Solaris 10 7/07 HW What's New

Solaris Zones Software Partitioning Technology

This feature is new in the Solaris Express 2/04 release. In the Solaris Express 7/04 release, new functionality for Zones has been added.

The Solaris Zones software partitioning technology, a component of the Solaris Containers environment, is a software partitioning technology used to virtualize operating system services and provide an isolated and secure environment for running applications. A zone is a virtualized operating system environment created within a single instance of the Solaris Operating System. Zones basically provide the standard Solaris interfaces and application environment, and do not include a new ABI or API that would require applications to be ported.

Each zone can provide a customized set of services. Zones are ideal for environments that consolidate multiple applications on a single server. Resource management features can be used within zones to further control how applications use available system resources.

A zone can be thought of as a box. One or more applications can run in this box without affecting the rest of the system. This isolation prevents processes that are running in one zone from monitoring or interfering with processes that are running in other zones. Even a process with superuser credentials that is running inside a zone cannot view or affect activity in other zones.

The single instance of the Solaris Operating System is the global zone. The global zone is both the default zone for the system and the zone used for system-wide administrative control. One or more non-global zones can be created by an administrator working in the global zone. Once created, these non-global zones can be administered by individual zone administrators. The privileges of a zone administrator are confined to a non-global zone.

Non-global zones provide isolation at almost any level of granularity you require. A zone does not need a dedicated CPU, a physical device, or a portion of physical memory. These resources can either be multiplexed across several zones running within a single domain or system, or allocated on a per-zone basis using the resource management features available in the operating system. Even a small uniprocessor system can support multiple zones running simultaneously.

To achieve process isolation, a process can see or signal only those processes that exist in the same zone.

Basic communication between zones is provided by giving each zone at least one logical network interface. Applications running in different zones on the same system can bind to the same network port by using the distinct IP addresses associated with each zone or by using the wildcard address. An application running in one zone cannot observe the network traffic of another zone. This isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

Files used by naming services reside within a zone's own root file system view. Thus, naming services in different zones are isolated from one other and can be configured differently.

For information about how to configure and use zones on your system, see the System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.