Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management Oracle Solaris 11 Information Library |
Part I Oracle Solaris Resource Management
1. Introduction to Resource Management
2. Projects and Tasks (Overview)
3. Administering Projects and Tasks
4. Extended Accounting (Overview)
5. Administering Extended Accounting (Tasks)
6. Resource Controls (Overview)
7. Administering Resource Controls (Tasks)
8. Fair Share Scheduler (Overview)
9. Administering the Fair Share Scheduler (Tasks)
10. Physical Memory Control Using the Resource Capping Daemon (Overview)
11. Administering the Resource Capping Daemon (Tasks)
13. Creating and Administering Resource Pools (Tasks)
14. Resource Management Configuration Example
15. Introduction to Oracle Solaris Zones
About Oracle Solaris Zones in This Release
Read-Only solaris Non-Global Zones
About Converting ipkg Zones to solaris Zones
Processes Running in a Branded Zone
Non-Global Zones Available in This Release
How Non-Global Zones Are Administered
How Non-Global Zones Are Created
Non-Global Zone Characteristics
Using Resource Management Features With Non-Global Zones
Setting Up Zones on Your System (Task Map)
16. Non-Global Zone Configuration (Overview)
17. Planning and Configuring Non-Global Zones (Tasks)
18. About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)
19. Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)
20. Non-Global Zone Login (Overview)
21. Logging In to Non-Global Zones (Tasks)
22. About Zone Migrations and the zonep2vchk Tool
23. Migrating Oracle Solaris Systems and Migrating Non-Global Zones (Tasks)
24. About Automatic Installation and Packages on an Oracle Solaris 11 System With Zones Installed
25. Oracle Solaris Zones Administration (Overview)
26. Administering Oracle Solaris Zones (Tasks)
27. Configuring and Administering Immutable Zones
28. Troubleshooting Miscellaneous Oracle Solaris Zones Problems
Part III Oracle Solaris 10 Zones
29. Introduction to Oracle Solaris 10 Zones
30. Assessing an Oracle Solaris 10 System and Creating an Archive
31. (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone
32. Configuring the solaris10 Branded Zone
33. Installing the solaris10 Branded Zone
Non-global zones provide the following features:
Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones.
Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole.
Zones allow the deployment of multiple applications on the same machine, even if those applications operate in different trust domains, require exclusive access to a global resource, or present difficulties with global configurations. For example, multiple applications running in different shared-IP zones on the same system can bind to the same network port by using the distinct IP addresses associated with each zone or by using the wildcard address. The applications are also prevented from monitoring or intercepting each other's network traffic, file system data, or process activity.
Zones are configured as exclusive-IP type by default. The zones are isolated from the global zone and from each other at the IP layer. This isolation is useful for both operational and security reasons. Zones can be used to consolidate applications that must communicate on different subnets using their own LANs or VLANs. Each zone can also define its own IP layer security rules.
Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from applications. The same application environment can be maintained on different physical machines. The virtualized environment allows separate administration of each zone. Actions taken by a zone administrator in a non-global zone do not affect the rest of the system.
A zone can provide isolation at almost any level of granularity. See Non-Global Zone Characteristics for more information.
Zones do not change the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, zones provide the standard Oracle Solaris interfaces and application environment, with some restrictions. The restrictions primarily affect applications that attempt to perform privileged operations.
Applications in the global zone run without modification, whether or not additional zones are configured.