1zones(5) Standards, Environments, and Macros zones(5)
2
6 zones - Solaris application containers
7
9 The zones facility in Solaris provides an isolated environment for run‐
10 ning applications. Processes running in a zone are prevented from moni‐
11 toring or interfering with other activity in the system. Access to
12 other processes, network interfaces, file systems, devices, and inter-
13 process communication facilities are restricted to prevent interaction
14 between processes in different zones.
15 The privileges available within a zone are restricted to prevent opera‐
18 tions with system-wide impact. See privileges(5).
19 You can configure and administer zones with the zoneadm(1M) and
22 zonecfg(1M) utilities. You can specify the configuration details a
23 zone, install file system contents including software packages into the
24 zone, and manage the runtime state of the zone. You can use the zlo‐
25 gin(1) to run commands within an active zone. You can do this without
26 logging in through a network-based login server such as in.rlogind(1M)
27 or sshd(1M).
28 The autobooting of zones is enabled and disabled by the zones service,
31 identified by the FMRI:
32 svc:/system/zones:default
35 See zoneadm(1M). Note that a zone has an autoboot property, which can
38 be set to true (always autoboot). However, if the zones service is dis‐
39 abled, autoboot will not occur, regardless of the setting of the auto‐
40 boot property for a given zone. See zonecfg(1M).
41 An alphanumeric name and numeric ID identify each active zone. Alphanu‐
44 meric names are configured using the zonecfg(1M) utility. Numeric IDs
45 are automatically assigned when the zone is booted. The zonename(1)
46 utility reports the current zone name, and the zoneadm(1M) utility can
47 be used to report the names and IDs of configured zones.
48 A zone can be in one of several states:
51 CONFIGURED Indicates that the configuration for the zone has been
53 completely specified and committed to stable storage.
54 INCOMPLETE Indicates that the zone is in the midst of being
57 installed or uninstalled, or was interrupted in the
58 midst of such a transition.
59 INSTALLED Indicates that the zone's configuration has been
62 instantiated on the system: packages have been
63 installed under the zone's root path.
64 READY Indicates that the "virtual platform" for the zone has
67 been established. For instance, file systems have been
68 mounted, devices have been configured, but no pro‐
69 cesses associated with the zone have been started.
70 RUNNING Indicates that user processes associated with the zone
73 application environment are running.
74 SHUTTING_DOWN Indicates that the zone is being halted. The zone can
77 DOWN become stuck in one of these states if it is unable to
78 tear down the application environment state (such as
79 mounted file systems) or if some portion of the vir‐
80 tual platform cannot be destroyed. Such cases require
81 operator intervention.
82 Process Access Restrictions
85 Processes running inside a zone (aside from the global zone) have
86 restricted access to other processes. Only processes in the same zone
87 are visible through /proc (see proc(4) or through system call inter‐
88 faces that take process IDs such as kill(2) and priocntl(2). Attempts
89 to access processes that exist in other zones (including the global
90 zone) fail with the same error code that would be issued if the speci‐
91 fied process did not exist.
92 Privilege Restrictions
94 Processes running within a non-global zone are restricted to a subset
95 of privileges, in order to prevent one zone from being able to perform
96 operations that might affect other zones. The set of privileges limits
97 the capabilities of privileged users (such as the super-user or root
98 user) within the zone. The list of privileges available within a zone
99 can be displayed using the ppriv(1) utility. For more information about
100 privileges, see privileges(5).
101 Device Restrictions
103 The set of devices available within a zone is restricted, to prevent a
104 process in one zone from interfering with processes in other zones. For
105 example, a process in a zone should not be able to modify kernel memory
106 using /dev/kmem, or modify the contents of the root disk. Thus, by
107 default, only a few pseudo devices considered safe for use within a
108 zone are available. Additional devices can be made available within
109 specific zones using the zonecfg(1M) utility.
110 The device and privilege restrictions have a number of effects on the
113 utilities that can run in a non-global zone. For example, the eep‐
114 rom(1M), prtdiag(1M), and prtconf(1M) utilities do not work in a zone
115 since they rely on devices that are not normally available.
116 Brands
118 A zone may be assigned a brand when it is initially created. A branded
119 zone is one whose software does not match that software found in the
120 global zone. The software may include Solaris software configured or
121 laid out differently, or it may include non-Solaris software. The par‐
122 ticular collection of software is called a "brand" (see brands(5)).
123 Once installed, a zone's brand may not be changed unless the zone is
124 first uninstalled.
125 File Systems
127 Each zone has its own section of the file system hierarchy, rooted at a
128 directory known as the zone root. Processes inside the zone can access
129 only files within that part of the hierarchy, that is, files that are
130 located beneath the zone root. This prevents processes in one zone from
131 corrupting or examining file system data associated with another zone.
132 The chroot(1M) utility can be used within a zone, but can only restrict
133 the process to a root path accessible within the zone.
134 In order to preserve file system space, sections of the file system can
137 be mounted into one or more zones using the read-only option of the
138 lofs(7FS) file system. This allows the same file system data to be
139 shared in multiple zones, while preserving the security guarantees sup‐
140 plied by zones.
141 NFS and autofs mounts established within a zone are local to that zone;
144 they cannot be accessed from other zones, including the global zone.
145 The mounts are removed when the zone is halted or rebooted.
146 Networking
148 A zone has its own port number space for TCP, UDP, and SCTP applica‐
149 tions and typically one or more separate IP addresses (but some config‐
150 urations of Trusted Extensions share IP address(es) between zones).
151 For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
154 can either share the configuration and state with the global zone (a
155 shared-IP zone), or have its distinct IP layer configuration and state
156 (an exclusive-IP zone).
157 If a zone is to be connected to the same datalink, that is, be on the
160 same IP subnet or subnets as the global zone, then it is appropriate
161 for the zone to use the shared IP instance.
162 If a zone needs to be isolated at the IP layer on the network, for
165 instance being connected to different VLANs or different LANs than the
166 global zone and other non-global zones, then for isolation reasons the
167 zone should have its exclusive IP.
168 A shared-IP zone is prevented from doing certain things towards the
171 network (such as changing its IP address or sending spoofed IP or Eth‐
172 ernet packets), but an exclusive-IP zone has more or less the same
173 capabilities towards the network as a separate host that is connected
174 to the same network interface. In particular, the superuser in such a
175 zone can change its IP address and spoof ARP packets.
176 The shared-IP zones are assigned one or more network interface names
179 and IP addresses in zonecfg(1M). The network interface name(s) must
180 also be configured in the global zone.
181 The exclusive-IP zones are assigned one or more network interface names
184 in zonecfg(1M). The network interface names must be exclusively
185 assigned to that zone, that is, it (or they) can not be assigned to
186 some other running zone, nor can they be used by the global zone.
187 The full IP-level functionality in the form of DHCP client, IPsec and
190 IP Filter, is available in exclusive-IP zones and not in shared-IP
191 zones.
192 Host Identifiers
194 A zone is capable of emulating a 32-bit host identifier, which can be
195 configured via zonecfg(1M), for the purpose of system consolidation. If
196 a zone emulates a host identifier, then commands such as hostid(1) and
197 sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
198 that are executed within the context of the zone will display or return
199 the zone's emulated host identifier rather than the host machine's
200 identifier.
201
203 See attributes(5) for descriptions of the following attributes:
204 ┌─────────────────────────────┬─────────────────────────────┐
209 │ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
210 ├─────────────────────────────┼─────────────────────────────┤
211 │Availability │SUNWcsu │
212 └─────────────────────────────┴─────────────────────────────┘
213
215 hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M), sys‐
216 def(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2), sysinfo(2),
217 gethostid(3C), getzoneid(3C), ucred_get(3C), proc(4), attributes(5),
218 brands(5), privileges(5), crgetzoneid(9F)
219SunOS 5.11 29 Jan 2009 zones(5)