ZONES(5)              Standards, Environments, and Macros             ZONES(5)



NAME
       zones - Solaris application containers

DESCRIPTION
       The zones facility in Solaris provides an isolated environment for
       running applications. Processes running in a zone are prevented from
       monitoring or interfering with other activity in the system. Access to
       other processes, network interfaces, file systems, devices, and
       interprocess communication facilities is restricted to prevent
       interaction between processes in different zones.


       The privileges available within a zone are restricted to prevent
       operations with system-wide impact. See privileges(5).


       You can configure and administer zones with the zoneadm(1M) and
       zonecfg(1M) utilities. You can specify the configuration details of a
       zone, install file system contents including software packages into
       the zone, and manage the runtime state of the zone. You can use
       zlogin(1) to run commands within an active zone. You can do this
       without logging in through a network-based login server such as
       in.rlogind(1M) or sshd(1M).


       The autobooting of zones is enabled and disabled by the zones service,
       identified by the FMRI:


       svc:/system/zones:default


       See zoneadm(1M). Note that a zone has an autoboot property, which can
       be set to true (always autoboot). However, if the zones service is
       disabled, autoboot will not occur, regardless of the setting of the
       autoboot property for a given zone. See zonecfg(1M).


       An alphanumeric name and numeric ID identify each active zone.
       Alphanumeric names are configured using the zonecfg(1M) utility.
       Numeric IDs are automatically assigned when the zone is booted. The
       zonename(1) utility reports the current zone name, and the zoneadm(1M)
       utility can be used to report the names and IDs of configured zones.


       A zone can be in one of several states:

       CONFIGURED
                        Indicates that the configuration for the zone has been
                        completely specified and committed to stable storage.


       INCOMPLETE
                        Indicates that the zone is in the midst of being
                        installed or uninstalled, or was interrupted in the
                        midst of such a transition.


       INSTALLED
                        Indicates that the zone's configuration has been
                        instantiated on the system: packages have been
                        installed under the zone's root path.


       READY
                        Indicates that the "virtual platform" for the zone has
                        been established. For instance, file systems have been
                        mounted, devices have been configured, but no
                        processes associated with the zone have been started.


       RUNNING
                        Indicates that user processes associated with the zone
                        application environment are running.


       SHUTTING_DOWN
       DOWN
                        Indicates that the zone is being halted. The zone can
                        become stuck in one of these states if it is unable to
                        tear down the application environment state (such as
                        mounted file systems) or if some portion of the
                        virtual platform cannot be destroyed. Such cases
                        require operator intervention.
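
       The following is an added example (Python, not part of this manual
       page or of the zoneadm/zonecfg utilities) that turns the autoboot and
       state rules above into a check. It parses captured output of
       zoneadm list -pc, of svcs -H -o state svc:/system/zones:default and
       of zonecfg -z NAME info autoboot, flags zones sitting in the states
       that need operator intervention, and reports which zones will in fact
       autoboot, separating those whose autoboot property is true but whose
       boot is suppressed because the zones service is not online. The
       command output embedded in the script is constructed, not captured
       from a real host.

```python
"""Inventory zones from captured command output and compute which ones will
actually autoboot. Added example, not part of zones(5); the sample outputs
below are constructed.

Real inputs in practice:
  zoneadm list -pc                            zoneid:zonename:state:zonepath:uuid:brand:ip-type
  svcs -H -o state svc:/system/zones:default  'online', 'disabled', 'maintenance', ...
  zonecfg -z NAME info autoboot               'autoboot: true' or 'autoboot: false'
"""
from dataclasses import dataclass

ZONES_FMRI = "svc:/system/zones:default"
# States in which zones(5) says a zone needs operator intervention.
STUCK_STATES = {"shutting_down", "down", "incomplete"}
# Only an installed zone can be booted; configured/incomplete zones are skipped.
UNBOOTABLE_STATES = {"configured", "incomplete"}


@dataclass
class Zone:
    zoneid: str      # numeric while the zone is booted, '-' otherwise
    name: str
    state: str
    zonepath: str
    uuid: str
    brand: str
    ip_type: str


def parse_zoneadm_list(text):
    """Parse 'zoneadm list -pc' output (colon-separated, one zone per line)."""
    zones = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 7:
            raise ValueError("unexpected zoneadm -p record: %r" % line)
        zones.append(Zone(*fields[:7]))
    return zones


def parse_autoboot(text):
    """Parse the 'autoboot: true|false' line from 'zonecfg -z NAME info autoboot'."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "autoboot":
            return value.strip().lower() == "true"
    return False


def audit(zones, svc_state, autoboot_props):
    """svc_state: state of svc:/system/zones:default; autoboot_props:
    {zonename: bool}. A zone autoboots only if the service is online AND its
    autoboot property is true AND it is installed; a disabled service
    suppresses autoboot regardless of the property, as zones(5) states."""
    stuck, will_boot, suppressed = [], [], []
    for z in zones:
        if z.name == "global":
            continue
        if z.state in STUCK_STATES:
            stuck.append(z.name)
        if autoboot_props.get(z.name, False) and z.state not in UNBOOTABLE_STATES:
            (will_boot if svc_state == "online" else suppressed).append(z.name)
    return {"stuck": stuck, "will_autoboot": will_boot,
            "suppressed_by_service": suppressed}


# Constructed sample of 'zoneadm list -pc' output (not from a real host).
SAMPLE_ZONEADM = """\
0:global:running:/::native:shared
1:web:running:/zones/web:1a2b3c4d-0000-0000-0000-000000000001:native:shared
-:db:installed:/zones/db:1a2b3c4d-0000-0000-0000-000000000002:native:exclusive
-:old:incomplete:/zones/old:1a2b3c4d-0000-0000-0000-000000000003:native:shared
5:batch:shutting_down:/zones/batch:1a2b3c4d-0000-0000-0000-000000000004:native:shared
"""
# Constructed 'zonecfg -z NAME info autoboot' captures, one per zone.
SAMPLE_AUTOBOOT = {"web": "autoboot: true", "db": "autoboot: true",
                   "old": "autoboot: true", "batch": "autoboot: false"}

if __name__ == "__main__":
    zones = parse_zoneadm_list(SAMPLE_ZONEADM)
    props = {name: parse_autoboot(out) for name, out in SAMPLE_AUTOBOOT.items()}
    for svc in ("online", "disabled"):
        print(svc, audit(zones, svc, props))
```

       Run as written, the script evaluates the constructed sample twice,
       once with the zones service online and once disabled, which makes the
       override visible: the same zones move from will_autoboot to
       suppressed_by_service. On a real host, replace the samples with the
       output of the three commands named in the docstring.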


   Process Access Restrictions
       Processes running inside a zone (aside from the global zone) have
       restricted access to other processes. Only processes in the same zone
       are visible through /proc (see proc(4)) or through system call
       interfaces that take process IDs such as kill(2) and priocntl(2).
       Attempts to access processes that exist in other zones (including the
       global zone) fail with the same error code that would be issued if the
       specified process did not exist.
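
       As an added example (not from this manual page), the probe below uses
       kill(2) with signal 0, through Python's os.kill, to show what the
       restriction above looks like from inside a zone. Signal 0 delivers
       nothing; the kernel only performs the lookup and permission check, so
       the errno is the whole answer: a PID in another zone comes back ESRCH,
       exactly as a nonexistent PID does, while EPERM proves the target
       exists and is visible but may not be signalled by the caller.

```python
"""Probe PID visibility from the calling zone with kill(2) and signal 0.
Added example, not part of zones(5).
"""
import os


def probe_pid(pid):
    """Classify a PID as seen from this process.

    'visible'   -> kill(pid, 0) succeeded
    'absent'    -> ESRCH: no such process, OR (inside a non-global zone) the
                   process lives in another zone; zones(5) makes these two
                   cases deliberately indistinguishable
    'protected' -> EPERM: the process exists and is visible, but this caller
                   may not signal it (e.g. a root-owned process when unprivileged)
    """
    if pid <= 0:
        # 0 and negative values address process groups, not one process.
        raise ValueError("pid must be a positive process ID")
    try:
        os.kill(pid, 0)
    except ProcessLookupError:      # errno ESRCH
        return "absent"
    except PermissionError:         # errno EPERM
        return "protected"
    return "visible"


def proc_visible(pid):
    """The same question asked of /proc: in a non-global zone /proc lists
    only the zone's own processes, so this agrees with probe_pid() != 'absent'
    (on Solaris; it also holds on Linux hosts with /proc mounted)."""
    return os.path.isdir("/proc/%d" % pid)


def visible_pids(pids):
    """Filter candidate PIDs down to those this zone can see at all."""
    return [p for p in pids if probe_pid(p) != "absent"]


if __name__ == "__main__":
    me = os.getpid()
    # 2**30 is used as a PID that does not exist on the probing host.
    for pid in (me, 1, 2**30):
        print(pid, probe_pid(pid), "/proc entry:", proc_visible(pid))
```

       Run it from a non-global zone against a PID taken from the global
       zone's process list (ps -e -o zone,pid shows the owning zone of each
       process there): the global-zone PID reports absent. Run the same probe
       in the global zone and that PID reports visible or protected. Because
       absent cannot be told apart from "in another zone", a scanner inside a
       zone learns nothing about the rest of the system, which is the point
       of the restriction.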

   Privilege Restrictions
       Processes running within a non-global zone are restricted to a subset
       of privileges, in order to prevent one zone from being able to perform
       operations that might affect other zones. The set of privileges limits
       the capabilities of privileged users (such as the super-user or root
       user) within the zone. The list of privileges available within a zone
       can be displayed using the ppriv(1) utility. For more information about
       privileges, see privileges(5).
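
       The check below is an added example (not from this manual page or
       from ppriv(1)). It parses the output of ppriv -v $$ run inside a zone,
       where the -v flag expands the limit set L into the zone's actual
       privilege list, and compares L against a list of privileges the
       auditor does not expect to see in a non-global zone. The limit set is
       the ceiling for every process in the zone, root included, so anything
       in it is reachable by a sufficiently privileged program. The ppriv
       capture and the policy list are constructed for the example; the
       policy is an assumption, not the default zone privilege set.

```python
"""Audit the privilege limit set reported by 'ppriv -v $$' inside a zone.
Added example, not part of zones(5). The sample output and the policy list
are constructed; the policy is an auditor's choice, not the zone default set.
"""
import re

# Privileges this example does not expect to find in a non-global zone's
# limit set (an assumed policy; adjust to your environment).
UNEXPECTED_IN_ZONE = {
    "proc_zone",       # act on processes in other zones
    "sys_devices",     # create and control device nodes
    "dtrace_kernel",   # trace the kernel itself
    "sys_net_config",  # IP reconfiguration; legitimate only in exclusive-IP zones
}

# 'ppriv -v' prints one line per set:  "\tE: priv1,priv2,..."
SET_LINE = re.compile(r"^\s*([EIPL]):\s*(.*?)\s*$")


def parse_ppriv(text):
    """Return {'E': set, 'I': set, 'P': set, 'L': set} from ppriv -v output."""
    sets = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)
        if m:
            sets[m.group(1)] = {p.strip() for p in m.group(2).split(",") if p.strip()}
    missing = {"E", "I", "P", "L"} - set(sets)
    if missing:
        raise ValueError("ppriv output lacks privilege set(s): %s" % ",".join(sorted(missing)))
    return sets


def audit_limit_set(sets, ip_type="shared"):
    """Policy-flagged privileges present in the limit set L. sys_net_config
    is expected in an exclusive-IP zone, so it is not reported there."""
    policy = set(UNEXPECTED_IN_ZONE)
    if ip_type == "exclusive":
        policy.discard("sys_net_config")
    return sorted(sets["L"] & policy)


def headroom(sets):
    """Privileges in L that this shell does not hold in E: the set a
    privilege-aware or setuid program inside the zone could still be granted."""
    return sorted(sets["L"] - sets["E"])


# Constructed 'ppriv -v $$' capture from a shell inside a non-global zone.
SAMPLE_PPRIV = """\
1234:\t/usr/bin/bash
flags = <none>
\tE: file_link_any,proc_exec,proc_fork,proc_info,proc_session
\tI: file_link_any,proc_exec,proc_fork,proc_info,proc_session
\tP: file_link_any,proc_exec,proc_fork,proc_info,proc_session
\tL: file_chown,file_dac_read,file_link_any,proc_exec,proc_fork,proc_info,proc_session,proc_zone,sys_mount,sys_net_config
"""

if __name__ == "__main__":
    sets = parse_ppriv(SAMPLE_PPRIV)
    print("flagged (shared-IP):   ", audit_limit_set(sets))
    print("flagged (exclusive-IP):", audit_limit_set(sets, "exclusive"))
    print("headroom above E:      ", headroom(sets))
```

       The zone's limit set is bounded by the limitpriv property in
       zonecfg(1M); a finding from this check therefore points at that
       property (or at the brand's defaults) rather than at any one process.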

   Device Restrictions
       The set of devices available within a zone is restricted, to prevent a
       process in one zone from interfering with processes in other zones. For
       example, a process in a zone should not be able to modify kernel memory
       using /dev/kmem, or modify the contents of the root disk. Thus, by
       default, only a few pseudo devices considered safe for use within a
       zone are available. Additional devices can be made available within
       specific zones using the zonecfg(1M) utility.


       The device and privilege restrictions have a number of effects on the
       utilities that can run in a non-global zone. For example, the
       eeprom(1M), prtdiag(1M), and prtconf(1M) utilities do not work in a
       zone since they rely on devices that are not normally available.

   Brands
       A zone may be assigned a brand when it is initially created. A branded
       zone is one whose software does not match the software found in the
       global zone. The software may include Solaris software configured or
       laid out differently, or it may include non-Solaris software. The
       particular collection of software is called a "brand" (see brands(5)).
       Once installed, a zone's brand may not be changed unless the zone is
       first uninstalled.

   File Systems
       Each zone has its own section of the file system hierarchy, rooted at a
       directory known as the zone root. Processes inside the zone can access
       only files within that part of the hierarchy, that is, files that are
       located beneath the zone root. This prevents processes in one zone from
       corrupting or examining file system data associated with another zone.
       The chroot(1M) utility can be used within a zone, but can only restrict
       the process to a root path accessible within the zone.


       In order to preserve file system space, sections of the file system can
       be mounted into one or more zones using the read-only option of the
       lofs(7FS) file system. This allows the same file system data to be
       shared in multiple zones, while preserving the security guarantees
       supplied by zones.


       NFS and autofs mounts established within a zone are local to that zone;
       they cannot be accessed from other zones, including the global zone.
       The mounts are removed when the zone is halted or rebooted.


       A zone can share file systems using nfs(4) or smb(4), subject to the
       restrictions described earlier in this section and to the additional
       restriction that a zone can only share file systems that it completely
       controls. Some brands(5) do not place the zone root on a file system
       boundary. sharefs(7FS) can be instantiated per zone, subject to the
       brand restrictions.

   Networking
       A zone has its own port number space for TCP, UDP, and SCTP
       applications and typically one or more separate IP addresses (but some
       configurations of Trusted Extensions share IP address(es) between
       zones).


       For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
       can either share the configuration and state with the global zone (a
       shared-IP zone), or have its own distinct IP layer configuration and
       state (an exclusive-IP zone).


       If a zone is to be connected to the same datalink, that is, be on the
       same IP subnet or subnets as the global zone, then it is appropriate
       for the zone to use the shared IP instance.


       If a zone needs to be isolated at the IP layer on the network, for
       instance being connected to different VLANs or different LANs than the
       global zone and other non-global zones, then for isolation reasons the
       zone should be configured as an exclusive-IP zone.


       A shared-IP zone is prevented from doing certain things towards the
       network (such as changing its IP address or sending spoofed IP or
       Ethernet packets), but an exclusive-IP zone has more or less the same
       capabilities towards the network as a separate host that is connected
       to the same network interface. In particular, the superuser in such a
       zone can change its IP address and spoof ARP packets.


       Shared-IP zones are assigned one or more network interface names and
       IP addresses in zonecfg(1M). The network interface name(s) must also
       be configured in the global zone.


       Exclusive-IP zones are assigned one or more network interface names
       in zonecfg(1M). The network interface names must be exclusively
       assigned to that zone, that is, they cannot be assigned to any other
       running zone, nor can they be used by the global zone.


       The full IP-level functionality, in the form of DHCP client, IPsec and
       IP Filter, is available in exclusive-IP zones but not in shared-IP
       zones.
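
       The following added example (not from this manual page or from
       zonecfg(1M)) checks a set of zone network definitions against the two
       assignment rules above: a shared-IP zone's interfaces must also be
       configured in the global zone, and an exclusive-IP zone's interfaces
       may not be used by the global zone or by another zone. zoneadm(1M)
       enforces the exclusive rule only against zones that are running, at
       boot time; this check reports any overlap in the configured plan
       before that. All inputs are constructed; on a real system they come
       from zonecfg -z NAME info ip-type, zonecfg -z NAME info net and the
       global zone's interface list, and the parsers assume the
       "ip-type:" and "physical:" line formats shown in the samples.

```python
"""Validate zone network assignments against the rules in zones(5).
Added example, not part of the manual page or of zonecfg(1M). All inputs
below are constructed; in practice they come from
  zonecfg -z NAME info ip-type   ->  'ip-type: shared' | 'ip-type: exclusive'
  zonecfg -z NAME info net       ->  'net:' blocks with a 'physical: LINK' line
  ifconfig -a (global zone)      ->  interfaces configured in the global zone
"""
from collections import defaultdict


def parse_zonecfg_value(text, key):
    """Return the value of a 'key: value' line from zonecfg info output."""
    for line in text.splitlines():
        k, _, v = line.strip().partition(":")
        if k.strip() == key:
            return v.strip()
    return None


def parse_zonecfg_net(text):
    """Collect the 'physical:' link of every net resource in 'info net' output."""
    return [line.strip().partition(":")[2].strip()
            for line in text.splitlines()
            if line.strip().startswith("physical:")]


def check_network_plan(zones, global_links):
    """zones: {name: {'ip_type': 'shared'|'exclusive', 'links': [...]}}
    global_links: interface names configured in the global zone.
    Returns (zone, problem) findings ordered by zone name."""
    owners = defaultdict(set)          # link -> zones whose config names it
    for name, cfg in zones.items():
        for link in cfg["links"]:
            owners[link].add(name)
    findings = []
    for name, cfg in sorted(zones.items()):
        for link in cfg["links"]:
            if cfg["ip_type"] == "shared":
                # Shared-IP: the interface must exist in the global zone.
                if link not in global_links:
                    findings.append((name, "shared-IP interface %s is not configured in the global zone" % link))
            elif cfg["ip_type"] == "exclusive":
                # Exclusive-IP: nobody else, global zone included, may use the link.
                if link in global_links:
                    findings.append((name, "exclusive-IP link %s is in use by the global zone" % link))
                others = sorted(owners[link] - {name})
                if others:
                    findings.append((name, "exclusive-IP link %s is also assigned to %s" % (link, ",".join(others))))
            else:
                findings.append((name, "unknown ip-type %r" % cfg["ip_type"]))
    return findings


# Constructed samples (not captured from a real host).
SAMPLE_NET_OUTPUT = """\
net:
\taddress: 10.0.0.5/24
\tphysical: e1000g0
\tdefrouter not specified
"""
GLOBAL_LINKS = {"e1000g0", "e1000g1"}
ZONES = {
    "web": {"ip_type": "shared",    "links": ["e1000g0"]},  # ok
    "db":  {"ip_type": "exclusive", "links": ["e1000g2"]},  # clashes with 'bad'
    "dmz": {"ip_type": "exclusive", "links": ["e1000g1"]},  # global zone uses it
    "bad": {"ip_type": "exclusive", "links": ["e1000g2"]},  # clashes with 'db'
    "lab": {"ip_type": "shared",    "links": ["e1000g3"]},  # not in global zone
}

if __name__ == "__main__":
    for zone, problem in check_network_plan(ZONES, GLOBAL_LINKS):
        print("%s: %s" % (zone, problem))
```

       A clean report is not an isolation guarantee. As the text above
       notes, the superuser in an exclusive-IP zone can change the zone's
       address and spoof ARP, so anything else on an exclusive-IP zone's
       link, the global zone included, should treat that zone as a separate
       and untrusted host on the same wire.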

   Host Identifiers
       A zone is capable of emulating a 32-bit host identifier, which can be
       configured via zonecfg(1M), for the purpose of system consolidation. If
       a zone emulates a host identifier, then commands such as hostid(1) and
       sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
       that are executed within the context of the zone will display or return
       the zone's emulated host identifier rather than the host machine's
       identifier.

SEE ALSO
       hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
       sysdef(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2), sysinfo(2),
       gethostid(3C), getzoneid(3C), ucred_get(3C), nfs(4), proc(4), smb(4),
       attributes(5), brands(5), privileges(5), sharefs(7FS), crgetzoneid(9F)



                               January 29, 2009                       ZONES(5)