12278 nfs-zone needs man page changes
Reviewed by: Peter Tribble <peter.tribble@gmail.com>
Reviewed by: Gordon Ross <gordon.w.ross@gmail.com>
    
      
    
          --- old/usr/src/man/man5/zones.5.man.txt
          +++ new/usr/src/man/man5/zones.5.man.txt
   1    1  ZONES(5)              Standards, Environments, and Macros             ZONES(5)
   2    2  
   3    3  
   4    4  
   5    5  NAME
   6    6         zones - Solaris application containers
   7    7  
   8    8  DESCRIPTION
   9    9         The zones facility in Solaris provides an isolated environment for
  10   10         running applications. Processes running in a zone are prevented from
  11   11         monitoring or interfering with other activity in the system. Access to
  12   12         other processes, network interfaces, file systems, devices, and inter-
  13   13         process communication facilities are restricted to prevent interaction
  14   14         between processes in different zones.
  15   15  
  16   16  
  17   17         The privileges available within a zone are restricted to prevent
  18   18         operations with system-wide impact. See privileges(5).
  19   19  
  20   20  
  21   21         You can configure and administer zones with the zoneadm(1M) and
  22   22         zonecfg(1M) utilities. You can specify the configuration details a
  23   23         zone, install file system contents including software packages into the
  24   24         zone, and manage the runtime state of the zone. You can use the
  25   25         zlogin(1) to run commands within an active zone. You can do this
  26   26         without logging in through a network-based login server such as
  27   27         in.rlogind(1M) or sshd(1M).
  28   28  
  29   29  
  30   30         The autobooting of zones is enabled and disabled by the zones service,
  31   31         identified by the FMRI:
  32   32  
  33   33  
  34   34         svc:/system/zones:default
  35   35  
  36   36  
  37   37         See zoneadm(1M). Note that a zone has an autoboot property, which can
  38   38         be set to true (always autoboot). However, if the zones service is
  39   39         disabled, autoboot will not occur, regardless of the setting of the
  40   40         autoboot property for a given zone. See zonecfg(1M).
  41   41  
  42   42  
  43   43         An alphanumeric name and numeric ID identify each active zone.
  44   44         Alphanumeric names are configured using the zonecfg(1M) utility.
  45   45         Numeric IDs are automatically assigned when the zone is booted. The
  46   46         zonename(1) utility reports the current zone name, and the zoneadm(1M)
  47   47         utility can be used to report the names and IDs of configured zones.
  48   48  
  49   49  
  50   50         A zone can be in one of several states:
  51   51  
  52   52         CONFIGURED
  53   53                          Indicates that the configuration for the zone has been
  54   54                          completely specified and committed to stable storage.
  55   55  
  56   56  
  57   57         INCOMPLETE
  58   58                          Indicates that the zone is in the midst of being
  59   59                          installed or uninstalled, or was interrupted in the
  60   60                          midst of such a transition.
  61   61  
  62   62  
  63   63         INSTALLED
  64   64                          Indicates that the zone's configuration has been
  65   65                          instantiated on the system: packages have been
  66   66                          installed under the zone's root path.
  67   67  
  68   68  
  69   69         READY
  70   70                          Indicates that the "virtual platform" for the zone has
  71   71                          been established. For instance, file systems have been
  72   72                          mounted, devices have been configured, but no
  73   73                          processes associated with the zone have been started.
  74   74  
  75   75  
  76   76         RUNNING
  77   77                          Indicates that user processes associated with the zone
  78   78                          application environment are running.
  79   79  
  80   80  
  81   81         SHUTTING_DOWN
  82   82         DOWN
  83   83                          Indicates that the zone is being halted. The zone can
  84   84                          become stuck in one of these states if it is unable to
  85   85                          tear down the application environment state (such as
  86   86                          mounted file systems) or if some portion of the
  87   87                          virtual platform cannot be destroyed. Such cases
  88   88                          require operator intervention.
  89   89  
  90   90  
  91   91     Process Access Restrictions
  92   92         Processes running inside a zone (aside from the global zone) have
  93   93         restricted access to other processes. Only processes in the same zone
  94   94         are visible through /proc (see proc(4) or through system call
  95   95         interfaces that take process IDs such as kill(2) and priocntl(2).
  96   96         Attempts to access processes that exist in other zones (including the
  97   97         global zone) fail with the same error code that would be issued if the
  98   98         specified process did not exist.
  99   99  
 100  100     Privilege Restrictions
 101  101         Processes running within a non-global zone are restricted to a subset
 102  102         of privileges, in order to prevent one zone from being able to perform
 103  103         operations that might affect other zones. The set of privileges limits
 104  104         the capabilities of privileged users (such as the super-user or root
 105  105         user) within the zone. The list of privileges available within a zone
 106  106         can be displayed using the ppriv(1) utility. For more information about
 107  107         privileges, see privileges(5).
 108  108  
 109  109     Device Restrictions
 110  110         The set of devices available within a zone is restricted, to prevent a
 111  111         process in one zone from interfering with processes in other zones. For
 112  112         example, a process in a zone should not be able to modify kernel memory
 113  113         using /dev/kmem, or modify the contents of the root disk. Thus, by
 114  114         default, only a few pseudo devices considered safe for use within a
 115  115         zone are available.  Additional devices can be made available within
 116  116         specific zones using the zonecfg(1M) utility.
 117  117  
 118  118  
 119  119         The device and privilege restrictions have a number of effects on the
 120  120         utilities that can run in a non-global zone. For example, the
 121  121         eeprom(1M), prtdiag(1M), and prtconf(1M) utilities do not work in a
 122  122         zone since they rely on devices that are not normally available.
 123  123  
 124  124     Brands
 125  125         A zone may be assigned a brand when it is initially created. A branded
 126  126         zone is one whose software does not match that software found in the
 127  127         global zone. The software may include Solaris software configured or
 128  128         laid out differently, or it may include non-Solaris software. The
 129  129         particular collection of software is called a "brand" (see brands(5)).
 130  130         Once installed, a zone's brand may not be changed unless the zone is
 131  131         first uninstalled.
 132  132  
 133  133     File Systems
 134  134         Each zone has its own section of the file system hierarchy, rooted at a
 135  135         directory known as the zone root. Processes inside the zone can access
 136  136         only files within that part of the hierarchy, that is, files that are
 137  137         located beneath the zone root. This prevents processes in one zone from
 138  138         corrupting or examining file system data associated with another zone.
 139  139         The chroot(1M) utility can be used within a zone, but can only restrict
 140  140         the process to a root path accessible within the zone.
 141  141  
 142  142  
 143  143         In order to preserve file system space, sections of the file system can
  
  
 144  144         be mounted into one or more zones using the read-only option of the
 145  145         lofs(7FS) file system. This allows the same file system data to be
 146  146         shared in multiple zones, while preserving the security guarantees
 147  147         supplied by zones.
 148  148  
 149  149  
 150  150         NFS and autofs mounts established within a zone are local to that zone;
 151  151         they cannot be accessed from other zones, including the global zone.
 152  152         The mounts are removed when the zone is halted or rebooted.
 153  153  
      154 +
      155 +       A zone can share filesystems using nfs(4) or smb(4) subject to the
      156 +       restrictions earlier in this section, plus the additional restriction
      157 +       that file sharing can only be done from filesystems a zone completely
      158 +       controls. Some brands(5) do not have the zone root set to a filesystem
      159 +       boundary.  sharefs(7FS) can instantiate per-zone subject to the brand
      160 +       restrictions.
      161 +
 154  162     Networking
 155  163         A zone has its own port number space for TCP, UDP, and SCTP
 156  164         applications and typically one or more separate IP addresses (but some
 157  165         configurations of Trusted Extensions share IP address(es) between
 158  166         zones).
 159  167  
 160  168  
 161  169         For the IP layer (IP routing, ARP, IPsec, IP Filter, and so on) a zone
 162  170         can either share the configuration and state with the global zone (a
 163  171         shared-IP zone), or have its distinct IP layer configuration and state
 164  172         (an exclusive-IP zone).
 165  173  
 166  174  
 167  175         If a zone is to be connected to the same datalink, that is, be on the
 168  176         same IP subnet or subnets as the global zone, then it is appropriate
 169  177         for the zone to use the shared IP instance.
 170  178  
 171  179  
 172  180         If a zone needs to be isolated at the IP layer on the network, for
 173  181         instance being connected to different VLANs or different LANs than the
 174  182         global zone and other non-global zones, then for isolation reasons the
 175  183         zone should have its exclusive IP.
 176  184  
 177  185  
 178  186         A shared-IP zone is prevented from doing certain things towards the
 179  187         network (such as changing its IP address or sending spoofed IP or
 180  188         Ethernet packets), but an exclusive-IP zone has more or less the same
 181  189         capabilities towards the network as a separate host that is connected
 182  190         to the same network interface. In particular, the superuser in such a
 183  191         zone can change its IP address and spoof ARP packets.
 184  192  
 185  193  
 186  194         The shared-IP zones are assigned one or more network interface names
 187  195         and IP addresses in zonecfg(1M). The network interface name(s) must
 188  196         also be configured in the global zone.
 189  197  
 190  198  
 191  199         The exclusive-IP zones are assigned one or more network interface names
 192  200         in zonecfg(1M). The network interface names must be exclusively
 193  201         assigned to that zone, that is, it (or they) can not be assigned to
 194  202         some other running zone, nor can they be used by the global zone.
 195  203  
 196  204  
 197  205         The full IP-level functionality in the form of DHCP client, IPsec and
 198  206         IP Filter, is available in exclusive-IP zones and not in shared-IP
 199  207         zones.
 200  208  
 201  209     Host Identifiers
 202  210         A zone is capable of emulating a 32-bit host identifier, which can be
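
Review bot: The phrase "filesystems a zone completely controls" at new lines 157-158 is the actual security boundary for per-zone sharing, but it is never defined, and the next sentence about brands(5) whose zone root is not set to a filesystem boundary stops before stating the consequence. Suggest saying what qualifies (for instance, whether the read-only lofs(7FS) mounts described just above are excluded) and what a zone of such a brand can and cannot share. "subject to the restrictions earlier in this section" would be easier to act on if it named those restrictions, "sharefs(7FS) can instantiate per-zone" needs an explicit statement of what is instantiated and by whom, and the rest of the page spells the term "file systems" rather than "filesystems".
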
  
  
 203  211         configured via zonecfg(1M), for the purpose of system consolidation. If
 204  212         a zone emulates a host identifier, then commands such as hostid(1) and
 205  213         sysdef(1M) as well as C interfaces such as sysinfo(2) and gethostid(3C)
 206  214         that are executed within the context of the zone will display or return
 207  215         the zone's emulated host identifier rather than the host machine's
 208  216         identifier.
 209  217  
 210  218  SEE ALSO
 211  219         hostid(1), zlogin(1), zonename(1), in.rlogind(1M), sshd(1M),
 212  220         sysdef(1M), zoneadm(1M), zonecfg(1M), kill(2), priocntl(2), sysinfo(2),
 213      -       gethostid(3C), getzoneid(3C), ucred_get(3C), proc(4), attributes(5),
 214      -       brands(5), privileges(5), crgetzoneid(9F)
      221 +       gethostid(3C), getzoneid(3C), ucred_get(3C), nfs(4), proc(4), smb(4),
      222 +       attributes(5), brands(5), privileges(5), sharefs(7FS), crgetzoneid(9F)
 215  223  
 216  224  
 217  225  
 218  226                                 January 29, 2009                       ZONES(5)
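
Review bot: The footer date on the last line still reads "January 29, 2009" on both the old and new side, although this change adds a paragraph to File Systems and three SEE ALSO entries; it should be updated along with the content. The new nfs(4), smb(4) and sharefs(7FS) references at new lines 221-222 keep the list's existing order (by section, then by name), so nothing needs to change there.
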
    