Solaris Containers: Resource Management and Solaris Zones Developer's Guide

Chapter 7 Design Considerations for Resource Management Applications in Solaris Zones

This chapter provides a brief overview of Solaris zones technology and discusses potential problems that may be encountered by developers who are writing resource management applications. For more information on zones, see Part II, Zones, in System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

Zones Overview

A zone is a virtualized operating system environment that is created within a single instance of the Solaris Operating System. Zones are a partitioning technology that provides an isolated, secure environment for applications. When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation prevents a process that is running in one zone from monitoring or affecting processes that are running in other zones. Even a process running with superuser credentials cannot view or affect activity in other zones. A zone also provides an abstract layer that separates applications from the physical attributes of the machine on which the zone is deployed. Examples of these attributes include physical device paths and network interface names.

By default, all systems have a global zone. The global zone has a global view of the Solaris environment in similar fashion to the superuser model. All other zones are referred to as non-global zones. A non-global zone is analogous to an unprivileged user in the superuser model. Processes in non-global zones can control only the processes and files within that zone. Typically, system administration work is mainly performed in the global zone. In rare cases where a system administrator needs to be isolated, privileged applications can be used in a non-global zone. In general, though, resource management activities take place in the global zone.

IP Networking in Zones

IP networking in a zone can be configured in two different ways, depending on whether the non-global zone is given its own exclusive IP instance or shares the IP layer configuration and state with the global zone. The shared-IP type is the default.

Exclusive-IP zones are assigned zero or more network interface names, and for those network interfaces they can send and receive any packets, snoop, and change the IP configuration, including IP addresses and the routing table. Note that those changes do not affect any of the other IP instances on the system.

Design Considerations for Resource Management Applications in Zones

All applications are fully functional in the global zone as they would be in a conventional Solaris environment. Most applications should run without problem in a non-global environment as long as the application does not need any privileges. If an application does require privileges, then the developer needs to take a close look at which privileges are needed and how a particular privilege is used. If a privilege is required, then a system administrator must assign the appropriate privilege to the application.

General Considerations When Writing Applications for Non-Global Zones

The known situations that a developer needs to investigate are as follows:

Specific Considerations for Shared-IP Non-Global Zones

For non-global zones that are configured to use the shared-IP instance, the following restrictions apply.

Note that these restrictions do not apply to exclusive-IP zones.