1. Creating and Using Oracle Solaris Zones
  2. Configuring and Administering Immutable Zones
  3. Immutable Global Zones
  4. Maintaining an Immutable Global Zone

Maintaining an Immutable Global Zone

The most secure method of maintaining the global zone is by using the trusted path. Trusted path is only available on the console, so ensure that the console is accessible through the ILOM, a serial connection or through the graphical console.

After a system is configured to be immutable, configure the console login with the trusted path. For the procedure, see How to Enable Administrative Access to an Immutable Zone From the Console. After you have configured the console login, the root account cannot log in and administer the zone. You must log in as a user who is authorized to use the trusted path. After logging in, you can then assume a role.

When you run the pkg update command in an immutable global zone, the first boot is read-write. The system needs these permissions to perform the required self-assembly steps. When the self-assembly steps have been performed, the system becomes immutable again.