A multi-zone environment consists of a global zone (the default operating system) and one or more non-global zones. The global zone contains resources that can be allocated among non-global zones by a global (zone) administrator. Non-global zones provide the following features:
Security. By running distributed services in non-global zones, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software within one zone is confined to that zone. The privileges available within a non-global zone are a subset of those available in the global zone.
Runtime isolation. Non-global zones allow for the deployment of multiple applications on the same computer even if those applications require different levels of security, require exclusive access to global resources, or require individualized configuration. For example, multiple applications running in different zones can bind to the same network port by using the distinct IP addresses associated with each non-global zone. The applications are prevented from monitoring or intercepting each others network traffic, file system data, or process activity.
Administrative isolation. The virtualized operating system environment allows for separate administration of each non-global zone. Actions taken by a zone administrator (as opposed to the global administrator) in a non-global zone, such as creating user accounts, installing and configuring software, and managing processes, do not affect other zones.
There are two types of non-global zones: whole root zones and sparse root zones:
Whole root zones. Contain a read/write copy of the file system existing on the global zone. When a whole root zone is created, all packages that are installed on the global zone are made available to the whole root zone: a package database is created and all files are copied onto the whole root zone for the dedicated and independent use of the zone.
Sparse root zones. Contain a read/write copy of only a portion of the file system existing on the global zone (hence the name sparse root) while other file systems are mounted read-only from the global zone as loop-back virtual file systems. When a sparse root zone is created, the global administrator selects which file systems to share with the sparse root zone (by default, the /usr, /lib, /sbin, and /platform directories are shared as read-only file systems). All packages that are installed on the global zone are made available to the sparse root zone: a package database is created and all files in the mounted file system are shared with the zone.