Zone Introduction
Zones are containers to segregate services so that they do not
interfere with each other. One zone, the global zone, is
the locus for system-wide administrative functions. Non-global
zones are not able to interact with each other except through
network interfaces. When using management commands that
reference PIDs, only processes in the same zone will be visible
from any non-global zone.
Zones requiring network connectivity have at least one
dedicated IP address. Non-global zones cannot observe
each other's network traffic. Users in the global zone, however,
are able to observe the functioning of processes in non-global
zones. It is usually good practice to limit user access to
the global zone to system administrators. Other processes
and users should be assigned to a non-global zone.
Each zone is assigned a zone name and a unique numeric zone ID.
The global zone always has the name "global" and ID "0."
A node name is also assigned to each zone, including global.
The node names are independent of the zone names.
Each zone has a path to its root directory relative to the
global zone's root directory.
A non-global zone's scheduling class
is set to be the same as the system's scheduling class. If
a zone is assigned to a
resource pool, its scheduling
class can be controlled by controlling the pool's scheduling class.
Non-global zones can have their own zone administrators.
Their authority is limited to their home zone.
The separation of the environments allows for better
security, since the security for each zone is independent.
Separation also allows for the installation of
environments with distinct profiles on the same
hardware.
The virtualization of the environment makes it easier
to duplicate an environment on different physical
servers.
ZFS is supported in Solaris
10 zones from the 6/2006 release and after.
Zone Installation
The system administrator configures new non-global zones
via the
zonecfg command, administers them
via
zoneadm and logs into them via
zlogin.
Zone States
Zone state information can be viewed with
zoneadm list -iv from the global zone.
Non-global zones have one of the following states:
- configured: Configuration complete and
in stable storage.
- incomplete: Installation or uninstallation
underway
- installed: Configuration instantiated
on system. Zone has no associated virtual platform.
- ready: Virtual platform established,
zsched started,
IPs plumbed, filesystems mounted, zone ID assigned.
No zone processes started yet.
- running: This state entered when zone
init process starts.
- shutting down: Zone being halted.
- down: Transitional state during zone
shutdown.
Zone Control Commands
The following control commands can be used to
manage and monitor transitions between states:
zlogin options zone-namezoneadm -z zone-name bootzoneadm -z zone-name haltzoneadm -z zone-name installzoneadm -z zone-name readyzoneadm -z zone-name rebootzoneadm -z zone-name uninstallzoneadm -z zone-name verifyzonecfg -z zone-name: Interactive mode;
can be used to remove
properties of the following types: fs, device, rctl, net, attr
zonecfg -z zone-name commitzonecfg -z zone-name createzonecfg -z zone-name deletezonecfg -z zone-name verify
Resource Management
Zones can be used to dynamically control
resource allocations on a zone basis. This means that an application
on a zone can be isolated and prevented from throttling other processes
in other zones on the same server.
Zone Components
The following components may be included in a zone:
- Zone name
zonepath: Path to the zone root in the global
zone's file space.autoboot: Whether to start the zone automatically.
(Note that the svc:/system/zones:default service needs
to be running in SMF for this to work.)pool: Associate the zone with a resource pool;
multiple zones may share a pool.net:
Zone network interfacefs:
File systems from the zone's /etc/vfstab,
automounted file systems configured within the zone, manually
mounted file systems or ZFS mounts from within the zone.dataset:
This allows a non-global zone to manage a ZFS file system.inherit-pkg-dir:
In a sparse root zone, represents
directories containing packaged software that a non-global zone
shares with the global zone. (Should not be used in a whole root
zone.)
device: Devices that should be configured
in a non-global zone.rctl:
Zone-wide resource
controls such as zone.cpu-shares and
zone.max-lwpsattr: Zone comments
The components can be set using the zonecfg command.
zonecfg Interactive Mode
In interactive mode, zonecfg can refer to either
a global scope or a specific resource. If no zone is specified in
the original zonecfg command, the scope is global
by default.
If a select or add subcommand is
used to specify a resource, the scope limited to that resource
until an end or cancel command is
issued.
The following subcommands are supported:
add: Add the specified resource or property to
the configuration in the scope.cancel: Ends the resource specification and returns
to the global scope without retaining partially specified resources.commit: Dump current configuration to disk.create: In-memory configuration begun for a new zone.
A -t template option specifies a template,
-F overwrites an existing configuration, and -b
creates a blank configuration.delete: Destroy the specified configuration.end: Ends the resource specificationexit: Ends the zonecfg session.export: Export the configuration in a form that can
be used in a command file.help: Context-sensitive help depending on the current
scopeinfo: Display information about the configuration
of the current scope.remove: Remove the specified resource or property
from the command scope.revert: Return to the last state written to disk.select: From the global scope, changes scope to the
specified resourceset: Set the specified property to the specified
valueverify: Verify the current configuration for
correctness.
Adding Resources
dataset:
zonecfg:zone-name> add dataset
zonecfg:zone-name:dataset> set name=pool/filesys
zonecfg:zone-name:dataset> end
fs:
zonecfg:zone-name> add fs
zonecfg:zone-name:fs> set directory=/mountpoint
zonecfg:zone-name:fs> set special=/dev/dsk/c#t#d#s#
zonecfg:zone-name:fs> set raw=/dev/rdsk/c#t#d#s#
zonecfg:zone-name:fs> set type=ufs
zonecfg:zone-name:fs> add options logging
zonecfg:zone-name:fs> end
inherit-pkg-dir:
zonecfg:zone-name> add inherit-pkg-dir
zonecfg:zone-name:inherit-pkg-dir> set dir=/package-home
zonecfg:zone-name:inherit-pkg-dir> end
net:
zonecfg:zone-name> add net
zonecfg:zone-name:net> set physical=interface-name
zonecfg:zone-name:net> set address=xxx.xxx.xxx.xxx
zonecfg:zone-name:net> end
(Examples of interface names include hme0 and bge0.)
rctl:
zonecfg:zone-name> add rctl
zonecfg:zone-name:rctl> set name=resource-name
zonecfg:zone-name:rctl> add value (priv=priv-level,limit=#,action=action-type)
zonecfg:zone-name:rctl> end
(See Resource Management for
information about what sorts of values to use.)
Zone Models
There are two different zone models, sparse and whole root.
Sparse zones only contain a subset of the packages installed into
the root zone. Additional packages can be brought in using
the inherit-pkg-dir
resources. Each sparse zone requires about 100MB of free space
in the global file system. 40MB of free RAM are also recommended.
Whole root zones contain all required packages and also any
optional Solaris packages that have been selected. The disk
space required for whole root zones is as much as is required
for a full installation. Whole root zones allow maximum configuration
within the zone context.
Zone Creation Example
From within the global zone:
# zonecfg -z zone-name
zonecfg:zone-name> create
zonecfg:zone-name> set zonepath=/zone-root-path
(Note that the zone's root path cannot be on ZFS, though
that capability is coming.)
zonecfg:zone-name> set autoboot=true
zonecfg:zone-name> add fs
zonecfg:zone-name:fs> set dir=/mount-point
zonecfg:zone-name:fs> set special=/global-source-dir
zonecfg:zone-name:fs> set type=lofs
zonecfg:zone-name:fs> end
(Inside the non-global zone, the mounted loopback file system will
be readable and writable.)
zonecfg:zone-name> add dataset
zonecfg:zone-name:dataset> set name=zone-pool/ZFS-filesys
zonecfg:zone-name:dataset> end
zonecfg:zone-name> verify
zonecfg:zone-name> commit
zonecfg:zone-name> end
Additional Reading
System Administration Guide: Solaris Containers-Resource Management
and Solaris Zones
