Immutable zones ensure the integrity of the files on the system. The policy of the zone specifies which files can be modified. Administrators must be authenticated to enter the Trusted Path Domain (TPD) to be able to change files on the system. Oracle Solaris provides several policies for immutable zones that offer trade-offs between flexibility and immutability. The mwac(7) man page describes the policies that can be applied to make a zone immutable, and the tpd(7) man page describes the Trusted Path Domain.
Chapter 12, Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones describes how to configure and administer immutable zones.
You have two options when administering an immutable zone:
If you have access to a terminal window in the global zone, you can change the zone to mutable, administer it, then return the zone to immutable.
This option does not use the TPD. Refer to Administering Immutable Non-Global Zones in Creating and Using Oracle Solaris Zones for administering an immutable zone by making it temporarily mutable.
If you have access to a console or a RAD interface, you can leave the zone immutable, enter the zone by authenticating to the Trusted Path Domain (TPD), administer the zone, then exit the TPD.
This more secure option requires that the zone administrator has the rights to enter the TPD. For RAD access, the RAD process must be running in the trusted path. Refer to Administering an Immutable Zone by Using the Trusted Path Domain in Creating and Using Oracle Solaris Zones.
The steps for these methods are described in the following sections:
Mutable zone administration – With the zlogin -T or zoneadm command, see Administering an Immutable Zone by Making It Writable in Creating and Using Oracle Solaris Zones.
Physical or virtual console entry – See How to Enable Administrative Access to an Immutable Zone From the Console in Creating and Using Oracle Solaris Zones.