12278 nfs-zone needs man page changes
Reviewed by: Peter Tribble <peter.tribble@gmail.com>
Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>


 134        Each zone has its own section of the file system hierarchy, rooted at a
 135        directory known as the zone root. Processes inside the zone can access
 136        only files within that part of the hierarchy, that is, files that are
 137        located beneath the zone root. This prevents processes in one zone from
 138        corrupting or examining file system data associated with another zone.
 139        The chroot(1M) utility can be used within a zone, but can only restrict
 140        the process to a root path accessible within the zone.
 141 
 142 
 143        In order to preserve file system space, sections of the file system can
 144        be mounted into one or more zones using the read-only option of the
 145        lofs(7FS) file system. This allows the same file system data to be
 146        shared in multiple zones, while preserving the security guarantees
 147        supplied by zones.
 148 
 149 
 150        NFS and autofs mounts established within a zone are local to that zone;
 151        they cannot be accessed from other zones, including the global zone.
 152        The mounts are removed when the zone is halted or rebooted.
 153 
 154    Networking
 155        A zone has its own port number space for TCP, UDP, and SCTP
 156        applications and typically one or more separate IP addresses (but some
 157        configurations of Trusted Extensions share IP address(es) between
 158        zones).
 159 
 160 
 161        For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
 162        can either share the configuration and state with the global zone (a
 163        shared-IP zone), or have its distinct IP layer configuration and state
 164        (an exclusive-IP zone).
 165 
 166 
 167        If a zone is to be connected to the same datalink, that is, be on the
 168        same IP subnet or subnets as the global zone, then it is appropriate
 169        for the zone to use the shared IP instance.
 170 
 171 
 172        If a zone needs to be isolated at the IP layer on the network, for
 173        instance being connected to different VLANs or different LANs than the


 193        assigned to that zone, that is, it (or they) can not be assigned to
 194        some other running zone, nor can they be used by the global zone.
 195 
 196 
 197        The full IP-level functionality in the form of DHCP client, IPsec and
 198        IP Filter, is available in exclusive-IP zones and not in shared-IP
 199        zones.
 200 
 201    Host Identifiers
 202        A zone is capable of emulating a 32-bit host identifier, which can be
 203        configured via zonecfg(1M), for the purpose of system consolidation. If
 204        a zone emulates a host identifier, then commands such as hostid(1) and
 205        sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
 206        that are executed within the context of the zone will display or return
 207        the zone's emulated host identifier rather than the host machine's
 208        identifier.
 209 
 210 SEE ALSO
 211        hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
 212        sysdef(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2), sysinfo(2),
 213        gethostid(3C), getzoneid(3C), ucred_get(3C), proc(4), attributes(5),
 214        brands(5), privileges(5), crgetzoneid(9F)
 215 
 216 
 217 
 218                                January 29, 2009                       ZONES(5)


 134        Each zone has its own section of the file system hierarchy, rooted at a
 135        directory known as the zone root. Processes inside the zone can access
 136        only files within that part of the hierarchy, that is, files that are
 137        located beneath the zone root. This prevents processes in one zone from
 138        corrupting or examining file system data associated with another zone.
 139        The chroot(1M) utility can be used within a zone, but can only restrict
 140        the process to a root path accessible within the zone.
 141 
 142 
 143        In order to preserve file system space, sections of the file system can
 144        be mounted into one or more zones using the read-only option of the
 145        lofs(7FS) file system. This allows the same file system data to be
 146        shared in multiple zones, while preserving the security guarantees
 147        supplied by zones.
 148 
 149 
 150        NFS and autofs mounts established within a zone are local to that zone;
 151        they cannot be accessed from other zones, including the global zone.
 152        The mounts are removed when the zone is halted or rebooted.
 153 
 154 
 155        A zone can share filesystems using nfs(4) or smb(4) subject to the
 156        restrictions earlier in this section, plus the additional restriction
 157        that file sharing can only be done from filesystems a zone completely
 158        controls. Some brands(5) do not have the zone root set to a filesystem
 159        boundary.  sharefs(7FS) can instantiate per-zone subject to the brand
 160        restrictions.
 161 
 162    Networking
 163        A zone has its own port number space for TCP, UDP, and SCTP
 164        applications and typically one or more separate IP addresses (but some
 165        configurations of Trusted Extensions share IP address(es) between
 166        zones).
 167 
 168 
 169        For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
 170        can either share the configuration and state with the global zone (a
 171        shared-IP zone), or have its distinct IP layer configuration and state
 172        (an exclusive-IP zone).
 173 
 174 
 175        If a zone is to be connected to the same datalink, that is, be on the
 176        same IP subnet or subnets as the global zone, then it is appropriate
 177        for the zone to use the shared IP instance.
 178 
 179 
 180        If a zone needs to be isolated at the IP layer on the network, for
 181        instance being connected to different VLANs or different LANs than the
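Review bot: the closing sentence of the new file-sharing paragraph, "sharefs(7FS) can instantiate per-zone subject to the brand restrictions", is missing its object and reads as a fragment; suggest "sharefs(7FS) can be instantiated per-zone, subject to the same brand restrictions." The same paragraph notes that some brands(5) do not place the zone root on a filesystem boundary but stops short of saying what follows for those brands, even though the preceding sentence makes "a filesystem a zone completely controls" the precondition for sharing; spell out the consequence so the reader does not have to infer it. Minor: the paragraph writes "filesystems" as one word while the rest of the page uses "file system"; pick one spelling.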


 201        assigned to that zone, that is, it (or they) can not be assigned to
 202        some other running zone, nor can they be used by the global zone.
 203 
 204 
 205        The full IP-level functionality in the form of DHCP client, IPsec and
 206        IP Filter, is available in exclusive-IP zones and not in shared-IP
 207        zones.
 208 
 209    Host Identifiers
 210        A zone is capable of emulating a 32-bit host identifier, which can be
 211        configured via zonecfg(1M), for the purpose of system consolidation. If
 212        a zone emulates a host identifier, then commands such as hostid(1) and
 213        sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
 214        that are executed within the context of the zone will display or return
 215        the zone's emulated host identifier rather than the host machine's
 216        identifier.
 217 
 218 SEE ALSO
 219        hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
 220        sysdef(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2), sysinfo(2),
 221        gethostid(3C), getzoneid(3C), ucred_get(3C), nfs(4), proc(4), smb(4),
 222        attributes(5), brands(5), privileges(5), sharefs(7FS), crgetzoneid(9F)
 223 
 224 
 225 
 226                                January 29, 2009                       ZONES(5)
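Review bot: the footer on the last line still reads "January 29, 2009" although this revision adds a new paragraph and new cross-references to SEE ALSO; bump the page date so the rendered footer reflects the change. The SEE ALSO additions (nfs(4), smb(4), sharefs(7FS)) match the references introduced in the new paragraph and keep the existing section ordering, which is fine.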