16, Non-Global Zone Configuration (Overview) and Evaluating the Current System Setup. For a listing of default privileges and privileges that can be configured in a non-global zone, see Privileges in a Non-Global Zone. For information about IP feature availability, see Networking in Shared-IP Non-Global Zones and Networking in Exclusive-IP Non-Global Zones. | 
| Develop configurations. | Configure non-global zones. | See Configuring, Verifying, and Committing a Zone and the zonecfg(1M) man page. | 
| As global administrator, verify and install configured zones. | Zones must be verified and installed prior to login. | See Chapter 18, About Installing, Halting, Uninstalling, and Cloning Non-Global Zones (Overview) and Chapter 19, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks). | 
| As global administrator, boot the non-global zones. | Boot each zone to place the zone in the running state. | See Chapter 18, About Installing, Halting, Uninstalling, and Cloning Non-Global Zones (Overview) and Chapter 19, Installing, Booting, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks). | 
| As global administrator, perform the initial internal configuration of the zone. | Place a sysidcfg file in the zone's /etc directory or log in to each non-global zone using the zlogin command with the -C option and enter the requested information, including assigning the zone root password. | See Chapter 20, Non-Global Zone Login (Overview) and Chapter 21, Logging In to Non-Global Zones (Tasks). | 
| Prepare the new zone for production use. | Create user accounts, add additional software, and customize the zone's configuration. | Refer to the documentation you use to set up a newly installed machine. Special considerations applicable to a system with zones installed are covered in this guide. |