Creating and Using Oracle® Solaris Zones

Updated: April 2019

Administering Immutable Non-Global Zones

If you do not configure administrative access, you can administer the on-disk non-global zone from the global zone only. Within a running non-global zone, you can only administer the runtime state of an immutable zone. Therefore, modifying MWAC policy in a running zone is temporary. For more information, see SMF Commands Exception to MWAC Security Policy.

Determining Whether a Non-Global Zone Is Immutable

The parsable output of the zoneadm list -p command, run from the global zone, includes an R/W column and a file-mac-profile column. In the following output, the running fixed-configuration zones testzone2 and testzone3 are read-only (R), while the running fixed-configuration zone testzone1 is currently booted read-write (W).

global$ zoneadm list -p
0:global:running:/:UUID:solaris:shared:-:none
5:testzone2:running:/export/zones/testzone2:UUID \
    :solaris:shared:R:fixed-configuration
12:testzone3:running:/export/zones/testzone3:UUID \
    :solaris:shared:R:fixed-configuration
13:testzone1:running:/export/zones/testzone1:UUID \
    :solaris:excl:W:fixed-configuration
-:testzone:installed:/export/zones/testzone:UUID \
    :solaris:excl:-:fixed-configuration

Administering an Immutable Zone by Making It Writable

The zoneadm boot subcommand provides two options that allow the global zone administrator to manually boot an immutable zone with either a writable root file system or with a transient writable root file system. The zone is in writable mode only until the next reboot.

-w

Manually boot the zone with a writable root file system.

-W

Manually boot the zone with a transient writable root file system. The system is rebooted automatically when the self-assembly-complete milestone is reached. The reboot places the zone under control of the MWAC policy again. This option is permitted when the zone has an MWAC policy of none.

Both the -W and -w options are ignored for zones that are not immutable zones.

The zlogin command provides the -U option for actions such as editing an immutable file or adding a new package. Use of this option requires the authorization solaris.zone.manage/zonename. This option operates in unsafe mode, where unprotected files can be modified. You use this option for zones with the flexible-configuration MWAC security policy.

Note - These options cannot be used with console login and are ignored for zones that are not immutable zones.