Planning for Zones in Trusted Extensions
Trusted Extensions software is added to the Solaris OS in the global zone.
You then configure non-global zones that are labeled. You can create one labeled
zone for every unique label, though you do not need to create a zone for every
label.
Part of zone configuration is configuring the network. Labeled zones
must be configured to communicate with the global zone and with other zones
on the network.
- The X server that runs the desktop display is available only from the global zone. Starting in the Solaris 10 10/08 release, the loopback interface, lo0, can be used to communicate with the global zone. Therefore, the desktop display is available to non-global zones over lo0.
- By default, non-global zones use the global zone to reach the network. Starting in the Solaris 10 10/08 release, each non-global zone can be configured with a unique default route that does not use the global zone.
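As an added illustration of the per-zone default route described above (this is a constructed example, not configuration from the original page), the following zonecfg command file defines a shared-IP labeled zone whose outbound traffic is routed through its own router instead of the global zone's default route. The zone name "public", the zonepath, the interface e1000g0 and the 192.0.2.0/24 addresses are assumed values; the file is loaded with zonecfg -z public -f public.cfg.

```text
# Constructed example: zonecfg command file for a labeled zone named "public".
# Zone name, zonepath, interface and addresses are assumed, not from the page.
create
set zonepath=/zone/public
set autoboot=true
add net
# Shared-IP zone: the address is plumbed on the global zone's e1000g0 interface.
set physical=e1000g0
set address=192.0.2.10/24
# Unique default route (Solaris 10 10/08 and later): the zone's traffic leaves
# through 192.0.2.1 rather than through the global zone's default route.
set defrouter=192.0.2.1
end
verify
commit
exit
```

The label of the zone is not set here; in Trusted Extensions the label-to-zone mapping lives in the tnzonecfg database, which is edited separately from zonecfg.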
Trusted Extensions Zones and Solaris Zones
Labeled zones differ from typical Solaris zones. Labeled zones are primarily
used to segregate data. In Trusted Extensions, regular users cannot remotely log
in to a labeled zone. The only interactive interface to a labeled zone is
by using the zone console. Only root can gain access to the zone console.
Zone Creation in Trusted Extensions
Creating a labeled zone involves copying the entire Solaris OS, and then starting
the services for the Solaris OS in every zone. The process can be time-consuming.
A faster process is to create one zone, then to copy that zone or clone the
contents of that zone. The following table describes your options for zone
creation in Trusted Extensions.
Zone Creation Method: Create each labeled zone from scratch.
Effort Required: Configure, initialize, install, customize, and boot each labeled zone.
Characteristics of This Method:
- This method is supported, and is useful for creating one or two additional zones. The zones can be upgraded.
- This method is time-consuming.

Zone Creation Method: Create additional labeled zones from a copy of the first labeled zone.
Effort Required: Configure, initialize, install, and customize one zone. Use this zone as a template for additional labeled zones.
Characteristics of This Method:
- This method is supported, and is faster than creating zones from scratch. The zones can be upgraded. Use the Copy Zone method if you want Sun Support to help you with any zone difficulties.
- This method uses UFS. UFS does not offer the additional isolation for zones that Solaris ZFS offers.

Zone Creation Method: Create additional labeled zones from a ZFS snapshot of the first labeled zone.
Effort Required: Set up a ZFS pool from a partition that you set aside during Solaris installation. Configure, initialize, install, and customize one zone. Use this zone as a ZFS snapshot for additional labeled zones.
Characteristics of This Method:
- This method uses Solaris ZFS, and is the fastest method. This method makes every zone a file system, and thus provides more isolation than UFS. ZFS uses much less disk space.
- If you are testing Trusted Extensions and can reinstall the zones rather than upgrade, this method might be a good choice. This method can be useful on systems whose contents are not volatile, because the system can quickly be reinstalled to a usable state.
- This method is not supported. Zones that are created by using this method cannot be upgraded when a later version of the OS is released.
Solaris zones affect package installation and patching. For more
information, see the following references: