The Oracle Solaris Zones product virtualizes OS services and provides an isolated and secure environment for running applications. A zone is a virtualized OS environment that is created within a single instance of the Oracle Solaris OS.
When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation prevents processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process that runs with root credentials cannot view or affect activity in other zones. With Oracle Solaris Zones, you can maintain the one-application-per-server deployment model while simultaneously sharing hardware resources.
A zone also provides an abstract layer that separates applications from the physical attributes of the machine on which they are deployed. An example of an attribute is the physical device path.
Zones can be used on any machine that runs the Oracle Solaris 10 OS or the Oracle Solaris 11 OS. The number of zones that can be effectively hosted on a single system is determined by the following:
The size of the system
The total resource requirements of the application software that runs in all of the zones
Oracle Solaris Zones and Oracle Solaris 10 Zones are complete runtime environments for applications. A zone provides a virtual mapping from the application to the platform resources. Zones permit application components to be isolated from one another even though the zones share a single instance of the Oracle Solaris OS. The Oracle Solaris resource management feature permits you to explicitly allocate the amount and type of resources that a workload receives.
An Oracle Solaris Kernel Zone runs a zone that has a separate kernel and OS installation from the global zone or the host that runs the kernel zone. Because of the separate kernel and OS installation, kernel zones are more independent than other zones and provide enhanced security for the operating system instance and its applications. System processes are handled in the kernel zone's separate process ID table and are not shared with the global zone.
For more information, see Creating and Using Oracle Solaris Kernel Zones and Chapter 1, Oracle Solaris Zones Introduction, in Introduction to Oracle Solaris Zones.
A zone establishes boundaries for resource consumption, such as CPU usage. You can expand these boundaries to adapt to the changing processing requirements of the application that runs in the zone.
Because zones do not use a hypervisor, they can provide near-native performance. Having no hypervisor means that there is no layer of overhead required to pass virtual I/O requests to physical devices and no emulation of privileged instructions. Also, because there is only one kernel, only one copy of the kernel must be kept on disk and in RAM.
For additional isolation and security, you can configure immutable zones, which are zones that have a read-only root (/) file system. Immutable zones enable you to “lock down” zones, which means that system files cannot be modified, even by a privileged user in a zone.
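The resource boundaries and the immutable (read-only root) setting described above are both expressed in the zone's configuration, so an administrator can check them from the output of `zonecfg -z <zone> export` without logging in to the zone. The following POSIX shell script is an added example, not code from the Oracle documentation: it parses a constructed export (the zone name, paths and values are invented for this example) and reports whether the zone has CPU and physical memory caps and whether its `file-mac-profile` is one of the read-only profiles (`strict`, `fixed-configuration`, `flexible-configuration`) rather than the default `none`.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit a zone configuration for two controls,
# a resource cap (capped-cpu / capped-memory) and an immutable root
# (file-mac-profile other than "none").
# Input format is that of `zonecfg -z <zone> export`; the sample below is
# constructed for this example, not captured from a real system.

SAMPLE_ZONE_CFG='create -b
set zonepath=/zones/web1
set brand=solaris
set autoboot=true
set file-mac-profile=fixed-configuration
add capped-cpu
set ncpus=2
end
add capped-memory
set physical=2G
set swap=4G
end
add net
set physical=net0
end'

# Print the value of a zone-level "set key=value" line, or nothing if absent.
# Lines inside add/end blocks are skipped so that, for example, "set physical"
# inside capped-memory is not mistaken for a zone-level property.
zone_property() {
    # $1 = zonecfg export text, $2 = property name
    printf '%s\n' "$1" | awk -v key="$2" '
        /^add /  { depth++; next }
        /^end$/  { depth--; next }
        depth == 0 && $1 == "set" {
            split($2, kv, "=")
            if (kv[1] == key) { print kv[2]; exit }
        }'
}

# Print the value of "set key=value" inside a named resource block ("add name"),
# or nothing if the block or the property is absent.
resource_property() {
    # $1 = zonecfg export text, $2 = resource name, $3 = property name
    printf '%s\n' "$1" | awk -v res="$2" -v key="$3" '
        $1 == "add" && $2 == res { inblock = 1; next }
        inblock && $1 == "end"   { inblock = 0 }
        inblock && $1 == "set" {
            split($2, kv, "=")
            if (kv[1] == key) { print kv[2]; exit }
        }'
}

# Return 0 if the zone has an immutable root (any file-mac-profile other than
# "none"), 1 otherwise. Prints the verdict for interactive use.
zone_is_immutable() {
    profile=$(zone_property "$1" file-mac-profile)
    case "$profile" in
        strict|fixed-configuration|flexible-configuration)
            echo "immutable root: file-mac-profile=$profile"; return 0 ;;
        *)
            echo "writable root: file-mac-profile=${profile:-none}"; return 1 ;;
    esac
}

# Return 0 if both a CPU cap and a physical memory cap are configured, 1 otherwise.
zone_has_resource_caps() {
    ncpus=$(resource_property "$1" capped-cpu ncpus)
    mem=$(resource_property "$1" capped-memory physical)
    if [ -n "$ncpus" ] && [ -n "$mem" ]; then
        echo "resource caps: ncpus=$ncpus physical=$mem"; return 0
    fi
    echo "missing cap: ncpus=${ncpus:-unset} physical=${mem:-unset}"; return 1
}

# Stand-alone usage: audit the constructed sample configuration.
zone_is_immutable "$SAMPLE_ZONE_CFG"
zone_has_resource_caps "$SAMPLE_ZONE_CFG"
```

On a real system the text would come from `zonecfg -z <zone> export` for each zone listed by `zoneadm list -c`; the two check functions exit non-zero for a zone that is missing a cap or still has a writable root, so they can drive a configuration-compliance report.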
Oracle Solaris 10 Zones enable you to run Oracle Solaris 10 applications on the Oracle Solaris 11 OS. Applications run unmodified in the secure environment that is provided by the non-global zone. Using a solaris10 branded non-global zone enables you to use an Oracle Solaris 10 system to develop, test, and deploy applications. Workloads that run within these branded zones can take advantage of the enhancements made to the kernel and use some of the innovative technologies available only in the Oracle Solaris 11 release.
For more information about using Oracle Solaris Zones, Oracle Solaris 10 Zones, and resource management, see Oracle Solaris 11.1 Administration: Oracle Solaris Zones, Oracle Solaris 10 Zones, and Resource Management and Resource Management, Oracle Solaris Zones, and Oracle Solaris 10 Zones Developer’s Guide.