JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management     Oracle Solaris 11 Information Library
search filter icon
search icon

Document Information

Preface

Part I Oracle Solaris Resource Management

1.  Introduction to Resource Management

2.  Projects and Tasks (Overview)

3.  Administering Projects and Tasks

4.  Extended Accounting (Overview)

5.  Administering Extended Accounting (Tasks)

6.  Resource Controls (Overview)

7.  Administering Resource Controls (Tasks)

8.  Fair Share Scheduler (Overview)

9.  Administering the Fair Share Scheduler (Tasks)

10.  Physical Memory Control Using the Resource Capping Daemon (Overview)

11.  Administering the Resource Capping Daemon (Tasks)

12.  Resource Pools (Overview)

13.  Creating and Administering Resource Pools (Tasks)

14.  Resource Management Configuration Example

Part II Oracle Solaris Zones

15.  Introduction to Oracle Solaris Zones

Zones Overview

About Oracle Solaris Zones in This Release

Read-Only solaris Non-Global Zones

About Converting ipkg Zones to solaris Zones

About Branded Zones

Processes Running in a Branded Zone

Non-Global Zones Available in This Release

When to Use Zones

How Zones Work

Summary of Zones by Function

How Non-Global Zones Are Administered

How Non-Global Zones Are Created

Non-Global Zone State Model

Non-Global Zone Characteristics

Using Resource Management Features With Non-Global Zones

Monitoring Non-Global Zones

Capabilities Provided by Non-Global Zones

Setting Up Zones on Your System (Task Map)

16.  Non-Global Zone Configuration (Overview)

17.  Planning and Configuring Non-Global Zones (Tasks)

18.  About Installing, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Overview)

19.  Installing, Booting, Shutting Down, Halting, Uninstalling, and Cloning Non-Global Zones (Tasks)

20.  Non-Global Zone Login (Overview)

21.  Logging In to Non-Global Zones (Tasks)

22.  About Zone Migrations and the zonep2vchk Tool

23.  Migrating Oracle Solaris Systems and Migrating Non-Global Zones (Tasks)

24.  About Automatic Installation and Packages on an Oracle Solaris 11 System With Zones Installed

25.  Oracle Solaris Zones Administration (Overview)

26.  Administering Oracle Solaris Zones (Tasks)

27.  Configuring and Administering Immutable Zones

28.  Troubleshooting Miscellaneous Oracle Solaris Zones Problems

Part III Oracle Solaris 10 Zones

29.  Introduction to Oracle Solaris 10 Zones

30.  Assessing an Oracle Solaris 10 System and Creating an Archive

31.  (Optional) Migrating an Oracle Solaris 10 native Non-Global Zone Into an Oracle Solaris 10 Zone

32.  Configuring the solaris10 Branded Zone

33.  Installing the solaris10 Branded Zone

34.  Booting a Zone, Logging in, and Zone Migration

Glossary

Index

Capabilities Provided by Non-Global Zones

Non-global zones provide the following features:

Security

Once a process has been placed in a zone other than the global zone, neither the process nor any of its subsequent children can change zones.

Network services can be run in a zone. By running network services in a zone, you limit the damage possible in the event of a security violation. An intruder who successfully exploits a security flaw in software running within a zone is confined to the restricted set of actions possible within that zone. The privileges available within a zone are a subset of those available in the system as a whole.

Isolation

Zones allow the deployment of multiple applications on the same machine, even if those applications operate in different trust domains, require exclusive access to a global resource, or present difficulties with global configurations. For example, multiple applications running in different shared-IP zones on the same system can bind to the same network port by using the distinct IP addresses associated with each zone or by using the wildcard address. The applications are also prevented from monitoring or intercepting each other's network traffic, file system data, or process activity.

Network Isolation

Zones are configured as exclusive-IP type by default. The zones are isolated from the global zone and from each other at the IP layer. This isolation is useful for both operational and security reasons. Zones can be used to consolidate applications that must communicate on different subnets using their own LANs or VLANs. Each zone can also define its own IP layer security rules.

Virtualization

Zones provide a virtualized environment that can hide details such as physical devices and the system's primary IP address and host name from applications. The same application environment can be maintained on different physical machines. The virtualized environment allows separate administration of each zone. Actions taken by a zone administrator in a non-global zone do not affect the rest of the system.

Granularity

A zone can provide isolation at almost any level of granularity. See Non-Global Zone Characteristics for more information.

Environment

Zones do not change the environment in which applications execute except when necessary to achieve the goals of security and isolation. Zones do not present a new API or ABI to which applications must be ported. Instead, zones provide the standard Oracle Solaris interfaces and application environment, with some restrictions. The restrictions primarily affect applications that attempt to perform privileged operations.

Applications in the global zone run without modification, whether or not additional zones are configured.