zones(5)              Standards, Environments, and Macros             zones(5)

NAME

       zones - Solaris application containers

DESCRIPTION

       The zones facility in Solaris provides an isolated environment for
       running applications. Processes running in a zone are prevented from
       monitoring or interfering with other activity in the system. Access to
       other processes, network interfaces, file systems, devices, and
       inter-process communication facilities is restricted to prevent
       interaction between processes in different zones.

       The privileges available within a zone are restricted to prevent
       operations with system-wide impact. See privileges(5).

       You can configure and administer zones with the zoneadm(1M) and
       zonecfg(1M) utilities. You can specify the configuration details of a
       zone, install file system contents including software packages into
       the zone, and manage the runtime state of the zone. You can use
       zlogin(1) to run commands within an active zone. You can do this
       without logging in through a network-based login server such as
       in.rlogind(1M) or sshd(1M).

       The autobooting of zones is enabled and disabled by the zones service,
       identified by the FMRI:

       svc:/system/zones:default

       See zoneadm(1M). Note that a zone has an autoboot property, which can
       be set to true (always autoboot). However, if the zones service is
       disabled, autoboot will not occur, regardless of the setting of the
       autoboot property for a given zone. See zonecfg(1M).

       An alphanumeric name and numeric ID identify each active zone.
       Alphanumeric names are configured using the zonecfg(1M) utility.
       Numeric IDs are automatically assigned when the zone is booted. The
       zonename(1) utility reports the current zone name, and the zoneadm(1M)
       utility can be used to report the names and IDs of configured zones.

       A zone can be in one of several states:

       CONFIGURED       Indicates that the configuration for the zone has been
                        completely specified and committed to stable storage.

       INCOMPLETE       Indicates that the zone is in the midst of being
                        installed or uninstalled, or was interrupted in the
                        midst of such a transition.

       INSTALLED        Indicates that the zone's configuration has been
                        instantiated on the system: packages have been
                        installed under the zone's root path.

       READY            Indicates that the "virtual platform" for the zone has
                        been established. For instance, file systems have been
                        mounted, devices have been configured, but no
                        processes associated with the zone have been started.

       RUNNING          Indicates that user processes associated with the zone
                        application environment are running.

       SHUTTING_DOWN    Indicates that the zone is being halted. The zone can
       DOWN             become stuck in one of these states if it is unable to
                        tear down the application environment state (such as
                        mounted file systems) or if some portion of the
                        virtual platform cannot be destroyed. Such cases
                        require operator intervention.

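       An added example, not part of the original manual page: a Python
       check that reads `zoneadm list -cp` output (colon-delimited fields as
       documented in zoneadm(1M)) and reports zones sitting in the
       INCOMPLETE, SHUTTING_DOWN or DOWN states described above. The
       function names and the sample listing are constructed for this example.

```python
import re

# Fields of one `zoneadm list -cp` record, per zoneadm(1M).
FIELDS = ("zoneid", "zonename", "state", "zonepath", "uuid", "brand", "ip_type")

# States from the list above that should not persist on a healthy system.
ATTENTION = {
    "incomplete": "install or uninstall in progress or interrupted",
    "shutting_down": "halt has not finished tearing the zone down",
    "down": "halt has not finished tearing the zone down",
}

def parse_record(line):
    """Split a colon-delimited record; a literal ':' in zonepath is '\\:'."""
    parts = [p.replace("\\:", ":") for p in re.split(r"(?<!\\):", line.strip())]
    parts += [""] * (len(FIELDS) - len(parts))  # tolerate shorter records
    return dict(zip(FIELDS, parts))

def zones_needing_attention(listing):
    """Return (zonename, state, reason) for zones in a transitional state."""
    findings = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        zone = parse_record(line)
        reason = ATTENTION.get(zone["state"].lower())
        if reason:
            findings.append((zone["zonename"], zone["state"], reason))
    return findings

# Constructed sample listing (uuid fields left empty), not from a real system.
SAMPLE_LISTING = r"""
0:global:running:/::native:shared
2:web1:running:/zones/web1::native:shared
4:batch:shutting_down:/zones/batch::native:shared
-:olddb:incomplete:/zones/old\:db::native:shared
-:spare:configured:/zones/spare::native:shared
"""

if __name__ == "__main__":
    for finding in zones_needing_attention(SAMPLE_LISTING):
        print(finding)
```

       Feed it the output of `zoneadm list -cp` from the global zone. A zone
       that stays in one of these states across several polls is the case
       that needs operator intervention.
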
   Process Access Restrictions
       Processes running inside a zone (aside from the global zone) have
       restricted access to other processes. Only processes in the same zone
       are visible through /proc (see proc(4)) or through system call
       interfaces that take process IDs, such as kill(2) and priocntl(2).
       Attempts to access processes that exist in other zones (including the
       global zone) fail with the same error code that would be issued if the
       specified process did not exist.

   Privilege Restrictions
       Processes running within a non-global zone are restricted to a subset
       of privileges, in order to prevent one zone from being able to perform
       operations that might affect other zones. The set of privileges limits
       the capabilities of privileged users (such as the super-user or root
       user) within the zone. The list of privileges available within a zone
       can be displayed using the ppriv(1) utility. For more information about
       privileges, see privileges(5).

   Device Restrictions
       The set of devices available within a zone is restricted, to prevent a
       process in one zone from interfering with processes in other zones. For
       example, a process in a zone should not be able to modify kernel memory
       using /dev/kmem, or modify the contents of the root disk. Thus, by
       default, only a few pseudo devices considered safe for use within a
       zone are available. Additional devices can be made available within
       specific zones using the zonecfg(1M) utility.

       The device and privilege restrictions have a number of effects on the
       utilities that can run in a non-global zone. For example, the
       eeprom(1M), prtdiag(1M), and prtconf(1M) utilities do not work in a
       zone since they rely on devices that are not normally available.

   Brands
       A zone may be assigned a brand when it is initially created. A branded
       zone is one whose software does not match the software found in the
       global zone. The software may include Solaris software configured or
       laid out differently, or it may include non-Solaris software. The
       particular collection of software is called a "brand" (see brands(5)).
       Once installed, a zone's brand may not be changed unless the zone is
       first uninstalled.

   File Systems
       Each zone has its own section of the file system hierarchy, rooted at a
       directory known as the zone root. Processes inside the zone can access
       only files within that part of the hierarchy, that is, files that are
       located beneath the zone root. This prevents processes in one zone from
       corrupting or examining file system data associated with another zone.
       The chroot(1M) utility can be used within a zone, but can only restrict
       the process to a root path accessible within the zone.

       In order to preserve file system space, sections of the file system can
       be mounted into one or more zones using the read-only option of the
       lofs(7FS) file system. This allows the same file system data to be
       shared in multiple zones, while preserving the security guarantees
       supplied by zones.

       NFS and autofs mounts established within a zone are local to that zone;
       they cannot be accessed from other zones, including the global zone.
       The mounts are removed when the zone is halted or rebooted.

   Networking
       A zone has its own port number space for TCP, UDP, and SCTP
       applications and typically one or more separate IP addresses (but some
       configurations of Trusted Extensions share IP address(es) between
       zones).

       For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
       can either share the configuration and state with the global zone (a
       shared-IP zone), or have its own distinct IP layer configuration and
       state (an exclusive-IP zone).

       If a zone is to be connected to the same datalink, that is, be on the
       same IP subnet or subnets as the global zone, then it is appropriate
       for the zone to use the shared IP instance.

       If a zone needs to be isolated at the IP layer on the network, for
       instance being connected to different VLANs or different LANs than the
       global zone and other non-global zones, then for isolation reasons the
       zone should have its own exclusive IP instance.

       A shared-IP zone is prevented from doing certain things towards the
       network (such as changing its IP address or sending spoofed IP or
       Ethernet packets), but an exclusive-IP zone has more or less the same
       capabilities towards the network as a separate host that is connected
       to the same network interface. In particular, the superuser in such a
       zone can change its IP address and spoof ARP packets.

       The shared-IP zones are assigned one or more network interface names
       and IP addresses in zonecfg(1M). The network interface name(s) must
       also be configured in the global zone.

       The exclusive-IP zones are assigned one or more network interface names
       in zonecfg(1M). The network interface names must be exclusively
       assigned to that zone, that is, they cannot be assigned to some other
       running zone, nor can they be used by the global zone.

       The full IP-level functionality, in the form of DHCP client, IPsec and
       IP Filter, is available in exclusive-IP zones and not in shared-IP
       zones.

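       An added example, not part of the original manual page: a Python
       audit over `zonecfg -z ZONE export` output that reports the settings
       which the Device Restrictions and Networking sections describe as
       widening a zone's reach (added device resources and ip-type=exclusive).
       The RISKY_DEVICES globs, the function names, the shared-IP default and
       the sample configuration are assumptions of this example.

```python
import fnmatch

# /dev/kmem and the root disk are the page's own examples of devices a zone
# must not reach; the exact glob list below is this example's assumption.
RISKY_DEVICES = ["/dev/kmem", "/dev/mem", "/dev/dsk/*", "/dev/rdsk/*"]

def parse_export(text):
    """Parse `zonecfg -z ZONE export` text into (global props, resources)."""
    props, resources, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("add ") and current is None:
            current = {"_type": line.split()[1]}       # e.g. net, device, fs
        elif line == "end" and current is not None:
            resources.append(current)
            current = None
        elif line.startswith("set ") and "=" in line:
            key, value = line[4:].split("=", 1)
            target = props if current is None else current
            target[key.strip()] = value.strip().strip('"')
    return props, resources

def audit(text):
    """Return review findings for one zone's exported configuration."""
    props, resources = parse_export(text)
    findings = []
    if props.get("ip-type", "shared") == "exclusive":  # assumed default: shared
        findings.append("exclusive-IP: zone superuser can change IP and spoof ARP")
    for res in resources:
        if res["_type"] != "device":
            continue
        match = res.get("match", "")
        # Compare both ways so a broad match such as /dev/* is also caught.
        risky = any(fnmatch.fnmatch(match, pat) or fnmatch.fnmatch(pat, match)
                    for pat in RISKY_DEVICES)
        findings.append(("risky device: " if risky else "extra device: ") + match)
    return findings

# Constructed sample in the export command-file layout, not from a real system.
SAMPLE_EXPORT = """\
create -b
set zonepath=/zones/web1
set ip-type=exclusive
add device
set match=/dev/kmem
end
add device
set match=/dev/sound/*
end
"""
```

       Run it from the global zone over the export of each configured zone
       and review every finding against the zone's intended purpose.
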
   Host Identifiers
       A zone is capable of emulating a 32-bit host identifier, which can be
       configured via zonecfg(1M), for the purpose of system consolidation. If
       a zone emulates a host identifier, then commands such as hostid(1) and
       sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
       that are executed within the context of the zone will display or return
       the zone's emulated host identifier rather than the host machine's
       identifier.

ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWcsu                      │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
       sysdef(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2),
       sysinfo(2), gethostid(3C), getzoneid(3C), ucred_get(3C), proc(4),
       attributes(5), brands(5), privileges(5), crgetzoneid(9F)

SunOS 5.11                        29 Jan 2009                         zones(5)