1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .TH ZONES 5 "Jan 29, 2009"
7 .SH NAME
8 zones \- Solaris application containers
9 .SH DESCRIPTION
10 .sp
11 .LP
12 The zones facility in Solaris provides an isolated environment for running
13 applications. Processes running in a zone are prevented from monitoring or
14 interfering with other activity in the system. Access to other processes,
15 network interfaces, file systems, devices, and inter-process communication
16 facilities are restricted to prevent interaction between processes in different
17 zones.
18 .sp
19 .LP
20 The privileges available within a zone are restricted to prevent operations
21 with system-wide impact. See \fBprivileges\fR(5).
22 .sp
23 .LP
24 You can configure and administer zones with the \fBzoneadm\fR(1M) and
25 \fBzonecfg\fR(1M) utilities. You can specify the configuration details a zone,
26 install file system contents including software packages into the zone, and
27 manage the runtime state of the zone. You can use the \fBzlogin\fR(1) to run
28 commands within an active zone. You can do this without logging in through a
29 network-based login server such as \fBin.rlogind\fR(1M) or \fBsshd\fR(1M).
30 .sp
31 .LP
101 are running.
102 .RE
103
104 .sp
105 .ne 2
106 .na
107 \fB\fBSHUTTING_DOWN\fR\fR
108 .ad
109 .br
110 .na
111 \fB\fBDOWN\fR\fR
112 .ad
113 .RS 17n
114 Indicates that the zone is being halted. The zone can become stuck in one of
115 these states if it is unable to tear down the application environment state
116 (such as mounted file systems) or if some portion of the virtual platform
117 cannot be destroyed. Such cases require operator intervention.
118 .RE
119
120 .SS "Process Access Restrictions"
121 .sp
122 .LP
123 Processes running inside a zone (aside from the global zone) have restricted
124 access to other processes. Only processes in the same zone are visible through
125 \fB/proc\fR (see \fBproc\fR(4) or through system call interfaces that take
126 process IDs such as \fBkill\fR(2) and \fBpriocntl\fR(2). Attempts to access
127 processes that exist in other zones (including the global zone) fail with the
128 same error code that would be issued if the specified process did not exist.
129 .SS "Privilege Restrictions"
130 .sp
131 .LP
132 Processes running within a non-global zone are restricted to a subset of
133 privileges, in order to prevent one zone from being able to perform operations
134 that might affect other zones. The set of privileges limits the capabilities of
135 privileged users (such as the super-user or root user) within the zone. The
136 list of privileges available within a zone can be displayed using the
137 \fBppriv\fR(1) utility. For more information about privileges, see
138 \fBprivileges\fR(5).
139 .SS "Device Restrictions"
140 .sp
141 .LP
142 The set of devices available within a zone is restricted, to prevent a process
143 in one zone from interfering with processes in other zones. For example, a
144 process in a zone should not be able to modify kernel memory using
145 \fB/dev/kmem\fR, or modify the contents of the root disk. Thus, by default,
146 only a few pseudo devices considered safe for use within a zone are available.
147 Additional devices can be made available within specific zones using the
148 \fBzonecfg\fR(1M) utility.
149 .sp
150 .LP
151 The device and privilege restrictions have a number of effects on the utilities
152 that can run in a non-global zone. For example, the \fBeeprom\fR(1M),
153 \fBprtdiag\fR(1M), and \fBprtconf\fR(1M) utilities do not work in a zone since
154 they rely on devices that are not normally available.
155 .SS "Brands"
156 .sp
157 .LP
158 A zone may be assigned a brand when it is initially created. A branded zone is
159 one whose software does not match that software found in the global zone. The
160 software may include Solaris software configured or laid out differently, or it
161 may include non-Solaris software. The particular collection of software is
162 called a "brand" (see \fBbrands\fR(5)). Once installed, a zone's brand may not
163 be changed unless the zone is first uninstalled.
164 .SS "File Systems"
165 .sp
166 .LP
167 Each zone has its own section of the file system hierarchy, rooted at a
168 directory known as the zone root. Processes inside the zone can access only
169 files within that part of the hierarchy, that is, files that are located
170 beneath the zone root. This prevents processes in one zone from corrupting or
171 examining file system data associated with another zone. The \fBchroot\fR(1M)
172 utility can be used within a zone, but can only restrict the process to a root
173 path accessible within the zone.
174 .sp
175 .LP
176 In order to preserve file system space, sections of the file system can be
177 mounted into one or more zones using the read-only option of the
178 \fBlofs\fR(7FS) file system. This allows the same file system data to be shared
179 in multiple zones, while preserving the security guarantees supplied by zones.
180 .sp
181 .LP
182 NFS and autofs mounts established within a zone are local to that zone; they
183 cannot be accessed from other zones, including the global zone. The mounts are
184 removed when the zone is halted or rebooted.
185 .SS "Networking"
186 .sp
187 .LP
188 A zone has its own port number space for \fBTCP\fR, \fBUDP\fR, and \fBSCTP\fR
189 applications and typically one or more separate \fBIP\fR addresses (but some
190 configurations of Trusted Extensions share IP address(es) between zones).
191 .sp
192 .LP
193 For the \fBIP\fR layer (\fBIP\fR routing, \fBARP\fR, \fBIPsec\fR, \fBIP\fR
194 Filter, and so on) a zone can either share the configuration and state with the
195 global zone (a shared-\fBIP\fR zone), or have its distinct \fBIP\fR layer
196 configuration and state (an exclusive-\fBIP\fR zone).
197 .sp
198 .LP
199 If a zone is to be connected to the same datalink, that is, be on the same
200 \fBIP\fR subnet or subnets as the global zone, then it is appropriate for the
201 zone to use the shared \fBIP\fR instance.
202 .sp
203 .LP
204 If a zone needs to be isolated at the \fBIP\fR layer on the network, for
205 instance being connected to different \fBVLAN\fRs or different \fBLAN\fRs than
206 the global zone and other non-global zones, then for isolation reasons the zone
207 should have its exclusive \fBIP\fR.
213 capabilities towards the network as a separate host that is connected to the
214 same network interface. In particular, the superuser in such a zone can change
215 its \fBIP\fR address and spoof \fBARP\fR packets.
216 .sp
217 .LP
218 The shared-\fBIP\fR zones are assigned one or more network interface names and
219 \fBIP\fR addresses in \fBzonecfg\fR(1M). The network interface name(s) must
220 also be configured in the global zone.
221 .sp
222 .LP
223 The exclusive-\fBIP\fR zones are assigned one or more network interface names
224 in \fBzonecfg\fR(1M). The network interface names must be exclusively assigned
225 to that zone, that is, it (or they) can not be assigned to some other running
226 zone, nor can they be used by the global zone.
227 .sp
228 .LP
229 The full \fBIP\fR-level functionality in the form of \fBDHCP\fR client,
230 \fBIPsec\fR and \fBIP\fR Filter, is available in exclusive-\fBIP\fR zones and
231 not in shared-\fBIP\fR zones.
232 .SS "Host Identifiers"
233 .sp
234 .LP
235 A zone is capable of emulating a 32-bit host identifier, which can be
236 configured via \fBzonecfg\fR(1M), for the purpose of system consolidation. If a
237 zone emulates a host identifier, then commands such as \fBhostid\fR(1) and
238 \fBsysdef\fR(1M) as well as C interfaces such as \fBsysinfo\fR(2) and
239 \fBgethostid\fR(3C) that are executed within the context of the zone will
240 display or return the zone's emulated host identifier rather than the host
241 machine's identifier.
242 .SH SEE ALSO
243 .sp
244 .LP
245 \fBhostid\fR(1), \fBzlogin\fR(1), \fBzonename\fR(1), \fBin.rlogind\fR(1M),
246 \fBsshd\fR(1M), \fBsysdef\fR(1M), \fBzoneadm\fR(1M), \fBzonecfg\fR(1M),
247 \fBkill\fR(2), \fBpriocntl\fR(2), \fBsysinfo\fR(2), \fBgethostid\fR(3C),
248 \fBgetzoneid\fR(3C), \fBucred_get\fR(3C), \fBproc\fR(4), \fBattributes\fR(5),
249 \fBbrands\fR(5), \fBprivileges\fR(5), \fBcrgetzoneid\fR(9F)
|
1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 .\"
7 .\" Copyright 2020 Joyent, Inc.
8 .TH ZONES 5 "Jan 29, 2009"
9 .SH NAME
10 zones \- Solaris application containers
11 .SH DESCRIPTION
12 The zones facility in Solaris provides an isolated environment for running
13 applications. Processes running in a zone are prevented from monitoring or
14 interfering with other activity in the system. Access to other processes,
15 network interfaces, file systems, devices, and inter-process communication
16 facilities are restricted to prevent interaction between processes in different
17 zones.
18 .sp
19 .LP
20 The privileges available within a zone are restricted to prevent operations
21 with system-wide impact. See \fBprivileges\fR(5).
22 .sp
23 .LP
24 You can configure and administer zones with the \fBzoneadm\fR(1M) and
25 \fBzonecfg\fR(1M) utilities. You can specify the configuration details a zone,
26 install file system contents including software packages into the zone, and
27 manage the runtime state of the zone. You can use the \fBzlogin\fR(1) to run
28 commands within an active zone. You can do this without logging in through a
29 network-based login server such as \fBin.rlogind\fR(1M) or \fBsshd\fR(1M).
30 .sp
31 .LP
101 are running.
102 .RE
103
104 .sp
105 .ne 2
106 .na
107 \fB\fBSHUTTING_DOWN\fR\fR
108 .ad
109 .br
110 .na
111 \fB\fBDOWN\fR\fR
112 .ad
113 .RS 17n
114 Indicates that the zone is being halted. The zone can become stuck in one of
115 these states if it is unable to tear down the application environment state
116 (such as mounted file systems) or if some portion of the virtual platform
117 cannot be destroyed. Such cases require operator intervention.
118 .RE
119
120 .SS "Process Access Restrictions"
121 Processes running inside a zone (aside from the global zone) have restricted
122 access to other processes. Only processes in the same zone are visible through
123 \fB/proc\fR (see \fBproc\fR(4) or through system call interfaces that take
124 process IDs such as \fBkill\fR(2) and \fBpriocntl\fR(2). Attempts to access
125 processes that exist in other zones (including the global zone) fail with the
126 same error code that would be issued if the specified process did not exist.
127 .SS "Privilege Restrictions"
128 Processes running within a non-global zone are restricted to a subset of
129 privileges, in order to prevent one zone from being able to perform operations
130 that might affect other zones. The set of privileges limits the capabilities of
131 privileged users (such as the super-user or root user) within the zone. The
132 list of privileges available within a zone can be displayed using the
133 \fBppriv\fR(1) utility. For more information about privileges, see
134 \fBprivileges\fR(5).
135 .SS "Device Restrictions"
136 The set of devices available within a zone is restricted, to prevent a process
137 in one zone from interfering with processes in other zones. For example, a
138 process in a zone should not be able to modify kernel memory using
139 \fB/dev/kmem\fR, or modify the contents of the root disk. Thus, by default,
140 only a few pseudo devices considered safe for use within a zone are available.
141 Additional devices can be made available within specific zones using the
142 \fBzonecfg\fR(1M) utility.
143 .sp
144 .LP
145 The device and privilege restrictions have a number of effects on the utilities
146 that can run in a non-global zone. For example, the \fBeeprom\fR(1M),
147 \fBprtdiag\fR(1M), and \fBprtconf\fR(1M) utilities do not work in a zone since
148 they rely on devices that are not normally available.
149 .SS "Brands"
150 A zone may be assigned a brand when it is initially created. A branded zone is
151 one whose software does not match that software found in the global zone. The
152 software may include Solaris software configured or laid out differently, or it
153 may include non-Solaris software. The particular collection of software is
154 called a "brand" (see \fBbrands\fR(5)). Once installed, a zone's brand may not
155 be changed unless the zone is first uninstalled.
156 .SS "File Systems"
157 Each zone has its own section of the file system hierarchy, rooted at a
158 directory known as the zone root. Processes inside the zone can access only
159 files within that part of the hierarchy, that is, files that are located
160 beneath the zone root. This prevents processes in one zone from corrupting or
161 examining file system data associated with another zone. The \fBchroot\fR(1M)
162 utility can be used within a zone, but can only restrict the process to a root
163 path accessible within the zone.
164 .sp
165 .LP
166 In order to preserve file system space, sections of the file system can be
167 mounted into one or more zones using the read-only option of the
168 \fBlofs\fR(7FS) file system. This allows the same file system data to be shared
169 in multiple zones, while preserving the security guarantees supplied by zones.
170 .sp
171 .LP
172 NFS and autofs mounts established within a zone are local to that zone; they
173 cannot be accessed from other zones, including the global zone. The mounts are
174 removed when the zone is halted or rebooted.
175 .sp
176 .LP
177 A zone can share filesystems using \fBnfs\fR(4) or \fBsmb\fR(4)
178 subject to the restrictions earlier in this section, plus the additional
179 restriction that file sharing can only be done from filesystems a zone
180 completely controls. Some \fBbrands\fR(5) do not have the zone root set to a
181 filesystem boundary. \fBsharefs\fR(7FS) can instantiate per-zone subject to
182 the brand restrictions.
183 .SS "Networking"
184 A zone has its own port number space for \fBTCP\fR, \fBUDP\fR, and \fBSCTP\fR
185 applications and typically one or more separate \fBIP\fR addresses (but some
186 configurations of Trusted Extensions share IP address(es) between zones).
187 .sp
188 .LP
189 For the \fBIP\fR layer (\fBIP\fR routing, \fBARP\fR, \fBIPsec\fR, \fBIP\fR
190 Filter, and so on) a zone can either share the configuration and state with the
191 global zone (a shared-\fBIP\fR zone), or have its distinct \fBIP\fR layer
192 configuration and state (an exclusive-\fBIP\fR zone).
193 .sp
194 .LP
195 If a zone is to be connected to the same datalink, that is, be on the same
196 \fBIP\fR subnet or subnets as the global zone, then it is appropriate for the
197 zone to use the shared \fBIP\fR instance.
198 .sp
199 .LP
200 If a zone needs to be isolated at the \fBIP\fR layer on the network, for
201 instance being connected to different \fBVLAN\fRs or different \fBLAN\fRs than
202 the global zone and other non-global zones, then for isolation reasons the zone
203 should have its exclusive \fBIP\fR.
209 capabilities towards the network as a separate host that is connected to the
210 same network interface. In particular, the superuser in such a zone can change
211 its \fBIP\fR address and spoof \fBARP\fR packets.
212 .sp
213 .LP
214 The shared-\fBIP\fR zones are assigned one or more network interface names and
215 \fBIP\fR addresses in \fBzonecfg\fR(1M). The network interface name(s) must
216 also be configured in the global zone.
217 .sp
218 .LP
219 The exclusive-\fBIP\fR zones are assigned one or more network interface names
220 in \fBzonecfg\fR(1M). The network interface names must be exclusively assigned
221 to that zone, that is, it (or they) can not be assigned to some other running
222 zone, nor can they be used by the global zone.
223 .sp
224 .LP
225 The full \fBIP\fR-level functionality in the form of \fBDHCP\fR client,
226 \fBIPsec\fR and \fBIP\fR Filter, is available in exclusive-\fBIP\fR zones and
227 not in shared-\fBIP\fR zones.
228 .SS "Host Identifiers"
229 A zone is capable of emulating a 32-bit host identifier, which can be
230 configured via \fBzonecfg\fR(1M), for the purpose of system consolidation. If a
231 zone emulates a host identifier, then commands such as \fBhostid\fR(1) and
232 \fBsysdef\fR(1M) as well as C interfaces such as \fBsysinfo\fR(2) and
233 \fBgethostid\fR(3C) that are executed within the context of the zone will
234 display or return the zone's emulated host identifier rather than the host
235 machine's identifier.
236 .SH SEE ALSO
237 \fBhostid\fR(1), \fBzlogin\fR(1), \fBzonename\fR(1), \fBin.rlogind\fR(1M),
238 \fBsshd\fR(1M), \fBsysdef\fR(1M), \fBzoneadm\fR(1M), \fBzonecfg\fR(1M),
239 \fBkill\fR(2), \fBpriocntl\fR(2), \fBsysinfo\fR(2), \fBgethostid\fR(3C),
240 \fBgetzoneid\fR(3C), \fBucred_get\fR(3C), \fBnfs\fR(4), \fBproc\fR(4),
241 \fBsmb\fR(4), \fBattributes\fR(5), \fBbrands\fR(5), \fBprivileges\fR(5),
242 \fBsharefs\fR(7FS), \fBcrgetzoneid\fR(9F)
|