Rights Required to Perform Kernel Zone Migrations

A subset of Zones rights profiles enables a non-root user to perform kernel zone migrations. If you assign one or more of the following profiles to a user in the global zone, the user can migrate all zones on the system:

  • Zone Migration – Enables a zone administrator to perform migration of an installed or running zone.

  • Zone Cold Migration – Enables a zone administrator to perform migration of an installed or suspended zone.

  • Zone Configuration – Enables a zone administrator to configure the target system for a migrating zone.

For information about Zones rights profiles, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones. To assign rights to migrate zones, see the following examples.

Example 5-1 Authorizing a User to Perform All Migrations of an Individual Zone

global1$ pfbash zonecfg -z kzone1
zonecfg:kzone1> add admin
zonecfg:kzone1:admin> set user=jdoe
zonecfg:kzone1:admin> set auths=migrate
zonecfg:kzone1:admin> end
zonecfg:kzone1> commit

Verify the auths and profiles:

global1$ zonecfg -z kzone1 info admin
admin:
        user: jdoe
        auths: migrate
$ auths jdoe
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate/kzone1
$ profiles jdoe
jdoe:
Zone Migration
Basic Solaris User
All

Example 5-2 Authorizing a User to Migrate All Zones on a Host System

global1$ pfbash usermod -P +"Zone Migration" -A +solaris.zone.migrate jdoe

Verify the auths and profiles:

global1$ auths jdoe
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate
global1$ profiles jdoe
jdoe:
Zone Migration
Basic Solaris User
All

Example 5-3 Authorizing a User to Configure Zones on a Host System

On the target system, this example assigns the user jdoe the required profile and authorization to create the zone configuration. The assigned profile enables the user to create, modify, and delete any zone configuration.

global2$ pfbash usermod -P +"Zone Configuration" -A +solaris.zone.config jdoe

Verify the auths and profiles:

global2$ auths jdoe
solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.config
global2$ profiles jdoe
jdoe:
Zone Configuration
Basic Solaris User
All
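
The examples above differ only in the scope of the grant: solaris.zone.migrate/kzone1 is limited to one zone, while the unscoped solaris.zone.migrate covers every zone on the host. The following script is an added example, not part of the Oracle documentation, that classifies that scope from a line of auths output when reviewing least privilege. The helper name zone_auth_scope is hypothetical, and the script assumes that a wildcard entry such as solaris.zone.* also grants the authorization host-wide.

```shell
#!/bin/sh
# Added example: zone_auth_scope is a hypothetical helper, not a Solaris command.
# Usage: zone_auth_scope "<one line of auths output>" <base-authorization>
# Prints: all          unscoped or wildcard grant, covers every zone on the host
#         zones:a,b    grant limited to the named zones (base/zonename form)
#         none         authorization not present
zone_auth_scope() {
    auths_line=$1 base=$2 all=no zones=""
    old_ifs=$IFS; IFS=,
    set -f                          # entries such as solaris.* must not glob
    for entry in $auths_line; do
        case $entry in
            "$base")   all=yes ;;
            "$base"/*) zones=${zones:+$zones,}${entry#"$base"/} ;;
            *\*)       # wildcard entry: host-wide if its prefix covers the base
                       prefix=${entry%\*}
                       case $base in "$prefix"*) all=yes ;; esac ;;
        esac
    done
    set +f; IFS=$old_ifs
    if [ "$all" = yes ]; then echo all
    elif [ -n "$zones" ]; then echo "zones:$zones"
    else echo none
    fi
}

# auths output as shown in Examples 5-1, 5-2 and 5-3 on this page.
ex1='solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate/kzone1'
ex2='solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.migrate'
ex3='solaris.admin.wusb.read,solaris.mail.mailq,solaris.network.autoconf.read,solaris.zone.config'
wild='solaris.mail.mailq,solaris.zone.*'    # constructed sample, not from the page

echo "Example 5-1 migrate: $(zone_auth_scope "$ex1" solaris.zone.migrate)"
echo "Example 5-2 migrate: $(zone_auth_scope "$ex2" solaris.zone.migrate)"
echo "Example 5-3 migrate: $(zone_auth_scope "$ex3" solaris.zone.migrate)"
echo "Example 5-3 config:  $(zone_auth_scope "$ex3" solaris.zone.config)"
echo "Wildcard migrate:    $(zone_auth_scope "$wild" solaris.zone.migrate)"
```

On a live system, pass "$(auths jdoe)" as the first argument instead of the embedded samples.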

For more information about how to assign and manage rights profiles, refer to Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.