The Oracle Solaris Zones feature virtualizes operating system services and provides an isolated and secure environment for running applications. A zone is a virtualized operating system environment that is created within a single instance of the Oracle Solaris operating system.
When you create a zone, you produce an application execution environment in which processes are isolated from the rest of the system. This isolation prevents processes that are running in one zone from monitoring or affecting processes that are running in other zones. Even a process that runs with root credentials cannot view or affect activity in other zones. With Oracle Solaris Zones, you can maintain the one-application-per-server deployment model while simultaneously sharing hardware resources.
A zone also provides an abstract layer that separates applications from the physical attributes of the machine on which they are deployed. An example of an attribute is the physical device path.
Zones can be used on any machine that runs the Oracle Solaris 10, Oracle Solaris 11, or Oracle Solaris 11.4 operating system. The number of zones that can be effectively hosted on a single system is determined by the following:
The size of the system
The total resource requirements of the application software that runs in all of the zones
Oracle Solaris Zones and Oracle Solaris 10 Zones are complete runtime environments for applications. A zone provides a virtual mapping from the application to the platform resources. Zones permit application components to be isolated from one another even though the zones share a single instance of the Oracle Solaris operating system. The Oracle Solaris resource management feature permits you to explicitly allocate the amount and type of resources that a workload receives.
An Oracle Solaris Kernel Zone runs a zone that has a separate kernel and operating system installation from the global zone or the host that runs the kernel zone. Because of the separate kernel and operating system installation, kernel zones are more independent than other zones and provide enhanced security for the operating system instance and its applications. System processes are handled in the kernel zone's separate process ID table and are not shared with the global zone.
A zone establishes boundaries for resource consumption, such as CPU usage. You can expand these boundaries to adapt to the changing processing requirements of the application that runs in the zone.
solaris branded zones can provide near-native performance. There is no layer of overhead required to pass virtual I/O requests to physical devices and no emulation of privileged instructions. Also, because there is only one kernel, only one copy of the kernel must be kept on disk and in RAM.
For additional isolation and security, you can configure immutable zones, which are zones that have a read-only root (/) file system. Immutable zones enable you to "lock down" zones, which means that system files cannot be modified, even by a privileged user in a zone.
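The resource boundaries and the immutable (read-only root) configuration described above can both be expressed in a zonecfg command file. The script below is an added example, not part of the Oracle documentation; the zone name, zonepath and cap values it uses are assumptions, and zonecfg itself only exists on a Solaris host.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): generate, check and
# apply a zonecfg command file for a solaris-branded zone that is immutable
# (read-only root) and CPU/memory capped. The zone name, the zonepath under
# /zones and the cap values passed in are assumptions for illustration.

# Emit zonecfg commands on stdout. file-mac-profile=fixed-configuration
# locks down the root file system (only areas such as /var stay writable);
# the default profile, "none", leaves the zone fully writable.
emit_zone_config() {
    zone="$1"; ncpus="$2"; mem="$3"
    cat <<EOF
create
set zonepath=/zones/${zone}
set autoboot=false
set file-mac-profile=fixed-configuration
add capped-cpu
set ncpus=${ncpus}
end
add capped-memory
set physical=${mem}
end
verify
commit
exit
EOF
}

# Count the lines that enforce the security-relevant settings (immutable
# root, CPU cap, memory cap) so a generated file can be checked before use.
check_zone_config() {
    grep -c -e '^set file-mac-profile=fixed-configuration$' \
            -e '^set ncpus=' -e '^set physical=' "$1"
}

# Apply the file with zonecfg (only where it exists) and read the profile
# back, so the locked-down state is confirmed rather than assumed.
apply_zone_config() {
    zone="$1"; file="$2"
    command -v zonecfg >/dev/null 2>&1 || { echo "zonecfg not available" >&2; return 1; }
    zonecfg -z "$zone" -f "$file" &&
    zonecfg -z "$zone" info file-mac-profile
}

# Usage: sh this_script.sh <zone-name> <ncpus> <physical-memory>
if [ $# -ge 3 ]; then
    emit_zone_config "$1" "$2" "$3" > "/tmp/${1}.cfg"
    check_zone_config "/tmp/${1}.cfg" >/dev/null
    apply_zone_config "$1" "/tmp/${1}.cfg"
fi
```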
Oracle Solaris 10 Zones enable you to run Oracle Solaris 10 applications on the Oracle Solaris 11 OS. Applications run unmodified in the secure environment that is provided by the non-global zone. Using a solaris10 branded non-global zone enables you to use an Oracle Solaris 10 system to develop, test, and deploy applications. Workloads that run within these branded zones can take advantage of the enhancements made to the kernel and use some of the innovative technologies available only in the Oracle Solaris 11 release.
For more information about using zones, Oracle Solaris 10 Zones, and resource management, see Administering Resource Management in Oracle Solaris 11.3 and Resource Management and Oracle Solaris Zones Developer’s Guide.
For more information about zones and resource management, see the following documents: